Oct 282015

Stuxnet is well-known in the IT security community. Its fame stems from the facts that it targeted a very specific industrial facility, it aimed at physical destruction, and it apparently accomplished its mission successfully. In addition to all these characteristics, IT security experts also appreciate its technical sophistication and the zero-day exploits that it used. Yet, we believe that the most important impact of Stuxnet in the long run is that it provides a blueprint for carrying out similar attacks in other embedded computing environments.

To demonstrate this, we started experimenting with attacking cars in the same style as Stuxnet attacked uranium centrifuges. Our experiments show that it is relatively easy to perform dangerous modifications to the settings of different car equipment (e.g., the airbag or the ABS in the car) by simply infecting the mechanic’s PC or laptop that runs the diagnostic software used to manage those equipment in the car, and replacing the DLL responsible for communications between the diagnostic software and the car with a malicious DLL that implements man-in-the-middle type attacks (e.g., replay or modification of commands). Indeed, PCs and laptops in mechanics’ workshops are not well maintained, often connected to the Internet, and used for various purposes, not only for diagnostics on cars. So, while remote attacks via the Internet or wireless interfaces seems to be more exciting than attacking cars via the mechanic’s PC or laptop, the latter can in fact be much easier to carry out and more effective in practice. Note the similarity to Stuxnet, which infected PCs that run the software used to manage the PLCs that controlled the uranium centrifuges, and replaced the DLL that was responsible for the communications between the management software and the PLCs.

More specifically, earlier this year, we carried out some research on an Audi TT at the Department of Automobiles and Vehicle Manufacturing of the Budapest University of Technology and Economics. We partially reverse engineered a widely used third-party car diagnostic software, and managed to identify and replace the DLL that it uses to communicate with a special diagnostic cable that attaches to the car’s OBD connector. Our replacement DLL implements man-in-the-middle attacks: we can log all communications between the diagnostic software and the car, as well as replay and modify messages. For this, we also had to partially reverse engineer the protocol used for communications, including figuring out how to decrypt encrypted messages and compute checksums. Finally, as a proof-of-concept, we managed to replay a message that switches off the airbag of the car without the diagnostic software noticing the misdeed.

We presented this work at the Hacktivity 2015 conference in October. The presentation and the recording of the talk is available on the web site of Hactivity (https://hacktivity.com/en/archives/hacktivity-20151/). The slides are also available on Levente’s publication page (http://www.hit.bme.hu/~buttyan/publications.html#SzijjBSz15hacktivity). The direct link to the recorded talk is: https://www.youtube.com/watch?v=5UCsKQjB6ZE.  The work also generated some media attention:

The most accurate description (after our own slides and this blog post, of course) was published in Hungarian on the HWSW portal: http://www.hwsw.hu/hirek/54692/crysys-auto-jarmu-biztonsag-man-in-the-middle.html

The Register article, which was published first:

Others just copied from the above the Register article, and most of them do not describe our work accurately enough:

Some frequently asked questions:

Can you reveal the name of the diagnostic software which you carried out the experiments with?

No, we do not reveal the name of the software. It is sufficient to know that it’s a pretty widely used diagnostic software that is compatible with cars in the VW group. Note, however, that this has nothing to do with VW itself, it’s not their fault, this is a 3rd party software. In addition, we also looked into two other similar diagnostic software from other vendors, and they seem to have the same problem. Essentially, they all use the FTDI DLL to communicate with the diagnostic cable, so the generic idea of our attack (replacing that DLL with a fake one) would work. Details may be different though, as those software may apply different protections against reversing (e.g., better encryption of messages between the application and the cable which would make understanding the protocol harder). We have not yet checked in details those other two software. Also important to point out, that it is not the specific software, which makes our work interesting, but the main message is that embedded devices are typically managed from PCs and they can be infected by using those PCs as stepping stones. This is what we mean by a Stuxnet-style attack in the title of our talk.

Would the attack work for anything other than Audi TTs?

Yes, it works with other cars in the VW group too without any modification. And as said before, it could work with other car brands that use vulnerable diagnostic applications from other vendors.

How challenging is this attack to a reasonably skilled hacker?

It is not something special, so for a reasonably skilled attacker it is completely doable. Important to note that the attacker does not really need to hack embedded ECUs, but the attack essentially requires reversing and attacking an application running on a PC.

Can you do other things than switching the airbag off?

Anything that can be switched on or off from the diagnostic application could have been switched on or off. Moreover, we can hide this from the operator, because our Man-in-the-middle fake DDL can falsify parameters read out from the car. E.g., after switching off the airbag, we can consistently report to the application that it is still switched on.

Is there any limitation of the attack?

One limitation of our attack is that we can only set parameters when the car is connected to the infected PC. In contrast to this, remote attacks that have been in the media recently can affect the car’s behavior in real-time. However, they are much more difficult to carry out, because the attacker needs to find and exploit some vulnerability in one of the ECU’s of the car, instead of infecting a potentially badly managed PC in a repair shop. Yet, our attack may be extensible to be more dangerous: e.g., it may be possible to update the software/firmware of some ECUs via the OBD2 port, in which case we could insert a hidden functionality that is triggered by some condition later on. This is still not completely interactive, but more than a static switch off of a component. However, we did not performed any experiment of this kind, because we didn’t want to potentially brick our university’s car.

Is this attack something really new?

