Profile cover photo
Profile photo
Auke Kok
698 followers
698 followers
About
Auke's posts

I've apparently received a "Secure Document" and my curiosity is burning! Does anyone know of a way to extract a VB script payload from a Microsoft "doc" (`file` calls it a "Composite Document File V2 Document", apparently it's an excel spreadsheet") ?

I'm very interested to see what this exploit actually does. A quick scan on strings says it's something using `_Evaluate` :)

I doubt LibreOffice would handle it properly, so that's not something I'm willing to try, yet.

Dear LazyNet. I'm looking for a CalDav Android app/client, but I can't seem to find one. I'll have to build Acal apk myself once to see if it's worth using and actually what I need (I don't want to sync to another format or other external calendar, I just want a client to my caldav so I can get reminders for events on my caldav calendar)

Any ideas?

+Alexander Larsson Trying to package flatpak but I noticed Polkit is a hard stop requirement, any chance of making it optional? What is it needed for? Our distro doesn't have Polkit and "we really don't want to go there".

Post has attachment
Hmmm, nope, still haven't made any progress to cutting down on CO2. I think this year's high is even going to exceed the trend predictions, and by a fair margin too.

http://www.esrl.noaa.gov/gmd/webdata/ccgg/trends/co2_trend_mlo.png

An Actual Attempt to Pwn me.

I just received an actual malicious e-mail that actually attempts to do bad stuff to my computer. I usually delete them quickly (as you should), but this one I'm going to dissect, so you can get an idea what criminals are doing nowadays technology wise.

First, the most important aspect of these e-mails is human gullibility: The email starts with "Notice to appear" and has the following text:

"This is to inform you to appear in the Court on the May 24 for your case hearing.
You are kindly asked to prepare and bring the documents relating to the case to Court on the specified date.
Note: The case may be heard by the judge in your absence if you do not come."

Second: you are tricked to open an attachment. The attachment is malicious, I will go into this later.

At this point you should have deleted the e-mail already. If you wish to verify that it was bogus, you can easily check that (1) there is no police officer outside your door with a warrant, and (2) nothing else. So just go ahead and delete notices like these. The cops will send you a paper letter, not an e-mail.

Going another step further, we can look at the e-mail headers and see stuff in the headers like this:

From: "State Court" <tim.atkinson@shop.denioj.com>

I don't think the state court uses a .com address, do you? If you do think, perhaps you should look at what shop.denioj.com looks like (go ahead and open that in a browser, it's not malicious or bad). Ahhh, it's a Honk Kong rip off illegal football paraphenalia website. They just got "joe jobbed" and someone is relaying these e-mails illegally through their mail server, that's all.

So no, this isn't in any way legitimate, and they don't even try very hard to conceal it. They're not looking to break into my computer, but they are looking to break into gullible people who are not tech savvy. People who panic, click the attachment.

Alright, so what's in the attachment: "00560291.zip"?

Smart move by these guys: don't directly attach an executable file which surely would set off virus scanners. Ok so there's a zip file, you'd have to open it and extract it which takes you out of gmail potentially or outside of Outlook. It's meant to distract you and make you uncomfortable if you're not computer literate.

Now, most virus scanners actually look inside zip files and will scan the files in there, so a bad executable file in there will also be found. So criminals like these like to come up with alternate ways to "obfuscate" and "avoid" scanning software.

In this case, the zip file contains a file named "00560291.doc.js".

This is a javascript file, but since Windows is written from the perspective that users are dumb and should not be educated ...

(presumably to make sure they keep paying 20$ for PowerArchiver2000, and if my condescending tone is taking it too far, please stop reading, or pretend that this is narrated either by Morgan Freeman to soothe your experience, or Joe Pesci if you prefer a more absurdist colorization).

... it hides the extension from the user, so this files shows up for most computer users as "00560291.doc". And of course they want you to double click it, right? yes?

Obviously it's just evil Javascript. You'd execute a bad, bad script.

So what's in the script? Let's dig a step deeper:

q89='var';
var y81='.ba';
var n77='alse';
q89+=' id=';
var y68='sp';

A few thousand lines like these. It's called obfuscation, again, it's just probably simple code, but made really hard to read by humans. I'm not sure why, it's probably obfuscated because it's so easy to use obfuscation software, but I doubt these criminals are dumb enough to expose themselves, right?

Let's go and scan through this a bit deeper then:

var e90=eval;

ahh, they're stuffing a bunch of stuff in a variable, and then

e90(q89);

which ends up, thusly, calling `eval` on `q89`. Presumably the bad code is in `q89` and that is then executed. neat.

Now, I could try to un-obfuscate this all myself, or I can just execute the code and see what it does. But it would be kinda dumb to do this on my own PC. Fortunately, there's plenty of online sandbox tools around that you can use to execute code safely away from your system.

