Netsons Opened

Problem solved, http://evilcry.netsons.org now Up ‘n Running 🙂

End Year – New Year

Hi there people!

Another year seems passed! definitely a Good Year..and I hope a better 2009 🙂

In these last weeks I was quite busy with Study and Research/Coding tasks.

I’m actively coding and researching new tools related to Evilfingers, but I will not leave obviously my Cave or the Blog, all Work that I realize is done principally for my own pleasure and satisfaction, mine is only an Insane Computer Science Passion 🙂

A sad news shadowed this last days, the Big CastleCops Died!

CastleCops was a Great Service for People, and also a great source for Malware Researchers, cause could seems strange..but often its HARD TO CATCH New Virus Samples!

So if you have every kind of Virus Sample feel free to submit me It!

For New Year I’ll release other Mw Analysis/Win Internals Papers and hopefully new tools!

Actually I’m also working on FreeBSD, specifically on ACPI Project, in this moment I’m working on the correction of AcpiOsDerivePciId() function, that is not quit right, hope soon to release patch and for readers a little tech report on it!

Another work in TODO List is a little Coding Paper on Thread Deadlock Barrier (TDB) Implementation to Enhance Hook Stability

Have a nice Year!

Giuseppe ‘Evilcry’ Bonfa’

IDA Pro Enhances Hostile Code Analysis Support

Hi,

IDA Pro is really amazing, new IDA ( 5.4 ) will have an innovative support for Hostile Code Analysis, that consists on a Bochs Emulated Debug Environment.

“The next version of IDA will be released with a bochs debugger plugin, and what is nice about is that you will be able to use it easily by just downloading bochs executables and telling IDA where to find it.”

…

“Finally comes the pe loader, which is a specialized bochs loader, that will read your PE file and create a virtual environment similar to windows environment, trying to mimic basic demands for a PE file (import resolution, SEH, api emulation backed by IDC scripts).”

What to say? is a really great enhancement for Malware Analysis 😉

Here you can watch the first video on Bochs Debugging http://hex-rays.com/video/bochs_video_1.html

Regards,

Giuseppe ‘Evilcry’ Bonfa’ 🙂

My Linkedin Profile

Hi,

Here you can see my Linkedin Profile

Have a nice Day,

Evilcry

PayPal Fraud

Hi,

Today my girl reported me an evident attempt of Fraud linked to PayPal Account. Let’s analyse it!

——————————–

—– Original Message —–

From: PayPaI Notice!

Sent: Thursday, April 17, 2008 2:21 PM

Subject: THE PAYMENT IS PENDING FOR THE MOMENT

We recorded a payment request from “Live Strip Chat Camera Sexy Girls -www.video-chat.co.uk – Girls Show”
to enable the charge of $127.34 on your PayPal account. Because the order was made from an european internet address,
we put an Exception Payment on transaction id #POS 03 4573 motivated by our Geographical Tracking System.

THE PAYMENT IS PENDING FOR THE MOMENT .

If you made this transaction or if you just authorize this payment, please ignore or remove this email message.
The transaction will be shown on your monthly statement as “Live Strip Chat Camera Sexy Girls“.
If you didn’t make this payment and would like to decline the $127.34 billing to your card,
please follow the link below to cancel the payment : Cancel this payment ( transaction id #POS 03 4573)

Thank you for using PayPal!
The PayPal Team

Please do not reply to this email. This mailbox is not monitored and you will not receive a response.
For assistance, log in to your PayPal account and click the Help link located in the top right corner
of any PayPal page.

————————————-

The Fraud WebSite is http://217-33-56-79.capitalchelmsford.mezzonet.net/webscr/

The home page looks truly similar to the true PayPal one, but it hasn’t an SSL connection (one of the classical signs of Fraud) and ask you Email Address and PayPal Password, if mail and password have a correct format (presence of @ and Dots) we are suddenly prompted here:

http://217-33-56-79.capitalchelmsford.mezzonet.net/webscr/revalidate.htm?cmd_submitaccess0023044-submit=data_refund

where we’re asked for:

• Card number
• Expiration date
• CVV Code
• Electronic Signature

Card Number, as we can see by the source code:

if((signupFORM.car.value == “”)){
alert(“Please fill in your Card number”);
signupFORM.car.focus();
return false;
}
if(!isNumeric(signupFORM.car.value)){
alert(“Please fill a numeric card number”);
signupFORM.car.focus();r
return false;
}

if(signupFORM.car.value.length <= 15){
alert(“This is not a valid card number.”);
signupFORM.car.focus();
return false;
}
if((signupFORM.car.value == “0000000000000000”)){
alert(“Sorry! This is not a valid credit card number.”);
signupFORM.car.focus();
return false;
}
if((signupFORM.car.value == “8888888888888888”)){
alert(“Sorry! This is not a valid credit card number.”);
signupFORM.car.focus();
return false;
}
if((signupFORM.car.value == “4111111111111111”)){
alert(“Sorry! This is not a valid credit card number.”);
signupFORM.car.focus();
return false;
}

