~ Malwares ~
         to malware    malwares
(Courtesy of fravia's advanced searching lores)

(¯`·.¸ Delving deeper into Teleport Pro 1.29 ¸.·´¯)
by Noos
published at fravia's searchlores in October 2000

Slightly edited by fravia+
See also Faulpelz's Teleport Pro 1.29, malware galore (May 2000) and Faulpelz's Teleport Pro V1.29 (Build 1107) (January 2001) which deals also with this essay.
Interesting work: the "phone home" part of the programs you insert into your own computers is most disturbing, and deserves to be reversed black and blue by all 'freedom fighters'. A reason more to hate those political lackeyes of the economical powers that be, that would like to outlaw the use of disassemblers and debuggers in order not to disturb the wrongdoings of their masters.
Interesting stab, feel free to build on this and contribute...


"Delving deeper into Teleport Pro 1.29"

by Noos


Foreword:

Ever since I downloaded version 1.0 of Teleport Pro it has been my
favourite program for retrieving
entire websites in a fast and easy way.
But as you can imagine after reading Faulpelz's essay my curiosity was triggered and I immediately downloaded version 1.29 of that great product, anxious as to find out what has hidden inside. My findings: Faulpelz was right on one part, teleport pro secretly connects to www.tenmax.com, but not to request a robots.txt file... nossir: to retrieve a update.txt. As most of you might (and should) know, a robots.txt file is used to store information for the search engine crawlers, and thus it is perfectly normal for teleport pro to check and retrieve that file for the host you are copying. I do agree with Faulpelz that teleport pro retrieves that file, but not on www.tenmax.com but simply on the host you are copying. Faulpelz also mentioned that the request for that file contained the URL of the site you are copying, but this is simply necesarry for name based virtual hosting. But now for the thing that did not seem right. After installing teleport pro 1.29 I set up the machines in my LAN in the following way : / 10.0.0.7 (Web server I'm copying) 10.0.0.2 -----| \ 10.0.0.3 (new IP of www.tenmax.com (HOSTS file) ) 10.0.0.2 is the machine that is running teleport pro. In that machines HOSTS file I added the following line : 10.0.0.3 www.tenmax.com The 10.0.0.3 machine also runs a web server so that requests to www.tenmax.com won't bounce off. Using that setup I created a new project and specified http://10.0.0.7/ as the starting address. At first I was a bit disappointed because it simply connected to 10.0.0.7, retrieved the files and disconnected. Nothing suspicious at all. But I wasn't ready to give up at that point since Faulpelz had seen something. After numerous attempts teleport pro finally connected to 10.0.0.3 and retrieved the earlier mentioned update.txt. Of course this file did not exist on my web server, so I decided to go online and manually retrieve the file from www.tenmax.com.. but alas, the file did not exist there either. I gave it one more shot using the exact HTTP header teleport pro uses, but that also returned zilch. This request could only mean 2 things in my opinion : 1. Log the IP's of all the users that use teleport pro. But this does not make any sense since it only connects every now and then. 2. Tenmax found out they were being naughty and removed the update.txt which probably has been used to tell teleport pro users that a new version is available. That would also explain the necesity to check every 50 projects or so (not sure WHEN it checks). After finding out that it retrieves update.txt I disassembled pro.exe to see what it does with that, but I have not been able to find anything interesting about it. 0041A809 PHONE_HOME: ; CODE XREF: sub_41A360+347j 0041A809 push ebx 0041A80A push 20h 0041A80C push ebx 0041A80D lea ecx, [ebp-40h] 0041A810 call sub_401E4D 0041A815 push offset aUpdate_txt ; "update.txt" 0041A81A push offset unk_47B10C ; path 0041A81F push offset aWww_tenmax_com ;"www.tenmax.com" 0041A824 push 50h 0041A826 push 1 0041A828 lea ecx, [ebp-80h] 0041A82B mov dword ptr [ebp-4], 0Ah 0041A832 call MakeAddress 0041A837 mov [ebp-1Ch], eax 0041A83A lea eax, [ebp-40h] 0041A83D mov edi, offset unk_47F040 What it does is create a URL from these 3 parts (host,path,file) and place a request in it's queue. But I have no idea when the results from that request are being analyzed. I have included to .gifs which display the results from my packet sniffing. It clearly shows the request being made to their server.
overview.gif    packet.gif

Afterword: I doubt teleport pro has any more tricks up the sleeve. They probably realized the update.txt wasn't such a good idea. I also tried different settings with a proxy and password protected sites, but no results until now...


- Noos, October 2000

Petit image

(c) 2000: [fravia+], all rights reserved