Dialers – Under a Magnifying err… Prism

Last weekend I err.. prismed a small collection of dialer samples to test if I can automatically extract RAS dialup connection properties from this old school malware. The results were not mind blowing, but dropping it here in case someone finds it useful.

What I found interesting was that the passwords often seemed to be supertrivial, and the countries I identified using the prefixes listed on Wikipedia appear to include quite a few exotic places:

  • +239 – São Tomé and Príncipe
  • +246 – British Indian Ocean Territory
  • +31 – The Netherlands
  • +372 – Estonia
  • +423 – Liechtenstein
  • +453 – Denmark
  • +56 – Chile
  • +675 – Papua New Guinea
  • +677 – Solomon Islands
  • +678 – Vanuatu
  • +681 – Wallis and Futuna
  • +682 – Cook Islands
  • +683 – Niue
  • +850 – North Korea

Two prefixes seem to be country-independent:

  • +881-9 – Globalstar
  • +882-13 – Telespazio

and a few numbers which I can’t attribute – they seem to be either mobile phones, or some country-specific premium lines… I guess the best way to check is to just… dial them 😉
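The prefix attribution described above can be scripted. The following is an added example, not the code used for this post. It assumes that a leading T or P is a Hayes tone/pulse modifier, that a single digit followed by a comma is outside-line access, that digits after a later pause are not part of the number, and that 00 is the international access prefix. The dial strings are constructed, not taken from the samples.

```python
import re
from collections import Counter

# Subset of the prefixes listed above (digits after "+", dashes removed).
PREFIXES = {
    "31": "The Netherlands",
    "372": "Estonia",
    "423": "Liechtenstein",
    "56": "Chile",
    "850": "North Korea",
    "8819": "Globalstar",
    "88213": "Telespazio",
}

# Constructed dial strings, shaped like RAS phonebook entries.
SAMPLES = [
    "0,00881900000001",       # outside line, pause, international number
    "T0031600000000",         # leading dial modifier
    "0037200000000",
    "0088213000000",
    "899000000,,0200000000",  # number, pauses, trailing digits
]

def normalize(dial_string):
    """Reduce a dial string to the first run of digits that gets dialled."""
    s = dial_string.strip().upper().replace(" ", "")
    s = re.sub(r"^[TP]", "", s)   # assumption: T = tone, P = pulse
    s = re.sub(r"^\d,+", "", s)   # assumption: "0," is outside-line access
    return s.split(",")[0]        # assumption: later digits are extension/PIN

def attribute(dial_string, intl_prefix="00"):
    """Return (prefix, label) by longest-prefix match, else (None, 'unattributed')."""
    number = normalize(dial_string)
    if not number.startswith(intl_prefix):
        return None, "unattributed"   # national, premium-rate or short number
    rest = number[len(intl_prefix):]
    for length in range(max(map(len, PREFIXES)), 0, -1):  # longest first
        label = PREFIXES.get(rest[:length])
        if label:
            return rest[:length], label
    return None, "unattributed"

def tally(dial_strings):
    """Count how many dial strings fall under each label."""
    return Counter(attribute(d)[1] for d in dial_strings)

if __name__ == "__main__":
    for d in SAMPLES:
        print(f"{d:24} -> {attribute(d)}")
```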

List of Unique Passwords used in RAS dialup connections:

  • p033052172
  • premium
  • password
  • 7309
  • SE899
  • sh095z3ma
  • oxt145uks2ma
  • fpdz5s1ma
  • import
  • welcomein
  • color
  • ah12M
  • 4592
  • x
  • radius
  • pass
  • guest
  • nocard
  • tronyx
  • tyra
  • smart
  • 1234
  • xxx
  • newDialer
  • all4world
  • ConnInt1

List of Unique Phone Numbers used in RAS dialup connections:


List of Unique Connection Names used in RAS dialup connections:

  • amstercam italia
  • AXIS
  • Best Porn Network
  • connection
  • connessione Predefinita
  • Csex1
  • default
  • desktop-celebrita
  • desktop01
  • DIDI
  • dMi_77_Connection
  • ENTER
  • gsa1002_Connection
  • gsa_01746_Connection
  • Help and Internet
  • Internet Connectio
  • Internet Connection
  • Internet…
  • karaokex31_Connection
  • karaokex_4_Connection
  • Launch DerBiz.com
  • nd02191_Connection
  • nocard210
  • nocard2101
  • nocard21012
  • nocard210123
  • nocard260
  • nocard2601
  • nocard26012
  • nocard260123
  • Porn Access Connection
  • SIXA
  • test
  • tyra210
  • tyra2101
  • tyra21012
  • tyra210123
  • UnNet
  • Video
  • westat1x_Connection
  • wladesk74x_Connection
  • wmdtips24x_Connection
  • www_bau

“Malicious” Magic Squares

Update

Found one more 🙂

   L   I   S   T   A   S
   I   M   P   O   R   T
   S   P   U   L   E   R
   T   O   L   O   S   E
   A   R   E   S   E   S
   S   T   R   E   S   S

Old post

As a kid I loved to solve crosswords; I also published my own (together with various riddles).

I was especially fond of magic squares, e.g. a classic one:

S     A     T     O     R
A     R     E     P     O
T     E     N     E     T
O     P     E     R     A
R     O     T     A     S

and palindromes e.g.

malayalam

and anything that would be a bit unusual (e.g. 7-letter words with 4 As, partially overlapping words, etc.).

When I learned programming I wrote various cross-word generators including one for magic squares.

Finding magic squares is very easy for 3-, 4- and 5-letter words. It gets a bit more challenging with 6 letters, but it’s still quite easy, and it gets really tough with 7, 8 and 9 letters.

Having nothing else to do, today I tried to see how my old code would perform taking a small database of malware-related keywords as a base. To my surprise, it actually found a few magic squares for 6 characters!

Here they are:

G   A   G   G   L   E
A   P   R   O   O   L
G   R   O   O   V   E
G   O   O   B   E   R
L   O   V   E   N   A
E   L   E   R   A   D

H   A   L   E   S   S
A   T   O   M   I   C
L   O   O   P   E   R
E   M   P   I   R   E
S   I   E   R   R   A
S   C   R   E   A   M

I   S   T   B   A   R
S   P   A   R   S   E
T   A   R   A   P   A
B   R   A   B   A   N
A   S   P   A   D   E
R   E   A   N   E   T

If you google these words, you will find out that all of them are actual names of malware.
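A backtracking search with prefix pruning is one way to find such squares. This is an added example, not the generator described in the post, and its word list is only the words from the squares shown on this page rather than a keyword database.

```python
from collections import defaultdict

# Words taken from the squares shown on this page.
WORDS = """SATOR AREPO TENET OPERA ROTAS
GAGGLE APROOL GROOVE GOOBER LOVENA ELERAD
HALESS ATOMIC LOOPER EMPIRE SIERRA SCREAM
ISTBAR SPARSE TARAPA BRABAN ASPADE REANET""".split()

def build_prefix_index(words):
    """Map every prefix (including the empty one) to the words that start with it."""
    index = defaultdict(list)
    for w in words:
        for i in range(len(w) + 1):
            index[w[:i]].append(w)
    return index

def word_squares(words, n):
    """Return all n x n squares whose k-th row equals their k-th column."""
    pool = sorted({w.upper() for w in words if len(w) == n})
    index = build_prefix_index(pool)
    found = []

    def extend(rows):
        k = len(rows)
        if k == n:
            found.append(list(rows))
            return
        # Symmetry: row k must start with column k of the rows placed so far.
        prefix = "".join(r[k] for r in rows)
        for cand in index.get(prefix, []):
            # Prune: each remaining column must still be the start of some word.
            if all("".join(r[j] for r in rows) + cand[j] in index
                   for j in range(k + 1, n)):
                extend(rows + [cand])

    extend([])
    return found

if __name__ == "__main__":
    for square in word_squares(WORDS, 6):
        print("\n".join(" ".join(row) for row in square), end="\n\n")
```

The prefix index is what keeps the search shallow: a partial square is abandoned as soon as any unfinished column stops being the beginning of a word in the list.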

Bonus

How often do you see code like this nowadays? Addressing via seg:ofs was a real pain in 16-bit real mode 😉

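               xor dx,dx                 ; dx = 0, collects carries
               mov ax,word ptr fs:[si]   ; load 16-bit value from fs:si
               add ax,ax                 ; ax = ax * 2
               adc dx,0                  ; dx += carry out of bit 15
               add ax,ax                 ; ax = ax * 2 again
               adc dx,0                  ; dx += carry out of bit 15
               shl dx,12                 ; carries -> units of 1000h paragraphs (64 KB)
               add dx,CS:DSegm0          ; add base segment stored in the code segment
               mov es,dx                 ; es = resulting segment
               mov bx,ax                 ; bx = offset, giving es:bx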

              [...]