Problem solved, http://evilcry.netsons.org now Up ‘n Running :)
Netsons Opened
March 7, 2009
1 Comment | 
TechLife | Tagged: http://evilcry.netsons.org, running, up | 
Permalink
Posted by evilcodecave
End Year – New Year
December 31, 2008Hi there people!
Another year seems passed! definitely a Good Year..and I hope a better 2009 :)
In these last weeks I was quite busy with Study and Research/Coding tasks.
I’m actively coding and researching new tools related to Evilfingers, but I will not leave obviously my Cave or the Blog, all Work that I realize is done principally for my own pleasure and satisfaction, mine is only an Insane Computer Science Passion :)
A sad news shadowed this last days, the Big CastleCops Died!
CastleCops was a Great Service for People, and also a great source for Malware Researchers, cause could seems strange..but often its HARD TO CATCH New Virus Samples!
So if you have every kind of Virus Sample feel free to submit me It!
For New Year I’ll release other Mw Analysis/Win Internals Papers and hopefully new tools!
Actually I’m also working on FreeBSD, specifically on ACPI Project, in this moment I’m working on the correction of AcpiOsDerivePciId() function, that is not quit right, hope soon to release patch and for readers a little tech report on it!
Another work in TODO List is a little Coding Paper on Thread Deadlock Barrier (TDB) Implementation to Enhance Hook Stability
Have a nice Year!
Giuseppe ‘Evilcry’ Bonfa’
1 Comment | Driver Coding, Reverse Code Engineering, TechLife | Tagged: ACPI Project, AcpiOsDerivePciId, FreeBSD, New Year 2009, Submit Virus Samples, Thread Deadlock Barrier ( TDB) Implementation to Enhance Hook Stability | Permalink
Posted by evilcodecave
IDA Pro Enhances Hostile Code Analysis Support
October 4, 2008Hi,
IDA Pro is really amazing, new IDA ( 5.4 ) will have an innovative support for Hostile Code Analysis, that consists on a Bochs Emulated Debug Environment.
“The next version of IDA will be released with a bochs debugger plugin, and what is nice about is that you will be able to use it easily by just downloading bochs executables and telling IDA where to find it.”
…
“Finally comes the pe loader, which is a specialized bochs loader, that will read your PE file and create a virtual environment similar to windows environment, trying to mimic basic demands for a PE file (import resolution, SEH, api emulation backed by IDC scripts).”
What to say? is a really great enhancement for Malware Analysis ;)
Here you can watch the first video on Bochs Debugging http://hex-rays.com/video/bochs_video_1.html
Regards,
Giuseppe ‘Evilcry’ Bonfa’ :)
2 Comments | Reverse Code Engineering, TechLife | Tagged: Bochs Debugger, Hostile Code Analysis, IDA, Malware | Permalink
Posted by evilcodecave
My Linkedin Profile
July 30, 2008
Leave a Comment » | TechLife | Tagged: Giuseppe Bonfa, Linkedin Profile | Permalink
Posted by evilcodecave
PayPal Fraud
April 17, 2008Hi,
Today my girl reported me an evident attempt of Fraud linked to PayPal Account. Let’s analyse it!
——————————–
—– Original Message —–
From: PayPaI Notice!
Sent: Thursday, April 17, 2008 2:21 PM
Subject: THE PAYMENT IS PENDING FOR THE MOMENT
We recorded a payment request from “Live Strip Chat Camera Sexy Girls -www.video-chat.co.uk – Girls Show”
to enable the charge of $127.34 on your PayPal account. Because the order was made from an european internet address,
we put an Exception Payment on transaction id #POS 03 4573 motivated by our Geographical Tracking System.
THE PAYMENT IS PENDING FOR THE MOMENT .
If you made this transaction or if you just authorize this payment, please ignore or remove this email message.
The transaction will be shown on your monthly statement as “Live Strip Chat Camera Sexy Girls“.
If you didn’t make this payment and would like to decline the $127.34 billing to your card,
please follow the link below to cancel the payment : Cancel this payment ( transaction id #POS 03 4573)
Thank you for using PayPal!
The PayPal Team
Please do not reply to this email. This mailbox is not monitored and you will not receive a response.
For assistance, log in to your PayPal account and click the Help link located in the top right corner
of any PayPal page.
