Author Topic: WARNING - WinUAE backdoor!  (Read 4750 times)

Offline scholle (Topic starter)

  • Jr. Member
  • Join Date: Sep 2002
  • Posts: 97
  • http://home.arcor.de/schollsky
WARNING - WinUAE backdoor!
« on: March 31, 2005, 07:22:16 AM »
Dear Friends of the Amiga!

Tonight I found some sort of proof that this machine,
currently running UAE, was corrupted by some sort of backdoor
program. As we all know, for AmigaOS there is no really
good firewall software, OS3.9 has no memory protection,
so...

I'm still learning to configure my Personal Firewall
(Sygate) correctly for the Windows 2000 side; I guess
the machine was wide open until now.

What I found first was a strange behaviour for SFSSalv.

SFSCheck (SmartFileSystem 1.236) reported a bad partition:


Lass jucken> sfscheck hd1

Partition start offset : 0x00000000:445d5e00   End offset : 0x00000003:45b30400
Surfaces         : 7       Blocks/Track  : 255
Bytes/Block      : 512     Sectors/Block : 1
Total blocks     : 25209555
Device interface : NSD (64-bit)

Checking RootBlocks
...okay
Checking AdminSpaceContainers at block 2
...okay
Checking NodeContainers at block 7
ObjectContainer at block 27543 doesn't contain node 95797
...damaged


I thought it would be best to save all data to
a free partition. SFSSalv is installed in C:,
but when I try to run it, I always get a
"Unknown command" error. This is true for
SFSSalv 0.17 and SFSSalv0.16, no matter where
they reside. I also found a very old version
somewhere, but it didn't work properly.

I tried to find the problem with SnoopDOS,
but nothing. Strange thing was that whenever
I ran VirusZ, it presented me a suspicious
CPU interrupt vector, level 6, pointing to
a destination outside the system area.

After a while I found a file with the
string "sync" of zero bytes length
in SYS:
It was obvious that it didn't belong
there, so I deleted it. Then I began
to fix the security holes on the Windows
side. At this point I was not sure where
the problem came from, but at the end of
a night of fiddling and restarting another
strange occurrence in SYS: caught my eye.
It is a binary called uae_rcli, the size
is 8956 bytes. I presume it can be
used to open a remote connection to a
UAE system, but I'm not good at coding
myself. However, a fast look with a hex editor
is always worth it, right? So here's
some of the ASCII data that was contained
in it:

Usage: [-h|?] [-debug] [-nofifo] []

fifo:uae_rcli/wmke -> Starting fifo-handler
run nil: l:fifo-handler -> Reopen fifo
-> Spawning shell
run execute fifo:uae_rcli/rsk echo "-> Remote cli running"
-> No fifo found
endcli endshell quit -> Exiting

If someone wants to take a further look
at this thingy, I'm willing to send it
to a trustworthy person for further analysis.

The display of the altered CPU vector
has vanished, but I don't know whether
this is due to my actions or due to
some advancement of data residing on
the HD. We will see...
I just hope this system will survive long
enough to be taken to OS4.0 somewhen. :-)

Take care!

Offline Piru

  • ' union select name,pwd--
  • Hero Member
  • Join Date: Aug 2002
  • Posts: 6946
  • http://www.iki.fi/sintonen/
Re: WARNING - WinUAE backdoor!
« Reply #1 on: March 31, 2005, 07:55:57 AM »
SFSSalv failing and VirusZ reporting modified vectors is probably in no way connected to this.

However, UAE is wide open to malware, I spotted this years ago. In fact, the host system filesystem is wide open for access from within the emulation, too. So "amiga" apps could well plant x86 files to host system.

Anyway, if you want this thing to be analysed, just mail it to me.


UPDATE:
Quote
another strange occurrence in SYS: caught my eye. It is a binary called uae_rcli, the size is 8956 bytes. I presume it can be used to open a remote connection to a UAE system,

uae_rcli is a standard part of UAE. uae_rcli.c

It could still be abused, naturally. But in itself it isn't viral or a backdoor.
 

Offline scholle (Topic starter)

  • Jr. Member
  • Join Date: Sep 2002
  • Posts: 97
  • http://home.arcor.de/schollsky
Re: WARNING - WinUAE backdoor!
« Reply #2 on: March 31, 2005, 11:08:40 AM »
I'm quite sure that the host system is compromised, too.

But it's harder to fix, because changes to the system are not
so "visible" as in AmigaOS, at least to me.

uae_rcli may be part of the original UAE, but I've never installed it to my system for sure. So it must have come from outside.

The Sygate FW constantly shows strange traffic from constantly changing IPs with a faked domain name/WWW address, but all owned by AKAMAI.

The problem with sending the file is, I don't trust my ISP's DNS & mail server; I've lost several important emails for unknown reasons. But I'll give it a try, thx!

Best regards,

Scholle

Offline Piru

  • ' union select name,pwd--
  • Hero Member
  • Join Date: Aug 2002
  • Posts: 6946
  • http://www.iki.fi/sintonen/
Re: WARNING - WinUAE backdoor!
« Reply #3 on: March 31, 2005, 11:25:47 AM »
Don't bother with uae_rcli. It's just a compile of the source code I posted before.

To me it looks like your system is infected by either spyware/adware or a virus, and I seriously doubt WinUAE has anything to do with it.

I recommend you scan your system with a good AV (if you don't have any, try for example AntiVir), Ad-Aware and Spybot.
 

  • Guest
Re: WARNING - WinUAE backdoor!
« Reply #4 on: March 31, 2005, 11:46:20 AM »
Quote

Piru wrote:
Don't bother with uae_rcli. It's just a compile of the source code I posted before.

To me it looks like your system is infected by either spyware/adware or a virus, and I seriously doubt WinUAE has anything to do with it.

I recommend you scan your system with a good AV (if you don't have any, try for example AntiVir), Ad-Aware and Spybot.


As well as using the programs Piru mentioned, also install Microsoft Anti-Spyware.

Spyware Blaster - As recommended by Spybot to block stuff it can't immunize.

Bad IP Updater v1.5 - Site down atm, but this blocks known bad IPs from your machine.

Also run Windows Update and get any critical security fixes it suggests you have.
 

Offline blobrana

  • Hero Member
  • Join Date: Mar 2002
  • Posts: 4743
  • http://mysite.wanadoo-members.co.uk/blobrana/home.html
Re: Who pulled the chain?
« Reply #5 on: March 31, 2005, 02:09:47 PM »
Hum,
I’ve had no problems with winuae.
Though I’m aware of the potential problems too.

I’ve got Prevxfirewall (which is a, er, Firewall), but it also monitors for registry changes, program & task launches, and any unauthorised changes to the original system.

If anything changes then you’ll know immediately.

But first, you've got to make sure you've got a clean system...


Offline Dan

  • Hero Member
  • Join Date: Apr 2002
  • Posts: 1766
Re: WARNING - WinUAE backdoor!
« Reply #6 on: March 31, 2005, 02:21:16 PM »
Don't do what I tried to do: remove spyware/virus from within UAE. I marked some files I shouldn't have marked and then hit delete in DOpus. XP didn't start without those drivers, imagine that. And when I attempted a repair/install over the old system it just froze.
Luckily I had an empty 120GB HD lying around (was gonna be file backup) and did a clean install (probably around that time my XP installation was 2 years old) and I was up and running again.
Workbench was so much easier, just do a straight copy to another disk/partition and then rename/use the early boot menu if anything went wrong.

Luckily I had learned the lesson back in the Amiga days:
Never save your work on the same disk as the OS!
Apple did it right the first time, bring back the Newton!
 

Offline seer

  • Hero Member
  • Join Date: Feb 2002
  • Posts: 1453
Re: Who pulled the chain?
« Reply #7 on: March 31, 2005, 04:21:18 PM »
Hi Blob,

I'm always looking for another good firewall, I wanted to try the one you mentioned, but the link doesn't work... Seems the FTP is empty. Any other links? Google isn't that helpful, just a link to your site.

Edit: Hm...

Is it this one?

here? (Same link to the download...)

Which leads us to here... :lol:
~
Everything you say will be misquoted and used against you.
~
 

Offline blobrana

  • Hero Member
  • Join Date: Mar 2002
  • Posts: 4743
  • http://mysite.wanadoo-members.co.uk/blobrana/home.html
Re: Who pulled the chain?
« Reply #8 on: March 31, 2005, 04:40:24 PM »
Yeah,

That's the one.
The software brain gets updated quite often....

changed my link to:
http://www1.prevx.com/

 :-)

Offline scholle (Topic starter)

  • Jr. Member
  • Join Date: Sep 2002
  • Posts: 97
  • http://home.arcor.de/schollsky
Re: WARNING - WinUAE backdoor!
« Reply #9 on: April 04, 2005, 09:21:24 PM »
This was really worth it; AdAware alone found 15 entries. Bad, bad Alexa! ;-)

Many thx!

Scholle

  • Guest
Re: WARNING - WinUAE backdoor!
« Reply #10 on: April 05, 2005, 12:24:05 AM »
Quote

scholle wrote:
This was really worth it; AdAware alone found 15 entries. Bad, bad Alexa! ;-)

Many thx!

Scholle


Make sure you don't rely on AdAware alone.  The others will find things AdAware won't and vice-versa.

-edit

Peer Guardian is a must-have tool if you value your privacy/security under Windows.
 

Offline scholle (Topic starter)

  • Jr. Member
  • Join Date: Sep 2002
  • Posts: 97
  • http://home.arcor.de/schollsky
Re: WARNING - WinUAE backdoor!
« Reply #11 on: April 05, 2005, 11:17:33 PM »
Thanks, I've used most of the other recommended tools as well; maybe my choice of English words was not quite correct.
However, the problem with SFSSalv not working is the same as before...

Best regards,

Scholle

Offline AmiGR

  • Hero Member
  • Join Date: Mar 2002
  • Posts: 698
Re: WARNING - WinUAE backdoor!
« Reply #12 on: April 08, 2005, 02:43:25 PM »
Use snoopdos to find what the problem is.
- AMiGR

Evil, biased mod from hell.
 

Offline xeron

  • Hero Member
  • Join Date: Mar 2002
  • Posts: 2533
  • http://www.petergordon.org.uk
Re: WARNING - WinUAE backdoor!
« Reply #13 on: April 08, 2005, 05:06:01 PM »
@Scholle

Just a hunch, but try:

Protect C:SFSSalv +e

and run it again.
Playstation Network ID: xeron6
 

Offline scholle (Topic starter)

  • Jr. Member
  • Join Date: Sep 2002
  • Posts: 97
  • http://home.arcor.de/schollsky
Re: WARNING - WinUAE backdoor!
« Reply #14 on: April 09, 2005, 06:12:50 PM »
It would have been nice if it was that easy. :-)

But I tried PROTECT C:SFSSalv -e, and the error
"File is not executable" occurred. So it is there
but does not want to be started.

Appended is a full Snoopdos.log, for me it does not
help much...


SnoopDos-Log started am Samstag, 09-Apr-05  um 17:58:38

 Prozess Name            Aktion      Ziel Name                                        Optionen Res.
 ------------            ------      ---------                                        -------- ----
SnoopDos aktiviert um 17:59:04
 [2] Workbench           #DISK_INFO   4029124                                         CD0      OK  
 [2] Workbench           #DISK_INFO   4029138                                         ENV      OK  
 [2] Workbench           #DISK_INFO   402914C                                         RAM      OK  
 [2] Workbench           #DISK_INFO   4029160                                         HD0      OK  
 [2] Workbench           #DISK_INFO   4029174                                         DF0      OK  
 [2] Workbench           #DISK_INFO   4029188                                         HD1      OK  
 [2] Workbench           #DISK_INFO   402919C                                         HD2      OK  
 [2] Workbench           #DISK_INFO   40291B0                                         DF1      OK  
 [2] Workbench           #INFO        4149506,  406A222                               HD1      OK  
 [2] Workbench           #INFO        4129E9C,  406A222                               HD0      OK  
 [2] Workbench           #DISK_INFO   4029124                                         CD0      OK  
 [2] Workbench           #DISK_INFO   4029138                                         ENV      OK  
 [2] Workbench           #DISK_INFO   402914C                                         RAM      OK  
 [2] Workbench           #DISK_INFO   4029160                                         HD0      OK  
 [2] Workbench           #DISK_INFO   4029174                                         DF0      OK  
 [2] Workbench           #DISK_INFO   4029188                                         HD1      OK  
 [2] Workbench           #DISK_INFO   402919C                                         HD2      OK  
 [2] Workbench           #DISK_INFO   40291B0                                         DF1      OK  
 [2] Workbench           #INFO        4149506,  406A222                               HD1      OK  
 [2] Workbench           #INFO        4129E9C,  406A222                               HD0      OK  
 [4] Shell Process       FindVar     sfssalv                                          Alias    Fehl
 [4] Shell Process       *Lock       HD0:WBStartup/sfssalv                            Read     OK  
 [4] Shell Process       #LOC_OBJECT  412B224,  412B17B, FFFFFFFE                     HD0      OK  
 [4] Shell Process       #COPY_DIR    412B224                                         HD0      OK  
 [4] Shell Process       #EXAM_OBJEC  4156B16,  412B0F8                               HD0      OK  
 [4] Shell Process       #PARENT      4156B16                                         HD0      OK  
 [4] Shell Process       #FREE_LOCK   4156B16                                         HD0      OK  
 [4] Shell Process       #EXAM_OBJEC  4156C0A,  412B0F8                               HD0      OK  
 [4] Shell Process       #PARENT      4156C0A                                         HD0      OK  
 [4] Shell Process       #FREE_LOCK   4156C0A                                         HD0      OK  
 [4] Shell Process       Lock        HD0:WBStartup/sfssalv                            Read     Fehl
 [4] Shell Process       *Lock       RAM:sfssalv                                      Read     Fehl
 [4] Shell Process       #LOC_OBJECT  4030715,  412B17B, FFFFFFFE                     RAM      Fehl
 [4] Shell Process       #COPY_DIR    4030715                                         RAM      OK  
 [4] Shell Process       #EXAM_OBJEC  4030B6F,  412B0F8                               RAM      OK  
 [4] Shell Process       #PARENT      4030B6F                                         RAM      Fehl
 [4] Shell Process       #FREE_LOCK   4030B6F                                         RAM      OK  
 [4] Shell Process       Lock        RAM:sfssalv                                      Read     Fehl
 [4] Shell Process       *Lock       HD0:C/sfssalv                                    Read     Fehl
 [4] Shell Process       #LOC_OBJECT  412AD52,  412B17B, FFFFFFFE                     HD0      Fehl
 [4] Shell Process       #EXAM_OBJEC  4156B16,  412B250                               HD0      OK  
 [4] Shell Process       #FREE_LOCK   4156B16                                         HD0      OK  
 [4] Shell Process       *Open       HD0:C/sfssalv                                    Read     OK  
 [4] Shell Process       #FINDINPUT   4156B17,  412AD52,  4129D55                     HD0      OK  
 [4] Shell Process       #READ       1055B028, 1059C240,      400                     HD0      OK  
 [4] Shell Process       #READ       1055B028, 1059CEC4,     5978                     HD0      OK  
 [4] Shell Process       #READ       1055B028, 1059C240,      400                     HD0      OK  
 [4] Shell Process       #READ       1055B028, 105A2B7C,      2C0                     HD0      OK  
 [4] Shell Process       #READ       1055B028, 1059C240,      400                     HD0      OK  
 [4] Shell Process       #READ       1055B028, 1059C240,      400                     HD0      OK  
 [4] Shell Process       #END        1055B028                                         HD0      OK  
 [4] Shell Process       *Lock       HD0:C/sfssalv                                    Read     OK  
 [4] Shell Process       #LOC_OBJECT  412AD52,  412B184, FFFFFFFE                     HD0      OK  
 [4] Shell Process       #PARENT      4156B16                                         HD0      OK  
 [4] Shell Process       #FREE_LOCK   4156B16                                         HD0      OK  
 [4] sfssalv             *Lock       PROGDIR:                                         Read     OK  
 [4] sfssalv             #LOC_OBJECT  4156C0A,  416CF67, FFFFFFFE                     HD0      OK  
 [4] sfssalv             *Open       HD0:C/sfssalv                                    Read     OK  
 [4] sfssalv             #FINDINPUT   4156C3D,  4156B16,  4129D55                     HD0      OK  
 [4] sfssalv             #FREE_LOCK   4156B16                                         HD0      OK  
 [4] sfssalv             #READ       10599AA0, 105B3F78,     8000                     HD0      OK  
 [4] sfssalv             #READ       10599AA0, 105B3F78,     8000                     HD0      OK  
 [4] sfssalv             #END        10599AA0                                         HD0      OK  
 [4] sfssalv             RunCommand                                                   8192     Fehl
 [4] sfssalv             #FREE_LOCK   4156C0A                                         HD0      Fehl
 [4] Shell Process       GetVar      echo                                             Local    Fehl
 [4] Shell Process       GetVar      oldredirect                                      Local    Fehl
 [4] Shell Process       GetVar      keepdoublequotes                                 Local    Fehl
SnoopDos eingefroren um 17:59:13

Schliesse SnoopDos-Log um 17:59:28


Any ideas?

I've also noticed that I can run processes in the background
in UNIX/Linux style, i.e. using & instead of RUN. My original OS3.1 does not mention that. Hm.

Best regards,

Scholle
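Reading a SnoopDos log like the one above by hand is tedious, and the interesting fact in it is easy to miss: the shell does find C:SFSSalv, opens it and reads it, and only the new process's RunCommand fails. The following Python script is an added example, not code from this thread or from SnoopDos. It parses SnoopDos's fixed-width call lines (the "Fehl"/"OK" result column is the poster's German locale), reconstructs the shell's search trail for the command, and reports when the file was opened and read but the spawned process still failed, which separates a search-path problem from a problem with the file itself (contents or protection bits). The regular expression, the Entry fields and the reading of the '*' prefix (call logged while still in progress) and '#' prefix (DOS packet seen by the filesystem) are my interpretation of the format; the excerpt of log lines is copied from the post above.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Excerpt of the SnoopDos log posted in the thread (German locale: "Fehl" = failed).
# The selection of lines is mine; the lines themselves are as posted.
SAMPLE_LOG = """\
SnoopDos-Log started am Samstag, 09-Apr-05  um 17:58:38

 Prozess Name            Aktion      Ziel Name                                        Optionen Res.
 ------------            ------      ---------                                        -------- ----
SnoopDos aktiviert um 17:59:04
 [4] Shell Process       FindVar     sfssalv                                          Alias    Fehl
 [4] Shell Process       *Lock       HD0:WBStartup/sfssalv                            Read     OK
 [4] Shell Process       #LOC_OBJECT  412B224,  412B17B, FFFFFFFE                     HD0      OK
 [4] Shell Process       Lock        HD0:WBStartup/sfssalv                            Read     Fehl
 [4] Shell Process       *Lock       RAM:sfssalv                                      Read     Fehl
 [4] Shell Process       Lock        RAM:sfssalv                                      Read     Fehl
 [4] Shell Process       *Lock       HD0:C/sfssalv                                    Read     Fehl
 [4] Shell Process       *Open       HD0:C/sfssalv                                    Read     OK
 [4] Shell Process       #READ       1055B028, 1059C240,      400                     HD0      OK
 [4] Shell Process       #END        1055B028                                         HD0      OK
 [4] Shell Process       *Lock       HD0:C/sfssalv                                    Read     OK
 [4] sfssalv             *Lock       PROGDIR:                                         Read     OK
 [4] sfssalv             #READ       10599AA0, 105B3F78,     8000                     HD0      OK
 [4] sfssalv             RunCommand                                                   8192     Fehl
 [4] Shell Process       GetVar      echo                                             Local    Fehl
SnoopDos eingefroren um 17:59:13
"""

# One line per monitored call:  [n] Process Name   Action   Target   Options   Result
# The target column may itself contain spaces (packet arguments), so it is matched
# lazily and the line is anchored on the trailing "Options Result" pair.
LINE_RE = re.compile(
    r"^\s*\[(?P<num>\d+)\]\s+(?P<process>.*?)\s{2,}(?P<action>\S+)\s+"
    r"(?P<target>.*?)\s+(?P<options>\S+)\s+(?P<result>OK|Fehl)\s*$"
)


@dataclass
class Entry:
    num: int          # the number SnoopDos prints in brackets
    process: str
    action: str       # action name with any '*' / '#' prefix stripped
    pending: bool     # '*' prefix: logged while the call was still in progress (my reading)
    packet: bool      # '#' prefix: a DOS packet seen by the filesystem (my reading)
    target: str
    options: str
    ok: bool


def parse_snoopdos(text: str) -> list[Entry]:
    """Parse every call line; header, separator and timestamp lines are skipped."""
    entries: list[Entry] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw = m["action"]
        entries.append(Entry(
            num=int(m["num"]), process=m["process"],
            action=raw.lstrip("*#"), pending=raw.startswith("*"),
            packet=raw.startswith("#"), target=m["target"].strip(),
            options=m["options"], ok=(m["result"] == "OK"),
        ))
    return entries


def command_lookup_trail(entries: list[Entry], command: str) -> list[tuple[str, bool]]:
    """Paths the shell tried for `command`, in order, with the last Lock result per path.

    A path is often logged twice ('*Lock' while pending, 'Lock' when done); the
    later report wins, so a pending Fehl followed by an OK counts as found."""
    trail: dict[str, bool] = {}
    for e in entries:
        if e.action == "Lock" and e.target.lower().endswith(command.lower()):
            trail[e.target] = e.ok
    return list(trail.items())


def loaded_but_failed(entries: list[Entry], command: str) -> tuple[str, str] | None:
    """If the command file was opened successfully and the process spawned for it
    later failed a (non-packet) call, return (path, failing_action); else None."""
    opened = next((e.target for e in entries
                   if e.action == "Open" and e.ok
                   and e.target.lower().endswith(command.lower())), None)
    if opened is None:
        return None
    for e in entries:
        if e.process.lower() == command.lower() and not e.packet and not e.ok:
            return opened, e.action
    return None


if __name__ == "__main__":
    entries = parse_snoopdos(SAMPLE_LOG)
    for path, found in command_lookup_trail(entries, "sfssalv"):
        print(f"{'found  ' if found else 'missing'}  {path}")
    hit = loaded_but_failed(entries, "sfssalv")
    if hit:
        print(f"{hit[0]} was opened and read, but the new process failed at {hit[1]}: "
              "the search path is fine, so look at the file itself (contents, protection bits).")
```

The trail printed for the excerpt is WBStartup (missing), RAM: (missing), then HD0:C/sfssalv (found), followed by the RunCommand failure inside the sfssalv process, which is exactly the "File is not executable" symptom described in the post. The same parser works on the full log; only the excerpt is embedded here so the script runs offline.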