Actually not. Prior work (e.g., Checkoway et al. Comprehensive Experimental Analyses of Automotive Attack Surfaces, Usenix Security 2011) already mentioned the possibility of infecting cars by first infecting diagnostic equipment. Our work was a proof of concept where we tried to study how easy such an attack would be.

Is this really an attack? I mean that if you are connected to the OBD port, you can do whatever you want with the car.

Sure. But let us emphasize again the importance of the generic model of the attack: attack a PC that manages an embedded device, and then attack the embedded device itself. This could be a nightmare in the future. Imagine that you manage all your smart devices in your home/office/factory from your PC. Once dozens of embedded devices are successfully infected, the malware can even disappear deliberately from the PC, so all those embedded devices remain infected and you may never detect that. Whether we call this an attack or not does not really matter. This is certainly an important problem and challenge that we have to address in the future.



This was joint work with Dr. Zsolt Szalay from the Department of Automobiles and Vehicle Manufacturing. We are thankful to him for letting us experiment with the department’s Audi TT. Indirectly, we are also thankful to Audi for supporting research at the Budapest University of Technology and Economics.

Jul 232015

DEFCON CTF in Las Vegas – 07 Aug 2015

Our CTF team, !SpamAndHex qualified for the DEFCON CTF 2015 finals in Las Vegas. The competition is scheduled to start on August 7 and lasts for 3 days.

We are really proud of having achieved this for the first time in our history. There are many competitions all around, however, DEFCON CTF is among the most prestigious and difficult ones. At the same time, we are also the first Hungarian team to compete at the DEFCON finals. That’s why we’ll do our best to represent our country in Las Vegas this year.

More info on the CrySyS Student Core webpage (core.crysys.hu).

Without our sponsors, it would be impossible to participate, huge thanks to them.

CrySyS – Ukatemi – Tresorit – Microsec – MRG Effitas – Z – Balabit – EvoPro – ESET – BME Faculty of Electrical Engineering and Informatics – Carinex – Search-Lab

 Posted by at 10:35 am
Jun 102015

Stuxnet is probably the most well-known malware of our times. Its fame stems from the facts that it targeted a very specific industrial facility, namely a uranium enrichment plant in Iran, it aimed at physical destruction of uranium centrifuges, and it apparently accomplished its mission successfully. In addition to all these characteristics, IT security experts also appreciate its technical sophistication and the zero-day exploits that it used. Stuxnet was also an alarm to the developed world: it shed light on the capabilities of advanced attackers, and at the same time, on the numerous weaknesses of our computing infrastructure. Putting these two together, people started to feel hopelessly vulnerable.

Yet, unfortunately, Stuxnet is not a unique example for a highly sophisticated targeted threat, but there are numerous other pieces of malware of similar kind, including Duqu, Flame, Regin,… Among those, Duqu is particularly interesting, not only because we discovered it back in 2011, but because our analysis pointed out that – while Duqu’s objective is different – it has very strong similarities to Stuxnet in terms of architecture, code, and methods to achieve stealthiness. Today, it is widely believed within the IT security community that Duqu was created by the same attackers who created Stuxnet.

And now we have a new member of the same family!

By courtesy of Kaspersky Lab, in late May 2015 we received samples (more specifically two DLL files) of a new threat, with the hint that this might be related to the Duqu attacks. Our common understanding was that it would be interesting to figure out whether this new threat, dubbed “Duqu 2.0,” is indeed related to the old Duqu attack, and we in the CrySyS Lab should carry out an independent analysis for answering this question. In order to be able to perform an unbiased investigation, Kaspersky Lab did not share more details on their findings with usThe blog post on Duqu 2.0 from Kaspersky Lab can be found at https://securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/

After analyzing the samples that we received, we think that the attackers behind the Duqu malware are back and active. They reused code and ideas from Duqu in the new Duqu 2.0 malware, but at the same time, they also made modifications in order to render Duqu 2.0 undetectable by the old detection methods.

In our full report, available at http://www.crysys.hu/duqu2/duqu2.pdf, we point out numerous similarities that we discovered between Duqu and Duqu 2.0, including the following:

  • Similar string decryption routines related to Anti-Virus product strings
  • Similar methods, magic number, bug and file format related to files encrypted with AES by both threats
  • Same non-standard CBC mode AES encryption used by both threats
  • Extremely similar logging module with exactly the same magic numbers
  • Similar C++-like coding and compiling style

Naturally, our report contains supporting details and analysis for all the similarities listed above.

Actually, it is not surprising that the attackers reused their old tools, as they have already invested a lot of design and development effort in them.  What is perhaps more interesting that they could tweak and optimize their malware such that it was not detected by state-of-the-art defense mechanisms. In part, this is again due to the information asymmetry between the attackers and the defenders: the attackers had the possibility to read all published analysis reports about Duqu, so they knew what the defenders were prepared for, while the defenders typically know very little about the methods of the attackers. This seems to lead to an endless cat-and-mouse game, where the attackers always have an advantage. This also raises the far reaching questions of how much information the defenders should publish about newly discovered threats, and whether security-by-obscurity is perhaps not such an undesirable approach after all.


 Posted by at 1:05 pm
Dec 172014

As we promised in our previous blog post, we release BAB0, the test sample that bypassed all 5 anti-APT products that we tested earlier in this year.

