Friday, November 25, 2005

Thursday, November 24, 2005

Bots

'Bots' for Sony CD Software Spotted Online

Sony's software, installed when playing one of the record label's recent copy-protected CDs in a computer, hides itself on hard drives using a powerful programming tool called a "rootkit." But the tool leaves the door open behind it, allowing other software--including viruses--to be deeply hidden behind the rootkit cloak.

The first version of a Trojan horse spotted early Thursday, which aims to give an attacker complete remote control over an infected computer, didn't work well. But over the course of the day, several others emerged that apparently fixed early flaws.

"This is no longer a theoretical vulnerability; it is a real vulnerability," said Sam Curry, vice president of Computer Associates' eTrust Security Management division. "This is no longer about digital rights management or content protection, this is about people having their PCs taken over."

Sony's use of the rootkit software has sparked a firestorm of criticism online and off over the company's techniques, highlighting concerns that remain over record labels' increasingly ambitious attempts to control the ways consumers can use purchased music.

Last week, plaintiffs' attorney Alan Himmelfarb filed a class action suit against Sony BMG in Los Angeles federal court, asserting that the company had violated state and federal statutes on unauthorized computer tampering. The company's actions also constituted fraud, trespass and false advertising, the suit contends.

Other attorneys say they are considering other suits. Several Italian consumer groups also have said they are looking into the prospect of taking legal action against Sony, although the relevant discs were distributed by the record label's U.S. division and not intended for overseas sale.

Sony's use of the rootkit stems from record companies' growing concerns that unrestricted music copying is undermining their sales, and they have been looking for a technological way to limit the number of copies that people can make of each CD they buy.

Sony BMG has experimented with several different ways to do this. The current controversy focuses on just one of those tools, created by a British company called First 4 Internet.

The First 4 Internet software is included on a handful of CDs, including recent releases from My Morning Jacket and Southern rockers Van Zant. When the albums are put in a computer's CD drive, they ask a listener to click through a consent form, and then install the rootkit copy-protection software on the hard drive.

A rootkit is a tool that takes a high level of control over a computer, potentially even preventing the original computer user from performing certain tasks. In this case, the First 4 Internet software hides itself from view in the computer's guts.

One Trojan horse discovered by security companies Thursday is a variant of a pre-existing software distributed by spam e-mail, among other techniques.

One version of the e-mail claims to be from a business publication and says it is using a photograph of the recipient for a soon-to-be published article, according to security company BitDefender. Clicking on the alleged photograph installs the malicious software, which then connects automatically to the Internet Relay Chat chat network, opening up a channel to control the infected computer.

In a new version of the program, the software hides itself using Sony's rootkit tool and then tries to connect to a server on the chat network. The first version of the Trojan was unable to function after hiding itself, security company F-Secure said. However, several other variants have been found that are able to successfully take over control of a computer after hiding under the Sony software.

All virus companies are rating the danger as fairly low so far, since the Trojans seem to be spreading slowly.

Most antivirus companies are releasing versions of their software that identify or remove the Sony software. A patch on the Sony Web site will uncloak the copy protection tools, but computer users must contact Sony's customer service for instructions on removing it altogether.

Neither Himmelfarb nor a Sony BMG spokesman could immediately be reached for comment. A Sony BMG representative contacted last week noted that the software could be easily uninstalled by contacting the company's customer support service for instructions.

Info found Here

Tuesday, November 22, 2005

Is it only IT individuals who do hacking..?

Most of the time, hackers are known as individuals who commit to attacking someone with their IT skills. But considering the news we hear in our day-to-day lives, we can ask ourselves: is it only those individuals who use hacker skills? I don't think so; nowadays it seems most big organizations use hacker skills too.
As you know, the SONY BMG crisis is much-discussed news that we heard a few days ago. SONY BMG is not the only organization that uses hacker skills for business issues. Nowadays hackers are used by the military and intelligence services, and there are some hacker companies too, mostly known as computer security companies. The bottom line is that everybody needs hackers and their skills; the only difference is how they use them or their skills against others. In a way, it seems hackers make somebody's life comfortable while someone else gets into trouble. What do you think?

Wednesday, November 16, 2005

Adding Back Doors to the Standard C Library


Hacked by chrootstrap December 2003

(GNU Free Documentation License)

In computer terms, a library is an archive of reusable functions, data, and types. When a program uses parts of a library, the library is said to be statically linked when the library's parts are copied into the program and dynamically linked when the parts are loaded while the program is running. Libraries which support dynamic linking are said to be shared libraries because their parts may be used by many different programs, even at the same time. Only one copy of the parts needs to be on the system and any updates to a part apply to all programs using the part. Because of these advantages, shared libraries are very popular on many operating systems including Linux.

Normally when a shared library is updated or changed, it has to be rebuilt from all of the original parts and the new library simply replaces the old library. It is possible, however, to modify the library without the original objects. This is usually done with the BFD library, which allows the internal structures of programs and libraries to be operated on in a fairly high-level way. However, BFD does not allow for the alteration of a library in place; it is necessary to create a new library from the previous one while, perhaps, changing some of its properties. The code to do this (viz. object_copy in objcopy.c of binutils) is fairly laborious and heavy handed.

I will explain the use of a somewhat different technique in order to modify the operations of an existing library, the standard C library, in place without changing the file size or internal structure. The end result will be used to make a 'back door' in the open function that will allow us to handle any file name that starts with "http://" by returning the file handle of a socket ready for the reading of the file requested by HTTP. Any program that uses the shared library and calls open will have this functionality added to it.

Our example will be for x86 ISA Linux. The code is easily adapted to other architectures (assuming a familiarity with elementary assembly language) and the ideas can be generally applied to systems with ELF shared libraries. To begin, I write the specialized handler for the open function with typical Posix library calls. Please study this version first to get a quick understanding of how the operation is accomplished:

openbackdoor_library.c

However, within the C standard library we should not be loading other libraries and can make things simpler by foregoing the use of standard library calls as well. Furthermore, we are not going to insert from any other section than .text and therefore may not overly use string constants or global variables. In order to meet these criteria we must rewrite the function using system calls and restricted techniques. The most complex rewrite has to do with providing basic gethostbyname functionality. Here is the version that is completely independent of position and other functions:

openbackdoor_systemcalls.c

You'll notice that at the very end of our function we handle the case of a pathname that doesn't start with "http://". We simply use the open system call.

Now we are ready to compile the function and prepare it for insertion into the library. This is done simply by entering:

gcc -c openbackdoor_systemcalls.c

Now we need to extract our code into the raw function data:

objcopy -O binary openbackdoor_systemcalls.o

openbackdoor_systemcalls.o is now purely the function's contents. All ELF structures and additional sections have been stripped away. It is ready to be introduced into the standard library. It is time now to prepare the library for insertion. We will test our changes on a disposable copy of the library. Begin by making an empty directory, e.g. one called bdoor. Inside the new directory make two subdirectories, one named lib and one named etc. Into etc copy resolv.conf from /etc/resolv.conf. Now make a small test program named test.c. The test program should have these contents:

#include 
#include

int main (int argc, char **argv)
{
int fd;
char buf [1024];

if ((fd = open("test.c", O_RDONLY, 0)) < fd =" open(">

Compile this program ordinarily ("gcc test.c"). Into the subdirectory, lib, copy two files, ld-linux.so.2 and libc.so.6. These two libraries will be somewhere on your system already, probably in /lib. libc.so.6 is the standard C library and ld-linux.so.2 is the dynamic linker which our test program will need to load the standard library. Right above the bdoor directory you can switch to using this library copy with your test program by chrooting (you will need to be root to do this):

chroot bdoor /a.out

If you do this before patching the standard library, it should simply print out the source code for test.c. Now, we need to discover some details about the standard library. We need to learn the location of the current open function, the location of the vfwprintf function, the location of the dynsym symbol, and the location of the open symbol. The vfwprintf function is used because we are going to commandeer its location as it's a bloated function that is never called by anything on nearly every system. Start by getting a print out of the dynamic symbol table of libc.so.6 by doing this:

objdump -T libc.so.6 > symboldump

Open symboldump and remove the first four lines to reach the point where the SYMBOL TABLE listings begin. Search for dynsym. Record the leftmost number; it is the location of what this symbol points to (the dynamic symbols), probably between 0x3000 and 0x4000. Now search for open . You will find many instances of open, but you need the one that is only "open" and doesn't have any other text in its identifier. Now record the location (leftmost entry) along with the line number at which this symbol occurs in the symboldump file. The line number will be used to calculate where it is in the dynsym listing. Finally, find and record the location of vfwprintf. The size is listed after the section it is in (.text). Your inserted function can only be up to this size. For example, here are the values in my library:

dynsym symbol location = 0x339C
open function location = 0xD5A20
open line number = 1997
vfwprintf function location = 0x51E10

Now we need to calculate the location of the open symbol. This is (open_line_number * 0x10 + dynsym_symbol_location). In my example it is 0xb06c. Finally, you will need the size of your new function, which is its file size after objcopy -O binary. In my case the new size is 4631. Now write an inserter program using your values in the define statements:

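#define _GNU_SOURCE /* memmem is a GNU extension */
#include <stdio.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>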

#define OPEN_SYM 0xb06c - 128
#define OPEN_FUNC 0xd5a20
#define NEW_OPEN_SIZE 4631
#define VFWPRINTF_FUNC 0x51e10

int main ()
{
int x, fd;
char buf [2048];
char c = 0xe9;

fd = open("libc.so.6", O_RDWR, 0);
lseek(fd, OPEN_FUNC, SEEK_SET);
write(fd, &c, 1);
x = VFWPRINTF_FUNC - OPEN_FUNC + 4;
write(fd, &x, 4);
lseek(fd, OPEN_SYM, SEEK_SET);
x = OPEN_FUNC;
x = (int)memmem(buf, read(fd, buf, 2048), &x, 4) - (int)buf;
lseek(fd, OPEN_SYM + x, SEEK_SET);
x = VFWPRINTF_FUNC;
write(fd, &x, 4);
x = NEW_OPEN_SIZE;
write(fd, &x, 4);
lseek(fd, VFWPRINTF_FUNC, SEEK_SET);
while((x = fread(buf, 1, 2048, stdin)) > 0) {
write(fd, buf, x);
}
close(fd);
return 0;
}

What we have done is change the description of the open symbol's contents. They now describe the location and size of our code, which we copy into the vfwprintf location. Calculating the location of the open symbol from the line number of the print out gives a result that varies a few bytes more or less from the actual location. This is why we back track a little from the estimate and then search to find the precise location. We also change the contents of the existing open function to simply jump to our back door. This way any standard library function which uses the open function (and has already had its address hard-coded into it) will be redirected to our back door. Cool beans!

Now compile it and run it in the lib directory as:

./a.out <>

Now try your test program again through chroot and ensure that everything works correctly. If everything went correctly, you should now have a back door in the open function that handles pathnames that start with "http://". You can put several functions in vfwprintf, ensuring correct offsets each time. If you want to be nice, you can add a small bit of code to return -1 at the start of vfwprintf and put your functions after that. If you're brave, copy your new library to where the original was, backing up the original first, and give it a try. Now all your binaries that use the shared open function can easily work with HTTP addresses. Happy hacking!
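Seen from the defending side, the procedure above leaves two artifacts in the library: a dynsym entry for open that shares vfwprintf's address but not its size, and a jmp rel32 (0xE9) as the first instruction of the old open. The check below is an added example, not part of the original article; the symbol table and code bytes are constructed sample data, and the helper names count_size_conflicts and entry_is_hooked are hypothetical.

```c
/* Added example: flags the two edits the walkthrough makes to a library.
 * All tables and bytes below are constructed sample data. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Same 16-byte layout as an ELF32 .dynsym entry (Elf32_Sym). */
struct sym32 {
    uint32_t st_name;   /* offset of the name in the string table */
    uint32_t st_value;  /* address the symbol resolves to */
    uint32_t st_size;   /* size of the function in bytes */
    uint8_t  st_info;   /* low nibble is the symbol type */
    uint8_t  st_other;
    uint16_t st_shndx;  /* 0 means undefined (imported) */
};
#define STT_FUNC  2
#define TEXT_BASE 0x1000u   /* load address of the sample code bytes */

static int is_func(const struct sym32 *s)
{
    return (s->st_info & 0xf) == STT_FUNC && s->st_shndx != 0;
}

/* Check 1: function symbols that share an address are normally aliases
 * and carry the same size. Same address with different sizes means one
 * entry was rewritten to describe other code. Returns the pair count. */
int count_size_conflicts(const struct sym32 *tab, size_t n, const char *strtab)
{
    int hits = 0;
    for (size_t i = 0; i < n; i++)
        for (size_t j = i + 1; j < n; j++) {
            if (!is_func(&tab[i]) || !is_func(&tab[j])) continue;
            if (tab[i].st_value != tab[j].st_value) continue;
            if (tab[i].st_size == tab[j].st_size) continue;
            hits++;
            if (strtab)
                printf("conflict at 0x%x: %s (size %u) vs %s (size %u)\n",
                       (unsigned)tab[i].st_value,
                       strtab + tab[i].st_name, (unsigned)tab[i].st_size,
                       strtab + tab[j].st_name, (unsigned)tab[j].st_size);
        }
    return hits;
}

/* Check 2: a function whose first instruction is an x86 near jump
 * (E9 rel32) landing outside its own [addr, addr+size) range has been
 * redirected or is a thunk. Heuristic: report it for review. */
int entry_is_hooked(const uint8_t *text, size_t len,
                    uint32_t addr, uint32_t size, uint32_t *target)
{
    size_t off = addr - TEXT_BASE;
    if (addr < TEXT_BASE || off + 5 > len || text[off] != 0xE9) return 0;
    uint32_t rel = (uint32_t)text[off + 1] | (uint32_t)text[off + 2] << 8 |
                   (uint32_t)text[off + 3] << 16 | (uint32_t)text[off + 4] << 24;
    uint32_t t = addr + 5 + rel;   /* jump is relative to the next instruction */
    if (target) *target = t;
    return t < addr || t >= addr + size;
}

/* Constructed sample: open and its alias __open at 0x1000, vfwprintf at 0x1020. */
static const char strtab[] = "\0open\0__open\0vfwprintf";
#define SYM(name, val, sz) { name, val, sz, 0x12, 0, 1 }
static const struct sym32 clean_syms[] = {
    SYM(1, 0x1000, 0x10), SYM(6, 0x1000, 0x10), SYM(13, 0x1020, 0x40) };
static const struct sym32 patched_syms[] = {
    SYM(1, 0x1020, 0x30), SYM(6, 0x1000, 0x10), SYM(13, 0x1020, 0x40) };
static const uint8_t clean_text[0x60]   = { 0x55, 0x89, 0xE5 };
static const uint8_t patched_text[0x60] = { 0xE9, 0x1B, 0x00, 0x00, 0x00 };

int main(void)
{
    uint32_t t = 0;
    printf("clean:   %d conflicts, hooked=%d\n",
           count_size_conflicts(clean_syms, 3, strtab),
           entry_is_hooked(clean_text, sizeof clean_text, 0x1000, 0x10, &t));
    printf("patched: %d conflicts\n",
           count_size_conflicts(patched_syms, 3, strtab));
    if (entry_is_hooked(patched_text, sizeof patched_text, 0x1000, 0x10, &t))
        printf("open entry jumps to 0x%x\n", (unsigned)t);
    return 0;
}
```

Because the technique keeps the file size and section layout unchanged, size and structure checks will not notice it; comparing the library's checksum against the distribution package's recorded value remains the primary check, with symbol-level tests like these as a second opinion.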

Monday, November 14, 2005

Sony's Anti Piracy

Sony's XCP Anti-Piracy Mechanism Shut Down!

Well, it's funny that the same mechanism they used to stop piracy is now being copied by hackers to create worms and spyware. Sony had to shut down production of their new disc because of the security risk.
I guess it's true that when they step up, so will others to put them down.


Entertainment giant Sony has finally announced that they are suspending the production of their music CDs that are loaded with a controversial anti-piracy mechanism. These measures installed hidden software on MS Windows based machines to limit the number of times the CD can be replicated on it. However, the mechanism has been so insecure that the concept has been picked up by hackers to develop spyware and worms based on it.

Sony has however claimed that they stand by their right to prevent users from pirating songs and other digital content from the CDs. They are however halting the manufacturing of these disks, which used XCP technology. Sony said in a statement: “We also intend to re-examine all aspects of our content protection initiative to be sure that it continues to meet our goals of security and ease of consumer use.”

Sony BMG Music Entertainment had used this technology in at least 20 of their popular music titles that included releases by Van Zant and The Bad Plus. However, the security expert Mark Russinovich who discovered this flaw in their mechanism is still disappointed. The basic fact is that the company took too long to take this decision and still does not admit that they are at fault here.

In addition, Sony has not said that they will not be using this technology in the future. Several security researchers have already labeled this technology as Spyware considering it is difficult to remove and transmits without warning details about what music is playing. In addition, the consumer was not adequately informed about what happens when he plays the CD in his computer.

In fact, several security software companies have issued updates to their programs, which detect the presence of the Sony’s hidden files and disable them.


That just made my day. How about you?

http://news.techwhack.com/2399/121111-sony...racy-music-cds/

Hacking Art or Science

By Mark Hinge (Thu, 29 Sep 2005 21:40:00 +0100)

1. Introduction

The argument regarding the principal nature of hacking - be it an art or a science is not a new one. This paper hopes to discuss both the meaning of the term “hack” and the underlying arguments for it being defined as an art or a science in reference to the base principles and basic methodologies of the discipline.

Ultimately the question is this: Does the creative thinking required to be a successful “hacker” outweigh the necessity for scientific process?

The dictionary [www.dictionary.com] defines the term “hacking” in a computer security context as:


1. Informal.
a. To write or refine computer programs skilfully.
b. To use one's skill in computer programming to gain illegal or unauthorized access to a file or network: hacked into the company's intranet.

The origin of the term however is a far more relevant issue than the “dictionary” definition itself – as is the subsequent media bastardisation of the exact definition of the term, all of which needs to be discussed before moving on to the main topic of this paper.


2. The Definition Of A Hacker

The term “hacking” in a computer science context was first coined in the 1960’s – and its continuing extended usage widely attributed to localised Massachusetts Institute of Technology (MIT) slang at the time, where in the very beginning the term “hack” was synonymous with the word “prank”. An early indication of the darker side of future hacking perhaps but nevertheless in reference to this origin “hacking” could basically and simply be defined as;


“Making a system, program or piece of hardware do something that it was not designed to do.”


Perhaps a good term to sum up the meaning of “hacking” is “tinkering”. Under this broad definition it’d be quite possible to “hack” the toaster into cooking hotter than it was designed to do, or anything else as mundane; the description of the hardware modification involved would fall well within the constraints of the term – a good hack. With the exception of the rather circumstantial, not to mention retrospectively amusing ‘seed’ in the “prank” origin of the term; hacking previous to perhaps the early to mid 1980’s had no real demonised undertones, no media generated air of menace – all of which such additions and confusions of the definition have emerged as commerce and relatively un tech savvy and uneducated parties have had by nature of the changes in day to day life become more involved with areas of computer science and information technology in general, areas which at the origin of the term hacking were quite alien to the man on the street.

As touched upon briefly above, the mass mainstream media have given the term “hacking” a rather hard time since its initial outing in 1983 when American media outlets Newsweek and CBS News first used the term to refer to “computer intruders”. Although at this point even those in the computer community referred to such activity as "hacking" they surely did not intend for its usage to intone the purely illegal areas of wider “hacking” – areas that would later be coined widely as “cracking” by the same underground community.

The upshot of this initial ‘definition by fire’ is a simple misunderstanding of the wider meanings of the term “hacking” by the mass media which perpetuates to this very day. While the educated underground community largely still consider the term “hacking” to be representative of the initial meaning of the phrase (ie. “making a system, program or piece of hardware do something that it was not designed to do”) the media have steamrollered the definition into focusing, for the most part, on ‘illegal entry into computer systems’. A small part of the broad definition of “hacking” which generally (perhaps largely due to the media bastardisation of the term “hacking”) is now referred to as “cracking” by the underground community at large.

The differences between the terms could perhaps be defined as:


Hacking: Making a system, program or piece of hardware do something that it was not designed to do.

Cracking: Gaining access to a system, program, server or piece of hardware via methods which bypass any security in place or give the ‘cracker’ inflated privileges within the targeted system, program, server or hardware.


The arguments about definition and scope of the term “hacking” aside, the important fact (in terms of this paper) remains that as far as the wider population are concerned “cracking” is either synonymous with the term “hacking”, or irrelevant in the face of the term “hacking”. To the man on the street “the hacker” has become an evil figure lurking in dark cellars surrounded by computer screens ready to steal credit card details online or deface websites – the media bastardisation is at this time complete and this is something the underground community now have to live with; not to mention a prime candidate for future more careful use of language both by specialised communities and the media who always eventually pick up on the slang used by such specialised communities.

Despite this, and as a historical lead on to the rest of this paper it is very interesting to note that the original definition of the term could also be applied to another group of individuals within society who have not been so demonised. Think carefully:

What are scientists doing if not making a system, program or piece of hardware do something that it was not designed to do? Where system, program or piece of hardware equals any area of science brought into question. This concept will be explored further later.

It is this comparison – between hackers and early scientists - which inspired this paper. Is original science just a retrospective redefinition of “hacking” – that is to say could the 1960’s term hacking be used to describe the thinking process behind the scientific revolution? Were the goals and methodologies of the original scientists similar in essence to those of the original “hackers” and does this suggest that “hacking” as we know it (be it art or science) is the first step along the road of discovery in terms of newly discovered disciplines?

Did those original hackers at MIT just design a slang term for the process of early developmental science? Personally, I think they probably did.

Conversely and moving onto the fundamental topic for this paper, despite its apparent similarities with the early stages of science is “hacking” in fact more of an art form than a true science; does the experimental and non-linear nature of “hacking” have more in common with artistic exploration than scientific process?


3. Basic “Hacking” Methodologies

From here on in, and having discussed at length the fate of the word “hacking” at the hands of the mass media, the phrase will now be used on that same media’s terms; “hacking” will now essentially become “cracking” also – this to save on later confusion and arguments as regard the meaning of the word in the context of this paper.

In essence the basic method for a “hack” can be defined fairly simply. The process, although never defined definitively, can be quite linear in its execution:


1. Approach a target.
2. Define possible attack vectors for acquired target.
3. Select most efficient attack vector.
4. Execute attack.

Although being mainly in reference to “Cracking” the above method can equally be applied to most if not all forms of ‘traditional’ hacking. Find a problem, find ways around the problem, choose the most efficient way around the problem; execute the hack. The nature of the “hack” makes no difference.

And although on occasion “hackers” may stray from this process, perhaps into the realms of what can be defined as “Voodoo Hacking” – a fun system which has no real process and is basically executed at random with the hope of producing at least some result, that result being the one you were striving to achieve or, in most cases, not.

As with the initial argument this very examination of the process has presented us with two sides of the coin; a very scientific approach and a random perhaps more artistic approach – both methodologies which all “hackers” have used at one stage or another during their own personal learning process I am sure.

But which is most representative of the overall tone of the discipline?


4. The Argument For Science


The mentality of curiosity necessary to succeed in scientific research is certainly equitable to that which is needed to succeed as “a hacker”, and although on the face of it making something “do that which it was not intended to do” is essentially unscientific - as mentioned earlier on in this paper some comparison can be drawn between that very foundation of “hacking” and scientific endeavour.

When the Wright brothers set out to create a flying machine, they were essentially setting out to make a solid object incapable of natural flight, fly; what real difference between that and our defined terms are there?

History is littered with such examples.

The existence of various patterns and the factor of, albeit non definitive, ‘set rules’ in the realms of “hacking” also makes it similar to conventional sciences on a fundamental level; no matter how many vulnerabilities and exploits we may find on, for example a Linux server, ultimately it is still a Linux server and still operates upon the set of rules that Linux servers operate upon; there are exceptions and later additions to these rules in terms of perhaps patches and discovered vulnerabilities, but this process of discovery and amendment is no different to the process of scientific theories which are, from time to time, discredited, rethought or amended as we better our understanding of the subject matter.

Going as far as to put all of the above aside for a moment, the main argument for hacking being a scientific endeavour is as simple as a set basis from which to work. No matter what is being “hacked” it will without exception have a fundamental set of rules from which you can initially begin to work down “the hacking process” (as discussed earlier in the ‘Basic “Hacking” Methodologies’ section). You cannot “hack” thin air – you can create art from thin air.


5. The Argument For Art

A love of “hacking” (not to be confused with a love of the scene, which is something else entirely) is commonplace amongst self proclaimed hackers and professional Infosec workers alike. It’s true to say that unlike any other topic known to me the area of computer security requires a certain passion; one that many “hackers” would argue outweighs the passion required to participate successfully in any other technical activity – indeed a required passion is a trait “hacking” shares with many of the arts in stark contrast to the sciences.

Second to this is the indisputable fact that despite the existence of any rudimentary scientific process, creativity is without a doubt the key to success in hacking; more so than with any other conventional science. Thinking “outside the box” is the norm when discussing “hacking” issues; not a convoluted buzzword designed to inspire artificially fostered creative thinking.

Equally and again despite the theoretical existence of rudimentary scientific processes, patterns and rules within the realms of hacking it is often the case that these rules, more so than with any scientific discipline can be bent or even flat out broken. “Hacking” is a very mobile art in which definitions and rules change on a constant basis – so much so that it is still possible to achieve some levels of success without even being aware of said theoretical processes, patterns and rules in the first place (the aforementioned ‘passion’ in some cases being enough) – a simple fact that makes “hacking” instantly very different from conventional sciences in which a base knowledge of the subject is crucial.

The question of style is always likely to float to the surface sooner or later when discussing hacking and its artistic or scientific definition. A hacker’s style and indeed the very substance of his work is almost always different from his peers. Two targeted hacks (not to be confused with script kiddie adventures) are rarely ever identical, and even less likely embarked upon with the same motive; it has been suggested that tracking repeat hackers (in particular those who deface websites) by their style (ie. choice of attack vector, time of execution, style of defacement and apparent motive) could prove an efficient way to ascertain a black hat’s future targets and even gather incriminating evidence against them. This is perhaps the most damning argument for hacking having become more of an art form than a science, could you claim the above for any conventional scientific discipline?

Or is it simply the case that in conventional science the rules are too rigid to allow for any real “style” in process?


6. Conclusion

All of the above is of course, just my opinion. The beauty of this argument is not only the depth at which you can draw comparison, especially historically – but the fact that ultimately it does not really matter.

From its origins in the 1960’s (and perhaps as discussed earlier in this paper, beyond) to this very day hacking has become an evolving activity. Hacking and “what constitutes hacking” changes, and by doing so incorporates both new levels of scientific method and artistic creativity.

The conclusion to this paper is simply a couple of questions which must be answered by the individual:


• Can a scientist be artistic with his chosen discipline?

• Are you an artist or a scientist?


Personally I’d like to think that a hacker can be artistic in his work while being more of a scientist than anything else. But, it’s all just opinion, what’s yours?