Netsons Opened

March 7, 2009

Problem solved, http://evilcry.netsons.org now Up ‘n Running :)


End Year – New Year

December 31, 2008

Hi there people!

Another year seems passed! definitely a Good Year..and I hope a better 2009 :)

In these last weeks I was quite busy with Study and Research/Coding tasks.

I’m actively coding and researching new tools related to Evilfingers, but I will not leave obviously my Cave or the Blog, all Work that I realize is done principally for my own pleasure and satisfaction, mine is only an Insane Computer Science Passion :)

A sad news shadowed this last days, the Big CastleCops Died!

CastleCops was a Great Service for People, and also a great source for Malware Researchers, cause could seems strange..but often its HARD TO CATCH New Virus Samples!

So if you have every kind of Virus Sample feel free to submit me It!

For New Year I’ll release other Mw Analysis/Win Internals Papers and hopefully new tools!

Actually I’m also working on FreeBSD, specifically on ACPI Project, in this moment I’m working on the correction of AcpiOsDerivePciId() function, that is not quit right, hope soon to release patch and for readers a little tech report on it!

Another work in TODO List is a little Coding Paper on Thread Deadlock Barrier (TDB) Implementation to Enhance Hook Stability

Have a nice Year!

Giuseppe ‘Evilcry’ Bonfa’



IDA Pro Enhances Hostile Code Analysis Support

October 4, 2008

Hi,

IDA Pro is really amazing, new IDA ( 5.4 ) will have an innovative support for Hostile Code Analysis, that consists on a Bochs Emulated Debug Environment.

“The next version of IDA will be released with a bochs debugger plugin, and what is nice about is that you will be able to use it easily by just downloading bochs executables and telling IDA where to find it.”

“Finally comes the pe loader, which is a specialized bochs loader, that will read your PE file and create a virtual environment similar to windows environment, trying to mimic basic demands for a PE file (import resolution, SEH, api emulation backed by IDC scripts).”

What to say? is a really great enhancement for Malware Analysis ;)

Here you can watch the first video on Bochs Debugging http://hex-rays.com/video/bochs_video_1.html

Regards,

Giuseppe ‘Evilcry’ Bonfa’ :)


My Linkedin Profile

July 30, 2008

Hi,

Here you can see my Linkedin Profile

Have a nice Day,

Evilcry


PayPal Fraud

April 17, 2008

Hi,

Today my girl reported me an evident attempt of Fraud linked to PayPal Account. Let’s analyse it!

——————————–

—– Original Message —–

From: PayPaI Notice!
Sent: Thursday, April 17, 2008 2:21 PM
Subject: THE PAYMENT IS PENDING FOR THE MOMENT

We recorded a payment request from “Live Strip Chat Camera Sexy Girls -www.video-chat.co.uk – Girls Show
to enable the charge of $127.34 on your PayPal account. Because the order was made from an european internet address,
we put an Exception Payment on transaction id #POS 03 4573 motivated by our Geographical Tracking System.

THE PAYMENT IS PENDING FOR THE MOMENT .

If you made this transaction or if you just authorize this payment, please ignore or remove this email message.
The transaction will be shown on your monthly statement as “Live Strip Chat Camera Sexy Girls“.
If you didn’t make this payment and would like to decline the $127.34 billing to your card,
please follow the link below to cancel the payment : Cancel this payment ( transaction id #POS 03 4573)

Thank you for using PayPal!
The PayPal Team

Please do not reply to this email. This mailbox is not monitored and you will not receive a response.
For assistance, log in to your PayPal account and click the Help link located in the top right corner
of any PayPal page.

————————————-

The Fraud WebSite is http://217-33-56-79.capitalchelmsford.mezzonet.net/webscr/

The home page looks truly similar to the true PayPal one, but it hasn’t an SSL connection (one of the classical signs of Fraud) and ask you Email Address and PayPal Password, if mail and password have a correct format (presence of @ and Dots) we are suddenly prompted here:

http://217-33-56-79.capitalchelmsford.mezzonet.net/webscr/revalidate.htm?cmd_submitaccess0023044-submit=data_refund

where we’re asked for:

  • Card number
  • Expiration date
  • CVV Code
  • Electronic Signature

Card Number, as we can see by the source code:

if((signupFORM.car.value == “”)){
alert(“Please fill in your Card number”);
signupFORM.car.focus();
return false;
}
if(!isNumeric(signupFORM.car.value)){
alert(“Please fill a numeric card number”);
signupFORM.car.focus();r
return false;
}

if(signupFORM.car.value.length <= 15){
alert(“This is not a valid card number.”);
signupFORM.car.focus();
return false;
}
if((signupFORM.car.value == “0000000000000000”)){
alert(“Sorry! This is not a valid credit card number.”);
signupFORM.car.focus();
return false;
}
if((signupFORM.car.value == “8888888888888888”)){
alert(“Sorry! This is not a valid credit card number.”);
signupFORM.car.focus();
return false;
}
if((signupFORM.car.value == “4111111111111111”)){
alert(“Sorry! This is not a valid credit card number.”);
signupFORM.car.focus();
return false;
}

So our Card need to be Not Empty at least 15 digits long and different from 0000000000000000, 8888888888888888,

4111111111111111

CVV Code:

if(!isNumeric(signupFORM.cl.value)){
alert(“Please fill a numeric CVV2″);
signupFORM.cl.focus();
return false;
}
if((signupFORM.cl.value == “”)){
alert(“Please fill in your CVV2 number”);
signupFORM.cl.focus();
return false;
}
if(signupFORM.cl.value.length < 3){
alert(“This is not a valid CVV2.”);
signupFORM.cl.focus();
return false;

Electronic Signature (PIN):

if(signupFORM.ins.value.length < 4){
alert(“This is not a valid PIN.”);
signupFORM.ins.focus();
return false;
}
if((signupFORM.ins.value == “”)){
alert(“Please fill in your PIN”);
signupFORM.ins.focus();
return false;

If all these field are compiled correctly, we land to the final page where we’re asked for our Bank Name, and finally the congrats page :)

From DomainTools we obtain this:

IP Location: United Kingdom United Kingdom Ftip002881171 Capital Enterprise Centres Chelmsford
Resolve Host: 217-33-56-79.capitalchelmsford.mezzonet.net
IP Address: 217.33.56.79
Blacklist Status: Clear

Whois Record

inetnum:        217.33.56.64 – 217.33.56.127
netname:        CEC-CHELMSFORD
descr:          FTIP002881171 Capital Enterprise Centres Chelmsford
country:        GB
admin-c:        PC6279-RIPE
tech-c:         PC6279-RIPE
status:         ASSIGNED PA
mnt-by:         BTNET-MNT
mnt-lower:        BTNET-MNT
mnt-routes:        BTNET-MNT
remarks:        Please send abuse notification to 

See you to the next post.. :)

PS: Thanks Pì ;)



SPAM Analysis Tools

April 16, 2008

Hi,

Here a quick list of the most used Tools for Spam Analysis:

Other tools will be added in the future.

See you to the next post.. :)


Follow

Get every new post delivered to your Inbox.