BAB0 is written in C++, and it has a server side written in PHP. BAB0 is downloaded by the victim as part of an HTML page, where it is actually hidden in an image with steganography. The downloaded page also contains scripts that extract an executable from the image when the user clicks on something that appears to be a download button. The image has already been uploaded to Virus Total with 0/54 hits. Once BAB0 is running, it can communicate with a remote C&C server. To hide the C&C network traffic, BAB0 simulates a user clicking on links in a web forum, and downloads full HTML pages with CSS style sheets and images. The real C&C traffic is hidden inside these HTTP requests and responses. BAB0 allows for file download to the victim and file upload to the server, as well as remote execution of commands on the infected computer.

We release the BAB0 sample because we believe this is the most effective way of pushing the vendors to address this and similar threats in future releases of their products and to raise awareness about the fact there are no silver-bullet products that protect against everything possible. The sample that we are releasing now consists of the PNG image that contains the BAB0 executable and the scripts that extract BAB0 from the image. We do not release the source code of BAB0, neither we release the server side of the sample. The sample tries to connect to our server, but no real attacking functionality is deployed on it. In order not to harm end-users, we shared the information being released now with anti-APT vendors (not just the ones that we have tested) almost three weeks ago, when we released the report on our test results. We also shared the BAB0 sample with other security companies who expressed their interest after reading our report. So vendors and security companies had sufficient time to prepare for the public release of BAB0 and protect their customers.

Download BAB0 sample
Disclaimer: This sample is not a malware, but it is a possibly unwanted program. Its functionality is similar to those found in real threats. If you run our sample, it will start communicating with our server, but our server does not send any command to the particular sample program and we do not conduct anything harmfuly for anybody who runs this sample. This sample is designed for security experts to be run in sandbox environment or to analyze its capabilities. We do not prohibit reverse engineering of the sample, and we give explicit permission to run it by security professionals. However, intellectual propery rights on the software and the incorporated ideas belong to CrySyS Lab, part of the Budapest University of Technology and Economics. The sample is provided in an AS-IS basis, as it is disclosed for free, we do not give any warranty, we do not guarantee it cannot cause harm in any IT system. This is a prototype work. If you are not confident how to work with it, please do not download. Authors and the institution take no responsibility on any damages related to the sample or any derivative work.
According to our understanding, this demonstrative work does not contain any exploit, it is not a weapon and not considered as dual-use product according to Hungarian and EU laws. If you have questions or problems, please contact us.

PS. Easter egg:
Babo means hobbit in Hungarian, and we named our sample so, because it was designed to stealthily bypass all state-of-the-art defenses, while actually being very simple, and this is similar to the way Frodo, the hobbit, managed to bypass all defenses of the fearsome Sauron in the Lord of the Rings.

ps2. before you ask. Password is “infected” as usual in the industry.

 Posted by at 8:30 pm
Nov 262014

New anti-APT tools are no silver bullets:
An independent test of APT attack detection appliances

CrySyS Lab, BME http://www.crysys.hu/
MRG-Effitas https://www.mrg-effitas.com/

November 26, 2014.

The term Advanced Persistent Threat (APT) refers to a potential attacker that has the capability and the intent to carry out advanced attacks against specific high profile targets in order to compromise their systems and maintain permanent control over them in a stealthy manner. APT attacks often rely on new malware, which is not yet known to and recognized by traditional anti-virus products. Therefore, a range of new solutions, specifically designed to detect APT attacks, have appeared on the market in the recent past, including Cisco’s SourceFire, Checkpoint, Damballa, Fidelis XPS, FireEye, Fortinet, LastLine, Palo Alto’s WildFire, Trend Micro’s Deep Discovery and Websense.

While these tools are useful, determining their real effectiveness is challenging, because measuring their detection rate would require testing them with new, previously unseen malware samples with characteristics similar to those of advanced malware used by APT attackers. Developing such test samples require special expertise and experience obtained either through the development of advanced targeted malware or at least through extensive analysis of known samples.

We in the CrySyS Lab, together with our colleagues at MRG Effitas, decided to join our forces and perform a test of leading APT attack detection tools using custom developed samples. MRG Effitas has a lot of experience in testing anti-virus products, while the CrySyS Lab has a very good understanding of APT attacks gained through the analysis of many targeted malware campaigns. Therefore, collaborating and bringing together our complementary sets of expertise looked like a promising idea. Our goal was not to determine the detection rates of different APT attack detection products, because that would have required testing with a large set of custom developed malware samples, which was not feasible to obtain within the limited time frame and with the limited resources we had for the test. Instead, our goal was simply to implement some ideas we had for bypassing cutting-edge APT attack detection tools without actually being detected, and to test if our ideas really work in practice.

We developed 4 custom samples in 2 weeks and without access to any APT attack detection tools during the development, and then later tested with these samples 5 APT attack detection solutions in Q3 2014. All 5 tested products are well-established in the market; however, we cannot mention vendor names publicly. The result of the test was alarming:
– one of our 4 custom samples bypassed all 5 products,
– another sample of the remaining 3 samples bypassed 3 products,
– only the two simplest samples have been detected by the tested products, and even those triggered alarms with low severity in some cases.

