Hi,

Today I was informed of a new Privacy Threat spreaded through MSN.

Offline contacts sends to all online contacts the following link http://ultimatestufff.com/

Let’s see how ultimatestufff works..

At a first analysis dissection we can see that this Webservice is runned surely from
a little private server;

HTTP/1.0 200 OK
Connection: close
X-Powered-By: PHP/4.4.8
Content-type: text/html
Content-Length: 345
Date: Sun, 17 Aug 2008 13:04:33 GMT
Server: lighttpd/1.4.19

Because lighttpd is used.

The content of the first page is similar to my previous MSN-Malicious-Website discovery,
indeed we have:

<html>
<head>
<title></title>
</head>
<frameset rows=”*,30,1″ frameborder=0>

<frame src=”indexx.php” name=”">
<frame src=”abuse.html” name= frameborder=no framespacing=0 marginheight=0 marginwidth=0></frame>
<frame src=”counter.php” name= frameborder=no framespacing=0 marginheight=0 marginwidth=0></frame>

</frameset>
</html>

-> abuse.html

<center><b>Send Abuses to <a href=”mailto:abuse@cpashield.com“>abuse@cpashield.com</a></b>

Looks perfectly similar to the previous case, but without java obfuscation.

-> counter.php

<img src=”http://www.ipcounter.de/count.php?u=52572355&amp;color=pink” alt=”" border=”0″ width=0 height=0></a></noscript><img src=”http://www.ipcounter.de/count.php?u=54136814&amp;color=pink” alt=”" border=”0″ width=0 height=0></a></noscript>

And finally the most intersting, indexx.php that performs a redirection to:

http://www.incentaclick.com/nclick.php?id=14955&cid=3674&sub=newadx

This time the entity of the Webservice is more important, is used a famous service Incentaclick
that installs some Tracking Cookies:

HTTP/1.1 200 OK
Date: Sun, 17 Aug 2008 05:06:08 GMT
Server: Apache
Set-Cookie: IncentaclickUC367414955=367414955newadx; expires=Tue, 16-Sep-2008 05:06:08 GMT; path=/; domain=.incentaclick.com
Set-Cookie: IncentaclickUC367414955=367414955newadx; expires=Tue, 16-Sep-2008 05:06:08 GMT; path=/; domain=www.incentaclick.com
Set-Cookie: IncentaclickTrackCookie3674=14955-newadx; expires=Sat, 15-Nov-2008 05:06:08 GMT; path=/; domain=.incentaclick.com
Set-Cookie: IncentaclickTrackCookie3674=14955-newadx; expires=Sat, 15-Nov-2008 05:06:08 GMT; path=/; domain=www.incentaclick.com
P3P: CP=”NOI DSP COR NID”
Content-Length: 184
Connection: close
Content-Type: text/html; charset=UTF-8

And this is the source code:

<html><head><title>Incentaclick Media</title><meta http-equiv=’refresh’ content=”0;url=http://www.perfspot.com/join.asp?LanguageID=1&p=98958&t=14955-newadx“></head><body></body></html>

As you can see there is a Meta Renfresh that redirects (instantly!) the user to another
website:

http://www.perfspot.com/join.asp?languageid=1&p=98958&t=14955-newadx

A common visitor will not see the passage from Incentaclick, but will have its cookies..

Perfspot is a Website that offers a Meeting Service.

It’s interesting to see that during registration the user is asked to provide MSN/Linkedin/Live account, and is this the point where dumb user allows perfspot to reach other users.

Another interesting point is that, after you have completed the registration you’re automatically prompted to a geo-location that corresponds to the location of the Offline user that sent you the Advisory.

Here the Domain Informations for ultimatestufff.com

Domain Informations

jQuery(’#registryDataContainer’).show();

Server Data

IP Address:	210.56.53.73
IP Location	- Hong Kong (sar) - Hong Kong - Sun Network (hong Kong) Limited
Response Code:	200
Domain Status:	Registered And Active Website

What to say..I’m a proud paranoid!!!

