WebSentry.ca

Web & Network Security Information Blog

Hiding & Showing Div Tags

When CSS started becoming more and more widely supported by Internet browsers, designers soon realized that they could make sites much more dynamic than ever before. So, to get started, let's write some basic HTML for the div and set its CSS display style to 'none' (so the div starts out hidden).

{code type=html}<div id="myDiv" style="display: none;">
Hello World!
</div>
<input type="button" value="Toggle" onclick="doToggle('myDiv');"/>{/code}

From here we can use either plain JavaScript (as seen in this example) or the jQuery library (http://jquery.com).

Using JavaScript:

{code type=javascript}<script type="text/javascript" language="JavaScript">
// Toggle the visibility of the element whose id is passed in
function doToggle(obj) {
    var elem = document.getElementById(obj);
    if (elem.style.display != 'none') {
        elem.style.display = 'none'; // hide it
    } else {
        elem.style.display = '';     // clear the inline style so it shows again
    }
}
</script>{/code}


Preloading Images

There are a couple of options available to a web designer when it comes to preloading images. In the recent past, the most common way was to do it through JavaScript (as shown in Example 1), but when the paranoia about cross-site scripting exploits using JavaScript started gaining publicity, a fair percentage of the web-savvy community disabled JavaScript, which can and has seriously crippled the functionality of many websites. The only viable alternative, which all modern browsers support, is CSS (as shown in Example 2).

Example 1 (JavaScript)
{code type=html}<script type="text/javascript" language="JavaScript">
// Creating an Image object and setting its src makes the browser fetch it immediately
var imgLogo = new Image();
imgLogo.src = "logo.gif";
</script>{/code}

Example 2 (CSS)
{code type=html}<div style="display:none;">
<img src="logo.gif" height="150" width="350">
<img src="logo_rollover.gif" height="150" width="350">
</div>{/code}

Note: With both examples, the code has to be placed as early in the document as possible. With CSS, it should be placed right after the <body> tag, and with the JavaScript, it should be placed inside the <head> element.


Rootkits are evil…

Well, since my last posting, I have been studying in much more detail what it was that compromised the computer systems at my work, and how. Here is what I have found out. A rootkit was traditionally a label given to programs on Unix/Linux machines that would escalate a program or user to root privileges, pretty much meaning unhindered, unrestricted access to the entire machine. There are many ways for a rootkit to get onto a machine, usually by exploiting software of some sort for remote installation, or by exploiting the system locally through software that runs with greater permissions than the working user.

Rootkits are a collection of little programs intended for all sorts of nasty things, and most of what they do is pretty much irreversible except at great pain, and practically undetectable too. A common component of rootkits patches the system kernel's directory-listing functions so that a certain file becomes undetectable to the system itself. It works like this: I could modify the kernel's directory-listing function to ignore files that start with a $ symbol. A file such as "$evilproc.exe" would then be invisible to programs such as Spybot/Ad-Aware, or any application-level program, since all of them use the Windows calls to get listings of files, and that kernel function has been edited. Pretty cool idea the hackers came up with, but it's a nasty trick. Modification of the Task Manager is also possible, so that it skips certain processes without listing them as running.
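As an added illustration (not code from the original post), this Python simulates the hook described above and the standard defensive counter to it, a cross-view comparison: a listing taken through the (simulated) patched call is compared against a trusted enumeration, and any name present only in the trusted view is flagged as hidden. The `$` prefix, the file names and the temporary directory are constructed for the demo.

```python
import os
import tempfile

# Prefix that the simulated hook strips from listings (constructed, mirrors the post's "$" example)
HIDDEN_PREFIX = "$"


def hooked_listdir(path):
    """Simulate the patched directory-listing call.

    Everything that reaches the application layer through the hooked
    function has names starting with HIDDEN_PREFIX silently removed,
    which is what a scanner relying on the normal OS calls would see.
    """
    return [name for name in os.listdir(path) if not name.startswith(HIDDEN_PREFIX)]


def cross_view_diff(trusted_names, api_names):
    """Cross-view detection.

    Compare a trusted enumeration of a directory with the view returned by
    the (possibly hooked) API. Names present only in the trusted view are
    candidates for files a rootkit is hiding. Returned sorted for stable output.
    """
    return sorted(set(trusted_names) - set(api_names))


def demo():
    """Create a constructed directory, take both views and return the hidden names."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("notes.txt", "$evilproc.exe", "report.pdf"):
            open(os.path.join(d, name), "w").close()
        trusted = os.listdir(d)      # unhooked enumeration (the trusted view)
        api_view = hooked_listdir(d)  # what Spybot/Ad-Aware would be shown
        return cross_view_diff(trusted, api_view)


if __name__ == "__main__":
    print("Hidden entries:", demo())
```

In the real world the trusted view comes from something that bypasses the patched code path, such as reading the volume from a clean boot medium, which is why scanning a compromised system from inside it cannot be trusted.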

I found most of this information from a podcast on this website (http://www.grc.com/) called "Security Now". It is a very good podcast and I highly recommend it. They talk about a lot of topics relating to computer and Internet security issues. Guess what? Did you know that Sony made use of rootkit technology, and even put a call-back home in it? Many of the enhanced CDs from Sony have a rootkit as part of the CD. Listen to the podcasts to see what it is all about. The next version of Windows (Vista) is supposed to be re-focused on making users just users, and having to escalate to administrator status for short periods, to combat things such as rootkits and spyware. We shall see…


And so it continued…

So… the hacker struck again. This time we were more prepared for observation. I had asked my work to phone me if anything unusual happened, so when the mouse started moving on one of our machines, we were ready. It was found that the hacker was connecting through the running VNC server on the computers, which led me to believe that my VNC password had been compromised. Although this is always a possibility, I found after a quick web search that there had been a security alert put out for a "VNC 4.1.0 – 4.1.1 (VNC Null Authentication) Auth Bypass Exploit". So, that was what had let the hacker in: our own remote admin software. I have since had it removed from all the computers, as I never trusted it 100%, but this proved it all the more.

When the hacker connected, he opened up a command window and FTP'd down a RAR executable file. He ran it, and then I made the decision to pull the network cord before he got too far. The executable was self-installing, so its payload was being delivered from an installable batch file. After searching for a few of the files through Google, I came across this link as the one most closely resembling the files that had been downloaded: http://www.sophos.com/virusinfo/analyses/trojmultidrds.html.

Basically, what it looks like it does is install a Serv-U server daemon (with its configuration file), then install a program which cripples the computer's defences by hiding processes, services and registry entries. It then follows up by installing a remote installation program, a service-starting tool, and a command-line registry editing program. All of this is done by that one self-executing executable file, and it is what it did here. From then on, the hacker basically 'owns' the machine: he can FTP files onto it, the machine's IP settings are locked down, and remote installation tools are in place so he can remotely execute any program he wishes with the process completely hidden.

Scary stuff, eh? So, basically the only way to reverse the process suitably at this point is to give the computer a nice clean install, and not to install too much third-party software such as VNC for now, or at least only with much more rigorous security exploit monitoring on my side.


Along came a hacker…

Yesterday was a stressful day… I got a call from work asking if I was remotely controlling a computer, as I sometimes do, for maintenance when I am not nearby. I was not.

Dread set in as I quickly started asking exactly what they saw. The computer was opening web browsers and a command window was open with lots of typing. My guess? Most likely they were downloading scripts to set up shop and make the computer theirs.

Why did this happen? How did this happen? I have no definite answer to that. It could possibly be an unforced Windows update, or the lack of user security consciousness, that led to this. Not to mention I found it had a copy of RealVNC (which I sometimes use for remote connections) with 'No Authentication Required' selected; therefore, if anyone did a scan for machines with a VNC server on our network and tried to connect, there would be no password or anything to stop them from connecting. My setting for it is by default a fairly long password, but either a virus strain (assuming that is possible) or the user had reset it to nothing.

I went in and ran some Spybot and Ad-Aware utilities, and they found some things, most of them the more harmless spyware that comes from general surfing on the Internet. The computer was also loaded with Yahoo games and other 'contraband' under the IT policy. This is what happens when you give users more privileges than you should. The user that had viewed this 'attack' gave me some quick notes of what the hacker was doing before I instructed them to pull the network cord. This hacker/script-kiddie had been downloading his whole tool-kit from a free web hosting site. It had a lot of stuff, including server daemons, batch files, and lots of very damaging types of files.

I decided to download a few of them to check what they were, being very careful not to actually execute any of them. It was just as I had expected: the scripts this guy had were highly refined to scan internal networks to try and spread, while also subduing the current machine and opening ways for them to connect more easily and hide their presence. I then submitted a 'report abuse' form to the web hosting company. I know it is a temporary fix, but hey, it causes a few minutes of annoyance for the hacker. I am surprised the web hosting companies do not shut them down faster; four of the twenty-ish files were caught by my corporate Symantec right away, and it would not let me download them. Shouldn't web hosting companies be running these too?

I installed a very exclusive firewall on the workstation, and removed all the unnecessary programs (e.g. the ones especially breaking the IT policy). I ran Spybot again, removed things, and it should be fine for now. The next step, when I find some time, is to see whether this hacker managed to get a functional rootkit installed, or if it was just the VNC server. *sigh*