We made the full report (https://blog.mrg-effitas.com/wp-content/uploads/2014/11/Crysys_MRG_APT_detection_test_2014.pdf) on our test available online. It contains our test methodology, including a brief description of each sample we developed for the purpose of the test, and we also present in it the test results in more details. We decided to publish this report for multiple reasons:
– First of all, we believe that our test was more appropriate for evaluating the detection capabilities of APT attack detection tools than some earlier, heavily criticized tests were, because unlike earlier tests, we used custom developed samples that resemble the malware used in APT attacks.
– Second, some of the products that we tested seem to be overestimated by the users who believe that those products are silver bullets. On the other hand, we have already emphasized at multiple occasions that these products can and will be bypassed by determined attackers. Our test is a clear proof of this, and if we could do that, then APT attackers will also be able to do that, if they have not done so yet.
– Third, we observed that some vendors of APT attack detection tools are often reluctant to participate in tests that try to evaluate the effectiveness of their products. On the one hand, we understand their caution, but on the other hand, we all know that the approach of security by obscurity has its own pitfalls. By publishing this report, we would like to encourage anti-APT tool vendors to participate in independent tests more readily and cooperatively, in order to have sufficient amount of convincing results about their products, based on which well-informed decisions can be made by the users.
– And last but not least, we believe that there are significant differences in the APT detection capabilities of the tested products, and users should be aware that not all vendors provide the same detection rate.

The test sample that bypassed all 5 tested products was developed by the CrySyS Lab. It is a custom designed sample written in C++ with a server side written in PHP. It was designed to be as stealthy as possible. It is downloaded by the victim as part of an HTML page, where it is actually hidden in an image with steganography. The downloaded page also contains scripts that extract an executable from the image when the user clicks on something that appears to be a download button. Once the sample is running, it can communicate with a remote C&C server. To hide the C&C network traffic, the sample simulates a user clicking on links in a web forum, and downloads full HTML pages with CSS style sheets and images. The real C&C traffic is hidden inside these HTTP requests. The sample allows for file download from and upload to the C&C server, as well as remote execution of commands on the victim computer.

We named this test sample BAB0, which (babo) means hobbit in Hungarian, as its objective was to stealthily bypass all state-of-the-art defenses, while actually being very simple, and this situation shows a parallel to the story of the Lord of the Rings, where Frodo, the small hobbit managed to bypass all defenses of the fearsome Sauron, the Lord of Mordor, and reached Amon Amarth, where the One Ring was finally destroyed.

We have a strong intention to publish BAB0 in the near future. This may seem to be controversial, as making the details of BAB0 publicly available can help attackers. We have a different opinion: Powerful attackers have probably been using already similar tricks, but apparently detection tools are not yet prepared to cope with them. By publishing BAB0, we push anti-APT vendors to strengthen their products, which will ultimately make the attackers’ job harder.

For further information, please contact either Zoltan Balázs (Zoltan.Balazs@mrg-effitas.com) or Levente Buttyán (buttyan@crysys.hu). Please note that we cannot provide any vendor specific information about the tests, but we can help organizations to test the products integrated in their environment.

 Posted by at 2:57 pm
Aug 072014

Together with international partners, we have investigated the Turla/Uroburos/Snake related Epic/Wipbot/TavDig/Wordlcupsec operations and the command and control server infrastructure of it. Although hundreds of servers related to the threats were discovered by the community, most of them are not alive as of the analysis. We tried to obtain as much information as possible on the operation, structure and data related to these servers.

Our findings are summarized in our short report

For further information please also check Kaspersky Securelist Post,Symantec blog entry too.

 Posted by at 2:56 pm
Jul 032014

*UPDATE: fixed 4 hashes – 1 character was missing
*UPDATE: 93deb98d89b8acfa4115ce1ca89ac26a45aae4563c3a454bf8b2a26886f40a46 most likely is a False Positive (FP) and not evil
*UPDATE: 8290b324f5cdb5c3ea17fa48a74bc11c856f0da0b049d07d9316d161f71f26a5 is old miniduke sample from 2013

February, 2013 we conducted research together with Kaspersky Lab on a malware campaign called MiniDuke. The research on the threat has not stopped. In 2014 Eset published MiniDuke still duking it out information on related attacks, which we can confirm and for which we’ve sent out some additional information towards the incident response community.

Lately, F-Secure published on CosmicDuke ( see CosmicDuke – Cosmu with a twist of MiniDuke.
Today, Kaspersky Lab also added more insight ( Miniduke is back: Nemesis Gemina and the Botgen Studio) on the threat.

As the information on the threat is now publicly available, we also release some additional hints that can help you to find infections (indicators of compromise).


User names for FTP authentication:


Related file hashes:

--> likely False Positive: 93deb98d89b8acfa4115ce1ca89ac26a45aae4563c3a454bf8b2a26886f40a46
--> This is old miniduke sample 8290b324f5cdb5c3ea17fa48a74bc11c856f0da0b049d07d9316d161f71f26a5

 Posted by at 1:59 pm
Feb 022014

The criminals behind the malware delivery system for GameOver Zeus have a new trick. Encrypting their EXE file so that as it passes through your firewall, webfilters, network intrusion detection systems and any other defenses you may have in place, it is doing so as a non-executable “.ENC” file. If you are in charge of network security for your Enterprise, you may want to check your logs to see how many .ENC files have been downloaded recently.

Gary Warner wrote a blogpost over it, and shared some files and information with us. The question was, how the .enc file is decoded and used.

The droppers sent out through emails are pretty small, around 10-18 kb. These droppers have an obfuscation layer, so hard to directly analyze them. However, with volatility it was relatively easy with procexedump to extract a small, 5k downloader that actually connects to a server to download the related .enc file, decrypt and decompress it, and execute.

