Problem solved, http://evilcry.netsons.org now Up ‘n Running 🙂
IDA Pro Enhances Hostile Code Analysis Support
October 4, 2008
Hi,
IDA Pro is really amazing: the new IDA (5.4) will have innovative support for Hostile Code Analysis, consisting of a Bochs emulated debug environment.
“The next version of IDA will be released with a bochs debugger plugin, and what is nice about is that you will be able to use it easily by just downloading bochs executables and telling IDA where to find it.”
…
“Finally comes the pe loader, which is a specialized bochs loader, that will read your PE file and create a virtual environment similar to windows environment, trying to mimic basic demands for a PE file (import resolution, SEH, api emulation backed by IDC scripts).”
What can I say? It is a really great enhancement for Malware Analysis 😉
Here you can watch the first video on Bochs Debugging http://hex-rays.com/video/bochs_video_1.html
Regards,
Giuseppe ‘Evilcry’ Bonfa’ 🙂
PayPal Fraud
April 17, 2008
Hi,
Today my girl reported to me an evident fraud attempt linked to a PayPal account. Let’s analyse it!
——————————–
We recorded a payment request from “Live Strip Chat Camera Sexy Girls -www.video-chat.co.uk – Girls Show”
to enable the charge of $127.34 on your PayPal account. Because the order was made from an european internet address,
we put an Exception Payment on transaction id #POS 03 4573 motivated by our Geographical Tracking System.
THE PAYMENT IS PENDING FOR THE MOMENT .
If you made this transaction or if you just authorize this payment, please ignore or remove this email message.
The transaction will be shown on your monthly statement as “Live Strip Chat Camera Sexy Girls“.
If you didn’t make this payment and would like to decline the $127.34 billing to your card,
please follow the link below to cancel the payment : Cancel this payment ( transaction id #POS 03 4573)
Thank you for using PayPal!
The PayPal Team
Please do not reply to this email. This mailbox is not monitored and you will not receive a response.
For assistance, log in to your PayPal account and click the Help link located in the top right corner
of any PayPal page.
————————————-
The Fraud WebSite is http://217-33-56-79.capitalchelmsford.mezzonet.net/webscr/
The home page looks truly similar to the real PayPal one, but it has no SSL connection (one of the classical signs of fraud) and asks you for your Email Address and PayPal Password; if mail and password have a correct format (presence of @ and dots) we are suddenly prompted here:
where we’re asked for:
- Card number
- Expiration date
- CVV Code
- Electronic Signature
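The mail quoted above shows the usual phishing tells: a link whose host is not under paypal.com, a plain-http landing page, a hostname that is just the server's IP written with dashes, urgency wording and a specific dollar amount. The following triage script is an added example (not code from the blog or from PayPal) that pulls the URLs out of a message and reports those indicators; SAMPLE_MAIL and LEGIT_MAIL are constructed reconstructions of a phishing and a benign message, and the keyword list and scoring are my own assumptions.

```python
"""Phishing e-mail triage: extract links and score the indicators a defender
looks for. Added example, not the blog's code; sample messages are constructed."""
import re
from urllib.parse import urlparse

# Constructed sample: the quoted mail with the link target spelled out.
SAMPLE_MAIL = """\
From: "The PayPal Team" <service@paypal.com>
Subject: Payment pending on your PayPal account

We recorded a payment request to enable the charge of $127.34 on your PayPal account.
THE PAYMENT IS PENDING FOR THE MOMENT .
If you didn't make this payment and would like to decline the $127.34 billing to your card,
please follow the link below to cancel the payment:
http://217-33-56-79.capitalchelmsford.mezzonet.net/webscr/
"""

# Constructed benign control message for comparison.
LEGIT_MAIL = """\
From: "PayPal" <service@paypal.com>
Subject: Your monthly statement is ready

Your statement is available in your account:
https://www.paypal.com/myaccount/statements
"""

URL_RE = re.compile(r"""https?://[^\s<>"']+""")
# Assumed urgency vocabulary; extend to taste.
URGENCY_WORDS = ("pending", "cancel", "decline", "suspend", "verify", "immediately")
# Hostname whose first label is an IP written with dashes (217-33-56-79.example.net)
DOTTED_IP_LABEL = re.compile(r"^\d{1,3}-\d{1,3}-\d{1,3}-\d{1,3}\.")
MONEY_RE = re.compile(r"\$\s?\d+(\.\d{2})?")


def in_domain(host, domain):
    """True if host is the domain itself or a subdomain of it (no lookalike tricks)."""
    host, domain = host.lower().rstrip("."), domain.lower()
    return host == domain or host.endswith("." + domain)


def extract_urls(text):
    """Return every http/https URL found in the message text."""
    return URL_RE.findall(text)


def triage(mail_text, claimed_domain):
    """Return the URLs, a list of human-readable findings and a simple score
    (one point per finding) for a message that claims to come from claimed_domain."""
    findings = []
    urls = extract_urls(mail_text)
    for url in urls:
        parsed = urlparse(url)
        host = parsed.hostname or ""
        if parsed.scheme != "https":
            findings.append("plain-http link: " + url)
        if not in_domain(host, claimed_domain):
            findings.append("link host outside %s: %s" % (claimed_domain, host))
        if DOTTED_IP_LABEL.match(host):
            findings.append("hostname encodes an IP address: " + host)
    body = mail_text.lower()
    hits = [w for w in URGENCY_WORDS if w in body]
    if hits:
        findings.append("urgency wording: " + ", ".join(hits))
    if MONEY_RE.search(mail_text):
        findings.append("specific money amount quoted")
    return {"urls": urls, "findings": findings, "score": len(findings)}


if __name__ == "__main__":
    for label, mail in (("phishing", SAMPLE_MAIL), ("benign", LEGIT_MAIL)):
        result = triage(mail, "paypal.com")
        print(label, "score", result["score"])
        for f in result["findings"]:
            print("  -", f)
```

Run it on a saved message body and a benign control: the quoted mail scores on every indicator, the control on none. The domain check is deliberately strict (suffix match only), so a host such as paypal.com.example.net is flagged, which is exactly the case a lookalike link exploits.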
Card Number, as we can see from the source code:
// Card number checks in the phishing page's signupFORM validation
if ((signupFORM.car.value == "")) {
    alert("Please fill in your Card number");
    signupFORM.car.focus();
    return false;
}
if (!isNumeric(signupFORM.car.value)) {
    alert("Please fill a numeric card number");
    signupFORM.car.focus();
    return false;
}
if (signupFORM.car.value.length <= 15) {
    alert("This is not a valid card number.");
    signupFORM.car.focus();
    return false;
}
// Reject well-known dummy/test card numbers
if ((signupFORM.car.value == "0000000000000000")) {
    alert("Sorry! This is not a valid credit card number.");
    signupFORM.car.focus();
    return false;
}
if ((signupFORM.car.value == "8888888888888888")) {
    alert("Sorry! This is not a valid credit card number.");
    signupFORM.car.focus();
    return false;
}
if ((signupFORM.car.value == "4111111111111111")) {
    alert("Sorry! This is not a valid credit card number.");
    signupFORM.car.focus();
    return false;
}
So our card number needs to be non-empty, numeric, more than 15 digits long and different from 0000000000000000, 8888888888888888 and 4111111111111111.
CVV Code:
// CVV2 checks
if (!isNumeric(signupFORM.cl.value)) {
    alert("Please fill a numeric CVV2");
    signupFORM.cl.focus();
    return false;
}
if ((signupFORM.cl.value == "")) {
    alert("Please fill in your CVV2 number");
    signupFORM.cl.focus();
    return false;
}
if (signupFORM.cl.value.length < 3) {
    alert("This is not a valid CVV2.");
    signupFORM.cl.focus();
    return false;
}
Electronic Signature (PIN):
// PIN ("Electronic Signature") checks
if (signupFORM.ins.value.length < 4) {
    alert("This is not a valid PIN.");
    signupFORM.ins.focus();
    return false;
}
if ((signupFORM.ins.value == "")) {
    alert("Please fill in your PIN");
    signupFORM.ins.focus();
    return false;
}
If all these fields are filled in correctly, we land on the final page where we’re asked for our Bank Name, and finally the congrats page 🙂
From DomainTools we obtain this:
IP Location: (country flag image in the original)
Resolve Host: 217-33-56-79.capitalchelmsford.mezzonet.net
IP Address: 217.33.56.79
Blacklist Status: Clear
Whois Record
inetnum:        217.33.56.64 - 217.33.56.127
netname:        CEC-CHELMSFORD
descr:          FTIP002881171 Capital Enterprise Centres Chelmsford
country:        GB
admin-c:        PC6279-RIPE
tech-c:         PC6279-RIPE
status:         ASSIGNED PA
mnt-by:         BTNET-MNT
mnt-lower:      BTNET-MNT
mnt-routes:     BTNET-MNT
remarks:        Please send abuse notification to
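The WHOIS data above is what goes into an abuse report: which block the IP sits in, who maintains it, and the fact that the phishing hostname is nothing more than the server's own IP written with dashes. The script below is an added example (not the blog's code) that parses the RIPE-style record quoted above and checks those facts; WHOIS_RECORD is the quoted record with its mangled spacing normalised, and the abuse address the post cuts off is left out.

```python
"""Parse a RIPE-style inetnum record and check the phishing host against it.
Added example, not the blog's code; WHOIS_RECORD is the record quoted in the post."""
import ipaddress

# The record from the post, spacing normalised; the truncated abuse address is omitted.
WHOIS_RECORD = """\
inetnum:        217.33.56.64 - 217.33.56.127
netname:        CEC-CHELMSFORD
descr:          FTIP002881171 Capital Enterprise Centres Chelmsford
country:        GB
admin-c:        PC6279-RIPE
tech-c:         PC6279-RIPE
status:         ASSIGNED PA
mnt-by:         BTNET-MNT
mnt-lower:      BTNET-MNT
mnt-routes:     BTNET-MNT
"""

PHISH_HOST = "217-33-56-79.capitalchelmsford.mezzonet.net"
PHISH_IP = "217.33.56.79"


def parse_rpsl(text):
    """Parse 'key: value' lines into a dict; repeated keys collect into a list."""
    record = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("%") or ":" not in line:
            continue  # blank lines and RIPE comment lines
        key, _, value = line.partition(":")
        record.setdefault(key.strip(), []).append(value.strip())
    return record


def inetnum_range(record):
    """Turn 'a.b.c.d - w.x.y.z' into (first, last) IPv4Address objects."""
    first, last = (part.strip() for part in record["inetnum"][0].split("-"))
    return ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)


def ip_in_inetnum(ip, record):
    """True if ip lies inside the record's assigned block (inclusive)."""
    first, last = inetnum_range(record)
    return first <= ipaddress.IPv4Address(ip) <= last


def hostname_embeds_ip(host, ip):
    """True if the host's first DNS label is just the IP with dots replaced by dashes,
    the reverse-DNS style naming seen on the phishing server."""
    return host.split(".")[0] == ip.replace(".", "-")


def abuse_summary(ip, host, record):
    """Collect the facts a defender would put in an abuse notification."""
    first = lambda key: record.get(key, [""])[0]
    return {
        "ip": ip,
        "host": host,
        "in_assigned_block": ip_in_inetnum(ip, record),
        "host_encodes_ip": hostname_embeds_ip(host, ip),
        "netname": first("netname"),
        "description": first("descr"),
        "country": first("country"),
        "maintainer": first("mnt-by"),
    }


if __name__ == "__main__":
    rec = parse_rpsl(WHOIS_RECORD)
    for key, value in abuse_summary(PHISH_IP, PHISH_HOST, rec).items():
        print("%-18s %s" % (key + ":", value))
```

The range check matters because a WHOIS lookup is done by IP while the victim sees only a hostname; confirming that the resolved address really falls inside the inetnum block ties the abuse report to the right maintainer.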
See you to the next post.. 🙂
PS: Thanks Pì 😉
TheGreenBow VPN Client Patch Released
April 17, 2008
Hi,
The TheGreenBow VPN Client Development Team kindly asked me to publish the link to the Security Patch for my Login Credential Information Disclosure Advisory.
Here is the link.
See you to the next post.. 🙂
SPAM Analysis Tools
April 16, 2008
Hi,
Here is a quick list of the most used tools for Spam Analysis:
- http://www.trimmail.com/news/tools/ – Online Tracing (Mail Server Profiler, Open Relay Test, DNS Blacklist Check, SMTP Profiler, Traceroute Off-Site, R.E. Test)
- DNSstuff
- Reverse-Whois
- Linkspammers
- Spamlinks
Other tools will be added in the future.
See you to the next post.. 🙂