Monthly Archives: January 2011

Blog wrap-up for January 2011

  • Malware: how comes we are infected?
  • The most successful malware requires user interaction to be installed.

  • How to change attribute in AD: alternatives #2
  • How to create your own GUI for changing an attribute for an AD object.

  • %SystemRoot%\System32 secrets
  • Do you know what is in your system32 folder? Ohhh… There are treasures =)

  • Creating self-signed certificate for code-signing
  • You need a certificate for your own use and don’t want to pay? Do it yourself!

  • Live Writer Wrap Up Tool: My version
  • My very first C# application. Quite buggy in some respects but it WORKS! =)

  • MS Guru writes a thriller, MS OneNote starts in iPhone
  • The world went nuts, but I like it.

  • %SystemRoot%\System32 Secrets: Schtasks
  • The continuation of the series.

  • %SystemRoot%\System32 Secrets: Auditpol
  • And once more the continuation.

    %SystemRoot%\System32 Secrets: Auditpol

    This command is very useful in case you need to fine-tune auditing. For example, using only the GUI you cannot set “Audit directory service changes” without also setting “Audit directory service replication”, because “There is no Windows interface tool available in Windows Server 2008 to view or set audit policy subcategories”. Therefore, you need auditpol badly in case you need to set those subcategories. You also need it in order to script changes to SACLs or the auditing of them. You also need it to back up or restore those policies quickly (say you need to turn some auditing settings on for some time and turn them off later). And you can fully reset the auditing policy with it.

    Wow! While writing the text I became filled with awe. I definitely should have used it more =)

    The syntax is quite extensive, so I will just show you a very simple example:

    [image]
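The backup / set subcategory / verify / restore cycle described above, as an added PowerShell example (not from the original post); the backup path is an assumption, and the two subcategory names are the ones the post says the GUI cannot set on their own:

```powershell
# Added example: back up the audit policy, enable the two Directory Service
# subcategories from the post, verify the result, and keep the backup so the
# change can be rolled back later. Run from an elevated prompt.
# $BackupFile is an assumed location; pick your own.
$BackupFile = Join-Path $env:TEMP 'auditpol-backup.csv'

# 1) Back up first: one /restore brings everything back later.
auditpol /backup /file:$BackupFile
if ($LASTEXITCODE -ne 0) { throw "auditpol /backup failed ($LASTEXITCODE)" }

# 2) Subcategories cannot be set from the GUI (see the post), so set them here.
$Subcategories = @('Directory Service Changes', 'Directory Service Replication')
foreach ($sub in $Subcategories) {
    auditpol /set /subcategory:"$sub" /success:enable /failure:enable
    if ($LASTEXITCODE -ne 0) { throw "auditpol /set failed for '$sub' ($LASTEXITCODE)" }
}

# 3) Verify: /r prints CSV, so we parse it instead of scraping screen text.
#    The list is passed as ONE argument; a bare "a","b" would become a PowerShell array.
$list = $Subcategories -join ','
$Effective = auditpol /get /subcategory:$list /r |
    Where-Object { $_ } |          # drop any blank line before the CSV header
    ConvertFrom-Csv
$Effective | Select-Object Subcategory, 'Inclusion Setting' | Format-Table -AutoSize

# 4) When the investigation is over, put the old policy back:
#    auditpol /restore /file:$BackupFile
```

Keep the backup file somewhere outside %TEMP% if the restore may happen after a reboot or from another account.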

    Have fun! =)

    %SystemRoot%\System32 Secrets: Schtasks

    After my previous post about the AT command I received some feedback from people who obviously enough hadn’t read my post in its entirety =) The feedback stated that “AT is deprecated and is to be replaced with schtasks”. You bet I knew that! =)

    Nevertheless, schtasks is really more powerful, and since my article touched more than one heart I decided to write the next post not about auditpol, which is next in my alphabetical list of interesting apps in the System32 folder, but about schtasks. Let’s begin.

    Schtasks

    Compared to AT it is a huge advancement. Really, here are its subcommands: create, change, run, end, delete, query. Actually it can do everything you can do through the Scheduled Tasks applet in Control Panel. And since it is a CLI command, everything is scriptable. But as usual, there is a price for the power: the syntax description consists of 33 pages in MS Word with font size 8.5. 33 pages! Still, they recommend switching from AT to this command and, to be honest, you don’t have much choice if you need just a bit more than AT can give you. Moreover, if you do learn the syntax, it can be rewarding:

    schtasks /create /tn "Shutdown Friends Machine" /tr "shutdown /s /f /t 0" /sc minute /mo 5 /s friend

    The command above replaces ALL the commands I had to enter using AT.
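Since everything about schtasks is scriptable, the query subcommand is also the way to review what someone else has scheduled on a box (the task created above would show up with “Task To Run” equal to shutdown /s /f /t 0). Added PowerShell example, not from the original post; $Computer is an assumption:

```powershell
# Added example: list non-Microsoft scheduled tasks on a host using
# "schtasks /query". /v adds "Task To Run" and "Run As User", /fo CSV makes
# the output parseable. $Computer is an assumption: a host you administer.
param([string]$Computer = $env:COMPUTERNAME)

$lines = schtasks /query /s $Computer /fo CSV /v
if ($LASTEXITCODE -ne 0) { throw "schtasks /query failed against $Computer ($LASTEXITCODE)" }

# Quirk: with /v the header row is repeated once per task folder. Keep the
# first copy, drop the repeats, then let ConvertFrom-Csv build the objects.
$header = $lines[0]
$body   = $lines | Where-Object { $_ -and $_ -ne $header }
$tasks  = (@($header) + $body) | ConvertFrom-Csv

# Windows' own maintenance tasks live under \Microsoft\; everything else was
# added by an administrator, an installer, or someone who had admin rights.
$custom = $tasks | Where-Object { $_.TaskName -notlike '\Microsoft\*' }

$custom |
    Select-Object TaskName, 'Run As User', 'Schedule Type', 'Next Run Time', 'Task To Run' |
    Sort-Object TaskName |
    Format-Table -AutoSize

# A task that runs as SYSTEM but executes something outside %SystemRoot% or
# Program Files deserves a second look; the filter below is a starting point.
$custom | Where-Object {
    $_.'Run As User' -eq 'SYSTEM' -and
    $_.'Task To Run' -notmatch '^"?[A-Za-z]:\\(Windows|Program Files)'
}
```

The CSV column names are the English ones; on a localized Windows they differ and the property names in the script must follow.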

    MS Guru writes a thriller, MS OneNote starts in iPhone

    What a crazy world, one can say… Still it is true:

    New book of Mark Russinovich

    Mark Russinovich has written a thriller named Zero Day. Something about cyber crime, cyber attacks and so on. I won’t even read the excerpts: I’ll just get this book as soon as I can after it is out (March 2011). Pre-0rder i$ @v@i1@b1e.

    OneNote is on iPhone/iPod.

    And it even works, though I haven’t yet fully synchronized it with my SkyDrive storage. The process is to be continued soon, though. Download it from the Apple store and enjoy. It is “free for a limited time”.

    Live Writer Wrap Up Tool: My version

    As I mentioned some time ago, a guy named Simon May created a small tool which allows you to create a blog post with all your recent blog posts inside. It is cool and really saves me some time. However, I decided to:

    1) adapt it more for my needs

    2) write at last my first app since… Hell, I haven’t been writing anything but scripts for 15 years already =)

    So, a guy with more than one blog and programming knowledge at the BASIC (not even VB!) “Hello World” level closes his eyes, downloads Visual C# 2010 Express and starts to develop his own application. OK, I had to open my eyes before downloading VS. Then I got Simon’s explanations of his process of programming the thing, spent about 10-15 hours looking for solutions to my problems on MSDN and other Internet resources and…

    [image]

    Well, my program is definitely not so good looking, more complex, and contains an orthographical mistake (will be fixed in the next “release”. Yeah, now I can “release” things. As if I were an actual programmer =))) ).

    Some things are ugly crutches because I don’t know all the abilities of the language and didn’t plan for it well. Some places in my code are topics to research further, because I used them without understanding them. Just take a look at this beautiful comment:

    /// Tell me what the hell am I doing here? =) I guess it is LINQ? =)
    OrderedFeed = feed.Items.OrderBy(i => i.PublishDate);

    But it works for me!

    I’ve replaced the calendar from Simon’s version with two date pickers, added two presets to the time period selection, added the possibility to remember several blog feeds and sort items in the wrap-up.

    What’s the moral of the story? You can create a program even if you are not a professional at it. With Visual Studio it is really easy. So, if you need something small but cannot find it, create your own goodies. It is also fun: creating something, looking for solutions and so on.

    Just in case you want to try my app yourself, the link to the installer is below. Just several points to notice before you install it:

    1) It was fun for me. And it was designed for me. And I promise you I didn’t intend the program to be harmful. But still, being a somewhat security guy: why should you trust me? And it is placed on free hosting. Anyway, I won’t take any responsibility for the program’s results should they not be good.

    2) The program will look for updates while starting. If you need a version which doesn’t… Well, write your own one =)

    3) If you have ideas about it: write me, I’ll think it over. I don’t promise I will implement your ideas, but I like challenges, so why not?

    4) If you need sources… Ok, but:

    • if you are a newbie to C# or programming at all, I’d recommend you to write it from scratch yourself. It is fun and it is more useful than copying and compiling my code.
    • if you are a professional, then I’ll give you the sources only after you promise to explain to me why you were laughing at them and how I should correct or improve them =)

    5) It creates a registry key HKEY_CURRENT_USER\Software\WLWWrapupper which is not deleted when you uninstall the tool. Remove it manually if you care.

    If you are not scared of my “notice”, install it from here.

    Creating self-signed certificate for code-signing

    Just in case you cannot google it or you don’t like solutions longer than two lines of command line…

    Sometimes you need to assure yourself that the scripts or code you are about to run are the same as you created them. One of the ways to achieve it is to put a flash drive with them into a safe. Another is to get them signed. The second option seems to be the more convenient means, but it requires a code-signing certificate. Buying one is quite an expense: I have failed to find any cheaper than $99 per two years. Well, it is not actually a huge sum of money, but would you care to pay if the only goal is to be sure that it is your code? Maybe yes, maybe no, and in case the answer is “no”: you can create your own certificate for code-signing without paying money, and this certificate will be no worse unless you try to prove to someone else that this is your code =)

    Here I’ve found a couple of brilliant answers, but somehow they involve the creation of two certificates: one for your very own CA and the second for code-signing itself. While it is a good choice to create such a structure, some (like me) will prefer just a two-line solution, so here you are:

    1) Download the Windows SDK (it is a part of all the solutions, because that is where we get our makecert utility), install it and go to its installation folder.

    2) makecert.exe -cy end -pe -r -n "CN=Your Fancy Certificate's Name" -sky Signature -sv path_to\key.pvk path_to\key.cer

    3) pvk2pfx.exe -pvk path_to\key.pvk -spc path_to\key.cer -pfx path_to\key.pfx

    4) Import key.pfx into your personal certificate store. Or onto your smart card.

    Use it anywhere you need it. Note that the certificate name and the paths are the parts you may want to change in your case.
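What “use it” looks like for the scenario the post opens with (is this script still the one I wrote?), as an added PowerShell example that is not part of the original post; the subject name and script path are assumptions you replace with your own:

```powershell
# Added example: sign a script with the self-signed certificate imported in
# step 4, check the signature, and show what happens when the file is changed.
# Assumptions: the subject passed to makecert -n, and a script you own.
$SubjectName = "CN=Your Fancy Certificate's Name"   # exactly as given to makecert -n
$ScriptPath  = 'C:\Scripts\backup.ps1'              # any .ps1 of yours

# The .pfx from step 4 sits in the Personal store; pick it by subject and
# insist on the private key, since a .cer-only import cannot sign.
$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Subject -eq $SubjectName -and $_.HasPrivateKey } |
    Select-Object -First 1
if (-not $cert) { throw "No certificate '$SubjectName' with a private key in Cert:\CurrentUser\My" }

# Sign the file. makecert certificates are valid until 2039 by default, so no
# timestamp server is needed for the "is it my code" use case.
$signed = Set-AuthenticodeSignature -FilePath $ScriptPath -Certificate $cert
"Signing: $($signed.Status) ($($signed.StatusMessage))"

# Verify. A self-signed certificate that lives only in the Personal store gives
# UnknownError ("root certificate which is not trusted"), because nothing
# chains to a trusted root. Importing the step-2 .cer into the current user's
# Trusted Root Certification Authorities and Trusted Publishers turns it Valid.
$sig = Get-AuthenticodeSignature -FilePath $ScriptPath
"Verify:  $($sig.Status) signed by $($sig.SignerCertificate.Subject)"

# What the signature buys you: touch one byte after signing and the status
# becomes HashMismatch even though the signature block is still in the file.
$copy = Join-Path $env:TEMP 'tamper-check.ps1'
Copy-Item -Path $ScriptPath -Destination $copy -Force
Add-Content -Path $copy -Value '# constructed change after signing'
"Changed: $((Get-AuthenticodeSignature -FilePath $copy).Status)"
Remove-Item -Path $copy
```

If Set-AuthenticodeSignature rejects the certificate as unsuitable for code signing, re-run step 2 adding makecert’s -eku 1.3.6.1.5.5.7.3.3 option, which marks the certificate explicitly for code signing.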

    I hope it will work for you as it worked for me.

    Descriptions for makecert and pvk2pfx are here and here.

    %SystemRoot%\System32 secrets

    Remember my Old good command line series? I decided to continue. But now I will take interesting commands not from some fabulous site, but from inside my very own Windows 7. From the folder stated in the subject. Usually it is c:\windows\system32, but who knows what you’ve done to your innocent computer =)

    So, let the manuscript begin…

    The first command in the show is:

    at.exe

    Well, well, well… Look who’s there. The command has been considered deprecated since Windows 2003 RTM, but it is still included in W7. While we have the much more powerful schtasks (to be covered in future releases of the series), we still can use at if all we need is to create one simple task or script its creation. Why use at instead of schtasks? For example if you, like me, are old enough to remember the syntax of at and lazy enough not to remember schtasks’ one. =) Why do I remember this syntax? Because it was fun some 10 years ago to create a task on a friend’s workstation to shut down every 5 minutes =)

    Something like this, I guess:

    at \\friend 00:00 /every:M,T,W,Th,F,S,Su "shutdown /s /f /t 0"

    at \\friend 00:05 /every:M,T,W,Th,F,S,Su "shutdown /s /f /t 0"

    at \\friend 00:10 /every:M,T,W,Th,F,S,Su "shutdown /s /f /t 0"

    ………………………………………………………………..

    at \\friend 23:55 /every:M,T,W,Th,F,S,Su "shutdown /s /f /t 0"

    (Yeah, I wasn’t as lazy back then as I am now. And we had no AD and used the same passwords)

    Or maybe it was some other line, I didn’t check it now =)

    The syntax is here; it hasn’t changed since Win2000.

    Have fun.

    How to change attribute in AD: alternatives #2

    Returning to the question of AD attribute change tools, I should go on to some more graphical tools. From now on I know only some self-created possibilities, which require some coding. The first is to create a

    Custom GUI Application

    There are a multitude of variants: C#, VBScript, C, you name it. Being somewhat lazy, I decided to take a shortcut. In a beautiful book from the Windows 2008 resource kit, namely Windows Administration Resource Kit, there are some useful additions. Among them there is an .HTA script named “Object_Attribute_EmployeeNumber.hta”. It allows me to show the EmployeeNumber attribute and set it. As we were demonstrating EmployeeID attribute changes, I had to implement some changes, like replacing, where needed, the word “number” with the word “ID” (be careful: not every “number” entry needs to be replaced), like this:

    [image]

    and some minor bug fixing. But since I’ve done it – voila:

    [image]

    What are the pros of the method? Obviously, it is a very flexible method and you may create an application as powerful as you need. And this method requires less training for your staff. Still, there are some drawbacks: you have to create the app, and you have to support and develop it so that it does not become stale.
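The core of what the modified HTA does, stripped of the GUI: look a user up, show the current employeeID and write a new one through ADSI. Added PowerShell example, not the resource kit’s code; the account name and the new ID are constructed values, and it assumes you run it as a user allowed to write that attribute:

```powershell
# Added example: read and set the employeeID attribute of an AD user via ADSI,
# which works on Windows 7 / 2008 without the ActiveDirectory module.
# Assumptions: sAMAccountName 'jdoe' and the value 'E-12345' are constructed.
param(
    [string]$SamAccountName = 'jdoe',
    [string]$NewEmployeeId  = 'E-12345'
)

# The name goes into an LDAP filter: escape RFC 4515 special characters so a
# caller-supplied value cannot change the meaning of the query.
$safeName = [regex]::Replace($SamAccountName, '[\\*()\0]',
    { param($m) '\{0:x2}' -f [int][char]$m.Value })

# Bind to the current domain and search for the user object.
$rootDse  = [ADSI]'LDAP://RootDSE'
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$($rootDse.defaultNamingContext)"
$searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$safeName))"
[void]$searcher.PropertiesToLoad.AddRange([string[]]@('distinguishedName', 'employeeID'))
$hit = $searcher.FindOne()
if (-not $hit) { throw "User '$SamAccountName' not found" }

$user = $hit.GetDirectoryEntry()
$old  = [string]$user.employeeID
"Current employeeID for $($user.distinguishedName): '$old'"

# employeeID is a single-valued string: Put() replaces it, SetInfo() commits.
# To clear it instead, use $user.PutEx(1, 'employeeID', $null)  (1 = ADS_PROPERTY_CLEAR).
if ($old -ne $NewEmployeeId) {
    $user.Put('employeeID', $NewEmployeeId)
    $user.SetInfo()
    "Set employeeID to '$NewEmployeeId'"
}

# Re-read from the directory instead of trusting the local property cache.
$user.RefreshCache([string[]]@('employeeID'))
"Now: '$([string]$user.employeeID)'"
```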

    Anyway, this leaves us with one more method:

    extending the ADUC or other AD mmc consoles

    It should be absolutely cool, but it is way over my head at the moment. I am not really ready to give anyone a step-by-step guide on how to implement the feature yet, so I will postpone the article till I am able to.

    Malware: how comes we are infected?

    It was not the first time I had the same argument: some of my peers and even colleagues still think that the major infection method for client computers is through some kind of vulnerability which doesn’t involve stupidity. I believe (and I have some brothers in arms in my belief) that the abovementioned “stupidity”, or let’s say lack of education and carelessness, is the major threat. What am I talking about? Well… Some of the sources tell us that most successful malware installs itself using USB sticks, shared drives or some other kind of user-involving technology.

    For example, in MS Security Intelligence Report #9 (1H2010) we see the following table:

    1) Win32/Taterf
    2) Win32/Frethog
    3) Win32/Renos
    4) Win32/Rimecud
    5) Win32/Conficker
    6) Win32/Autorun
    7) Win32/Hotbar
    8) Win32/FakeSpypro
    9) Win32/Alureon
    10) Win32/Zwangi

    These are the top 10 malware families detected on client computers. The 1st is the most often detected; the 10th, correspondingly, the least (of these 10, of course). Now I will just repeat the table with the addition of infection mechanisms:

    1) Win32/Taterf: Win32/Taterf is a family of worms that spread via mapped drives in order to steal login and account details for popular online games.
    2) Win32/Frethog: spreads via mapped drives.
    3) Win32/Renos: downloads of “video codecs” and other “goodies” from malicious sites.
    4) Win32/Rimecud: Win32/Rimecud is a family of worms with multiple components that spreads via removable drives and instant messaging.
    5) Win32/Conficker: no arguing here, it spreads through a vulnerability. And still: “it may also spread via removable drives and by exploiting weak passwords.”
    6) Win32/Autorun: no arguing here either: “spreads through fixed and removable drives by dropping copies of itself.”
    7) Win32/Hotbar: an install-it-yourself kit. Seriously.
    8) Win32/FakeSpypro: Rogue:Win32/FakeSpypro may be installed from the program’s web site or by social engineering from third party web sites.
    9) Win32/Alureon: manual download (keygens, drive-by downloads, etc…)
    10) Win32/Zwangi: manual download.

    You know what? I don’t even want to discuss it. Read one more report. And that’s all: there is no need to “hack” into your computer if a criminal can hack into your head.

    Be careful at least this year and the following ones =)