After taking away the eval, and just dumping the output of q89, we get:

http://pastebin.com/A4KsPCaE

(Am I a leet hacked for posting an exploit on pastebin, or what?)

Now, one can read the text there to get a good idea of what is going on, or just read my excellent summary:

If that code runs on your computer, and it has access to your data files (meaning, you executed it in your normal desktop), then it goes and downloads a little executable tool that encrypts all your files and sends the secret key to a bunch of servers on the internet that the attackers presumably control.

The attackers then wait for you to pay the bitcoin fee, and then send you the decryption code so that you can access your files again. The cost is about 230$, which isn't that much actually, apparently they make more money if the price isn't too high for people to pay it, but low enough that most people can get over it.

I'd like to stress the following parts of the exploit:

fp.WriteLine(" - If you do not pay in 3 days YOU LOOSE ALL YOUR FILES.");
fp.WriteLine(" - Nobody can help you except us.");
fp.WriteLine(" - It`s useless to reinstall Windows, update antivirus software, etc.");
fp.WriteLine(" - Your files can be decrypted only after you make payment.");
fp.WriteLine(" - You can find this manual on your desktop (DECRYPT.txt).");

This isn't necessarily true, actually, there are fortunately tools already out there that can decrypt these files (it depends on the encryption used, of course) in many variants of this exploit, but in general it's entirely correct - you're likely out of luck attempting to decrypt your stuff yourself.

I hope you enjoyed this deep dive in the terribly shallow web. This exploit isn't brilliant, not by far, it's actually one of the simplest I've seen in a long time.

Make sure you don't fall for them, and educate your friends and coworkers. If you are the person who regularly shares hoaxes and internet scares, you can repent by sharing this with your friends - I won't mind a bit.

On respect versus merit.

I've recently seen a few typical Open Source Collisions happen and being involved in it partially as well. As I'm a fairly pragmatic person I tend to shrug it off and focus on the work at hand, but there are always a few people around that can't understand that respect and merit are orthogonal.

Any new person who starts out doing Open Source should be met with the utmost respect. They have absolutely no merit to begin with, and others should encourage them and show the beginner mistakes in their work. The new people should treat experienced people as you would treat any good teacher: without any significant more respect than anyone else(!). Poke them, ask them, prod them for answers and explanations, but certainly do not go easy on your mentors - they are there not to sit on a throne and rule, but to guide everyone to do better.

Any experienced person should treat new contributors with respect, but treat their code for what it's worth. No need to get salty if it's bad. Just say "It's terrible" and leave it at that.

But that's where things go wrong. If you, as an experienced developer, fail to explain why a submission is wrong or misinformed, you're not giving someone the education or knowledge that you have, and you're guilty of depriving them of a chance to learn.

Now what I've noticed is that there seem to be many capable, experienced OSS contributors who lavish in merit and destroy their own respect, by ignoring this advice. These aren't business critical projects, but nonetheless it matters to a lot of people, so things get heated pretty quickly.

I've now seen two out of control spirals of disrespect end in people leaving. For no good reason than that the involved senior people entirely confuse merit and respect, and think that they are interchangeable.

It starts with reviews ending up saltier and shorter, especially for reviews from newer contributors. It ends with someone giving up, and sadly it's usually the newer people that give up, even though the potential that they will contribute more and better code in the future is often far more likely than that the merit-soaker is coming back to do actual coding.

So, takeaways for those that recognize the situation? If you don't code anymore in a project, don't become the grumpy reviewer. Let others take over. Stay constructive and technical, and teach instead of criticize. Never attack a person, ever.

Yes, there are indeed plenty of public OSS figures out there that violate these guidelines, and it's inexcusable, really. And totally not needed, either. I've most certainly have been on the wrong side as well, for sure, in the past. I hope I've made up for it, though, and intend to improve where I can.

Post has attachment
I spent the last day killing TIFF from +Clear Linux Project for Intel Architecture ... Given the amount of unfixed CVE's open against the unpatched latest release, and unlikelihood that a fixed release is ever coming out, I can only say that this is going to save everyone a lot of time.

https://lists.clearlinux.org/pipermail/dev/2016-April/000290.html

Where do you find an atx power supply at 6:30 PM? :/

Whatcha reckon folks, is go ready for making cross-platform GUI applications? Any hints? Or stay away until it gets better?

Post has attachment
And this is why college sports organizations that are just shims for professional sports exploitation need to be banned. The pressure of money from above is making these kids immune to corruption, and they don't have a chance.

And don't give the "this did so much nice things for so-and-so" nonsense. These kids are being taken advantage of, even if they are drafted. Of course the NCAA will just blame the coach and kids, perpetuating the cycle.
Wait while more posts are being loaded