Scam From Russia

November 28, 2008

Hello,

It has been a long time since my last post, due to a busy real life.

Today we will look at another kind of scam/fraud mail scheme from Russia.

The first mail was this:

Subject: hello from kara

Do not ignore me please,
I found your email somewhere and now decided to write you.
Let me know if you do not mind. If you want I can send you some pictures of me.
I am a nice pretty girl. Don’t reply to this email.
Email me direclty at dkara {{}} officialsup.com

My reply was

Hello,

yes I’m interested.

and after many days (Kara’s first contact on 2 Nov., Dariya’s reply on 28 Nov.),

here is the text of the mail:

Dariya <sladka@myup2you.com>

—————–

Hello my friend
I am so happy to see that you have decided to reply,I see it is very
short letter.It is all right because you are astonished to get my
letter. I know that you’re probably surprised to get my message. I got your email somewhere on the website. I don’t remember which one it was.
I want you to know that I have only good intentions and I have not any secrets.
The thing is that I will work in your country for three months or so and I would like to meet a nice man to fall in love  or just be closest friends.
I don’t want to live in Russia because I have not any chances  here,it is hardly possible to explain from first time but
I want you to know my plans.I will work in  any shop, bar or restaurant the agency that i am going through will suggest
me some locations. It will be my choice in the end as to what option to go for.
So I will have a simple work till I improve my English. And I can  choose any town of your area,agency will only help me
to get a visa and all travel documents + some suggested placed to work in.
My best friend last year met the man from the USA when she worked there for three months, too. She had two jobs. From morning till 4 pm she worked in amusement park and after
it she worked as a waitress in some bar till midnight. She was very tired of course but made very good money there.
It is special programm for young people who wants to work abroad and I think it is the right way for me ,I am lost here,and I think that I
look pretty enough to find a better place .I want to repeat the same way,it is only my chance to meet a nice man.I want to work in USA or in Europe or any nice country. I am full of plans and different dreams and I want to share my life with good man because I’m also full of love
and tenderness,I know that I am not so beautiful like Hollywood Princess but I do hope to meet my Prince and
I am sure he will be not be disappoined to meet me in the real life! This is why I am going to go through the same way.
Well,I will close this letter and I do hope to get your reply.
I will leave russia in two weeks or so (I can’t tell you everything exactly right now) and I would like to be sure that I
have the man who waits for me there. I will work all day and I want to find a man to spend all free time together to get
to know each other better.if you have any interest to meet me I will be more than happy to meet you too.
I will tell you all details about me and my life if you like my pictures and want to meet me!  please send picture of you too!!!
Now I write you from my personal mailbox, please write me back here and here only. I will be checking it often.
Kiss you ,Dariya (this is my name)!

—————–

Ehehe, the parts I highlighted (bolded in the original mail) clearly indicate a fraud; let’s analyse it deeper:

1) The thing is that I will work in your country for three months or so and I would like to meet a nice man to fall in love  or just be closest friends.

“Three months” is a well-engineered phrase, because countries usually allow you a stay of 3 months. The initial scope is to meet a man (remember this), and the really strange “your country” could be any country: by not specifying it, this mail is universally reusable 😉

2) And I can choose any town of your area,agency will only help me to get a visa and all travel documents + some suggested placed to work in

Here the need for a job appears, the old deception trick of “I’m a lonely nice girl”, and attached to this basic need appears the need for a VISA card..eheheh

3) I will leave russia in two weeks or so (I can’t tell you everything  exactly right now) and I would like to be sure that I have the man who waits for me there.

Really unstable: you start from Russia (“I can’t tell you everything exactly”) right after saying that you have no secrets; but to balance the phrase, the Time Component (“right now”) is inserted (a great Social Engineering operation), so the reader is silently driven to believe that this relates to scheduling. Then suddenly the girl knows that she will leave Russia in 2 weeks, a really nice S.E. operation, because it is not a long time to wait and the reader sees Actuality and Determination 🙂

What to say, I’ll reply to this mail and I’ll keep you updated =)
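The indicators picked out above (replies redirected to a second mailbox, an address “found somewhere”, the unspecified “your country”, visa/agency talk, the fixed time windows, and the persona/domain change between Kara and Dariya) can be turned into a simple scoring filter. The following is an added example written for this post, not code from the original; the mails it scores are constructed paraphrases with placeholder example.* addresses, and the rule list and weights are my own assumptions.

```python
import re
from typing import Dict, List, NamedTuple


class Mail(NamedTuple):
    sender: str    # address in the From header
    reply_to: str  # address the body asks you to answer to (same as sender if none)
    body: str


# Each rule is (label, regex). Phrases follow the indicators discussed in the post;
# the selection is an assumption, not an exhaustive scam signature.
RULES = [
    ("redirects replies to another mailbox",
     re.compile(r"don.?t reply to this (e-?)?mail|email me directly", re.I)),
    ("address was harvested ('found your email somewhere')",
     re.compile(r"(found|got) your e-?mail somewhere", re.I)),
    ("destination left unspecified ('your country', 'your area')",
     re.compile(r"\byour (country|area)\b", re.I)),
    ("visa / travel documents / agency",
     re.compile(r"\bvisa\b|travel documents|\bagency\b", re.I)),
    ("fixed-window urgency ('three months', 'in two weeks')",
     re.compile(r"three months|in (two|2) weeks", re.I)),
    ("romance hook",
     re.compile(r"fall in love|nice man|my prince", re.I)),
]


def domain(addr: str) -> str:
    """Lower-cased domain part of an e-mail address."""
    return addr.rsplit("@", 1)[-1].lower()


def score_mail(mail: Mail) -> Dict[str, object]:
    """Count matching indicators for one message; a reply-to domain that differs
    from the sender domain counts as one more indicator."""
    hits = [label for label, pattern in RULES if pattern.search(mail.body)]
    if domain(mail.sender) != domain(mail.reply_to):
        hits.append("reply-to domain differs from sender domain")
    return {"score": len(hits), "hits": hits}


def score_thread(mails: List[Mail]) -> Dict[str, object]:
    """Thread-level view: sender identities/domains that change between messages
    (Kara at one domain, Dariya at another in the case above) add one indicator."""
    domains = {domain(m.sender) for m in mails}
    total = sum(score_mail(m)["score"] for m in mails)
    if len(domains) > 1:
        total += 1
    return {"score": total, "sender_domains": sorted(domains)}


# Constructed sample mails (paraphrased from the post, placeholder addresses).
FIRST_MAIL = Mail(
    sender="kara@example.com",
    reply_to="dkara@example.net",
    body=("Do not ignore me please, I found your email somewhere and now decided "
          "to write you. If you want I can send you some pictures of me. "
          "Don’t reply to this email. Email me directly at dkara@example.net"),
)
SECOND_MAIL = Mail(
    sender="sladka@example.org",
    reply_to="sladka@example.org",
    body=("I got your email somewhere on the website. I will work in your country "
          "for three months or so and I would like to meet a nice man to fall in love. "
          "The agency will only help me to get a visa and all travel documents. "
          "I will leave Russia in two weeks or so. Now I write you from my personal "
          "mailbox, please write me back here and here only."),
)
BENIGN_MAIL = Mail(
    sender="colleague@example.com",
    reply_to="colleague@example.com",
    body="Hi, attached are the meeting notes from Tuesday; let me know if I missed anything.",
)

if __name__ == "__main__":
    for m in (FIRST_MAIL, SECOND_MAIL, BENIGN_MAIL):
        print(m.sender, score_mail(m))
    print("thread:", score_thread([FIRST_MAIL, SECOND_MAIL]))
```

The scores are only a triage aid: each rule on its own is weak (legitimate mail mentions visas too), so the value is in several indicators stacking within one message, and in the thread-level change of persona and domain that no single message reveals.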


Some word about Vulnerability Patch Analysis

November 16, 2008

Hi,

Actually I’m a bit busy with work and some projects related to my collaboration with EvilFingers, but soon I hope to release some papers.

Today we are going to talk a bit about the world of Patch Analysis. The security practice of analysing the security patches released mainly by Microsoft, but also by the other big software houses, has spread widely in the last year. The basic concept is to study the patch in order to understand the vulnerability and to elaborate a PoC or the exploit itself.

Let’s take as an example the latest vulnerabilities patched by Microsoft:

  • MS08-069 -> Microsoft XML Core Services Could Allow Remote Code Execution (patch downloadable from the Microsoft bulletin page).
  • MS08-068 -> Vulnerability in SMB Could Allow Remote Code Execution (patch downloadable from the Microsoft bulletin page).

After downloading a copy of the patches, obviously the ones for our OS, we have two executables:

  • WindowsXP-KB957097-x86-ENU.exe
  • msxml6-KB954459-enu-x86.exe

These two executables contain, embedded in the installer, the fixed system files, so the first operation is NOT to install the fixes but to obtain a copy of the new DLLs. To do that we have to unpack the two executables. Fortunately MS installers accept a set of command-line switches for the various installation functions; in our case we need to extract the content of the installer into a specific directory. So let’s create a directory, for example Out, and extract the files as follows:

WindowsXP-KB957097-x86-ENU.exe /x:Out

We will obtain:

  • /SP2GDR
  • /SP2GFE
  • /SP3GDR
  • /SP3GFE
  • /update

We are working, for example, with XP SP2, so let’s take the copy of mrxsmb.sys from SP2GDR or SP2GFE (pick the branch matching the file currently installed on the system, otherwise the diff will also show the unrelated differences between the two branches). Now we can apply the Binary Diffing approach 😉

In the case of msxml6-KB954459-enu-x86.exe, after decompressing it we have an .msi package, which needs to be extracted with msiexec. Here is how to extract an msi file into the directory you want (an administrative install, which lays out the files without installing them on the system):

msiexec /a PATH_OF YOUR_MSI /qb TARGETDIR=PATH_OF_YOUR_DESTINATION_DIR

In a practical example:

msiexec /a e:\Evil\msxml6.msi /qb TARGETDIR=e:\Evil\Msi\
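Once both packages are unpacked, the first thing to know before firing up a binary differ is which of the shipped binaries actually changed compared with what is installed: a hotfix often carries several files of which only one or two matter. The script below is an added example written for this post, not code from the original; it builds the two extraction command lines described above and then hashes every .sys/.dll/.exe under the extracted branch directory against the same-named installed copy. The sample directory tree in demo() is constructed (file names only, not real driver contents).

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple

BINARY_EXTENSIONS = (".sys", ".dll", ".exe")


def build_extract_commands(installer, out_dir) -> List[str]:
    """Command line(s) that unpack a Microsoft update package WITHOUT installing it.
    Hotfix .exe wrappers accept /x:<dir>; an .msi needs an administrative install."""
    installer, out_dir = Path(installer), Path(out_dir)
    suffix = installer.suffix.lower()
    if suffix == ".exe":
        return [f"{installer} /x:{out_dir}"]
    if suffix == ".msi":
        return [f"msiexec /a {installer} /qb TARGETDIR={out_dir}"]
    raise ValueError(f"unsupported package type: {installer.name}")


def sha256_of(path: Path) -> str:
    """Streamed SHA-256 so multi-megabyte patches are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def index_binaries(root: Path) -> Dict[str, Path]:
    """Map lower-cased file name -> path for every binary under root (recursive).
    The first occurrence wins, so pass one branch directory (e.g. Out/SP2GDR)."""
    index: Dict[str, Path] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in BINARY_EXTENSIONS:
            index.setdefault(p.name.lower(), p)
    return index


def find_changed_binaries(patch_dir: Path, system_dir: Path) -> Dict[str, Tuple[Optional[str], str]]:
    """Return {name: (installed_sha256 or None, patched_sha256)} for every binary in the
    extracted patch whose bytes differ from the installed copy (None = not installed)."""
    installed = index_binaries(system_dir)
    changed: Dict[str, Tuple[Optional[str], str]] = {}
    for name, patched_path in index_binaries(patch_dir).items():
        new_hash = sha256_of(patched_path)
        old_path = installed.get(name)
        old_hash = sha256_of(old_path) if old_path else None
        if old_hash != new_hash:
            changed[name] = (old_hash, new_hash)
    return changed


def demo() -> Dict[str, Tuple[Optional[str], str]]:
    """Constructed scenario: one changed driver, one untouched DLL, one file the patch
    ships that is not installed at all, and a non-binary that must be ignored."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        branch = root / "Out" / "SP2GDR"
        system = root / "system32"
        (branch / "drivers").mkdir(parents=True)
        system.mkdir()
        (branch / "drivers" / "mrxsmb.sys").write_bytes(b"constructed: patched driver")
        (system / "mrxsmb.sys").write_bytes(b"constructed: installed driver")
        (branch / "unchanged.dll").write_bytes(b"same bytes")
        (system / "unchanged.dll").write_bytes(b"same bytes")
        (branch / "newonly.dll").write_bytes(b"constructed: not installed")
        (branch / "readme.txt").write_bytes(b"ignored, not a binary")
        return find_changed_binaries(branch, system)


if __name__ == "__main__":
    for cmd in build_extract_commands("WindowsXP-KB957097-x86-ENU.exe", "Out"):
        print(cmd)
    for cmd in build_extract_commands(r"e:\Evil\msxml6.msi", r"e:\Evil\Msi"):
        print(cmd)
    for name, (old, new) in sorted(demo().items()):
        print(f"{name}: installed={old[:12] if old else None} patched={new[:12]}")
```

On a real system you would point find_changed_binaries at the extracted branch directory and at %SystemRoot%\system32 (drivers live in its drivers subfolder, which the recursive walk covers); the names it reports are the ones worth loading into the differ, and a file reported with installed hash None is a new component rather than a fix.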

I also suggest paying attention to the binary diffing software you are going to use, because patches are sometimes “big” (4-6 MB) and, for example, Sabre Security’s BinDiff freezes on them.

The best binary differs are:

  • Sabre Security’s BinDiff
  • eEye Binary Diffing Suite

Regards,

Evilcry 🙂


.NET Framework Rootkit

November 15, 2008

Hi,

here is a truly interesting paper on .NET Framework Rootkits:

http://www.applicationsecurity.co.il/.NET-Framework-Rootkits.aspx

Have a nice read! 🙂