The encrypted files look like this at the beginning:

0000000000: 5A 5A 50 00 E7 31 0E 1E │ 02 17 0E 50 58 87 0E D1 ZZP ç1♫▲☻↨♫PX┼♫Ń
0000000010: 5C 87 3E AC A7 87 0E EB │ 58 BF 23 52 58 C7 0A 6B \┼>¬§┼♫ëXż#RXÇ◙k
0000000020: 41 87 E6 53 54 89 11 53 │ E2 89 0E E7 51 4A 2F EB A┼ćST%◄Sâ%♫çQJ/ë
0000000030: 58 86 42 9E 79 D3 66 3A │ 2B 87 2E 23 2A E8 69 21 X┼BžyÓf:+┼.#*či!
0000000040: 39 EA 0E 73 3B E6 60 3D │ 37 F3 2E 53 3A E2 2E 21 9ę♫s;ć`=7ó.S:â.!

ZZP\0 is a magic string, then a compressed and encrypted part is stored (here: 0xE7 0x31…)

After downloading the .enc file the dropper checks the magic:

.text:00971450 cmp byte ptr [esi], 5Ah
.text:00971453 jnz short loc_9714D2
.text:00971455 cmp byte ptr [esi+1], 5Ah
.text:00971459 jnz short loc_9714D2
.text:0097145B cmp byte ptr [esi+2], 50h
.text:0097145F jnz short loc_9714D2
.text:00971461 cmp [esi+3], bl
.text:00971464 jnz short loc_9714D2
.text:00971466 shl eax, 2
.text:00971469 push eax ; dwBytes
.text:0097146A push 8 ; dwFlags

… and does the decryption….
.text:0097149C loc_97149C: ; CODE XREF: start+455j
.text:0097149C xor [esi+ecx*4], eax
.text:0097149F mov edi, [ebp+78h+Buffer]
.text:009714A2 inc ecx
.text:009714A3 shr edi, 2
.text:009714A6 cmp ecx, edi
.text:009714A8 jb short loc_97149C

eax stores the encryption key, which is 32 bits long.
The executable stores its configuration in a compressed form, but in cleartext.

0000001000: 85 B0 00 64 63 6D 73 73 │ 65 72 76 00 69 63 65 73 •° dcmsserv ices
0000001010: 2E 63 6F 6D 02 00 0C 00 │ 2F 69 6D 61 67 65 80 73 .com☻ ♀ /image?s
0000001020: 2F 73 74 6F 72 69 01 1C │ 08 6C 69 64 00 18 70 64 /stori☺∟◘lid ↑pd
0000001030: 66 2E 18 65 6E 63 0D B4 │ 0F 00 B8 37 B8 0A 1E 01 f.↑enc♪´☼ ¸7¸◙▲☺
0000001040: 0E 02 00 06 65 6C 65 63 │ 00 74 72 69 63 69 61 6E ♫☻ ♠elec trician
0000001050: 73 00 64 75 62 6C 69 6E │ 69 72 20 65 6C 61 6E 64 s dublinir eland
0000001060: 04 78 2F 77 00 70 2D 63 │ 6F 6E 74 65 6E 00 74 2F ♦x/w p-conten t/
0000001070: 75 70 6C 6F 61 64 00 73 │ 2F 32 30 31 34 2F 30 16 upload s/2014/0▬
0000001080: 31 22 70 02 6B 01 03 6B │ 00 00 00 00 00 00 00 00 1"p☻k☺♥k

The compression here is RtlDecompressBuffer standard windows call.

rtldecompressbuffer_dword_972000 = (int (__stdcall *)(_DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD))GetProcAddress(v9, "RtlDecompressBuffer");

It is called like this:
rtldecompressbuffer_dword_972000(0x102u, v11, 1024, &unk_974000, 256, &v36);

0x102 stands for: 0x100 for max compression level, 0x02 for LZNT1 compression algorithm.

If you don’t have LZNT1 related code at hand, you might use the tool available at the following address: http://reboot.pro/files/file/121-lznt1-tools-bootmgrntfs/
It does not work for all the samples, but works most of the time.

So decompressed config looks like this:

0000000000: 64 63 6D 73 73 65 72 76 │ 69 63 65 73 2E 63 6F 6D dcmsservices.com
0000000010: 00 00 00 00 00 00 00 00 │ 00 00 00 00 00 00 00 00
0000000020: 2F 69 6D 61 67 65 73 2F │ 73 74 6F 72 69 65 73 2F /images/stories/
0000000030: 73 6C 69 64 65 73 2F 70 │ 64 66 2E 65 6E 63 00 00 slides/pdf.enc
0000000040: 00 00 00 00 00 00 00 00 │ 00 00 00 00 00 00 00 00
0000000050: 00 00 00 00 00 00 00 00 │ 00 00 00 00 00 00 00 00
0000000060: B8 37 B8 1E 00 00 00 00 │ 02 00 00 00 65 6C 65 63 ¸7¸▲ ☻ elec
0000000070: 74 72 69 63 69 61 6E 73 │ 64 75 62 6C 69 6E 69 72 triciansdublinir
0000000080: 65 6C 61 6E 64 2E 63 6F │ 6D 00 00 00 2F 77 70 2D eland.com /wp-
0000000090: 63 6F 6E 74 65 6E 74 2F │ 75 70 6C 6F 61 64 73 2F content/uploads/
00000000A0: 32 30 31 34 2F 30 31 2F │ 70 64 66 2E 65 6E 63 00 2014/01/pdf.enc
00000000B0: 00 00 00 00 00 00 00 00 │ 00 00 00 00 00 00 00 00
00000000C0: 00 00 00 00 00 00 00 00 │ 00 00 00 00 B8 37 B8 1E ¸7¸▲
00000000D0: 00 01 00 00 02 00 00 00 │ ☺ ☻

The 32-bits xor code used for encryption is stored 0x60 bytes after the beginning of this buffer, that means, for both servers it is 0b8 0x37 0xb8 0x1e.
This should be used cyclically on the .enc file to get the compressed file , which again is compressed with RTLCompressBuffer call.