See you to the next post..

PS: I’m open to job offerings!

Hi,

Usually Spam is targeted to Marketing Massive Action, that does not contains any form of Malicious Code, but in the last period there is a second collateral and heavly emerging trend (especially into Web Applications that allows comments, as Blogs) is the Malicious Spam, an apparent mail of Spam that redirects you to malicious code..

Here the latest Malicious Spam Mail that I’ve received on my gmail account:

Subject: mp3 Shocking for evilcry

Content: Rihanna New video!!!
Look It now

The malicious link points to http://ro{CENSORED}eel.com/index1.php

By dissecting the malicious link we can see that a redirection is done

<!DOCTYPE HTML PUBLIC “-//W3C//DTD HTML 4.01 Transitional//EN”>

<html>
<head>
<META HTTP-EQUIV=”refresh” CONTENT=”5;URL=http://robbiereel.com/video3425gdf3.exe”>
<title></title>
</head>

</div>
</body>
</html>

The technique is always the same, a fake Video.exe that the Victim download and executes, in this case the malware is named video3425gdf3.exe

Let’s analyse video3425gdf3.exe

File: video3425gdf3.exe

MD5: acd73c4930e8191fa7a35dac448d7f4b

Kaspersky Anti-Virus: Found Trojan-Downloader.Win32.Agent.aacg

Hi,

Malware is often really boring to reverse because in high percentage they implements basical well known mechanisms of infection and self protection.
But sometimes there are really intersting malware that implements innovative techniques, this is the case of a trojan borned into 2006 that implemented DeleteFiber() as Anti–Debug Trick in a really easy and smart way.

To understand how it works, let’s see whar DeleteFiber is, directly from MSDN:

Deletes an existing fiber.

VOID WINAPI DeleteFiber(
__in  LPVOID lpFiber
);

lpFiber is the address of the fiber to be deleted.

Important to say that the DeleteFiber function deletes all data associated with the fiber.
This data includes the stack, a subset of the registers, and the fiber data.

Now let’s see a basical use of DeleteFiber():

#define _WIN32_WINNT 0×0400
#include <windows.h>

int main(void)
{
char fiber[1024] = {0};
DeleteFiber(fiber);
return EXIT_SUCCESS;
}

After showing the basical use of DeleteFiber let’s see how can be implemented as Anti-Debug Trick,
I insert here direcly the code:

#define _WIN32_WINNT 0×0400
#include <windows.h>
#include <stdio.h>

int main(void)
{
char fib[1024] = {0};
DeleteFiber(fib);

if(GetLastError() == 0×00000057)
MessageBoxA(NULL,”This process is NOT debugged”,”Info”,MB_OK);
else
MessageBoxA(NULL,”This process IS debugged”,”Info”,MB_OK);


return EXIT_SUCCESS;
}
As you can understant we can resume this trick into two cases:

• If the process is NOT debugged DeleteFiber give us an Error Code of 0×00000057 that corresponds to ERROR_INVALID_PARAMETER
• If the process IS debugged the error code is differs from 0×00000057

What to say it’s really easy to implement and really effective for all kind of debuggers, with a

bit of junk code that confuses ideas the conditional check could be placed really distant from the

DeleteFiber() itself.

Inside DeleteFiber()

Now we will see how DeleteFiber internally works to understand why this should be used as

Anti-Debug trick.

