
PolyPedo


JamesBaud

Mar 13, 2001, 2:49:56 AM
6IT's PolyPedo is being shafted by NAV, and McAfee on my box as
Bloodhound.vbs ... I think I may have something up me sleeve, I'll post when
I'm done with it.

-- jb


thePull

Mar 13, 2001, 4:09:55 AM

JamesBaud wrote:
>
> No more heuristic snags now... my script takes
> a file and converts every character to a Chr(n) long
> ass string, then executes. As I said before, it was
> detecting PolyPedo as Bloodhound.vbs but after being
> Chr()'ed it ran just fine.

SEE what I am saying? Where is that sniveling little shamster now??

Where ARE THOSE DAMN MAGIC BEADS AV COMPANIES ARE SELLING TO
WARD OFF COMPUTER DEMONS??


>
> Nice little script if I do say so myself... the logic in it is a
> little fucked in that it said I was hosting kiddie porn...
> I haven't torn into much though.

Hrrm, yeah, that would be difficult to really judge on, I would think.


>
> The ChrCon script is attached as vbs. If you DejaFoo's
> can't get the file, try a real ng browser.

http://www.mobilessentials.com/avcenter/cgi-bin/virauto.cgi?vid=18959

You know altavista is popping up this stupid treelot pop up now?

(I have my netscape still set to it, everything else is google. Netscape: great for mail... sucks for a browser.)

Uh oh, better watch out, or THOSE GUYS will come at me threatening
prison for free speech.

Apparently, av.com <- connection here?? Is parsing all clicks through themselves as well, and they JUST HAPPEN TO NOT BE RESPONDING. So, I better get back to work. But, I am interested in any reports from these companies.

(Though, they have no clue as to the sheer danger of this sort of
worm).

Watch out, though, because these AV suits will prolly sell it to some
foreign governments saying the idea was theirs. The little frauds.

>
> -- jb
>
> "JamesBaud" <NOSPL3Mj...@baudbox.com> wrote in message
> news:tark4h5...@corp.supernews.com...

> Name: bbxChrConvertor.vbs
> bbxChrConvertor.vbs Type: VBScript Script File (application/x-unknown-content-type-VBSFile)
> Encoding: x-uuencode

6IT

Mar 13, 2001, 11:41:19 AM

"JamesBaud" <NOSPL3Mj...@baudbox.com> wrote in message
news:tarnr79...@corp.supernews.com...

> No more heuristic snags now... my script takes
> a file and converts every character to a Chr(n) long
> ass string, then executes. As I said before, it was
> detecting PolyPedo as Bloodhound.vbs but after being
> Chr()'ed it ran just fine.

Never heard of bloodhound... I'll have to look into it. However, I wouldn't
think AV can pick up the MSEncoded Version of the script, especially after
it's polymorphed a few times...

> Nice little script if I do say so myself... the logic in it is a
> little fucked in that it said I was hosting kiddie porn...
> I haven't torn into much though.

Yeah, the regexp may need to be refined. In the email that goes out it gives
a directory listing of where it found the matches. Check those files and see
what regexp caught them. I just picked some filenames from a couple random
pedo newsgroups and used those. Some really sick shit out there, kinda stuff
that makes a man sick to his stomach and pollutes his soul just from seeing
it...

> The ChrCon script is attached as vbs. If you DejaFoo's
> can't get the file, try a real ng browser.
>

Thanks, -6IT


JamesBaud

Mar 13, 2001, 1:58:16 PM
There weren't any dir listings... I think it may have something to do with the date, but I need to pick through it some more... will debug later.

I'm in the process of writing a script to Hex()/Chr() over every time the
script is sent right now.

-- jb


"6IT" <6_Inch...@excite.no-spam.com> wrote in message
news:P4sr6.11944$NW6.3...@news.easynews.com...

6IT

Mar 13, 2001, 11:31:23 AM
Is it catching the vbe too? -6IT

"JamesBaud" <NOSPL3Mj...@baudbox.com> wrote in message

news:tark4h5...@corp.supernews.com...

JamesBaud

Mar 13, 2001, 3:34:32 PM
Nope... didn't snag that, it will eventually though.
They'll most likely (since it's just encoded) port a
decoder for vbe's, whereas to catch what Hex()/Chr()
encoded files do, you have to run it in a PSpace. That
will just open up a whole new flood of DoS against AV
if they implement that option using mutating loops. If they
implement a Run In PSpace to check a file they'll have to
set a timeout (otherwise get locked up) and you can just write
a subbie to loop or pause a significant amount of time before
running... or a vbs that writes an engine to decrypt the rest of
a script in the Sub Main.

It's a whole Catch-22.

-- jb

"6IT" <6_Inch...@excite.no-spam.com> wrote in message

news:vXrr6.11681$NW6.3...@news.easynews.com...
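The Chr() trick quoted earlier in the thread (every character of the body rewritten as Chr(n) & Chr(n) & ... and the result handed to Execute) and the run-in-PSpace timeout argument in the post above turn on the same point: the wrapped body is a constant expression. What follows is an added example, not code from this thread or from its authors, written in Python rather than VBScript. It folds Chr()/ChrB()/ChrW() chains in decimal and &H-hex form back into string literals without executing anything, so no emulation budget and no stalling-loop timeout come into play, then applies plain-text indicators to the folded result. The indicator strings, the encode_as_chr() helper and the sample script are constructed for the example; the detection names mentioned on the page (Bloodhound.vbs) are not reproduced.

```python
"""Static unwinding of Chr()-chain obfuscation in VBScript.

Added example, not code from the thread. A body rewritten as
Chr(n) & Chr(n) & ... and passed to Execute is a constant expression:
it can be folded back to plain text without running the script, so
plain-text signatures still apply to the folded result.
All sample text and indicator strings below are constructed.
"""
import re

# One Chr()/ChrB()/ChrW() call with a decimal or &H-hex literal argument.
_CALL = r"Chr[WB]?\s*\(\s*(?:&H[0-9A-Fa-f]{1,4}|\d{1,5})\s*\)"
# Concatenation operator (& or +), optionally followed by a ' _' line continuation.
_SEP = r"\s*[&+]\s*(?:_\s+)?"
_CHAIN = re.compile(rf"{_CALL}(?:{_SEP}{_CALL})*", re.IGNORECASE)
_ARG = re.compile(r"\(\s*(&H[0-9A-Fa-f]{1,4}|\d{1,5})\s*\)", re.IGNORECASE)

# VBScript entry points that turn a string back into code.
_EXEC = re.compile(r"\b(Execute|ExecuteGlobal|Eval)\b", re.IGNORECASE)

# Constructed plain-text indicators; a real engine carries its own list.
SIGNATURES = (
    "Scripting.FileSystemObject",
    "WScript.Shell",
    "Outlook.Application",
)


def encode_as_chr(text, hex_form=False):
    """Rewrite text as a Chr() chain (the transformation the thread describes).
    Used here only to build the constructed sample and to measure its growth."""
    parts = []
    for ch in text:
        code = ord(ch)
        parts.append(f"Chr(&H{code:02X})" if hex_form else f"Chr({code})")
    return " & ".join(parts)


def _decode_chain(chain):
    out = []
    for arg in _ARG.findall(chain):
        n = int(arg[2:], 16) if arg[:2].upper() == "&H" else int(arg)
        out.append(chr(n))
    return "".join(out)


def _vbs_literal(text):
    # VBScript escapes a quote inside a string literal by doubling it.
    return '"' + text.replace('"', '""') + '"'


def fold_chr_chains(src, min_chars=8):
    """Replace every Chr() chain that decodes to at least min_chars characters
    with the equivalent VBScript string literal. Returns (folded_src, findings)."""
    findings = []

    def repl(m):
        decoded = _decode_chain(m.group(0))
        if len(decoded) < min_chars:
            return m.group(0)
        findings.append({
            "line": src.count("\n", 0, m.start()) + 1,
            "chars": len(decoded),
            # size of the chain relative to the text it encodes
            "expansion": round(len(m.group(0)) / len(decoded), 1),
            "decoded": decoded,
        })
        return _vbs_literal(decoded)

    return _CHAIN.sub(repl, src), findings


def scan(src):
    """Fold Chr() chains, then report (a) a folded chain next to Execute/Eval
    and (b) indicator strings that only become visible after folding."""
    folded, findings = fold_chr_chains(src)
    verdicts = []
    if findings and _EXEC.search(folded):
        verdicts.append("chr-chain-to-execute")
    for sig in SIGNATURES:
        if sig.lower() in folded.lower() and sig.lower() not in src.lower():
            verdicts.append(f"hidden:{sig}")
    return {"folded": folded, "findings": findings, "verdicts": verdicts}


# Constructed sample: the payload is wrapped, the Execute loader is left in the clear.
PAYLOAD = 'Set fso = CreateObject("Scripting.FileSystemObject")'
SAMPLE_VBS = (
    "' constructed sample, not the script from the thread\n"
    "Dim s\n"
    "s = " + encode_as_chr(PAYLOAD) + " & _\n"
    "    " + encode_as_chr(' : fso.GetFolder(".")', hex_form=True) + "\n"
    "Execute s\n"
)

if __name__ == "__main__":
    r = scan(SAMPLE_VBS)
    print(r["folded"])
    for f in r["findings"]:
        print(f"line {f['line']}: {f['chars']} chars, {f['expansion']}x larger -> {f['decoded']!r}")
    print("verdicts:", r["verdicts"])
```

The design point is that folding happens on the source text, so a script that sleeps or spins before reaching its payload costs the scanner nothing; the expansion figure in each finding records how much larger the chain is than the text it encodes, which is why the same trick is expensive for the author. It will not see through anything that is not a literal chain (a key derived at run time, for instance), and that limit is exactly where emulation or a restricted execution sandbox comes back into the picture.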

6IT

Mar 13, 2001, 5:26:34 PM
The only problem I see with that is it will double the file size, at least.
Right now the unmodified PolyPedo is 333+ lines of code and over 20K with
just the raw vbs. After it polymorphs, many of the variants will have names
with 8 to 32 characters in them. This was one of the problems I came across
when debugging. Originally, PolyPedo added itself to the Outlook Express
signature like KAK. However, it was way too big, so I removed that code. If
you Chr() out the characters to two digit hex, you'll slow it down quite a
bit. I learned that mistake with pre-0.6 versions of GMCreator when it RC4
encrypted Godmessage. -6IT

"JamesBaud" <NOSPL3Mj...@baudbox.com> wrote in message

news:tat0tuj...@corp.supernews.com...

thePull

Mar 14, 2001, 7:55:02 AM
Jaw drops.

thePull

Mar 16, 2001, 12:42:16 PM
heh heh

JamesBaud wrote:
>
> > I don't run strange scripts from people I hardly know... ;-)
>
> LOL! Yeah, watch out for my mad elite TXT Redirection skeels. My shad0w
> written subliminal messages within the script will fool joo into
> shift-deleting in mass quantities.
>
> -- jb
>
> > Actually, I haven't had time to check it out, maybe this weekend I'll take
> a
> > look at it. -6IT


> >
> > "JamesBaud" <NOSPL3Mj...@baudbox.com> wrote in message

> > news:tb2adu1...@corp.supernews.com...
> > > Must not have run my script on a file yet... it's very, very, very fast.


> > >
> > > -- jb
> > >
> > >
> > > "6IT" <6_Inch...@excite.no-spam.com> wrote in message

> > > news:t8xr6.22243$NW6.6...@news.easynews.com...

JamesBaud

Mar 15, 2001, 3:47:09 PM
Must not have run my script on a file yet... it's very, very, very fast.

-- jb


"6IT" <6_Inch...@excite.no-spam.com> wrote in message

news:t8xr6.22243$NW6.6...@news.easynews.com...

JamesBaud

Mar 15, 2001, 3:54:15 PM
Actually, I found a way to do something like this,
without the many 10's of thousands I'd need to imp
a PSpace executor. Am writing fix to first truly
polymorphic engineless worm not *yet* created.

If anyone knows of a control, or how to, create
a user, change credentials of the user dynamically,
so it can RUNAS that user, limited to file r/w within
only a certain directory, a rigged up "virtual system"
can be made safe (after changing up a code array
dumped to file to get its' contents) to test. Then
by triggers specified by (default) the script writer, or
more stringent ones by the net admin, it can be run
to check for registry access, fso access, env access,
or proprietary control access, and block/allow based
on the boolean triggers.

-- jb

"JamesBaud" <NOSPL3Mj...@baudbox.com> wrote in message

news:tat0tuj...@corp.supernews.com...

6IT

Mar 15, 2001, 4:24:53 PM
I don't run strange scripts from people I hardly know... ;-)

Actually, I haven't had time to check it out, maybe this weekend I'll take a
look at it. -6IT

"JamesBaud" <NOSPL3Mj...@baudbox.com> wrote in message

news:tb2adu1...@corp.supernews.com...

JamesBaud

Mar 16, 2001, 5:27:07 AM
> I don't run strange scripts from people I hardly know... ;-)

LOL! Yeah, watch out for my mad elite TXT Redirection skeels. My shad0w
written subliminal messages within the script will fool joo into
shift-deleting in mass quantities.

-- jb

> Actually, I haven't had time to check it out, maybe this weekend I'll take
