December 31, 2008
Hi there people!
Another year seems to have passed! Definitely a good year, and I hope for a better 2009.
In these last weeks I have been quite busy with study and research/coding tasks.
I’m actively coding and researching new tools related to Evilfingers, but obviously I will not leave my Cave or the Blog; all the work that I do is done principally for my own pleasure and satisfaction, mine is only an insane Computer Science passion.
Some sad news shadowed these last days: the big CastleCops died!
CastleCops was a great service for people, and also a great source for malware researchers, because, as strange as it may seem, it is often HARD TO CATCH new virus samples!
So if you have any kind of virus sample, feel free to submit it to me!
For the new year I’ll release other Malware Analysis/Win Internals papers and hopefully new tools!
Actually I’m also working on FreeBSD, specifically on the ACPI Project; at the moment I’m working on the correction of the AcpiOsDerivePciId() function, which is not quite right. I hope to release the patch soon, and a little tech report on it for readers!
Another work on the TODO list is a little coding paper on a Thread Deadlock Barrier (TDB) implementation to enhance hook stability.
Have a nice Year!
Giuseppe ‘Evilcry’ Bonfa’
Driver Coding, Reverse Code Engineering, TechLife | Tagged: ACPI Project, AcpiOsDerivePciId, FreeBSD, New Year 2009, Submit Virus Samples, Thread Deadlock Barrier (TDB) Implementation to Enhance Hook Stability
Posted by evilcodecave
December 24, 2008
Felicissimus Dies Natalis Solis Invicti!!!!!!
To all new and old followers of my blog!!
This is For you!

Blogroll
December 23, 2008
Hi,
Today I’ve released an advisory for PGP Desktop 9.0.6.
Advisory:
PGP Desktop 9.0.6 Denial Of Service Vulnerability.
Version Affected:
PGP Desktop 9.0.6 [Build 6060] (other versions could be affected)
Component Affected:
PGPwded.sys
Release Date:
23 December 2008
Description:
PGP Desktop’s PGPwded.sys driver does not sanitize user-supplied input (IOCTL), and this leads to a driver crash that propagates through the system as a BSOD. The affected IOCTL is 0x80022038.
Proof Of Concept can be downloaded HERE
Regards,
Giuseppe ‘Evilcry’ Bonfa’
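As an added illustration (this is not the advisory's PoC or PGP's code), the following decodes the control code named above into its CTL_CODE fields and contrasts a handler that parses the request buffer blindly with one that validates the code and the input length first; the 16-byte request layout is a hypothetical stand-in, since the advisory does not describe the real structure.

```python
# Added example, not the advisory's PoC: decode a Windows IOCTL control code
# and model the input-length check that a METHOD_BUFFERED handler must do
# before it touches the request buffer. The request layout is hypothetical.
import struct

METHODS = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT",
           2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
ACCESS = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS",
          2: "FILE_WRITE_ACCESS", 3: "FILE_READ_ACCESS|FILE_WRITE_ACCESS"}

def decode_ioctl(code):
    """Split a CTL_CODE(DeviceType, Function, Method, Access) value into its fields."""
    return {
        "device_type": (code >> 16) & 0xFFFF,   # bits 31..16
        "access": ACCESS[(code >> 14) & 0x3],    # bits 15..14
        "function": (code >> 2) & 0xFFF,         # bits 13..2
        "method": METHODS[code & 0x3],           # bits 1..0
    }

# Hypothetical request structure for the IOCTL named in the advisory:
# four 32-bit little-endian fields, so the handler needs 16 bytes of input.
REQ_FMT = "<IIII"
REQ_LEN = struct.calcsize(REQ_FMT)
KNOWN_IOCTL = 0x80022038

def unchecked_handler(code, input_buf):
    """The defect pattern: trust the caller's buffer and parse it directly.
    In a driver, reading past a short buffer here is the crash (BSOD);
    here it surfaces as struct.error."""
    return struct.unpack(REQ_FMT, input_buf)

def checked_handler(code, input_buf):
    """Hardened pattern: reject unknown codes and short buffers up front,
    returning an NTSTATUS-style name and the parsed fields on success."""
    if code != KNOWN_IOCTL:
        return "STATUS_INVALID_DEVICE_REQUEST", None
    if len(input_buf) < REQ_LEN:
        return "STATUS_BUFFER_TOO_SMALL", None
    return "STATUS_SUCCESS", struct.unpack(REQ_FMT, input_buf[:REQ_LEN])

if __name__ == "__main__":
    print(decode_ioctl(KNOWN_IOCTL))
    print(checked_handler(KNOWN_IOCTL, b"\x00" * 4))
    print(checked_handler(KNOWN_IOCTL, b"\x01\x00\x00\x00" * 4))
```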
(In)Security | Tagged: Denial Of Service Vulnerability, IOCTL, PGP Desktop 9.0.6, PGPwded.sys, PoC, Proof of Concept
December 20, 2008
Hi,
Here is a fast analysis of the latest domain caught by my MSN honeypot.
Today I received the following advisory from my offline contact:
Xxx writes:
%random2% hello
www.BlockersNorthWe.info/ %random3%
Let’s dissect BlockersNorthWe.info
Source code for: http://www.BlockersNorthWe.info/
Server IP: 67.228.41.183 [ 67.228.41.183-static.reverse.softlayer.com ]
hpHosts Status: Not Checked
MDL Status: Not Checked
PhishTank Status: Not Checked
Date: sabato 20 dicembre 2008
Time: 18.01.52.01
<meta HTTP-EQUIV="REFRESH" content="0; url=http://reklam.softreklam.com/affiliates/manage.php?affid=2&o=17&c=17&d=1094">
As you can see, a meta refresh with a delay of 0 is used, which silently redirects you to
http://reklam.softreklam.com/affiliates/manage.php?affid=2&o=17&c=17&d=1094
<script language="JavaScript">
self.moveTo(0,0);self.resizeTo(screen.availWidth,screen.availHeight);setInterval("x()",10);setInterval("y()",500000);self.focus();
function x(){window.status="SOHBET"}
function y(){self.focus()};
</script>
<meta http-equiv="refresh" content="0;url= http://www.flycell.it/offer/?ref=2900&transid=IT2">
Another meta refresh, this time to http://www.flycell.it/offer/?ref=2900&transid=IT2
This is the destination URL.
As you can understand, this time we are in front of an MSN spam domain.
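To show how the two-hop redirect above can be reconstructed without a browser, here is an added example (my own code, not part of the original post) that extracts meta-refresh targets from page source and walks the chain; PAGES is a constructed offline sample modelled on the source quoted above, and fetch_offline stands in for a real HTTP fetch.

```python
# Added example (not from the post): extract meta-refresh targets from page
# source and follow the redirect chain offline. PAGES is a constructed sample
# modelled on the source quoted above; in practice fetch() would do the HTTP.
import re

META_TAG_RE = re.compile(r"<meta\b[^>]*>", re.I)
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")
URL_RE = re.compile(r"url\s*=\s*(\S+)", re.I)

def meta_refresh_target(html):
    """Return the URL of the first <meta http-equiv=refresh> tag, or None."""
    for tag in META_TAG_RE.findall(html):
        attrs = {m.group(1).lower(): (m.group(2) or m.group(3) or m.group(4) or "")
                 for m in ATTR_RE.finditer(tag)}
        if attrs.get("http-equiv", "").lower() != "refresh":
            continue
        m = URL_RE.search(attrs.get("content", ""))  # tolerates "0;url= http://..."
        if m:
            return m.group(1).strip("'\"")
    return None

def follow_refresh_chain(start, fetch, max_hops=10):
    """Walk meta-refresh hops from start; stop on a page without one, a loop, or max_hops."""
    chain = [start]
    url = start
    for _ in range(max_hops):
        nxt = meta_refresh_target(fetch(url))
        if nxt is None or nxt in chain:
            break
        chain.append(nxt)
        url = nxt
    return chain

# Constructed sample: the redirect chain quoted in the post, served from memory.
PAGES = {
    "http://www.BlockersNorthWe.info/":
        '<meta HTTP-EQUIV="REFRESH" content="0; url=http://reklam.softreklam.com/affiliates/manage.php?affid=2&o=17&c=17&d=1094">',
    "http://reklam.softreklam.com/affiliates/manage.php?affid=2&o=17&c=17&d=1094":
        '<script language="JavaScript">self.focus();</script>'
        '<meta http-equiv="refresh" content="0;url= http://www.flycell.it/offer/?ref=2900&transid=IT2">',
    "http://www.flycell.it/offer/?ref=2900&transid=IT2": "<html><body>landing page</body></html>",
}

def fetch_offline(url):
    return PAGES.get(url, "")

if __name__ == "__main__":
    for hop in follow_refresh_chain("http://www.BlockersNorthWe.info/", fetch_offline):
        print(hop)
```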
Server Type: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
IP Address: 67.228.41.183
IP Location: – Wilayah Persekutuan – Kuala Lumpur – Whei Meng Wong
Response Code: 200
Domain Status: Registered And Active Website
(In)Security | Tagged: %random2% hello, http://www.flycell.it/offer/?ref=2900&transid=IT2, msn, MSN Spam, www.BlockersNorthWe.info
December 8, 2008
Debugging & Disassembling, Reverse Code Engineering | Tagged: Analysis, AntivirusPro2009.exe, Backdoor.Win32.UltimateDefender.gtz, beep.sys, figaro.sys, install.exe, karna.dat, Malware, reverse engineering, rootkit
December 6, 2008
Hi,
My MSN honeypot has just caught another classic MSN credentials theft.
The system used is the classic offline message sent by an already compromised contact.
Here is the message:
___________________________
Xxx writes:
Xxx check out these awesome pics from the awesome party LOL http://Yyy.nustuff4u.com
__________________________
nustuff4u.com presents a classic form that asks for:
MSN E-Mail
MSN Password
and, as usual, the already seen disclaimer (please refer to my previous MSN-related blog posts).
Now let’s investigate this domain a bit.
ICANN Registrar: ENOM, INC.
Created: 2008-12-04
Expires: 2009-12-04
Updated: 2008-12-04
Registrar Status: clientTransferProhibited
Name Server: DNS1.REGISTRAR-SERVERS.COM (has 151,962 domains)
IP Address: 202.64.61.208
IP Location: – Hong Kong (sar) – Hong Kong – Ta_kung_pao
And finally we can see that it is Whois protected:
Domain name: nustuff4u.com
Registrant Contact: WhoisGuard, WhoisGuard Protected ()
(In)Security | Tagged: credentials theft, Fraud, MSN Spam, nustuff4u.com, Scam
December 5, 2008
Hi there,
Related to my previous post, here are the subsequent mails sent by “Dariya”.
-----------------
I sent an email yesterday from an email which i don't frequently use, so you'd better reply to me here. sorry for the confusion.
Dariya
-----------------
The new mail address is devochka_dariya @ mtsglobe.com
After this mail, another one followed:
-------------
Hello my dear , thank you for your kind letter!
At first I think I have to say that I am new in cyber space and I have
only good intentions. you should know that I am not very good writer in english,please be patient to read my
---------------
Just out of curiosity, let me search for the first words of this mail; here are the results:
- http://www.russian-scammers.com/Russia_dating_scams/Known_Scammers/
- http://www.scammers.ru/scammers/103200.htm
- http://www.russian-detective.com/black_lists/individ/new/n_trad/khikurava_svetlana.htm
In the next episodes I’ll write something about the Social Engineering techniques used =)
Regards,
Evilcry
(In)Security | Tagged: devochka_dariya@mtsglobe.com, Hello my dear, thank you for your kind letter! At first I think I have