This is the Dead List:

00401000 PUSH DF.00403370

00401005 CALL DWORD PTR DS:[<&KERNEL32.DeleteFiber>; kernel32.DeleteFiber

inside DeleteFiber()

7C825A9F > MOV EDI,EDI ; DF.00403778

7C825AA1 PUSH EBP

7C825AA2 MOV EBP,ESP

7C825AA4 PUSH ECX

7C825AA5 PUSH ESI

7C825AA6 MOV EAX,DWORD PTR FS:[18] ;_TEB Struct

7C825AAC MOV ECX,DWORD PTR DS:[EAX+10] ;pointer to _TIB.FiberData field

7C825AAF MOV ESI,DWORD PTR SS:[EBP+8] ;lpFiber

7C825AB2 CMP ECX,ESI

7C825AB4 JE kernel32.7C826596 ;ExitThread if( FiberData == lpfiber)

7C825ABA AND DWORD PTR SS:[EBP-4],0 ;Clears this Stack location

7C825ABE PUSH 8000 ;MEM_RELEASE

7C825AC3 LEA EAX,DWORD PTR SS:[EBP-4]

7C825AC6 PUSH EAX

7C825AC7 LEA EAX,DWORD PTR DS:[ESI+10]

7C825ACA PUSH EAX

7C825ACB PUSH -1

7C825ACD CALL DWORD PTR DS:[<&ntdll.NtFreeVirtual> ntdll.ZwFreeVirtualMemory

7C825AD3 MOV EAX,DWORD PTR FS:[18] ;_TEB Struct

7C825AD9 MOV EAX,DWORD PTR DS:[EAX+30] ;points to _PEB Struct

7C825ADC PUSH ESI ;lpFiber

7C825ADD PUSH 0 ;0×00000000

7C825ADF PUSH DWORD PTR DS:[EAX+18] ;PEB.ProcessHeap

7C825AE2 CALL DWORD PTR DS:[<&ntdll.RtlFreeHeap>] ; ntdll.RtlFreeHeap

7C825AE8 POP ESI

7C825AE9 LEAVE

7C825AEA RETN 4

In the first part of DeleteFiber is retrived the _TEB structure and specifically a member of

_TIB structure located at 10h

0:003> dt nt!_TEB -b

ntdll!_TEB

+0×000 NtTib : _NT_TIB

+0×000 ExceptionList : Ptr32

…

+0×00c SubSystemTib : Ptr32

+0×010 FiberData : Ptr32

and next if FiberData is equal to our Fiber’s Address it means that Fiber is suicinding itself

and system calls ExitThread(), next we can notice a NtFreeVirtualMemory call with the following

parameters:

NtFreeVirtualMemory(NtCurrentProcess(), &pStackAllocBase,&nSize,MEM_RELEASE);

The system deallocates the used stack and finally calls RtlFreeHeap in this manner:

RtlFreeHeap(GetProcessHeap(), 0, lpFiber);

This last call clarifies totally the presence of ERROR_INVALID_PARAMETER because has we have seen

DeleteFiber is directly correlated with Heap, and Heap Memory presents a set of Flags that

characterize the Heap itself.

These Flags differs in case the process IS debugged or NOT, so we can suppose that these flags

are created when the exe itself is executed, in other words at Process Creation Time. Under

Windows NT processes are created through PspUserThreadStartup and inside it we can found

LdrInitializeThunk, that as Russinovich sais The LdrInitializeThunk routine initializes the

loader, heap manager, NLS tables, thread-local storage (TLS) array, and critical section

structures. By going more deep we can see that there is a specific function that fill the PEB

Struct of the new process MmCreatePeb(), PEB is important because between his various fields

are stored Heap Flags of our process. I’m talking about NtGlobalFlag, for a debugged process

these flags are:

#define FLG_HEAP_ENABLE_TAIL_CHECK 0×00000010

#define FLG_HEAP_ENABLE_FREE_CHECK 0×00000020

#define FLG_HEAP_VALIDATE_PARAMETERS 0×00000040

Now if a process has these flags enabled ( HeapDebug ) RtlFreeHeap will fail the Heap freeing and

this error will be propagated to DeleteFiber() that will exit with an ERROR_INVALID_PARAMETER.

Anti Anti-Debug

Due to the fact that the Heap Validation is accomplished at Processs Creation Time, one

countermeasure against Anti-Debug will be to attach the debugger after that the process is created.

