Škoda Octavia II battery replacement

Škoda Octavia II battery replacement

Unfortunately I was not able to find this piece of information in any public materials:
You need a "#13" socket (gola) key on an extension of at least 17 cm to be able to replace the car battery in a Škoda Octavia II.
I was able to buy such a long standalone key at OBI :D

Hard time upgrading to Fedora 19 with fedup + LUKS encrypted drive

Hard time upgrading to Fedora 19 with fedup

It seems that using crypto is still not smooth and easy with Fedora. I have both root and home residing on a LUKS-encrypted LVM volume.

This time I had prepared plenty of space in advance for the fedup upgrade (5+ GB) and was mentally prepared for some glitches, but I still spent some quality time getting it up and running again.

The first phase of fedup went quite smoothly this time (having plenty of free space). Downloading the dependencies and preparing for the install was quite OK:
    fedup-cli --network 19

After the reboot everything was still fine and all the packages were updated. There was just one moment where the installer was actually asking for the LUKS password on the console, but the prompt was overwritten by some status message. It took me some time to figure out that it was actually asking me for a password. So far so good.

The real problems came after the first reboot into F19, where the initrd ramdisk was apparently not expecting the root volume to be on a LUKS-encrypted LVM drive. From the emergency shell:
    # Open the LUKS device
    cryptsetup luksOpen /dev/sda5 luks-sda5
    # Activate the LVM volumes on the freshly opened LUKS device
    lvm vgscan
    lvm vgchange -a y
    mount /dev/vgsystem/fc19 /sysroot
    chroot /sysroot

I even tried to mount the standard filesystems to be able to operate the yum database and other stuff:
    #!/bin/bash
    mount -t proc proc /proc
    mount -t sysfs sysfs /sys
    mount -t devtmpfs devtmpfs /dev
    mount -t tmpfs tmpfs /run
    mount -t securityfs securityfs /sys/kernel/security
    mount -t selinuxfs selinuxfs /sys/fs/selinux
    mount -t tmpfs tmpfs /dev/shm
    mount -t devpts devpts /dev/pts
    mount -t tmpfs tmpfs /sys/fs/cgroup
    mount -t cgroup cgroup /sys/fs/cgroup/systemd
    mount -t pstore pstore /sys/fs/pstore
    mount -t cgroup cgroup /sys/fs/cgroup/cpuset
    mount -t cgroup cgroup /sys/fs/cgroup/cpu,cpuacct
    mount -t cgroup cgroup /sys/fs/cgroup/memory
    mount -t cgroup cgroup /sys/fs/cgroup/devices
    mount -t cgroup cgroup /sys/fs/cgroup/freezer
    mount -t cgroup cgroup /sys/fs/cgroup/net_cls
    mount -t cgroup cgroup /sys/fs/cgroup/blkio
    mount -t cgroup cgroup /sys/fs/cgroup/perf_event

Putting the system half-way up this way was useful for moving around and reading and changing what was necessary, but it actually didn't lead me to a solution. I tried to regenerate the ramdisk, but it didn't help:
    mkinitrd /boot/initramfs-3.11.2-201.fc19.x86_64.img 3.11.2-201.fc19.x86_64

I also tried to run the commands from the kernel post-installation scripts, but that didn't help either:
    rpm -q --scripts kernel-3.11.3-201.fc19.x86_64
    /sbin/new-kernel-pkg --package kernel --install 3.11.3-201.fc19.x86_64
    /sbin/new-kernel-pkg --package kernel --mkinitrd --dracut --depmod --update 3.11.3-201.fc19.x86_64
    /sbin/new-kernel-pkg --package kernel --rpmposttrans 3.11.3-201.fc19.x86_64

The last resort, which actually worked for me, was to use the old Fedora 18 kernel to boot into the Fedora 19 system. Luckily the Fedora 18 kernel remained in the grub menu after the fedup upgrade. I was able to boot it and fix the FC19 kernel, or rather its init ramdisk, by reinstalling the kernel package:
    yum remove kernel-3.11.2-201.fc19.x86_64
    yum install kernel-3.11.2-201.fc19.x86_64

After doing this I was finally able to boot the Fedora 19 kernel with the Fedora 19 system (plus some manual changes to /etc/grub2.cfg related to my dual-boot setup with Windows 7 + bitkeeper encryption).

According to this article it might have been enough to run dracut to regenerate the init ramdisk:
    dracut --force
or the fix mentioned in bugzilla 980587:
    dracut --regenerate-all --force

For completeness, here is also the link to the Dracut troubleshooting instructions from FedoraProject.


Asprox Botnet 2013 - Phishing Malware As a Service

This blog post compiles my findings on the Asprox botnet. The status described here represents mainly the state of the botnet around May-June 2013. For a description of the current state it is probably better to read some more recent posts in the history list of articles related to the Asprox botnet.

Asprox malware is being spread around with phishing emails claiming to be from DHL, FedEx, USPS, American Airlines, Costco, Walmart, Pizza Hut, Home Depot, Target and many others. It also likes to claim to be a court order, a funeral/wedding announcement or a missed voicemail from WhatsApp.
I call this botnet Asprox based on the whitepaper from Trend Micro. Its architecture looks like an enterprise cloud-based service for building a botnet of infected hosts. The infrastructure has 2 visible load-balanced layers and at least 2 hidden inner layers.
It goes like this:

  1. Email distribution

    Phishing emails in this campaign seem to be sent mostly from hacked web servers.
  2. Phishing email

    January 2014 phishing is for energy bills.
    December 2013 was a killing spree of many different phishing campaigns for Costco, BestBuy, Walmart, My CV, Adobe.
    September/October 2013 templates pretend to be wedding invitations or voicemail from WhatsApp.

    May-July 2013 phishing emails direct the victims to follow a URL to "Get Shipment Info" or to enter the shipment number on the "Tracking Page" URL (DHL), to "Print Receipt" to receive your parcel (FedEx), to "Download It" to use the flight ticket (American Airlines) or to display the "Shipment Label" (UPS).

  3. Downloader sites

    The phishing email points to compromised websites that serve a ZIP file with a malicious executable, the Asprox downloader. At the beginning of May 2013 these sites tended to be mainly compromised Joomla 1.5 servers. At the end of May we saw quite a lot of websites hosted in the US, not necessarily Joomla related. The Asprox botnet, or the people behind it, probably use several exploits to compromise various PHP websites.
    Links from phishing emails lead to a malicious PHP script on the compromised websites. This PHP script proxies all the requests to another backend server (in 2013 there was 1 IP in Russia and a whole bulk of IP addresses in Germany), but there are definitely more such servers. In case of failure, suspicion or a request threshold being reached, the PHP script reports a fake "404 Not Found" error code.
  4. Download zipfile

    The victim downloads the zip file from the site, containing an executable file, for example "Delivery Information.exe". The executable has the icon of a Word file to convince the victim to open/run it.

  5. The malware generated in the WhatsApp phishing campaign has the icon of a note to fool the victims into thinking it is some sound file.
  6. Execute the downloader

    When the victim executes the malware, it mimics something benign: Notepad is opened to show some bogus tracking information.

    The malware masquerades as a Windows binary (svchost.exe) to run hidden and undetected in the background.

    The exe file is removed and replaced with a TXT file.
  7. Command & Control center(s) - dozens of nginx proxies

    The malware contacts a round-robin list of C&Cs for commands and for downloading other malware. The list of IPs is hardcoded in the downloader binary. An updated list of C&Cs can be obtained from the C&C. The sites contacted are another farm of compromised web servers running nginx configured as a reverse proxy. All requests are proxied to a backend C&C server.
  8. Download other germs

    Other malware is then downloaded, executed, and so on and so forth.
  9. Another layer???

    ... there are possibly more layers.

Interesting bits

These bits make it interesting:
  • Scale

    - The group seems to have been running this very same infrastructure for at least 1 year. New evasion features are being added over time, like encrypting the requests. The campaign in May 2013 was, within 2 weeks, using dozens of compromised Joomla servers to serve the downloader malware. It is using dozens of servers (mostly compromised web servers) to send spam. And as of writing, the backend C&C is active on at least 34 IP addresses at once. If you consider that they probably have more to move on to and use once the current ones are closed, the scale is really like a small enterprise.
  • Evasion

    - Malicious scripts on compromised download sites stop serving malware after some time and respond with a fake HTTP 404 Not Found response, probably to encourage less savvy admins to stay on the current vulnerable version, as it seems that the problem went away by itself. Similar evasion techniques are implemented on the C&C sites.
  • Automation

    - New obfuscated malware binaries for the downloader are generated at least twice a day. The FakeAV binaries downloaded from the C&C are automatically generated every 6 minutes. This ensures that the samples at the time of execution are not known to your antivirus. For AV companies it usually takes 1-3 days to make a signature and propagate it for download to the client, and then more days until the victim bothers to update the antivirus signatures.
  • Cloud

    - The availability of cheap cloud services allows the "throw-away" C&C to be hosted anywhere, especially when the host is a compromised server paid for by somebody else :). It is surprising that the 1st and 2nd layers of C&Cs are not hosted on some bullet-proof hosting in China or Ukraine, but in countries like France, the United Kingdom, the USA, the Netherlands or Germany.

Chewy details

Email Distribution

Phishing Emails

Sample DHL:

If the links are not working, please move message to  "Inbox" folder.


   26.04.2013          PACK STATION

DHL Ship Shipment Notification

On April 25, 2013 a shipment label was printed for delivery.

The shipment number of this package is 36085695.

To get additional info about this shipment use any of these options:

1) Click the following URL in your browser:

                  Get Shipment Info

2) Enter the shipment number on tracking page:

                  Tracking Page

For further assistance, please call DHL Customer Service.

For International Customer Service, please use official DHL site.


This message was created by DHL Ship, a product of DHL, at the request

of the sender. No authentication of email address has been performed.

  Deutsche Post DHL          2013 DHL International GmbH. All rights reserved.

Sample DHL Express:


2013-08-01 at 11:59
Shipment not delivered
Dear Customer, your package has arrived on August 1st, but messenger was unable to deliver the package to you, for more detailed information, please, download and read mailing label.
2013 DHL International GmbH. All rights reserved.

Downloader sites

The majority of the sites serving the malicious downloader file in the May campaign seem to be servers with Joomla 1.5.
The backend script serving the downloader imposes some limitations on the download of the malware:
  • limit of 4 downloads per IP - the number seems to be shared across the botnet infrastructure; this limitation probably keeps it low profile from services like Google Badware
  • allow only certain User-Agents
  • probably some other filtering (geoip?, language?)
Once the limit is reached, the malware script generates a fake HTTP "404 Not Found" message. This way it probably avoids some malware analysis, and it maybe also convinces website managers not to check for and remove the malware: at first sight it seems that the problem disappeared by itself, while the malicious script is still there and kicking. Versions of the script from August 2013 - January 2014 get the 404 message from the very same server, so it looks very real. The 404 message is taken from the URL http://this_server/AFQjCNHnh8RttFI3VMrBddYw6rngKz7KEA. In the original response all occurrences of the called URI (AFQjCNHnh8RttFI3VMrBddYw6rngKz7KEA) are replaced with the current URI requested from the Asprox PHP proxy script, to make the cloaking complete:

    function error_404() {
        header("HTTP/1.1 404 Not Found");
        // strip the query string from the URI the victim requested
        $uri = preg_replace("/(\?).*\$/", "", $_SERVER["REQUEST_URI"]);
        // fetch the hosting server's own 404 page for a URI that does not exist
        // (http_request() is a helper defined elsewhere in the same script)
        $content = http_request("http://".$_SERVER["SERVER_NAME"]."/AFQjCNHnh8RttFI3VMrBddYw6rngKz7KEA");
        // make the page look as if it was generated for the requested URI
        $content = str_replace("/AFQjCNHnh8RttFI3VMrBddYw6rngKz7KEA", $uri, $content);
        exit($content);
    }

Older versions (until August 2013) used a static page, which made it possible to fingerprint the proxy script:

    $ curl http://www.into-focus.de/templates/system/onlines.php?get_info=4_36160170
    <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <html><head><title>404 Not Found</title></head><body>
    <h1>Not Found</h1>
    <p>The requested URL was not found on this server.</p>
    <hr>
    </body></html>

Rendered, it looks like a 404 Not Found page:

Not Found

The requested URL was not found on this server.

The download sites are being reused at the same time for different phishing campaigns and they serve different malware binaries based on the type of the request.

Request         | Campaign          | Sample                                           | Name of exe
?ticket=        | American Airlines | http://andiburns.de/img/get.php?ticket=ss00_323  | Electronic Ticket.exe
?i_info=        | FedEx             | http://andiburns.de/img/get.php?i_info=ss00_323  | Shipment Label.exe
?receipt=       | FedEx             | http://andiburns.de/img/get.php?receipt=ss00_323 | Postal Receipt No00843412843.exe
?receipt_print= | FedEx             | http://andiburns.de/img/get.php?receipt=ss00_323 | Postal Receipt No00843412843.exe
?print=         | FedEx             | http://andiburns.de/img/get.php?receipt=ss00_323 | Postal Receipt No00843412843.exe

List of active download sites - last updated 2013-06-05 and largely outdated - kept here just as a sample.

A sample of the PHP script can be found on this forum. It forwards the requests to some backend server together with information about the IP of the connecting client (taken from proxy headers if possible).

Asprox Downloader

The downloader encrypts the requests with RC4 (see more info in the analysis from Trend Micro). The encrypted request is passed to the second layer of C&C. The IP addresses of the C&Cs are hardcoded in the downloader binary. The request contains an MD5 hash as identification of the victim computer and some action.

Request gate for work

The id is an MD5 hash identifying the victim machine. The gate responds with a command to the downloader. So far I have seen 3 commands sent to the downloader - rdl, run, idl. According to the analysis from Trend Micro there are more commands. The gate is quite picky about the format of the request, probably to keep a low profile against automated probes from anti-malware sites. If you perform the request using an ordinary browser or commands like wget, you will most likely obtain only HTTP 404 Not Found.
  1. rdl

    - run dll. According to Trend Micro the DLL is encrypted with RC4. After it is downloaded it is injected into the svchost.exe running the downloader and executed.

        GET HTTP/1.0
        User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Host:

        HTTP/1.1 200 OK
        Server: nginx/1.2.6
        Date: Fri, 24 May 2013 18:37:17 GMT
        Content-Type: text/html
        Content-Length: 86
        Connection: close
        X-Powered-By: PHP/5.4.4-7
        Vary: Accept-Encoding

        c=rdl&u=/get/sb222.dll.crp_fdsfsdf&a=1&k=fa785e1d&n=sb222&crc=8822c5d84333d6b5658dcb460d4d27a2

        GET HTTP/1.0
        User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Host:

        HTTP/1.1 200 OK
        Server: nginx/1.2.6
        Date: Fri, 24 May 18:37:19 GMT
        Content-Type: text/html
        Content-Length: 86
        Connection: close
        X-Powered-By: PHP/5.4.4-7
        Vary: Accept-Encoding

        c=rdl&u=/get/pg.dll.crp_bak&a=0&k=52f608b4&crc=214e3b765d01df7a5b28480fa885b84e
  2. run

    - run executable - from 27-Apr-2013 until 22-05-2013 I have seen only e3943d7369aa6add911aca18b3a507f4.exe, which is some rogue antivirus. Checking the report on VirusTotal/ThreatExpert, there are links also to other exe files. Since 23-May-2013 the C&Cs are serving a5347c1b5b4aa9bd13d76736eb57c67f.exe, 6b761f91b02f89f9e695d4b5a87806de.exe and b2f7e9141eb124ce3152352c5df520f7.exe. So far I do not know what the hash filename stands for.

        GET HTTP/1.0
        User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Host:

        HTTP/1.1 200 OK
        Server: nginx/1.2.6
        Date: Fri, 24 May 2013 18:37:20 GMT
        Content-Type: text/html
        Content-Length: 86
        Connection: close
        X-Powered-By: PHP/5.4.4-7
        Vary: Accept-Encoding

        c=rdl&u=/get/sb222.dll.crp_fdsfsdf&a=1&k=fa785e1d&n=sb222&crc=8822c5d84333d6b5658dcb460d4d27a2
  3. idl

    - sleep 1 second

        GET HTTP/1.0
        User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Host:

        HTTP/1.1 200 OK
        Server: nginx/1.2.6
        Date: Fri, 24 May 2013 18:37:22 GMT
        Content-Type: text/html
        Content-Length: 86
        Connection: close
        X-Powered-By: PHP/5.4.4-7
        Vary: Accept-Encoding

        c=idl
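As an added example (not the post's code, nor anything from the malware itself), here is a Python helper that parses the gate replies shown above into their fields, rejecting anything outside the three documented commands, plus a scanner that flags proxy log lines carrying two indicators visible in the captures: the User-Agent's "Windows NT 9.0" (no Windows release has ever carried that version) and the /get/ payload paths. The sample log lines are constructed, with 203.0.113.0/24 documentation addresses standing in for the C&C IPs.

```python
import re
from urllib.parse import parse_qs

# Gate commands documented in the post and what the downloader does with them.
# Anything else is reported as unknown rather than acted on.
KNOWN_COMMANDS = {
    "rdl": "download RC4-encrypted DLL and inject it into svchost.exe",
    "run": "download and execute an exe",
    "idl": "sleep 1 second",
}

def parse_gate_reply(body: str) -> dict:
    """Split a gate reply such as
    c=rdl&u=/get/sb222.dll.crp_fdsfsdf&a=1&k=fa785e1d&n=sb222&crc=<md5>
    into its fields and sanity-check the ones a tracker relies on."""
    fields = {k: v[0] for k, v in parse_qs(body.strip(), keep_blank_values=True).items()}
    cmd = fields.get("c")
    if cmd not in KNOWN_COMMANDS:
        raise ValueError(f"unknown gate command: {cmd!r}")
    if cmd in ("rdl", "run"):
        for required in ("u", "crc"):
            if required not in fields:
                raise ValueError(f"{cmd} reply lacks {required}=")
        if not re.fullmatch(r"[0-9a-f]{32}", fields["crc"]):
            raise ValueError("crc is not a 32-hex-digit MD5")
    fields["meaning"] = KNOWN_COMMANDS[cmd]
    return fields

# Network indicators taken from the captures above: the User-Agent claims
# "Windows NT 9.0", a version that never existed, and payloads live under
# /get/ as *.dll.crp* or <32 hex digits>.exe.
BOGUS_NT = re.compile(r"Windows NT 9\.0")
PAYLOAD_PATH = re.compile(r"/get/(?:[^\s\"]+\.dll\.crp\w*|[0-9a-f]{32}\.exe)\b")

def scan_proxy_log(lines):
    """Return (client_ip, reasons) for each CLF-style proxy log line matching an indicator."""
    hits = []
    for line in lines:
        reasons = []
        if BOGUS_NT.search(line):
            reasons.append("bogus 'Windows NT 9.0' User-Agent")
        if PAYLOAD_PATH.search(line):
            reasons.append("Asprox payload path")
        if reasons:
            hits.append((line.split()[0], "; ".join(reasons)))
    return hits

# Constructed sample log (combined log format; 203.0.113.0/24 is a documentation range).
SAMPLE_LOG = [
    '10.0.0.5 - - [24/May/2013:18:37:17 +0000] "GET http://203.0.113.10/get/sb222.dll.crp_fdsfsdf HTTP/1.0" 200 86 "-" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"',
    '10.0.0.7 - - [24/May/2013:18:40:02 +0000] "GET http://example.org/index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (Windows NT 6.1; rv:21.0) Gecko/20100101 Firefox/21.0"',
    '10.0.0.9 - - [24/May/2013:18:41:11 +0000] "GET http://203.0.113.12/get/e3943d7369aa6add911aca18b3a507f4.exe HTTP/1.0" 200 186880 "-" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"',
]

if __name__ == "__main__":
    print(parse_gate_reply("c=rdl&u=/get/sb222.dll.crp_fdsfsdf&a=1&k=fa785e1d&n=sb222&crc=8822c5d84333d6b5658dcb460d4d27a2"))
    for ip, why in scan_proxy_log(SAMPLE_LOG):
        print(ip, "->", why)
```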

Request gate for the list of IPs

The id in this case is not the whole MACHINEID (MD5 identification of the victim), but just the first 8 chars of it. For example:

    GET
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
    Host:

The response is the RC4-encrypted list of IPs of the 3rd-layer C&Cs to contact.

Command & Control center(s)

The current list of active C&C sites is available from the Asprox tracker.

Download other germs

Files are downloaded as exe (a plain exe file to be executed) or as dll. The DLLs have the extension crp and seem to have very high entropy, which means they are either compressed or encrypted. More analysis of the downloader is needed to determine what happens with the dll files after downloading.

So far I have identified these files that can be downloaded as DLL modules: Corpus of Asprox Modules

In 2013 Asprox was involved in the distribution of FakeAV - a new malware file (for example /get/e3943d7369aa6add911aca18b3a507f4.exe) was generated once every 6 minutes. It takes some scheduled job another 6 minutes of delay to deliver it to the C&C servers. Here are samples for just one day - just to give you an idea of how much your antivirus will protect you against this threat. At the time of generation it is usually found as malicious by only about 2-3 out of 46 antivirus vendors at VirusTotal, so most probably it won't be detected by your antivirus at the time of first execution.
This exe file - FakeAV - is some rogue antivirus. Once it is executed it reports itself to some registration site in Hong Kong:


Hard time upgrading to Fedora 18

Hard time upgrading to Fedora 18

The upgrade to the new version of Fedora (Fedora 18) was this time harder than french kissing an Anaconda. Both recommended methods, installing (USB from ISO) and upgrading (FedUp), failed for me.

Using FedUp is a nightmare. In my case it required 3 GB for the download just to copy it to the install directory (another 3 GB). Even when I was able to free that much space on the system partition, it asked for another 2 GB of empty space for the upgrade. After cleaning up the unnecessary stuff it still crashed in an infinite loop asking for the password for my encrypted drive (probably bug 896010).

Then I decided to just delete the system partition and make a fresh install of it. Booting from the ISO image using USB / HDD grub2 loopback was quite OK. The problem is I was not able to get through disk partitioning. I have a quite unusual partition table with multiboot to 3+ systems. All partitions are encrypted - truecrypt NTFS, LUKS + ext3, LUKS + swap, LUKS + LVM - probably some of that crypto stuff is freaking Anaconda to death (bugs 890881 and/or 862948).

My workaround to upgrade Fedora 17 to Fedora 18 with all the encryption was this:

  • boot from ISO CD / USB
  • use cryptsetup luksOpen for the system partition
  • format /dev/mapper/luks-root with mkfs -t ext4 to clean it
  • Clone the minimal filesystem on the ISO to your new system partition. The image of the minimal FC18 filesystem is device-mapped somewhere in /dev/mapper/*. Pipe the "dump" command to "restore" to clone the whole filesystem. Something like:
    dump -0u /dev/mapper/iso-min-something | (cd /mnt/root; restore -rf -)
  • mount the luks-root to /mnt/root directory and use yum --installroot=/mnt/root to install updated kernel
  • copy vmlinuz and initrd files to /boot partition
  • copy old fedora 17 record from /boot/grub2/grub.cfg to new one and update with the new fc18 version of kernel
  • change the UUID of the root partition in the grub record. Use "ls -l /dev/disk/by-uuid/" and "ls -l /dev/mapper/" to determine the UUID of the partition on the LUKS encrypted volume.
  • reboot
  • just in case, reinstall the grub2 package: "yum reinstall grub2"
  • yum -y update
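The F19 post's failing init ramdisk and the F18 post's hand-edited grub record both hinge on the initramfs and the kernel command line knowing about the LUKS and LVM layers under root. As an added example, not code from either post, here are two offline checks I would run before rebooting into a new kernel: parse lsinitrd output for the crypt/dm/lvm dracut modules, and verify that each kernel line in grub.cfg carries root=, rd.luks.uuid= and rd.lvm.lv= (dracut's documented parameters). The volume group vgsystem/fc19 and the UUID are sample values, the lsinitrd layout is an assumption, and the fc18 kernel version is a placeholder.

```python
import re

# dracut modules the initramfs must contain for a root filesystem on LUKS + LVM.
REQUIRED_MODULES = ("crypt", "dm", "lvm")

def dracut_modules(lsinitrd_output: str) -> set:
    """Module names from `lsinitrd <initramfs>` output (assumed layout: a
    'dracut modules:' line, one module per line, then a '====' separator)."""
    mods, in_section = set(), False
    for line in lsinitrd_output.splitlines():
        line = line.strip()
        if line == "dracut modules:":
            in_section = True
        elif in_section and line.startswith("===="):
            break
        elif in_section and line:
            mods.add(line)
    return mods

def missing_modules(lsinitrd_output: str) -> list:
    """Required modules absent from the ramdisk; empty means it can open LUKS and activate LVM."""
    present = dracut_modules(lsinitrd_output)
    return [m for m in REQUIRED_MODULES if m not in present]

# 'linux' / 'linux16' / 'linuxefi' lines of grub.cfg: kernel image, then its command line.
LINUX_LINE = re.compile(r"^\s*linux(?:16|efi)?\s+(\S+)\s*(.*)$", re.M)

def check_grub_entries(grub_cfg: str, luks_uuid: str, vg: str, lv: str) -> dict:
    """Per kernel image in grub.cfg, the problems found on its command line:
    root= should name the LVM volume, and dracut's rd.luks.uuid=<container UUID>
    and rd.lvm.lv=<vg>/<lv> should tell the initramfs about both layers explicitly."""
    results = {}
    for kernel, args in LINUX_LINE.findall(grub_cfg):
        words = set(args.split())
        problems = []
        if not words & {f"root=/dev/mapper/{vg}-{lv}", f"root=/dev/{vg}/{lv}"}:
            problems.append("root= does not point at the LVM volume")
        if not re.search(rf"rd\.luks\.uuid=(?:luks-)?{re.escape(luks_uuid)}\b", args):
            problems.append("rd.luks.uuid= missing or wrong")
        if f"rd.lvm.lv={vg}/{lv}" not in words:
            problems.append("rd.lvm.lv= missing or wrong")
        results[kernel] = problems
    return results

# Constructed lsinitrd output for a ramdisk built without the crypt/dm/lvm modules.
SAMPLE_LSINITRD = """\
Image: /boot/initramfs-3.11.2-201.fc19.x86_64.img: 18M
========================================================================
dracut modules:
bash
kernel-modules
rootfs-block
base
========================================================================
-rw-r--r--   1 root root        0 May 24 18:37 etc/fstab.empty
"""

# Constructed grub.cfg: the F19 entry carries the dracut parameters, the F18 one does not.
SAMPLE_GRUB_CFG = """\
menuentry 'Fedora (3.11.2-201.fc19.x86_64)' {
    linux /vmlinuz-3.11.2-201.fc19.x86_64 root=/dev/mapper/vgsystem-fc19 ro rd.luks.uuid=luks-0f4a0c2e-1111-2222-3333-444444444444 rd.lvm.lv=vgsystem/fc19 rhgb quiet
    initrd /initramfs-3.11.2-201.fc19.x86_64.img
}
menuentry 'Fedora (fc18 kernel, placeholder version)' {
    linux /vmlinuz-fc18-placeholder root=/dev/mapper/vgsystem-fc19 ro rhgb quiet
    initrd /initramfs-fc18-placeholder.img
}
"""
```

Feed it the real output of `lsinitrd /boot/initramfs-<version>.img` and the contents of /boot/grub2/grub.cfg; any non-empty result is worth fixing before the reboot rather than from the dracut emergency shell afterwards.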