Sunday Hacker Puzzle: Matryoshka Dolls - HINTS

By now, some of you are very close to solving the puzzle from Sunday. For fear that I may have made it too difficult, I will give you a few hints.

The original image I started with is here.  In addition to being cropped, there are other visual differences between the images.

If you don’t see the difference visually, you might want to look here.  Does all of the binary data match what you expect to see?

Good luck and keep hacking…

Sunday Hacker Puzzle: Matryoshka Dolls

In last week's puzzle we saw how much can be revealed by simply observing a file. Using “strings” or a hex editor, you found the password embedded in the binary of the executable.

Today's challenge isn't going to be so easy.

A Matryoshka doll (or Russian nested doll) is a classic metaphor for the encapsulation used by many of the technologies we rely on every day. With that in mind, examine the file below in its entirety. If you find your way to the center of this “Russian doll”, you will find a famous command.

Email your answers to [email protected] by next Sunday (Feb 6, 2010). One winner will be randomly chosen from among the correct answers and will receive one of the nifty lockpicks featured in my previous article “The four reasons why lockpicking is an essential skill for IT

To make this fair, please do not post any questions or answers in the comments.  If enough people are stumped, I will place a hint in the comments in a few days.

Have fun!

RussianDolls.ppm
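The puzzle file is a PPM image, and the hint above asks whether all of the binary data matches what you expect. A binary PPM (P6) is one of the simplest image containers: a whitespace-separated header (magic, width, height, maxval, optional `#` comments) followed by exactly width × height × 3 samples. That makes it easy to check whether a file carries more bytes than its header accounts for, and to compare two same-sized images sample by sample. The following is an added example written for this post, not the puzzle author's code; the two-pixel images, the header comment and the appended trailer are constructed inline so the script runs offline.

```python
"""Audit a binary PPM (P6) file: verify the raster size the header promises
against the bytes actually present, and compare two rasters sample by sample."""


def parse_ppm_header(data: bytes):
    """Return (width, height, maxval, raster_offset) for a P6 PPM.

    The header is four whitespace-separated tokens; '#' starts a comment that
    runs to end of line.  Exactly one whitespace byte follows maxval before the
    raster begins.
    """
    pos = 0
    tokens = []
    while len(tokens) < 4:
        while pos < len(data) and data[pos:pos + 1].isspace():
            pos += 1
        if pos < len(data) and data[pos:pos + 1] == b"#":
            while pos < len(data) and data[pos:pos + 1] not in (b"\n", b"\r"):
                pos += 1
            continue
        start = pos
        while pos < len(data) and not data[pos:pos + 1].isspace():
            pos += 1
        if start == pos:
            raise ValueError("truncated PPM header")
        tokens.append(data[start:pos])
    if pos >= len(data):
        raise ValueError("header has no raster after maxval")
    pos += 1  # the single whitespace byte separating maxval from the raster
    magic, width, height, maxval = tokens
    if magic != b"P6":
        raise ValueError(f"not a binary PPM: {magic!r}")
    return int(width), int(height), int(maxval), pos


def audit_ppm(data: bytes) -> dict:
    """Compare the raster size implied by the header with the bytes present.

    Anything after the expected raster is 'trailing_bytes': a viewer ignores it,
    so it is the first place to look when a file is larger than it should be.
    """
    width, height, maxval, offset = parse_ppm_header(data)
    bytes_per_sample = 1 if maxval < 256 else 2
    expected = width * height * 3 * bytes_per_sample
    actual = len(data) - offset
    return {
        "width": width,
        "height": height,
        "maxval": maxval,
        "raster_offset": offset,
        "expected_raster_bytes": expected,
        "actual_raster_bytes": actual,
        "trailing_bytes": max(0, actual - expected),
        "missing_bytes": max(0, expected - actual),
        "trailing_data": data[offset + expected:] if actual > expected else b"",
    }


def diff_rasters(a: bytes, b: bytes):
    """Return (number of differing samples, OR of the XOR of each differing pair).

    The second value shows which bit positions ever changed: a mask of 0x01
    means only the least significant bits differ, which a human eye will not see.
    """
    wa, ha, ma, oa = parse_ppm_header(a)
    wb, hb, mb, ob = parse_ppm_header(b)
    if (wa, ha, ma) != (wb, hb, mb):
        raise ValueError("images differ in dimensions or maxval; crop/resample first")
    n = wa * ha * 3 * (1 if ma < 256 else 2)
    differing, bit_mask = 0, 0
    for x, y in zip(a[oa:oa + n], b[ob:ob + n]):
        if x != y:
            differing += 1
            bit_mask |= x ^ y
    return differing, bit_mask


# Constructed 2x2 sample: red, green, blue, white pixels, plus a header comment.
SAMPLE_CLEAN = (b"P6\n# constructed sample\n2 2\n255\n"
                + bytes([255, 0, 0, 0, 255, 0, 0, 0, 255, 255, 255, 255]))
# Same image with data appended after the raster (constructed trailer).
SAMPLE_WITH_TRAILER = SAMPLE_CLEAN + b"extra payload"
# Same image with the least significant bit of the first sample flipped.
_lsb = bytearray(SAMPLE_CLEAN)
_lsb[audit_ppm(SAMPLE_CLEAN)["raster_offset"]] ^= 0x01
SAMPLE_LSB_CHANGED = bytes(_lsb)

if __name__ == "__main__":
    for name, blob in (("clean", SAMPLE_CLEAN), ("trailer", SAMPLE_WITH_TRAILER)):
        print(name, audit_ppm(blob))
    print("clean vs lsb-changed:", diff_rasters(SAMPLE_CLEAN, SAMPLE_LSB_CHANGED))
```

Run it against a real file with `audit_ppm(open("RussianDolls.ppm", "rb").read())`; a nonzero `trailing_bytes` or a `bit_mask` confined to the low bits are the kinds of mismatch the hint is pointing at, and both are invisible in an image viewer.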

AVG compromised?

In my recent work, it appears that AVG might be getting compromised by the latest round of “Personal Antivirus”. Unfortunately, I haven't had a chance to confirm this, but it seems likely that something like this would eventually happen. The symptoms I have seen are as follows:

  • Popups and banners from “Personal Antivirus”

  • AVG cannot be killed or uninstalled or updated

Here is my current procedure for removal.

  • Boot into safe-mode

  • Using autoruns, remove any “weird” entries and the entries for AVG

  • Reboot into safe-mode

  • Run a known good copy of combofix

  • Reboot into safe-mode

  • Run ccleaner to delete any temp files (some variants hide there)

  • Uninstall (using revouninstaller or similar) AVG, Personal Antivirus and other junk

  • Remove any traces of Personal Antivirus from “C:\Program Files”

  • Patch to Service Pack 3 and IE 8 (if necessary)

  • Run Malwarebytes

  • Install your preferred antivirus solution (I like antivir)

Has anyone else seen this one? Any additional virus removal tips you would like to share?