————————————-
The Fraud WebSite is http://217-33-56-79.capitalchelmsford.mezzonet.net/webscr/
The home page looks truly similar to the true PayPal one, but it hasn’t an SSL connection (one of the classical signs of Fraud) and ask you Email Address and PayPal Password, if mail and password have a correct format (presence of @ and Dots) we are suddenly prompted here:
where we’re asked for:
- Card number
- Expiration date
- CVV Code
- Electronic Signature
Card Number, as we can see by the source code:
if((signupFORM.car.value == “”)){
alert(“Please fill in your Card number”);
signupFORM.car.focus();
return false;
}
if(!isNumeric(signupFORM.car.value)){
alert(“Please fill a numeric card number”);
signupFORM.car.focus();r
return false;
}
if(signupFORM.car.value.length <= 15){
alert(“This is not a valid card number.”);
signupFORM.car.focus();
return false;
}
if((signupFORM.car.value == “0000000000000000”)){
alert(“Sorry! This is not a valid credit card number.”);
signupFORM.car.focus();
return false;
}
if((signupFORM.car.value == “8888888888888888”)){
alert(“Sorry! This is not a valid credit card number.”);
signupFORM.car.focus();
return false;
}
if((signupFORM.car.value == “4111111111111111”)){
alert(“Sorry! This is not a valid credit card number.”);
signupFORM.car.focus();
return false;
}
So our Card need to be Not Empty at least 15 digits long and different from 0000000000000000, 8888888888888888,
4111111111111111
CVV Code:
if(!isNumeric(signupFORM.cl.value)){
alert(“Please fill a numeric CVV2″);
signupFORM.cl.focus();
return false;
}
if((signupFORM.cl.value == “”)){
alert(“Please fill in your CVV2 number”);
signupFORM.cl.focus();
return false;
}
if(signupFORM.cl.value.length < 3){
alert(“This is not a valid CVV2.”);
signupFORM.cl.focus();
return false;
Electronic Signature (PIN):
if(signupFORM.ins.value.length < 4){
alert(“This is not a valid PIN.”);
signupFORM.ins.focus();
return false;
}
if((signupFORM.ins.value == “”)){
alert(“Please fill in your PIN”);
signupFORM.ins.focus();
return false;
If all these field are compiled correctly, we land to the final page where we’re asked for our Bank Name, and finally the congrats page :)
From DomainTools we obtain this:
| IP Location: |  United Kingdom Ftip002881171 Capital Enterprise Centres Chelmsford |
| Resolve Host: | 217-33-56-79.capitalchelmsford.mezzonet.net |
| IP Address: | 217.33.56.79      |
| Blacklist Status: | Clear |
Whois Record
inetnum: 217.33.56.64 – 217.33.56.127
netname: CEC-CHELMSFORD
descr: FTIP002881171 Capital Enterprise Centres Chelmsford
country: GB
admin-c: PC6279-RIPE
tech-c: PC6279-RIPE
status: ASSIGNED PA
mnt-by: BTNET-MNT
mnt-lower: BTNET-MNT
mnt-routes: BTNET-MNT
remarks: Please send abuse notification to
See you to the next post.. :)
PS: Thanks Pì ;)
9 Comments | (In)Security, TechLife | Tagged: PayPal Fraud | Permalink
Posted by evilcodecave
TheGreenBow VPN Client Patch Released
April 17, 2008Hi,
TheGreenBowVPN Client Development Team, kindly asked me to publish the link to the Security Patch about my Login Credential Information Disclosure Advisory.
Here the link.
See you to the next post.. :)
Leave a Comment » | (In)Security, TechLife | Tagged: Login Credential Information Disclosure., Security Patch, TheGreenBowVPN | Permalink
Posted by evilcodecave
SPAM Analysis Tools
April 16, 2008Hi,
Here a quick list of the most used Tools for Spam Analysis:
- http://www.trimmail.com/news/tools/ – Online Tracing ( Mail Server Profiler, Open Relay Test, DNS Blacklist Check, SMTP Profiler, Traceroute Off-Site, R.E. Test
- DNSstuff
- Reverse-Whois
- Linkspammers
- Spamlinks
Other tools will be added in the future.
See you to the next post.. :)
Leave a Comment » | TechLife | Tagged: Spam Analysis Tools, Spam Techniques | Permalink
Posted by evilcodecave