So how to make a universal decoder for .enc files?

Let’s check this one:

0000000000: 5A 5A 50 00 5F 8D B8 53 │ E2 A7 B8 1D B8 37 B8 9C ZZP _Ť¸S⧸↔¸7¸ś
0000000010: BC 37 88 E1 47 37 B8 A6 │ B8 0F 95 1F B8 77 BC 26 Ľ7?áG7¸|¸☼•▼¸wĽ&
0000000020: A1 37 60 1E B4 39 A7 1E │ 02 39 B8 AA B1 FA 99 A6 ˇ7`▲´9§▲☻9¸Ş+út|
0000000030: B8 36 F4 D3 99 63 D0 77 │ CB 37 98 6E CA 58 DF 6C ¸6ôÓtcĐwË7?nĘXßl

I’m cheating and telling you that it will be decrypted to

0000000000: E7 BA 00 4D 5A 90 00 03 │ 00 00 00 82 04 00 30 FF çş MZ? ♥ '♦ 0˙
0000000010: FF 00 00 B8 00 38 2D 01 │ 00 40 04 38 19 00 D8 00 ˙ ¸ 8-☺ @♦8↓ Ř
0000000020: 0C 0E 1F 00 BA 0E 00 B4 │ 09 CD 21 B8 00 01 4C CD ♀♫▼ ş♫ ´○Í!¸ ☺LÍ

Where B8->00 53->4D E2->5A A7->90 is the transformation.
4D 5A is the standard PE header, and for all the .enc files, the next byte was 0x90. Before the MZ header, the compression magic always contains a 0x00 byte. So we have 4 fixed bytes. Hence let’s calculate the key:

1st byte: 0xB8 xor 0x00 = 0xb8
2nd byte: 0x53 xor 0x4D = 0x1E
3rd byte: 0xE2 xor 0x5A = 0xb8
4th byte: 0xA7 xor 0x90 = 0x37

Remember the config file? The key was B8 37 B8 1E, this is just a rotated version of it with 2 bytes shift as you know, the magic starts with two additional bytes.

So as these bytes are currerntly constants, it’s evident to create a generic decryptor too for the .enc files, that works without the hard coded key, only with the .enc files. After decrypting, of course, you have to run RTLDecompressBuffer to get the actual executable.
Note, there is another small encryption routine in the 5k dropper, we did not fully investigate what it codes:

.text:00971000 encrypt_sub_971000 proc near ; CODE XREF: start+4AFp
.text:00971000 arg_0 = dword ptr 4
.text:00971000 arg_4 = byte ptr 8
.text:00971000 arg_8 = dword ptr 0Ch
.text:00971000 mov ecx, [esp+arg_8]
.text:00971004 test ecx, ecx
.text:00971006 jz short loc_971029
.text:00971008 movzx eax, [esp+arg_4]
.text:0097100D imul eax, 1010101h
.text:00971013 mov edx, ecx
.text:00971015 push ebx
.text:00971016 push edi
.text:00971017 mov edi, [esp+8+arg_0]
.text:0097101B shr ecx, 2
.text:0097101E rep stosd
.text:00971020 mov ecx, edx
.text:00971022 and ecx, 3
.text:00971025 rep stosb
.text:00971027 pop edi
.text:00971028 pop ebx
.text:00971029 loc_971029: ; CODE XREF: encrypt_sub_971000+6j
.text:00971029 mov eax, [esp+arg_0]
.text:0097102D retn
.text:0097102D encrypt_sub_971000 endp

(copied from cef76fa7b4b30f76c7b6d2eefa30d944 sample)

 Posted by at 9:11 pm
Nov 072013

This article reflects results of joint work with Ukatemi guys.
(A magyar nyelvű változat az angol után található.)

Adobe was compromised this September. Stolen data was first found in September and disclosed in early October by Brian Krebs. Later on, some 10 days ago somebody has leaked a 9GB (uncompressed) authentication database stolen from Adobe.

The database was analyzed recently based on the properties of the encryption scheme.
http://stricture-group.com/files/adobe-top100.txt contains the results of the analysis: the top 100 frequently used encrypted passworts and the most probable guesses for the raw password.
Press write-up is also available on the research: http://www.zdnet.com/just-how-bad-are-the-top-100-passwords-from-the-adobe-hack-hint-think-really-really-bad-7000022782/

We were however curious about the passwords chosen by Hungarians. In the Adobe leak, there are 209 125 email addresses with .hu CCTLD domain name. By the same way how the previous research was carried out, we created a list of most frequent passwords among this 200 thousands of users and tried to pinpoint the most likely cleartext password based on the password hint information and email addresses.