So our Card need to be Not Empty at least 15 digits long and different from 0000000000000000, 8888888888888888,

4111111111111111

CVV Code:

if(!isNumeric(signupFORM.cl.value)){
alert(“Please fill a numeric CVV2”);
signupFORM.cl.focus();
return false;
}
if((signupFORM.cl.value == “”)){
alert(“Please fill in your CVV2 number”);
signupFORM.cl.focus();
return false;
}
if(signupFORM.cl.value.length < 3){
alert(“This is not a valid CVV2.”);
signupFORM.cl.focus();
return false;

Electronic Signature (PIN):

if(signupFORM.ins.value.length < 4){
alert(“This is not a valid PIN.”);
signupFORM.ins.focus();
return false;
}
if((signupFORM.ins.value == “”)){
alert(“Please fill in your PIN”);
signupFORM.ins.focus();
return false;

If all these field are compiled correctly, we land to the final page where we’re asked for our Bank Name, and finally the congrats page 🙂

From DomainTools we obtain this:

IP Location:	United Kingdom Ftip002881171 Capital Enterprise Centres Chelmsford
Resolve Host:	217-33-56-79.capitalchelmsford.mezzonet.net
IP Address:	217.33.56.79
Blacklist Status:	Clear

Whois Record

inetnum:        217.33.56.64 – 217.33.56.127
netname:        CEC-CHELMSFORD
descr:          FTIP002881171 Capital Enterprise Centres Chelmsford
country:        GB
admin-c:        PC6279-RIPE
tech-c:         PC6279-RIPE
status:         ASSIGNED PA
mnt-by:         BTNET-MNT
mnt-lower:        BTNET-MNT
mnt-routes:        BTNET-MNT
remarks:        Please send abuse notification to 

See you to the next post.. 🙂

PS: Thanks Pì 😉

TheGreenBow VPN Client Patch Released

Hi,

TheGreenBowVPN Client Development Team, kindly asked me to publish the link to the Security Patch about my Login Credential Information Disclosure Advisory.

Here the link.

See you to the next post.. 🙂

SPAM Analysis Tools

Hi,

Here a quick list of the most used Tools for Spam Analysis:

• http://www.trimmail.com/news/tools/ – Online Tracing ( Mail Server Profiler, Open Relay Test, DNS Blacklist Check, SMTP Profiler, Traceroute Off-Site, R.E.  Test
• DNSstuff
• Reverse-Whois
• Linkspammers
• Spamlinks

Other tools will be added in the future.

See you to the next post.. 🙂

Directions

Hi,

In this little post I want to expose, what should be my future works and topics in which I’ll invest my efforst.

Actually I’m developing a Device Driver Fuzzer for Windows 2k, XP, 2k3.

This DeviceDriver Fuzzer that I’ll call Klystron, is similar to Kartoffel Driver Fuzzer, but it has a GUI based on MFC with the possibility to Mantain Trace of the used IOCTLs by hooking DeviceIoControl().

Particular attention will be revolved to IOCTLs with METHOD_NEITHER, this because the major part of device drivers Bugs come from this kind of ControlCodes that does not performs any check on the received buffer. It’s easy to decode what IOCTL use this method, due to the base encoding algorithm we can see that

0x00000003

0x00000007

0x0000000B

0x0000000F

All catched IOCTLs will be saved and next, parsed and loaded into a ListBox that will be the launcher for the Fuzz part.

The fuzz engine will be essentially based over Kartoffel, but I did not exclude that I’ll insert other fuzz options.

With Klystron its all..

In the next month I’ll be also studing, How the Presence of a Rootkits Could Affect Performance Graphics and if good results come out I’ll publish a little paper about that.

Another target will be a study paper + src code of NtSectionDebug() undocumented function

Surely I’ll also write some new Malware Reversing story, actually I’m working on Silent Banker Trojan which is a really intersting subject for a Rce Paper 😉

Frozen (not Dead) projects are:

MultiCryptoProtector

MultiStegoProtector

StegoDetector

I’ve also in plain to Translate my Elgamal Paper, and in the end of year to write A Reverse Engineering Approach to AES.

In this period I’m also a bit bored of people (cause a ligth touch of Socio-Delusion-Depression) and pointless discussions all over the so called New Internet, or better known Web 2.0, so I’ll limit at the maximum my presence on IRC/MSN and Skype.

My sopportation level is over also about Vulgarity and Obscenity that every day I’ve to hear, one of the great things of internet is the Liberty Real, or for less experienced persons, Apparent..

