Saturday, November 29, 2008

Simple XSS Fuzzer v 1.0

We are proud to announce the release of our new tool, Simple XSS Fuzzer (SiX Fu) v 1.0.

Credit: Gerasimos Kassaras

Gerasimos Kassaras is a blogger for http://blog.kassaras.com and blog.owasp.gr.

The work flow of SiX Fu is as follows:



We will be releasing a "How-to" document in the publication section as well as with the tool package. The tool will be released in the next few hours.

- EF

Our Ancestral Wealth!!!

If you wish to inherit all our ancestral wealth (US $125,000,000,000,000,000), kindly click on the following link asap:

HERE

- EF

Friday, November 28, 2008

Thanksgiving Sale!!!

Hey guys,

Just like any other shop (online or offline), we have opened up a sale just for you and only for this Thanksgiving 2008. Well, not really!!! We are releasing a new tool called GSAuditor and yes, you can download this on any day and at any point of time (starting from the day of release: Friday 28th Nov, 2008).

Generic SHA-1 Auditor (GSAuditor) is an application that allows you to brute force password hashes derived from SHA-1. NOTE: GSAuditor is an "experimental" tool.

Current version of GSAuditor supports the following algorithms:

* RAW-SHA-1($password) - Mac OS 10.3 'Panther'
* SHA-1(UNICODE($password).$salt) - MS SQL 2000/2005 (remember that 2000 uses uppercase password!)
* SHA-1($password.$salt) - ORACLE 11g (the salt is currently 10 bytes)
* SHA-1($username.$password) - PHP
* SHA-1($salt.$password) - Mac OS 10.4 'Tiger'
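The five layouts above differ only in what bytes are fed to SHA-1. As an added example (this is not GSAuditor's own code), the following Python builds each layout from the post's formulas and audits a target hash against a constructed wordlist. The byte encodings are assumptions: UTF-8 for plain passwords and UTF-16LE for the MS SQL UNICODE() form; the MS SQL 2000 variant uppercases the password as the post notes. The salt and wordlist values are constructed for the demonstration.

```python
import hashlib
from typing import Callable, Dict, Iterable, Optional

# Each scheme maps (password, salt, username) to the bytes hashed with SHA-1.
# Layouts follow the post's formulas; the encodings are assumptions.
SCHEMES: Dict[str, Callable[[str, bytes, str], bytes]] = {
    # RAW-SHA-1($password) - Mac OS 10.3 'Panther'
    "raw": lambda pw, salt, user: pw.encode("utf-8"),
    # SHA-1(UNICODE($password).$salt) - MS SQL 2005, case-sensitive
    "mssql2005": lambda pw, salt, user: pw.encode("utf-16-le") + salt,
    # Same layout, but MS SQL 2000 stores the uppercased password
    "mssql2000": lambda pw, salt, user: pw.upper().encode("utf-16-le") + salt,
    # SHA-1($password.$salt) - Oracle 11g, 10-byte salt
    "oracle11g": lambda pw, salt, user: pw.encode("utf-8") + salt,
    # SHA-1($username.$password) - PHP applications
    "php_userpw": lambda pw, salt, user: user.encode("utf-8") + pw.encode("utf-8"),
    # SHA-1($salt.$password) - Mac OS 10.4 'Tiger'
    "tiger": lambda pw, salt, user: salt + pw.encode("utf-8"),
}


def hash_candidate(scheme: str, password: str, salt: bytes = b"", username: str = "") -> str:
    """Return the lowercase hex SHA-1 of `password` laid out per `scheme`."""
    if scheme == "oracle11g" and len(salt) != 10:
        raise ValueError("Oracle 11g salt is 10 bytes")
    return hashlib.sha1(SCHEMES[scheme](password, salt, username)).hexdigest()


def audit(scheme: str, target_hex: str, wordlist: Iterable[str],
          salt: bytes = b"", username: str = "") -> Optional[str]:
    """Return the first wordlist entry whose hash matches `target_hex`, else None."""
    target = target_hex.lower()
    for word in wordlist:
        if hash_candidate(scheme, word, salt, username) == target:
            return word
    return None


if __name__ == "__main__":
    # Constructed demo values: a 4-byte salt and a tiny wordlist.
    salt = bytes.fromhex("0a1b2c3d")
    words = ["123456", "letmein", "Secret1", "qwerty"]
    stored = hash_candidate("mssql2005", "Secret1", salt)  # pretend this came from a database
    print("stored hash:", stored)
    print("recovered  :", audit("mssql2005", stored, words, salt))
```

Note that with an empty salt the Tiger layout collapses to the raw layout, and the PHP layout with an empty username does the same, which is why unsalted or trivially salted SHA-1 stores are the easiest to audit.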

GSAuditor is in early stages of development, so if you encounter any bugs or would like to request additional features, contact contact.fingers @ gmail.com. Use the same address if you have any further questions.

PS: We do know that Thanksgiving was yesterday and the Black Friday sale is done already. But sometimes, it takes time to realize that the vacation day has come to an end only when you are almost awake. Cheers !!!

- EF

What is one thing according to you that could change our community?

We asked the following question to a gentleman from the infoSec community:
"What would be one thing according to you that could change our community for its best?"

He looked around for a while, and then said:
"When our community starts evaluating 'what you know' more than 'whom you know', then I am sure there is more opportunity for our community to auto-clean."

Isn't that a pinch of reality...

- EF

Thursday, November 27, 2008

"NoVirusThanks" on Projects Page

NoVirusThanks offers a free online detection service that analyzes suspicious and malicious files for viruses/worms, Trojans/backdoors and all kinds of malware (bots, rootkits, etc.), not only those already detected by antivirus engines.

NoVirusThanks also publishes a blog on analysis of new or weird Malware.

We have provided a page for all our users to submit their suspicious files to NoVirusThanks, which can be found at http://www.evilfingers.com/projects/NoVirusThanks.php

NOTE: This page is NOT intended for comparing AVs.

Let us know if you have any questions. Contact us at contact.fingers @ Gmail.com

- EF

Tuesday, November 25, 2008

Developers Welcome!!!

We are looking for developers with knowledge in any of the following languages:
Scripting: Perl, Python, Shellscript, Ruby
Languages: C/C++, Java, VB, .Net
Web: DHTML, CSS, PHP, XML/XSLT

Contact us at contact.fingers @ gmail.com

- EF

Google Chrome MetaCharacter URI Obfuscation Vulnerability.

Google Chrome's latest vulnerability on MetaCharacter URI Obfuscation, released by Aditya K Sood reached the media today.

This is EvilFingers' 5th vulnerability finding on Google Chrome (3 in Sep 2008, 1 in Oct 2008 and 1 in Nov 2008).

Nov 24, 2008 Google Chrome MetaCharacter URI Obfuscation Vulnerability

Oct 20, 2008 Google Chrome OnbeforeUload and OnUnload Null Check Vuln

Sep 27, 2008 Google Chrome Window Object Suppressing Remote DoS

Sep 23, 2008 Google Chrome Carriage Return Null Obj. Memory Exhaustion Remote DoS

Sep 2, 2008 Google Chrome Browser 0.2.149.27 in chrome.dll

The latest finding was released on 24th Nov 2008, after the security update that fixed a URL spoofing flaw aimed at pop-ups.

Some websites that listed the latest flaw:
http://www.milw0rm.com/exploits/7226

http://www.securiteam.com/windowsntfocus/6L00O1FN5S.html

http://novirusthanks.org/blog/?p=331

For more details contact us.

- EF

Monday, November 24, 2008

Why EvilFingers?

We asked Jess a question - "What if someone asks us, why EvilFingers? why not Good?" and his answer was "because GoodFingers sounds like something you'd eat."

Jess is also our chief critic for the overall website.

- EF

I-Worm/Nuwar.W + Rustock.E Variant - Analysis

Robert from www.NoVirusThanks.org has come up with an analysis on I-Worm/Nuwar.W + Rustock.E Variant, which can be found here.

- EF

Google Chrome MetaCharacter URI Obfuscation Vulnerability Released at EvilFingers.com

EvilFingers.com has released yet another Google Chrome vulnerability. This one is on Google Chrome MetaCharacter URI Obfuscation that can be found HERE. Thanks to Aditya K Sood for releasing this.

If you have any questions do contact us at contact.fingers @ gmail.com

- EF

Saturday, November 22, 2008

Holiday Gift!!!

What would you like your special holiday gift to be?

* Phished Emails
* Email Scams from Nigeria
* Worms
* Viruses
* Trojans/Backdoors
* Botnet
* DoS/DDoS

Well, it depends on

* What you click on?
Ans: Don't click on any email that advertises a sale!!! Even though you might think that it came from the right source, it could be a phishing mail.

* What not to visit?
Ans: Don't visit sites that you don't know about. You don't want to get free versions of trojans, viruses/worms, botnets etc.

Happy Holidays!!!

- EF

Friday, November 21, 2008

NoVirusThanks.org + EvilFingers.com = Partners

We are glad to announce our new technology partner, www.NoVirusThanks.org.

Kindly, check out their site and contact us if you have any questions.

- EF

Wednesday, November 19, 2008

Immediate Requirements

Developers / Programmers:

We are looking to bring in GUI programmers/developers for our tools. We are also in need of web developers (PHP), script writers (Perl, Python, Shell), driver programmers, C/C++/Java/VB/.Net programmers, etc. If you are a developer/coder and you believe that you could do the work that is assigned to you within the time YOU predict or allocate yourself, then kindly contact us at contact.fingers @ gmail.com


Kindly, email us your resume/cv/specifications (languages/tools/past-experiences/related links) for us to immediately take you into an appropriate task.

Why should you work for EvilFingers?
You don't have to, but if you did then we can share our experiences and learn stuff from each other.

- EF

ChaosReader implemented to view our PCAP repository

For our users to conveniently view all our PCAPs online, we ran our PCAPs through ChaosReader, a wonderful software that helps us make our PCAPs viewable online.

Check out:
http://www.evilfingers.com/projects/pcaps_challenge.php

http://www.evilfingers.com/projects/pcaps_stunts.php

http://www.evilfingers.com/projects/pcaps_sploits.php


Under the "View Online" column, there is a "view" link in each PCAP's row. Clicking it takes you to the ChaosReader output for that PCAP, so you can view it online.

- EF

Monday, November 17, 2008

What are Botnets?

The definition of botnets is changing to the following:

Interconnecting computers across the world to have the finest and free data share, which ensures lack of privacy, improves zombies' lifetime and increases their count exponentially. A botnet also ensures that even if you do not efficiently use your memory or processing power, it would install itself and make sure that every botnet-installed system is most efficiently used to DDoS or DoS useless websites.

Enjoy.

- EF

Sunday, November 16, 2008

Indians Rock!!!

An Indian(I) and an American(A) were in a conversation, "which country is technologically progressing for the past few centuries?"

'A' drove 'I' to New York and asked him to dig 1000 feet deep. 'A' then said, "this proves that we had wired communication a century ago". 'I' then took 'A' to India (Mumbai to be precise) and asked him to dig a hole until he finds something. 'A' dug a hole 4000 feet deep, gave up and asked 'I', "what are you trying to prove?". 'I' then said, "For 4 centuries we have been using wireless technology as our communication medium... Now, who is advanced in technology :)".

Hope you enjoyed...
- EF

PS: This joke is based on an email that we received in chain/forwarded emails.

Rootkit Analysis

We are now actively working on Rootkit Analysis. Jack O'Neill and Kirk McGraw are the two dedicated Project Managers allocated for this focus of projects alone.

If you have any questions or if you wish to volunteer, feel free to contact us at contact.fingers @ gmail.com

- EF

Saturday, November 15, 2008

Finally!!! We fixed it...

We had an issue with the Sploits PCAP page. Our PCAPs had spaces in their names and, unfortunately, when reading the file name to open it, only the first word before the first space was read, which showed up as a broken link. We had to rename all PCAPs by replacing spaces with _ or deleting them. We now have a total of 304 sploit PCAPs (269 Web Browser sploit PCAPs and 35 Browser PCAPs).

If you find any missing links or if you find any bugs at all, please feel free to contact us at contact.fingers @ gmail.com

- EF

Friday, November 14, 2008

Worms & Exploits Blog

Worms & Exploits blog is now a supporter of EvilFingers.com.

- EF

Thursday, November 13, 2008

Our new Vulnerability Researcher

EvilFingers is proud to announce our new Vulnerability Researcher, Mountassif Moad (a.k.a. Stack). Mountassif has published several PoCs on milw0rm that can be found at http://www.milw0rm.com/author/1331.

If you have any questions regarding volunteering or helping our community, kindly contact contact.fingers @ gmail.com.

- EF

Wednesday, November 12, 2008

Interview with a Terrorist

Rumor says that a news agency interviewed a terrorist on world terror. When they asked him the cause of such destructive actions, he responded that the creator is the destroyer.

The news reporter then said that the terrorist also mentioned that a well known organization "My Crow Soft" was also in the same position of creating and destroying technology, and asked why the creator of creators couldn't do the same.

This is something to think about...

- EF

MS releases security bulletin for Nov (Nov 11th 2008)

Microsoft Security Bulletin MS08-068 – Important (Vulnerability in SMB Could Allow Remote Code Execution (957097))

Executive Summary


This security update resolves a publicly disclosed vulnerability in Microsoft Server Message Block (SMB) Protocol. The vulnerability could allow remote code execution on affected systems. An attacker who successfully exploited this vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

This security update is rated Important for all supported editions of Microsoft Windows 2000, Windows XP, and Windows Server 2003, and Moderate for all supported editions of Windows Vista and Windows Server 2008. For more information, see the subsection, Affected and Non-Affected Software, in this section.

The security update addresses the vulnerability by modifying the way that SMB authentication replies are validated to prevent the replay of credentials. For more information about the vulnerability, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability entry under the next section, Vulnerability Information.

Recommendation.
Microsoft recommends that customers apply the update at the earliest opportunity.

Known Issues.
None

Microsoft Security Bulletin MS08-069 – Critical (Vulnerabilities in Microsoft XML Core Services Could Allow Remote Code Execution (955218))


Executive Summary

This security update resolves several vulnerabilities in Microsoft XML Core Services. The most severe vulnerability could allow remote code execution if a user viewed a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

This security update is rated Critical for Microsoft XML Core Services 3.0 and Important for Microsoft XML Core Services 4.0, Microsoft XML Core Services 5.0, and Microsoft XML Core Services 6.0. For more information, see the subsection, Affected and Non-Affected Software, in this section.

The security update addresses the vulnerabilities by modifying the way that Microsoft XML Core Services parses XML content, handles external document type definitions (DTD), and sets HTTP request fields. For more information about the vulnerabilities, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability entry under the next section, Vulnerability Information.

Recommendation.
Microsoft recommends that customers apply the update immediately.

Known Issues. Microsoft Knowledge Base Article 955218 documents the currently known issues that customers may experience when installing this security update. The article also documents recommended solutions for these issues.

More information is available at http://www.microsoft.com/technet/security/current.aspx.

- EF

Tuesday, November 11, 2008

Interview with a 5yr old...

When talking to a 5yr old, we had a general knowledge question...

Who is posing a major threat to Alaska?

(1) Terrorists
(2) Other states of US
(3) Russia
(4) None of the above.

The kid answered, well, terrorists cannot go there since it is too cold for them and the terrorists are from hot regions, or at least that is how people have described terrorists, that they are people from warm or hotter countries/continents...

So option 1 is ruled out. Then the kid said, the other states of the US are close to each other and Alaska is way above their heads to even think about... and it is way above the other states of the US itself, and hence option 2 is ruled out.

Russians wouldn't pose a threat to Alaska. We asked the kid as to why Russians will not pose a threat. The kid says, well they were the ones who donated Alaska for a cheap bid...

And the kid asked us a question. Although option 4 is the right choice, why did you not add Sarah Palin...


Have Fun...
- EF

Saturday, November 8, 2008

Virus Analysis

One fine morning, when 2 different people met under a single roof the following discussion took place:

John: Hello Sir!!! May I know the time please...
Smith: Hey... It is 9AM and it is really cold for that :)

John: Yes indeed, I am really running to work to analyze the outbreak of a new virus today.
Smith: Oh cool!!! So if you don't mind sharing, what are its specs... What is the vector? How many systems has it infected so far?

John: Sure !!! So far, it has affected our nervous system...
Smith: Oh, you are a doctor... I am sorry, I thought you were talking about computer virus...

John: Oh yeah!!! It is a computer virus and it affected our nervous system, since we have been in terrible shock since the day we started analyzing it...
Smith: Nice...

Enjoy and have fun!!!

- EF

Friday, November 7, 2008

New President Elected

The President says, "Thank you EvilFingers for all your support and commitment in the elections." and we responded back saying "We did nothing!!!" and he responded "That is what I was talking about. Thanks for not doing anything."

Anyways, that was just a joke...

Our hearty congratulations to President Elect Obama. Whether he is Republican or Democrat, he is the President of the United States and we hope that he would be as neutral as his speech and works for the betterment of our world... God Bless America!!!

- EF

Monday, November 3, 2008

Coincidence or fate

I did not know what to call this "Coincidence or fate"...

When looking through the web server logs, I noticed the following graph...


Wait a second!!! That sure looks familiar...


Is my website causing the global economy meltdown? Can it be coincidence or fate... hmm.

- EF :) hope you had some fun

Saturday, November 1, 2008

Giuseppe Bonfa - A new research member at EvilFingers

Two new research papers released by Giuseppe Bonfa:



Worm.Win32.Zhelatin.pk Reverse Engineering


Abstract: In this paper (Worm.Win32.Zhelatin.pk Reverse Engineering) we will analyze with a classical approach the entire structure of Worm.Win32.Zhelatin.pk from the pure infection, starting with happy-2008.exe, which is a classical E-Card malware spread through fake e-mails.



CartellaUnicaTasse.exe - An Italian Malware Reverse Engineering Study


Abstract: CartellaUnicaTasse.exe is an e-mail-spread malware that acts as a downloader agent for other malicious executable applications. Through CUT.exe a series of executables are downloaded and run on the victim user's system. In this paper we will analyze with a classical RCE approach the entire structure of CartellaUnicaTasse from the pure infection to the network point of view.

- EF