Note, however, that due to the much smaller corpus (200k instead of 154M accounts), we had much lower number of password hints, and thus the confidence of our results is lower.
In the table below, we show the frequency, how many times a password was used in the .hu corpus, and for comparison, we also show the frequency in the full database. If a password is often used in the whole database, then it is most likely not a specific hungarian word, but some internationally known word,phrase or code. In addition to the most likely password, we give secondary ideas in cases where we are not confident enough, and some information about the meaning of the specific word, if it relates to Hungarian language or culture.

Ezév szeptemberében vették észre, hogy valamilyen ismeretlen csoport feltörte a világszerte ismert Adobe szoftvergyártót (többek között az Acrobat Reader, Photoshop és Flash Player gyártóját), és elloptak a cégtől forráskódokat valamint nagyméretű felhasználói adatokat tartalmazó adatbázisokat. Október elején került napvilágra az adatlopás ténye, és október végén hírek kaptak napvilágra arról, hogy a cég 154 millió felhasználójának adatai is napvilágra kerültek. Pár nappal később egyre több helyen volt elérhető ez az ellopott 9GB méretű információhalmaz. Az adatok tartalmazzák a felhasználók e-mail címeit, kódolt jelszavát és ún. jelszó-tanácsát is. A kódolt jelszó egy szimmetrikus rejtjelezővel, egy erősnek számító 3DES algoritmussal van rejtjelezve, a jelszó-tanács egy védelem nélküli szöveg.
A rejtjelezett jelszót kulcs nélkül nem lehet dekódolni, és a kulcs egyelőre nem szivárgott ki. Ezért a jelszavak elvileg nem feltörhetőek. Sajnos azonban az iparági gyakorlattól eltérően a tárolási mód sérülékenységeket rejt magában. A rejtjelezett kulcsok nem salt-oltak és ECB módban “IV” nélkül rejtejelezettek. Ezek a szakkifejezések azt mondják ki: ha két felhasználónak azonos a jelszava, akkor a rejtjelezett párjuk is azonos.

Ez pedig gond. Sok felhasználó esetén sokan használnak azonos jelszót. Ha két felhasználó azonos jelszót használ, akkor a kódolt jelszavuk is azonos lesz. Ha találunk két felhasználót, akiknek azonos a kódolt jelszavuk, és az egyik a jelszó-tanács mezőben az írja, hogy “A jelszó három a betű és az 12 számsor”, akkor nagy valószínűséggel tudjuk, hogy a másik felhasználónak is aaa12 a jelszava. Nincs lehetőségünk a teljes bizonyosság megszerzésére, tehát ez a trükk főleg olyan jelszavakra működik, ahol a jelszavakat sokan használják és sok a jelszó-tanács (password hint) is.

Ennek megfelelően külföldön már pár napja publikáltak egy listát a leggyakoribb 100 rejtelezett jelszóról és annak megfejtett párjairól. A .hu domain névvvel regisztrált email című felhasználók száma meghaladja a 200 000 elemet a listában, közösen az Ukatemi startup cégünk embereivel azt vizsgáltuk meg, hogy mik a magyar jelszóválasztási szokások, és hogyan illeszkednek a nemzetközi környezethez.

Az alábbi listában megtekinthető a magyarok (.hu email) által leggyakrabban használt jelszavak kódolt változata, a darabszám, ahányszor .hu domainről használták, a darabszám, ahányszor nemzetközileg használták (ez is érdekes lehet, hisz vannak magyarok .com cím alatt is, és vannak jelszavak, amik nemzetközi szinten is használatosak). Feltűntettük a legvalósznűbb becslésünket a jelszóra (ami nem biztos, mert nem ellenőrizhető jogszerűen), és a tippjeinket, ha a legbiztosabb ötlet nem igaz. A külföldiek számára kis értelmezést is elhelyeztünk a jelszó jelentéséről.
Összesen csak kb. 3 jelszó esetén nem volt elég adat a nagyjából biztonságos azonosításra, ezeknél valamilyen okból senki, vagy szinte senki nem jelölt meg jelszó-emlékeztetőt.


  • Sok citromail.hu felhasználó jelszava “citrom” – nem túl kreatív és veszélyes
  • Sok jelszó-tanács nagyon egyszerű ” a van ellentéte” “nem narancs” “A tudom ellentéte”
  • Sok tanács kiad plusz információt “Ugyanaz, mint az xy@z.hu címemen” – ez külön segítség, hogy mit támadhatunk meg még a jelszóval.
    “Mint mindenhol” – ez is egyértelműen gond, nemcsak, hogy ugyanazt a jelszót használja a felhasználó, de még segíti is a támadót, hogy továbbmenjen.

  • Sok felhasználó “nevem” “barátnő neve” “második nevem” szöveget írt, mondván, esetleg az email címéből ez nem következik. Ugyanakkor, a többi azonos jelszót
    használó felhasználónak elég egy szempillantást venni az email címeire, és triviális, hogy ha 20 emberből 10-nek csilla szerepel a címében, akkor a jelszó csilla, vagy annak becézése lesz. És innentől egy vadidegenről azt is tudhatjuk, hogy mi a neve, barátnője neve, második neve stb., ami segítség ún. social engineering támadásokhoz is.

FRISSÍTÉS: Találtunk pár apróbb hibát, ezeket “FIXED” felirattal javítjuk

Mintaként nézzük meg a következő rövidített listát (lecseréltük X-re a nem releváns részeket):


A “nevem” “name” “Asszony” és “kislanyom” alapján egyértelmű, hogy egy női nevet keresünk. Ezután pedig elég ránézni az e-mail címek listájára, hogy észrevegyük mennyire sok “csilla” szerepel rajta. Persze tévedhetünk, hiszen van egy “lindus” email című is, de a “csilla” elsöprő többségben van.