And for liberty I talk about the possibility to choise, the ambient that make you feel more Relaxed and Serene..and the massive vulgarity, arrogance and egoism with heavy touches of egocentrism, make me feel not so Clear not so Serene.

Surely I’m sociopatic, but now STOP, I want to exist on internet but without hearing 24/24 people that thinks to be God and talks as a porky-pig.

Some channels seems to know who you are, only when you have something to give to the others, but in other hands people is truly attentive to disclose you Resources, Sources or Links (links in all acceptions of the term).

Its really frustrating to see that, and to se how people what (implicitly) you to know that you’re not a part of a Group..

So I think the best cure for my 0Tollerance of people is to disappear a bit from all “Chat” Scenes..

See you to the next post..

Evilcry

Banca di Roma Fraud

Hi,

Today my Mail-HoneyPot catched a new Fraud, that comes from Japan.

A classical tentive of Bank Fraud, the affected bank is Unicredit Banca di Roma, this is the mail that I’ve received

————————————————————

Gentile CLIENTE,

Nell’ambito di un progetto di verifica dei data anagrafici forniti durante la sottoscrizione dei
servizi di Banca di Roma e stata riscontrata una incongruenza relativa ai dati anagrafici in
oggetto da Lei forniti all momento della sottoscrizione contrattuale.

L’inserimento dei dati alterati puo constituire motivo di interruzione del servizio secondo gli
art. 135 e 137/c da Lei accenttati al momento della sottoscrizione , oltre a constituire reato
penalmente perseguibile secondo il C.P.P. ar. 415 del 2001 relativo alla legge contro il
riciclaggio e la transparenza dei dati forniti in auto certificazione.

Per ovviare al problema e necessaria la verificata e l’aggiornamento dei dati relativi
all’anagrafica dell’Intestatario dei servizi bancari.

Effetuare l’aggiornamento dei dati cliccando sul seguente collegamento sicuro:

Accendi a collegamento sicuro >>

Cordiali Saluti !

| © Banca di Roma S.P.A 2008 Partita Iva 01114601306

————————————————————-

The mail claims an incongruence into Account, so the victim is inducted to reconfirm his Account.

There is a link, for Secure Access, that points at http://www.rwell.co.jp/{Censored}.htm that obviously does not use any form of Secure Connection, suddenly we are redirected to http://oakadaa1.easyvserver.net/roma/{CENSORED}.html that emulates perfectly the Banca di Roma home page.

As usual there is an UserId and Password field to compile, let’s check the source code to know checks perfomed by the attacker..

———————————

if(signupFORM.userid.value == “”){
alert(“Non avete completato il UserID”);return false;
}

if(signupFORM.password.value == “”){
alert(“Non avete completato il Password”);return false;
}

if(signupFORM.userid.value.length <7){
alert(“INTI0565 IDENTIFICATIVO DEL CLIENTE O CODICE SEGRETO NON VALIDI”);return false;

}

if(signupFORM.userid.value.length >7){
alert(“INTI0565 IDENTIFICATIVO DEL CLIENTE O CODICE SEGRETO NON VALIDI”);return false;

}

if((signupFORM.password.value.length <6)){
alert(“INTI0565 IDENTIFICATIVO DEL CLIENTE O CODICE SEGRETO NON VALIDI “);
return false;
}

———————————————–

The function, accepts only numbers for both fields, Userid should be minimum 7 digits long, and password 6.

After clicking here we are driven to the second page..

Where we’re asked for Security Card Id, and Coordinates of Security Card (64 fields), let’s see what are the rules of insertion..

——————————-

if(signupFORM.email.value.length <6){
alert(“Il Numero della Tessera di Sicurezza non e corretto.”);return false;}

—————————–

Card Id, is a 6 digit long number, and .64 Input Boxes of Coordinates, expects 2 digit long value.

After compiling that, the information are completely stolen, and we’re automatically redirected to Real Banca di Roma.

…another stupid classical Bank Fraud..

See you to the next post.. 🙂

Eeye BinDiffing Trick

Hi,

Around here exist truly intersting tools for Binary Diffing, useful for Vulnerability Research and or Malware Analysis.

The two most famous tools are:

• Sabre Security BinDiffv2
• eEye Binary Diffing Suite (EBDS)

The eEye Binary Diffing Suite (EBDS) is a free and open source set of utilities for performing automated binary differential analysis, but has a little problem, seems to be explicitly developed for IDA 5.0, and no other IDA’s versions are supported.

But there is a trick to avoid that an make it working with all IDA’s Versions.

Open with Regedit the following RegKey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\

Uninstall\IDA Pro_is1

And change the Key Entry DisplayName with the string IDA Pro Standard v5.0 or IDA Pro Professional v5.0

and..

Happy Diffing! 🙂

See you to the next post.. 🙂