If you are using WinDbg could be used the HeapDebug option ( -hd )

Between the function involved in process creation we have also LdrQueryImageFileExecutionOptions

that mantains trace of IFEO ( Image File Execution Options structure) this struct is located into

Registry under the path

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\]

The various possible values are:

Debugger

DisableHeapLookaside

ShutdownFlags

MinimumStackCommitInBytes

ExecuteOptions

GlobalFlag

DebugProcessHeapOnly

ApplicationGoo

RpcThreadPoolThrottle

GlobalFlag can be used to modify NtGlobalFlag, so if you set this key entry to NULL, Heap of the

debugged program will looks as an undebugged one, read this as an Anti-Anti Debug Trick :).
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\

Target.exe]

"GlobalFlag"=""

Hi,

Here you can see my Linkedin Profile

Have a nice Day,

Evilcry

Hi,

Just yesterday I’ve searched the newest uTorrent client, and the first record appeared in google
by searching “uTorrent” is

This is a Fake uTorrent Website, cause the real one is:

As you can see the page looks pretty well engineered apart the repetitions of “Download Here” in the same page.

Let’s see the application..

MALWARE MALWAREMALWARE MALWAREMALWARE MALWAREMALWARE MALWAREMALWARE

MALWARE MALWAREMALWARE MALWAREMALWARE MALWAREMALWARE MALWAREMALWARE

Really suspicious

install_utorrent1.8rc6.upx.exe.exe

First of all because uTorrent is a Standalone Executable and second for the strange final name
upx.exe.exe

By Virus scan with Jotti service we can see that this application is

Kaspersky: Found Backdoor.Win32.Small.exw

See you to the next post..

Hi,

SetUnhandledExceptionFilter() Anti Debug Trick is frequently used, especially in Malware Applications. Around here there are various plugins for Olly that allows the Reverser to trasparently debug this kind of protection, so there is not a real necessity add other words about the mere practical part.

Due to the fact that today, too many young reversers uses a ton of plugins anti - anti - xxx without knowing how internally they works, I decided to expose here SetUnhandledExceptionFilter() Anti Debug Trick from Internals.

First of all, what is SetUnhandledExceptionFilter() ? according to MSDN documentation:

Enables an application to supersede the top-level exception handler of each thread of a process.

After calling this function, if an exception occurs in a process that is not being debugged, and the exception makes it to the unhandled exception filter, that filter will call the exception filter function specified by the lpTopLevelExceptionFilter parameter.

And this is the Syntax:

LPTOP_LEVEL_EXCEPTION_FILTER WINAPI SetUnhandledExceptionFilter(
__in  LPTOP_LEVEL_EXCEPTION_FILTER lpTopLevelExceptionFilter
);

lpTopLevelExceptionFilter is a pointer to top-level exception filter function that will be called whenever the UnhandledExceptionFilter function gets control, and the process is not being debugged. A value of NULL for this parameter specifies default handling within UnhandledExceptionFilter.

Usually, in absence of an UnhandledExceptionFilter the topmost handler called when an uncatched exception occours, is the default one provided by Windows Itself, the classical MessageBox that advices the user that an Unhandled Exception has occured.

But Windows allow programs to use custom Handlers for UnhandledException. The core of the trick is here, if the application is NOT debugged, the application is able to call the Custom Handler, but if the application IS debugged the Custom Handler will be never called.

The possibility of cognitive differentiation make obviously able the target application to apply a series of countemeasures against debugging, from detection to code hidding.

Just remember that due to the architecture of Windows Exception Handling, in every case is called UnhlandledExceptionFilter() function, and this will our point of attack (for anti - anti dbg trick).

