Ad-Aware PR : message board


Posted by roy_batty (Normal user) [ip info hidden] - Apr 20 2006, 20:52 (UTC+0)
Defeating Ad-Aware Authenticity Check
[Defeating Ad-Aware Authenticity Check]
It's again ... trivial.

downloadable here [http://updates.ls-servers.com/public/AAWAC.EXE]

[How it works]
The Authenticity plugin computes the md5 checksum of the
defs.ref file and then connects to ip address 67.15.193.237
(ev1s-67-15-193-237.ev1servers.net) on port 80 (http) and performs a post query
with param md5=. Then it checks for "HTTP/1.1 200 OK". If this
is not returned, then it warns the user about ref file tamper. The backend server
obviously checks the stored original defs md5s and compares the sent value
against them.

[How to defeat]
There are multiple ways to do it. Block internet access to this
site for ad-aware.exe. Return "HTTP/1.1 200 OK" all the time. Patch the dll.
Think and you'll find other solutions.

My message to LavaSoft: try better. This is not what I would expect from a firm
that claims it has the best anti-spyware around.

----------------------------
My comments are in [].


The authenticity check plugin was created after my last article. A message on
www.lavasoftsupport.com appeared - "A vulnerability was recently discovered that
could be used to compromise the definition file used with all versions of
Ad-Aware SE." So you can see that my article didn't lie ...


Next thing one can read:
"Yes dear reader, this type of irresponsible behavior and lack of professional
ethics helps foster new malicious code and exploit development rather than to
bring about positive change or product improvements. How often have computer
users been placed at risk just because someone decided it would be a good idea
to publish this type of information and for what purpose; just to be first?"

"We call on the security news and discussion industry to stop allowing
publication of vulnerabilities before developers have an appropriate
opportunity to provide corrections so that users remain protected."
[Vendors should first design programs in a secure manner. It wasn't a fault in
the code. The design was entirely bad. From the very beginning. It is the vendor's
fault, not the one who finds that. Besides, not only the definition file was
badly designed. What about the number of definitions? What about multiplying
by 1.46? This is what I call arrogance ... Don't expect me to help a
vendor who has no respect for his users!

And no, the number is not artificial, it is not computed from the definition file,
it's not that it really finds that number of samples. I thought very much
about it, I was surprised, I couldn't believe it. People lie, but the code
does not. And it's in there ... It's there just to claim it has more samples
than it has, there is no other reason.]


This text was written in the city of Sofia
(C) 1999-06 Roy Batty, who is a stranger in the world he was made to live in
roy.batty@phreaker.net

Eddie lives...somewhere in time
Posted by roy_batty (Normal user) [ip info hidden] - Apr 23 2006, 15:41 (UTC+0)
Re: Defeating Ad-Aware Authenticity Check
Here's the update. There exists a beta version #2 of AAWC downloadable from the same site.

There are just two differences from the previous:
1) the connection is made against 67.15.193.240 (securelavasoft.com) this time
2) the plugin checks for the presence of securelavasoft.com and download.lavasoft.de.edgesuite.net in the hosts file to check whether the sites have been redirected to some false site/localhost

but no redirection is needed. the plugin doesn't even tell the user that it couldn't connect to the site, so simply drop every connection made by ad-aware to the verification sites. the plugin will be quiet and it won't check anything.

btw, the plugin is written in c++ instead of the delphi used for writing ad-aware. easier to read, now the analysis doesn't take 10 minutes, but only 5. thanks guys.

ps, i'll help you ... set the variable at address 1000B040 (ie verification fail) also when you cannot connect to the verification sites. you can for example check for having an internet connection and the inability to connect there. that is suspicious. and tell the user that you couldn't verify the def file. now even when the plugin doesn't connect and thus doesn't verify the def file, it looks to the user as if the def file is ok and there is no problem. which is of course not what it is meant to do ...
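The check described in the first post (md5 of defs.ref, POST md5=..., accept on "HTTP/1.1 200 OK") and the fail-closed behaviour the second post asks for, modelled side by side in Python. This is an added example, not code from the thread or from Ad-Aware: the backend model, the HMAC-tagged "verified" body, the key and the sample definition data are all constructed assumptions; the real plugin only looked at the status line.

```python
import hashlib
import hmac

# Constructed stand-ins for defs.ref and for the backend's list of known-good digests.
SAMPLE_DEFS = b"constructed definition file contents\n"
KNOWN_GOOD = {hashlib.md5(SAMPLE_DEFS).hexdigest()}
SERVER_KEY = b"constructed-demo-key"  # assumed shared key, purely for the model


class NoConnection(Exception):
    """Raised by a transport when the verification site cannot be reached."""


def defs_md5(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def server_verify(md5_param: str, key: bytes = SERVER_KEY):
    """Model of the backend verification script (assumed): compare the posted
    md5 against the stored list and, on success, tag the verdict with an HMAC
    bound to that digest so the client can check more than a status line."""
    if md5_param in KNOWN_GOOD:
        tag = hmac.new(key, md5_param.encode(), "sha256").hexdigest()
        return "HTTP/1.1 200 OK", f"verified {md5_param} {tag}"
    return "HTTP/1.1 403 Forbidden", "unknown"


def weak_check(data: bytes, post) -> str:
    """The check as the post describes it: any 200 OK means 'ok', and a
    connection failure is silently treated as 'ok' too (fail open)."""
    try:
        status, _body = post(defs_md5(data))
    except NoConnection:
        return "ok"  # plugin stays quiet, user sees no warning
    return "ok" if status == "HTTP/1.1 200 OK" else "tampered"


def hardened_check(data: bytes, post, key: bytes = SERVER_KEY) -> str:
    """Fail closed: no connection or an unverifiable answer yields
    'unverified' instead of 'ok', and a 200 is only accepted when the body
    carries a valid tag over the digest we actually sent."""
    digest = defs_md5(data)
    try:
        status, body = post(digest)
    except NoConnection:
        return "unverified"  # what the second post asks the plugin to report
    if status != "HTTP/1.1 200 OK":
        return "tampered"
    parts = body.split()
    if len(parts) != 3 or parts[0] != "verified" or parts[1] != digest:
        return "unverified"
    expected = hmac.new(key, digest.encode(), "sha256").hexdigest()
    if not hmac.compare_digest(parts[2], expected):
        return "unverified"
    return "ok"


# Transports standing in for the network conditions the thread talks about.
def real_server(md5_param):
    return server_verify(md5_param)


def dropped(md5_param):
    raise NoConnection  # connection blocked or site unreachable


def bare_200(md5_param):
    return "HTTP/1.1 200 OK", ""  # a 200 with nothing behind it


if __name__ == "__main__":
    for name, transport in [("real", real_server), ("dropped", dropped), ("bare 200", bare_200)]:
        print(f"{name:9} weak={weak_check(b'tampered', transport):10} "
              f"hardened={hardened_check(b'tampered', transport)}")
```

The point is the last two columns when the data is not genuine: the weak check reports "ok" both when no connection can be made and when a bare 200 comes back, which is exactly the silence the second post complains about, while the hardened version reports "unverified" in both cases. A key embedded in the client can still be extracted from the binary, so a real fix would verify a publisher signature over the definition file itself; the example shows the fail-closed behaviour, not a complete design.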

Posted by roy_batty (Normal user) [ip info hidden] - Apr 20 2006, 21:04 (UTC+0)
Re: Defeating Ad-Aware Authenticity Check
performs a post to http://xxx.xxx.xxx/verification.php to be more precise -)