A jelszavak listájából látszik, hogy nagy az átfedés a nemzetközileg is használt jelszavakkal pl. “123456”, de vannak lokálisak is “szerelem”. A legtöbb jelszó továbbra is név vagy becenév, alig van ettől eltérő az első százban. Tanács: Sose használjuk emberek neveit, beceneveit, vagy azok módosításait, mert ezek a leggyakoribbak. Legyünk kreatívabbak, még mindig igaz, hogy a cseresznye151pok sokkalta biztonságosabb, mint a kr1sztinaIloveyou. A legjobb, ha valami generátorral készítünk jelszavakat, ezek sem tudnak csodát tenni, de egy DooYee7goe5EeFa nagyon erős. Összehasonlíthatatlanul erősebb az eddigi vicces példáknál.

A helyzet tehát az, hogy aki regisztrált az Adobe-nál bármilyen okból, és a jelszavát máshol is használta, azonnal jelszót kell változtatnia a többi helyen.

RankNo. in .huNo. in allEncrypted PWMost likely passwordIs it in top100/english?remarks, other guesses
2525932pbn7wO3zb+8=jelszopassword in hungarian
534813401uQM9dmQq8vE=qwertzhungarian keyboard layout has y=z
15189320q1A6iHNzTFg=valamisomething in hungarian
1717614673zV1jrgwEro=attilahungarian male name
18175284MiWs/2HM40w=lacikahungarian male name
21151274z5rLiwD12co=almafaappletree in hungarian
22150260N4+iUEuZbPw=cicacat in hungarian
23137214MAEvnIZOuSk=petipeter in short
241356662uIMAMQyXI/g=something international, 6600 hits
25134239dvqulUaGiQg=zolikazoltan in short, male name
26126273AhfBRgIzdos=tamasmaybe tomi tomika, male name
27125294W/jzwDNnaOw=lofaszshould be censored
28124367MSycWzt2SLPqvJr9l/X59g==szerelemlove in hungarian
29123220rA3xnflDDXI=esztikemaybe eszter, hungarian female name
32116234zjrHRH4etC0=macikamaybe maci, stands for bear or teddy
33107234m0/4nMkmJyM=gabimaybe gabika, female or male name in short
35104187P9f9Bgw46Hk=nincsmeans it does not exist
36102194zwakdT5tFhk=titoksecret in hungarian
37100192/jNYdvynVr0=csillagstar in hungarian
381001162+bZCz+Mm7WHioxG6CatHBw==budapestcapital of Hungary
3997235iqVZniq2Z6fioxG6CatHBw==cicamicalike pussycat
4097443bDjmWzVDGMo=danimale name in short
4492155FClbZZD1l1A=FIXED: nemtomI dunno in short
4591149Xe2T3yCUsCc=balazsmaybe balu, balika
4690155lwXlGk4RTzc=mazsolakind name
4789247D0B1TLHoZoTioxG6CatHBw==szeretetlove (one version) in hungarian
4888197Yg/0iyYFi+A=janikamale name in short
5086421FvWPZ2OI8V0=tigrismaybe tigris1
52844540TYrTfuuBGm0=monikafemale name in short
5383142p6kbkduAMhPioxG6CatHBw==FIXED: macilaci/TD>Yogi Bear
5482153iolWV4U4baM=madarbird in hungarian
5581131TiMyOmRnnYk=mokussecond guess: manoka mokus is for squirrel
5680214ugYjb/7SO9DioxG6CatHBw==FIXED: nemtudom“I don’t know”
59796920QkLIDf6naxw=no hint, strange
61784829XWs+3joEULU=0123456maybe 012345
6374377syBP2PbOprLioxG6CatHBw==FIXED: freemail
64739787C6fdPcrsYlU=123asdor asd123
68717991E3P4TkKmrIE=no hint, strange
7169111WHnoclxstks=some woman’s name, bea, betti, zsuzsa or monika are most likely
77681398Nd+cNdQ360=csillahungarian female name
7866959remGyraE2+rioxG6CatHBw==viktoriahungarian female name
79665213SVXt5Rlot1U=cleveror something related to iq, cleverness, and a brand of computer mouse
816613531DuMurYI43dU=blablablahblah in hungarian
8265737vEldih7WrfY=vivienfemale name
8365129o2D+z1QYuHo=FIXED: nyuszibunny in hugarian
84657070U1yPApWcaOA=barbarafemale name
8662128vQGGxx87Fyk=leventemale name
8762957DOklOXTFPo=zsoleszor other forms of zsolt, like zsolti
896181gkfBa7HrOnY=citromfunny, many “citromail.hu” users chose that, hungarian: lemon
9160102kiQXbvrKbiA=robior robert, robby, roby, or similar
926088GsQ/41R7pXw=FIXED: krisztifemale name
9360194/EoAhM0rWA8=katamaybe katalin, kati, female name
9659181Kt3DWt8h3tg=ildikohungarian female name
9857146MoedSZDdCmk=zsuzsior zsuzsanna, hungarian name like suzy
1005697pp3j26xZbvTioxG6CatHBw==kiskacsastands for duck in hungarian. fix: kacsa->kiskacsa “small duck”
10156P2x/N9v5UaM=melindafemale name in short

Edited by: Boldizsar Bencsath

 Posted by at 9:36 pm