This is the general inner meccanism of SetUnhandledExceptionFilter(), going more deep we observe the call stack of the first thread of any Win32 application, we can see that execution in every case is reported to BaseProcess, here the pseudo definition:

VOID BaseProcessStart( PPROCESS_START_ROUTINE pfnStartAddr )
{
    __try
    {
        ExitThread( (pfnStartAddr)() );
    }
    __except( UnhandledExceptionFilter( GetExceptionInformation()) )
    {
        ExitProcess( GetExceptionCode() );
    }
}

The same thing happens for threads, by referencing to BaseThreadStart:

VOID BaseThreadStart( PTHREAD_START_ROUTINE pfnStartAddr, PVOID pParam )
{
    __try
    {
        ExitThread( (pfnStartAddr)(pParam) );
    }
    __except( UnhandledExceptionFilter(GetExceptionInformation()) )
    {
        ExitProcess( GetExceptionCode() );
    }
}

All that happens inside BaseProcessStart() and BaseThreadStart() for what previously said, will be passed to the UnhandledExceptionFilter().

It’s now time to see what really is UnhandledExceptionFilter(), according to MSDN:

An application-defined function that passes unhandled exceptions to the debugger, if the process is being debugged. Otherwise, it optionally displays an Application Error message box and causes the exception handler to be executed. This function can be called only from within the filter expression of an exception handler.

Syntax

LONG WINAPI UnhandledExceptionFilter(
  __in  struct _EXCEPTION_POINTERS *ExceptionInfo
);

Became clear that UnhandledExceptionFilter represents the last choise for processing unhandled exceptions, so the Debugger Presence surely is located inside this function, let’s see a simplified version of this function:

LONG UnhandledExceptionFilter( EXCEPTION_POINTERS* pep )
{
    DWORD rv;

    EXCEPTION_RECORD* per = pep->ExceptionRecord;

    if( ( per->ExceptionCode == EXCEPTION_ACCESS_VIOLATION ) &&
         ( per->ExceptionInformation[0] != 0 ) )
    {
        rv = BasepCheckForReadOnlyResource( per->ExceptionInformation[1] );

        if( rv == EXCEPTION_CONTINUE_EXECUTION )
            return EXCEPTION_CONTINUE_EXECUTION;
    }

    DWORD DebugPort = 0;

    rv = NtQueryInformationProcess( GetCurrentProcess(), ProcessDebugPort,
                                    &DebugPort, sizeof( DebugPort ), 0 );

    if( ( rv >= 0 ) && ( DebugPort != 0 ) )
    {
        // Yes, it is -> Pass exception to the debugger
        return EXCEPTION_CONTINUE_SEARCH;
    }

    // Is custom filter for unhandled exceptions registered ?

    if( BasepCurrentTopLevelFilter != 0 )
    {
        // Yes, it is -> Call the custom filter

        rv = (BasepCurrentTopLevelFilter)(pep);

        if( rv == EXCEPTION_EXECUTE_HANDLER )
            return EXCEPTION_EXECUTE_HANDLER;

        if( rv == EXCEPTION_CONTINUE_EXECUTION )
            return EXCEPTION_CONTINUE_EXECUTION;
    }   

}

As you can see, inside UnhandledExceptionFilter() is called NtQueryInformationProcess() that has as first parameter our process and next DebugPort, this is done to know if the process is debugged.

All that we have to do to obtain an apparently undebugged process is to modify the first parameter (last pushed at debugging time), in other words we have to change the retur value of GetCurrentProcess() from 0xFFFFFFFF to 0×00000000.

So remember, when you have to overcome a SetUnhandledExceptionFilter() just put a Breakpoint for UnhandledExceptionFilter() and go inside this function to modify the previously exposed parameter

Thanks to Oleg Starodumov for pseudocodes

See you to the next blog post..

Hi,

Long time has passed from my last blog post.

