Bank UBI Fraud – Phishing Domain

September 28, 2008

Hi,

The following blog entry is the result of research carried out by me and Emdel from Playhack, who received the mail and wrote the paper with me.

The scam email is the following:

_________________________________________________

DEAR CUSTOMER OF _BANCA UBI,_ The Technical Service of Banca UBI Online is carrying out a scheduled update of the banking software in order to improve the quality of the banking services. We ask you to start the procedure for confirming the Customer's data. For this purpose, please click on the link that you will find at the end of this message. CLICK HERE TO CONFIRM [1] We apologise for any inconvenience, and we thank you for your cooperation. © Gruppo UBI Banca 2008 Links:

_________________________________________________

Which contains the following link: http://79.165.218.183/login.php

This URL is clearly a phishing site: there is no secure (HTTPS) connection, so loved by the banks, and the host is a bare IP address. Looking at the browser bar we can see a redirection:

This last URL gives us the following reply:

HTTP/1.1 302 Found
Date: Sun, 28 Sep 2008 12:53:17 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch10 mod_ssl/2.2.3 OpenSSL/0.9.8c
X-Powered-By: PHP/5.2.0-8+etch10
location: http://quiubi-line.com/hd/login.do.php
Content-Length: 0
Connection: close
Content-Type: text/html; charset=WINDOWS-1251
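As an added example that is not part of the original post, the Python script below applies the indicators discussed above to the URL chain of this scam: it parses a copy of the 302 reply shown, follows the Location header one hop, and flags a missing HTTPS connection, an IP-literal host, a brand lookalike domain and a cross-host redirect. The reply text is reconstructed from the headers on the page; the legitimate domain quiubi.it is taken from the favicon link in the page source further down, and the brand token list is an assumption of mine.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed copy of the 302 reply printed above (header values as shown on the page).
RAW_REPLY = (
    "HTTP/1.1 302 Found\r\n"
    "Date: Sun, 28 Sep 2008 12:53:17 GMT\r\n"
    "Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch10 mod_ssl/2.2.3 OpenSSL/0.9.8c\r\n"
    "X-Powered-By: PHP/5.2.0-8+etch10\r\n"
    "location: http://quiubi-line.com/hd/login.do.php\r\n"
    "Content-Length: 0\r\n"
    "Connection: close\r\n"
    "Content-Type: text/html; charset=WINDOWS-1251\r\n"
    "\r\n"
)

# The bank's real home-banking domain (from the favicon link in the phishing page source).
LEGIT_DOMAIN = "quiubi.it"
# Assumption: brand strings a lookalike domain is expected to contain.
BRAND_TOKENS = ("quiubi",)


def parse_response(raw):
    """Split a raw HTTP reply into (status_code, headers) with lower-cased header names."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def is_ip_host(host):
    """True when the host part of the URL is a literal IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def registrable(host):
    """Crude registrable domain: the last two labels (fine for .com/.it, not for .co.uk-style suffixes)."""
    return ".".join(host.lower().split(".")[-2:])


def check_url(url, legit_domain=LEGIT_DOMAIN):
    """Return the list of phishing indicators found in a single URL."""
    p = urlparse(url)
    host = p.hostname or ""
    findings = []
    if p.scheme != "https":
        findings.append("no-tls")
    if is_ip_host(host):
        findings.append("ip-literal-host")
    elif registrable(host) != legit_domain and any(t in host.lower() for t in BRAND_TOKENS):
        findings.append("brand-lookalike-domain")
    return findings


def analyse_chain(first_url, raw_reply):
    """Follow one redirect hop from the captured reply and report indicators for every URL in the chain."""
    status, headers = parse_response(raw_reply)
    chain = [first_url]
    if 300 <= status < 400 and "location" in headers:
        chain.append(headers["location"])
    report = {url: check_url(url) for url in chain}
    if len(chain) == 2 and urlparse(chain[0]).hostname != urlparse(chain[1]).hostname:
        report[chain[1]].append("cross-host-redirect")
    return report


if __name__ == "__main__":
    for url, findings in analyse_chain("http://79.165.218.183/login.php", RAW_REPLY).items():
        print(url, "->", ", ".join(findings) or "clean")
```

Run stand-alone it prints one line per hop; both hops of this scam come back with findings, while the bank's own https://www.quiubi.it/ address comes back clean.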

Dissection

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//IT" "http://www.w3.org/TR/html4/loose.dtd">
<html><head><title>Gruppo UBI Banca – Qui UBI – LOGIN</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta http-equiv="CONTENT-LANGUAGE" content="Italian">
<meta http-equiv="Expires" content="Dom, 01 Gen 2006 11:56:50 GMT">
<meta http-equiv="Pragma" content="no-cache">
<meta http-equiv="Cache-Control" content="no-cache">
<meta name="keywords" content="">
<meta name="description" content="Build Fase 4.40.00 – 30.01.2008 – Blocchi CI">
<link rel="stylesheet" href="login.do_files/bpu.css" type="text/css">
<link rel="shortcut icon" href="https://www.quiubi.it/hb/favicon.ico">

Here the fraud starts:

<h2 title="Benvenuto in Qui UBI Home Banking">
<span>Benvenuto in Qui UBI Home Banking!<br>
Qui UBI è un mondo di servizi di Internet Banking che ti permette di avere la tua banca sempre a portata di mano.
</span>
</h2>

CreditCard Number:

<form name="LoginForm" method="post" action="login.do.php?ref=1201716373577" onSubmit="javascript:checkAndSubmitLogin();" style="display: inline;">
<div class="txt-form-home">Codice cliente
<label for="field1" style="display: none;">Codice cliente</label>
</div>
<input name="codice" tabindex="1" value="" onKeyPress="hideErrors();if (event.keyCode==13) {entra(); return false;}" id="field1" class="campiform szInpHome" type="text">

SecurityCode

<div class="txt-form-home">Codice sicurezza (password)
<label for="field2" style="display: none;">Codice sicurezza</label></div>
<input name="password" tabindex="2" value="" onKeyPress="hideErrors();if (event.keyCode==13) {entra(); return false;}" id="field2" class="campiform szInpHome" type="password">
<br>

PIN:

<div class="txt-form-home">PIN Dispositivo
<label for="label" style="display: none;">Codice sicurezza</label></div><input name="pin" tabindex="2" value="" onKeyPress="hideErrors();if (event.keyCode==13) {entra(); return false;}" id="field3" class="campiform szInpHome" type="password">

If we fill in the form correctly, the credentials are stolen and the victim is redirected to the real UBI Bank website.

WHOIS Information

Now it is time to dive into the whois information to understand the real origin of this weird website:

Query on IP 79.165.218.183
Name Resolution:
host-79-165-218-183.qwerty.ru

inetnum: 79.165.208.0 - 79.165.223.255
netname: Neo-CNT
descr: BRAS E-320-29 DHCP-pool
descr: Russian Central Telegraph, Moscow
country: RU
admin-c: VYK9-RIPE
admin-c: AAP43-RIPE
tech-c: VYK9-RIPE
status: ASSIGNED PA
mnt-by: CNT-MNT
source: RIPE # Filtered

person: Victor Y. Kovalenko
address: Central Telegraph
address: 7, Tverskaya st.
address: 103375, Moscow, Russia
remarks: phone: +7 095 2924959
phone: +7 495 2924959
e-mail: vikov@cnt.ru
nic-hdl: VYK9-RIPE
remarks: Network Administrator
source: RIPE # Filtered
remarks: modified for Russian phone area changes

person: Alexey A Petrov
address: 7, Tverskaya st.,
address: Central Telegraph, Moscow,
address: 125375, Russia
remarks: phone: +7 095 504 4449
phone: +7 495 504 4449
remarks: fax-no: +7 095 201 9319
fax-no: +7 495 201 9319
e-mail: apetrov@cnt.ru
nic-hdl: AAP43-RIPE
remarks: Network Administrator
source: RIPE # Filtered
remarks: modified for Russian phone area changes

route: 79.164.0.0/15
descr: CNT-network BLOCK
origin: AS8615
mnt-by: CNT-MNT
source: RIPE # Filtered

It is from Russia! This year a lot of attacks, frauds and other kinds of illicit activity originated in the former USSR, and sometimes the shadow of the RBN is behind them.

Summing up the URL steps: the link in the email points to http://79.165.218.183/login.php, which answers with a 302 to http://quiubi-line.com/hd/login.do.php; once the form there is submitted, the victim is redirected to the real UBI Bank website.

An image can clarify the main fake features of the Russian website:

http://evilcodecave.files.wordpress.com/2008/09/bank_ubi1.jpg

Written by Giuseppe ‘Evilcry’ Bonfa’ and Emdel


Debugger Detection Via NtSystemDebugControl

September 15, 2008

Hi,

NtSystemDebugControl() is a really powerful undocumented function that allows direct manipulation of system structures.

Here a definition of NtSystemDebugControl:

http://undocumented.ntinternals.net/UserMode/Undocumented%20Functions/Debug/NtSystemDebugControl.html

The use of this function is limited only by the imagination of the coder.

I've rewritten some basic anti-debugging techniques using direct structure reading with NtSystemDebugControl. Obviously there are shorter ways to implement these anti-debug checks, but I think that the more reimplementations exist, the more possibilities there are to trick an attacker who may not know or understand the specific trick, especially if it is embedded in lots and lots of junk code.

Here you can download the Source Code sample:

http://evilcry.netsons.org/other/ntsd.zip

Have a nice Day,
Evilcry


Evilcry’s Dark Cave MOVED!!!!!

September 14, 2008

Hi,

I've moved my website from Altervista to Netsons.

The new link is HERE

Regards :)


glib 2.0-2.14.1 gmem.c Core Dump

September 6, 2008

Hi,

glib 2.0-2.14.1, and precisely gmem.c at line 135, is prone to a core dump that can be caused, for example, by massive cut-and-pasting through tools like Midnight Commander.

Here is a screenshot of the core dump:


See you at the next post :)


Fast ApiSpy (of DeviceIoControl) via oSpy2 Defined Hook

September 6, 2008

Hi,

oSpy2 is the evolution of oSpy-1.9.6 coded by oleavr.

With oSpy2 it is possible to spy on the API activity of a selected process. You may think that there are many other API spy tools, but oSpy2 implements a well-organized XML file called config.xml that lets you define the functions you want to spy on, and it also has other logging features such as a dump of the CPU registers.

Here is an XML sample applied to spying on DeviceIoControl:


<hookManager>
  <specs>
    <functions>
      <function name="DeviceIoControl" callingConvention="stdcall">
        <returnValue type="MSBool"/>
        <arguments>
          <argument name="hDevice" direction="in" type="UInt32" hex="true"/>
          <argument name="dwIoControlCode" direction="in" type="UInt32" hex="true"/>
          <argument name="lpInBuffer" direction="in" type="ByteArrayPtr" size="arg.nInBufferSize"/>
          <argument name="nInBufferSize" direction="in" type="UInt32"/>
          <argument name="lpOutBuffer" direction="out" type="ByteArrayPtr" size="arg.lpBytesReturned">
            <logCondition>reg.eax !=0</logCondition>
          </argument>
          <argument name="nOutBufferSize" direction="in" type="UInt32"/>
          <argument name="lpBytesReturned" direction="out" type="UInt32Ptr"/>
          <argument name="lpOverlapped" direction="in" type="UInt32" hex="true"/>
        </arguments>
      </function>
    </functions>
  </specs>
  <hooks>
    <dllModule name="kernel32.dll">
      <function specId="DeviceIoControl"/>
    </dllModule>
  </hooks>
</hookManager>


Note that this sample is taken from oleavr's blog, but with one basic difference:

<argument name="dwIoControlCode" direction="in" type="UInt32" hex="true" />

He used IoControlCode as the type with hex disabled; that way oSpy2 did not work, because it was not able to recognize the IoControlCode type.

Here is the output:
<event id="1" type="FunctionCall" timestamp="128651541912187500" processName="_CENSORED_" processId="1924" threadId="2620">
    <name>
        kernel32.dll::DeviceIoControl
    </name>
    <backtrace>
        <entry moduleName="_CENSORED_">
            0x100786d9
        </entry>
        <entry moduleName="_CENSORED_">
            0x10078780
        </entry>
        <entry moduleName="_CENSORED_l">
            0x10078803
        </entry>
        <entry moduleName="_CENSORED_l">
            0x1007886c
        </entry>
        <entry moduleName="_CENSORED_l">
            0x10078983
        </entry>
        <entry moduleName="_CENSORED_">
            0x10078a15
        </entry>
        <entry moduleName="_CENSORED_l">
            0x10077fe0
        </entry>
        <entry moduleName="_CENSORED_l">
            0x100963f6
        </entry>
    </backtrace>
    <cpuContext direction="in">
        <register name="eax" value="0x78"/>
        <register name="ebx" value="0x2000"/>
        <register name="ecx" value="0xc3fa28"/>
        <register name="edx" value="0xc3fa28"/>
        <register name="edi" value="0xad0000"/>
        <register name="esi" value="0x62babc"/>
        <register name="ebp" value="0x78"/>
        <register name="esp" value="0xc3f9ec"/>
    </cpuContext>
    <arguments direction="in">
        <argument name="hDevice">
            <value type="UInt32" value="0x78"/>
        </argument>
        <argument name="dwIoControlCode">
            <value type="UInt32" value="0x80012004"/>
        </argument>
        <argument name="lpInBuffer">
            <value type="Pointer" value="0x00C3FA28">
                <value type="ByteArray" size="16">
                    AAAAAAAAAAAAAK0AACAAAA==
                </value>
            </value>
        </argument>
        <argument name="nInBufferSize">
            <value type="UInt32" value="16"/>
        </argument>
        <argument name="lpOutBuffer">
            <value type="Pointer" value="0x00C3FA28"/>
        </argument>
        <argument name="nOutBufferSize">
            <value type="UInt32" value="16"/>
        </argument>
        <argument name="lpBytesReturned">
            <value type="Pointer" value="0x00C3FA24"/>
        </argument>
        <argument name="lpOverlapped">
            <value type="UInt32" value="0"/>
        </argument>
    </arguments>
    <cpuContext direction="out">
        <register name="eax" value="0x1"/>
        <register name="ebx" value="0x2000"/>
        <register name="ecx" value="0x7c801694"/>
        <register name="edx" value="0x7c91eb94"/>
        <register name="edi" value="0xad0000"/>
        <register name="esi" value="0x62babc"/>
        <register name="ebp" value="0x78"/>
        <register name="esp" value="0xc3fa1c"/>
    </cpuContext>
    <arguments direction="out">
        <argument name="lpOutBuffer">
            <value type="Pointer" value="0x00C3FA28"/>
        </argument>
        <argument name="lpBytesReturned">
            <value type="Pointer" value="0x00C3FA24">
                <value type="UInt32" value="16"/>
            </value>
        </argument>
    </arguments>
    <returnValue>
        <value type="Boolean" value="true"/>
    </returnValue>
</event>
What can I say... a really powerful tool!
See you at the next post.. :)
