[Ronnie] recently posted about his adventures in decoding malware. One of his users reported a phishy email, which did indeed turn out to contain a nasty attachment. The process that [Ronnie] followed in order to figure out what this malware was trying to do is quite fascinating and worth the full read.
[Ronnie] started out by downloading the .doc attachment in a virtual machine. This would isolate any potential damage to a junk system that could be restored easily. When he tried to open the .doc file, he was presented with an error stating that he did not have either enough memory or disk space to proceed. With 45GB of free space and 2GB of RAM, this should not have been an issue. Something was definitely wrong.
The next step was to open the .doc file in Notepad++ for analysis. [Ronnie] quickly noticed that the file was actually a .rtf disguised as a .doc. [Ronnie] scanned through large chunks of data in an attempt to guess what the malware was trying to do. He noticed that one data chunk ended with the bytes “FF” and “D9”, which are also found as the ending two bytes of .gif files.
[Ronnie] copied this data into a new document and removed all new line and return characters. He then converted the hex to ASCII, revealing some more signs that this was actually image data. He saved this file as a .gif and opened it up for viewing. It was a 79KB image of a 3D rendered house. He also found another chunk of data that was the same picture, but 3MB in size. Strange to say the least.
After finding a few other weird bits of data, [Ronnie] finally started to see more interesting sections. First he noticed some strings with mixed up capital and lowercase letters, a tactic sometimes used to avoid antivirus signatures. A bit lower he found a section of data that was about the size of typical shellcode. He decoded this data and found what he was looking for. The shellcode contained a readable URL. The URL pointed to a malicious .exe file that happened to still be available online.
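The manual steps above (pull out a long run of hex text, strip the line breaks, decode it, check whether it looks like an image, read any URL out of the rest) can be scripted. The following Python is an added example written for this page, not [Ronnie]'s code; it runs over a constructed RTF-style snippet with a tiny 1x1 GIF and a shellcode-like blob carrying a placeholder URL (`payload.example.test`, not a real indicator), and it identifies blobs by their leading magic bytes rather than by trailer.

```python
import re

# Constructed RTF-style sample standing in for the attachment in the post.
# RTF embeds binary objects as hex text, usually broken into short lines,
# which is why the post had to strip newline and return characters first.
GIF_BLOB = (
    b"GIF89a\x01\x00\x01\x00\x80\x00\x00\xff\xff\xff\x00\x00\x00"
    b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02\x44\x01\x00\x3b"
)
# NOP sled, a NUL-terminated URL and an int3 pad: a toy stand-in for the
# shellcode blob; the host is a placeholder, not an indicator from the post.
SHELLCODE_BLOB = b"\x90" * 8 + b"http://payload.example.test/update.exe\x00" + b"\xcc" * 4


def _hex_with_breaks(data, width=32):
    """Hex-encode bytes and split into fixed-width lines, as RTF writers do."""
    h = data.hex()
    return "\n".join(h[i:i + width] for i in range(0, len(h), width))


SAMPLE_RTF = (
    "{\\rtf1\\ansi\\deff0 {\\object\\objemb{\\*\\objdata\n"
    + _hex_with_breaks(GIF_BLOB)
    + "\n}}\n{\\object\\objemb{\\*\\objdata\n"
    + _hex_with_breaks(SHELLCODE_BLOB)
    + "\n}}}"
)

# A hex run: pairs of hex digits, possibly separated by whitespace, not glued
# to a letter or digit on either side (so "objdata" or "deff0" do not bleed in).
HEX_RUN = re.compile(
    r"(?<![0-9A-Za-z])[0-9A-Fa-f]{2,}(?:\s+[0-9A-Fa-f]{2,})*(?![0-9A-Za-z])"
)
URL_RE = re.compile(rb"https?://[\x21-\x7e]+")

# Leading magic bytes for the file types worth recognising in a triage pass.
MAGIC = {
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"MZ": "pe",
}


def extract_hex_runs(text, min_bytes=16):
    """Return decoded byte blobs for every hex run of at least min_bytes."""
    blobs = []
    for m in HEX_RUN.finditer(text):
        compact = re.sub(r"\s+", "", m.group(0))  # drop CR/LF/spaces
        if len(compact) < 2 * min_bytes:
            continue  # short runs are control words, not embedded objects
        if len(compact) % 2:
            compact = compact[:-1]  # dangling nibble from a truncated chunk
        blobs.append(bytes.fromhex(compact))
    return blobs


def classify_blob(data):
    """Identify a blob by its leading magic bytes."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def extract_urls(data):
    """Pull printable http(s) URLs out of a decoded blob."""
    return [m.group(0).decode("ascii").rstrip(".,;)") for m in URL_RE.finditer(data)]


def triage(text):
    """One record per embedded blob: size, detected type and any URLs."""
    report = []
    for blob in extract_hex_runs(text):
        report.append({
            "size": len(blob),
            "kind": classify_blob(blob),
            "urls": extract_urls(blob),
        })
    return report


if __name__ == "__main__":
    for entry in triage(SAMPLE_RTF):
        print(entry)
```

The size field is what flags the oddity the post describes (the same picture appearing once at 79KB and again at 3MB): two image blobs of the same type with wildly different sizes are worth a second look even before anything is decoded.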
Of course [Ronnie] downloaded the .exe and monitored it to see how it acted. He found that it set a run key in the registry to ensure that it would persist later on. The malware installed itself to the user’s appdata folder and also reached out repeatedly to an IP address known to be affiliated with ZeuS malware. It was a lot of obfuscation, but it was still no match for an experienced malware detective.
Arduino + PS2 controller + R2D2
Here’s an unbelievably real-looking R2D2 replica driven by a PS2 controller with an Arduino inside that plays sounds from the movies. Too bad we couldn’t find any more details about it. [Thanks Bill]
Server build time-lapse
[Justin] and his colleagues spent five days upgrading their server by building a 29-unit cluster. Lucky for us they set up a web-cam to capture the process.
Behold this working desktop computer, complete with monitor and mouse. We’re not sure how it was done, or what it’s for, but worth a peek just because of its size. [Thanks Harald via Dvice]
Modelling self-assembling viruses
A 3D printer and magnets were used to build this model of a self-assembling virus. Shake the jar and it falls apart. Shake a bit more and it’ll rebuild itself… it has the technology.
[Simon] is exercising his geek chic with these Tardis cuff links. The Doctor Who inspired accessories were made from a model railroad telephone booth.
When a new virus or other piece of malware is identified, security researchers attempt to get a hold of the infection toolkit used by malicious users, and then apply this infection in a specially controlled environment in order to study how the virus spreads and communicates. Normally, these toolkits also include some sort of management console commonly used to evaluate how successful the infection has been and other factors of the malware application. In the case of the EFTPS Malware campaign however, the admin console had a special trick.
This console was actually a fake, accepting a number of generic passwords and user accounts, and providing fake statistics to whoever looked into it. All the while, the console would “call home” with as much data about the researcher as possible. By tricking the researchers in this way, the crooks would be able to stay one step ahead of anti-virus tools that would limit the effectiveness of any exploit. Thankfully though, the researchers managed to come out on top this time.
Tobacco and E. coli can wreak havoc on your body, causing serious damage if not death. Some researchers from the University of California at Berkeley have found a way to take these potentially dangerous organisms and make them do our bidding. By genetically engineering a virus they have shown that the two can be used to grow solar cells. Well, they grow some of the important bits that go into solar cells, reducing the environmental impact of the manufacturing process.
Once a tobacco plant is infected with the altered virus it begins producing artificial chromophores that turn sunlight into electricity. Fully grown plants are ground up, suspending the chromophores in a liquid which is sprayed onto glass panels to create the solar cells. These types of creative solar energy production make us wonder if Thunderdome and the apocalypse are further off than we thought.
“Reformat it”. That’s pretty much our default answer when someone calls us complaining of malware and viruses. Though many can be removed, it can sometimes be quicker and less frustrating just to reformat it. Some of us even have specific ways that we organize all of our files just to make the quarterly reformat go smoother. Unfortunately, reformatting may no longer be the absolute cure. Researchers have developed a piece of malware that infects the BIOS. It is unaffected by reformatting or flashing. This means that it is also OS independent. They tested it on Windows and OpenBSD as well as a machine running VMware Player. This is a grim sign for the future.
Some of the Eee Box PCs have been shipped with viruses on board and ready to go. The virus was sitting on the D: drive, labeled as recycled.exe. As soon as that drive is opened, the virus is unleashed on the other drives and removable media attached. Strangely, Microsoft has come to the rescue as their Malicious Software Removal Tool detects it and removes it. This was only on some models, and apparently mostly in Japan.
Before you denounce ASUS for this oversight keep in mind that they make things that we really want, such as the touch screen Eee PC promised in 2009.
MIT researchers have used a viral assembly method to create a battery at half the size of a human cell. They’ve successfully developed the anode and electrolyte, leaving only the cathode unfinished. Each electrode is only 4 micrometers in diameter.
The construction process involves taking a rubbery base and creating a pattern of tiny posts through lithography. Then they add different layers of polymers that act as an electrolyte. Finally the virus preferentially self-assembles on top of the polymer creating the anode. Pictured above is a test plate. The battery itself is too small to be seen.