I’ve released CartellaUnicaTasse.exe An Italian Malware Case Study,

the paper can be downloaded here: http://evilcry.altervista.org/tuts/Mw/CartellaUnicaTasse.pdf

See you to the next post

Hi there,

Another “new” attempt of fraud from alinarbar56 (@) yahoo.com

I hope this letter meets you well, I am sorry if I
have intruded on your privacy or barged in on you
without your permission.I have a very rewarding
project which I think will be beneficial to both of us
putting trust,confidentialty and most of all the fear
of God into focus. If after going through this email
you do not find it interesting please disregard it and
send me a formal response.I was a member of the Abuja
National stadium building and organizing committee of
the just concluded “ALL AFRICAN GAMES” which was
organized and hosted by Nigeria but before now I have
been a director of sports in the Federal Ministry of
Sports and Youth Development.We were appointed over 5
years ago to supervise the building of the ultra
modern Abuja National stadium, putting in place all
equipments needed for the completion of the stadium
which is acclaimed to be one of the best in the world
today and also involved in the planning and hosting of
the games.This project
cost the government of Nigeria millions of dollars.

The stadium project has been completed,all equipments
put in place and commissioned and used for the All
African Games tagged “ABUJA 2003“.The accounts have
been rendered to the government satisfactorily and we
have received commendations for a job well done.During
the construction, planning and execution of this
project,as the chairman of contract award committee I
was able to make some money for myself through
contract that was awarded to Dewolfgang Gmbh which I
over-invoiced to the tune of USD18.5M with the help of
Dewolfgang contractor.All I want you to do is to
assist me in clearing this amount while standing in as
the owner and director of Vacknol Nigeria
International Limited in whose name I made as the
beneficiary of the funds.Vacknol Nigeria International
Limited is an international company and could have a
company anywhere in the world the mostimportant thing
been that it is registered here in Nigeria as a
limited liability company in line with the company and
allied matters decree of Nigeria which I have since
done, I have also in my possession some contract
document which will act as proof that Vacknol Nigeria
International Limited executed the contract as a sub
contractor under the Dewolfgang Gmbh who is the major
contractor that executed the contract that was over
-invoiced.

On the payment of this money to you as the supplier in
the name of Vacknol Nigeria International Limited
because I will apply for the transfer in this name,and
you as the director of the company. I will come to
meet with you so that we can both sit down and discuss
further,what kind of business we will enter into or if
need be expand your already existing business, but
actually I hope to establish a five star hotel and go
into real estate development as these are life time
businesses that I know are of high yeild interest any
where in the world.I know you will be entitled to some
percentage of this money as compensation for your
efforts, Please feel free to indicate what you will
take from this amount,as this is very important to me
before we commence proceedings.I will tell you more
about this when I hear from you.

Best Regards.

Have a nice Day,

Evilcry

Hi,

Device Drivers Security is not a really spreaded and known, not many researchers are involved into this field, one of my scope, in this blog is to summarize all material related to Windows Kernel Mode Security..

Here two intersing new papers about Kernel Pool Overflows and Driver Impersonation Attack:

http://immunityinc.com/downloads/KernelPool.odp

http://immunityinc.com/downloads/DriverImpersonationAttack_i2omgmt.pdf

See you to the next post..

Hi,

Today my Girl kindly signaled me an e-mail that she has received some time ago. This mail have as subject Cartella esattoriale n° 003 210400360968173 and contains an Executable in attachement called CartellaUnicaTasse.exe

This executable is packed with a layer of UPX so it can be easly unpacked, is also coded in VB6, this malware is actually detected as Trojan-Downloader.Win32.VB.fcd by many AVs but is still working in all its functionalities.

From a fast analysis we can carve two URLs from which are downloaded two virusses:

hxxp://2{CENSORED}.biz/mef/download1.exe

hxxp://2{CENSORED}.biz/mef/download3.exe

Download1.exe -> Trojan-Clicker.Win32.Agent.aqk

Download2.exe -> Trojan.Win32.Small.atd

Download3.exe -> Trojan.Win32.Dialer.qi

loader_mef.exe -> Trojan-Downloader.Win32.VB.fcd

mef.exe -> Trojan-Clicker.Win32.Agent.aqk

I’ll analyze both Download1 and Download3 and I’ll post soon how these craps works

All these Malwares are written by an Italian, the downloader contains the path c:\Programmi\ and the Dialer contains also italian terms.

See you to the next post..