Once upon a time..

January 20, 2008


Its some week that I don’t write on the blog, this not due a lack of time but essentially because I’ve heavly worked on Reversing and Researching about some rootkit, and Vulnerabilities of these drivers.. such as Kernel_Stack_Overflows and relative exploitation, may be some day I’ll publish it, but is not sure.

I’ve also finded a particular vulnerability that afflicts a Microsoft Product, I’ll talk with MS “Security Division” about it and next I’ll release the PoC.

These are also days of heavy coding, the old idea of the Folder Protector, became more complex and changed in DataProtector..or CProtector I’ve to choise a name eheh.. πŸ™‚ These are some of the features:

  • File/Folder Data Protection
  • Random Password Generator
  • Password Manager
  • Encrypted Instant Messenger

Surely I’ll add some feature and finally I’ll release a Free Basical Edition and another Full ($) Edition..
SunOS ICMP Crasher is also ready for the release, I think I’ll release it this friday/saturday.

See you soon, I Hope.. πŸ™‚

First 2008 Thoughts from a Paranoid

January 1, 2008


First of all let me wish you an Happy New Year, could be full of peace and serenity!

This morning, by surfing randomly the web I found, or better remembered a Secure Mail Service provided by safe-mail.net, and as my usual Paranoia I’ve done a Reverse DNS Lookup, and result is truly curious..

Name Server: EGOZ.GALIAD.CO.IL (has 109 domains)
Name Server: NS.BARAK.NET.IL (has 2,622 domains)


Server Type: Apache/2.0.54 (Fedora)
IP Address:

IP Location Β  Β Israel – Tel Aviv – Tel Aviv – Smile Internet Gold

Name Server comes from NSA and Server comes from Israel, strange you don’t think?

See you to the next post.. πŸ™‚

Crypto Reverse Engineering Speech

December 18, 2007


I’m working for a Chat-Conference Speech, on Cryptography and Reverse Engineering, for the Reversity program promoted by Reteam.

Obviously i accept suggestions and topics to talk about πŸ™‚

First Reversity Session: POSTPONED to Sunday Jan 6 2008 12:00 EST (GMT-5) or 17:00 GMTΒ 

On EFNet chan: #reversity

In the next days I’ll publish here the Talk Index

See you to the next post.. πŸ™‚

RBN (Russian Bank Network) Analysis

December 7, 2007


There are some places in the world where life is dangerous. Internet has some dark zones too and RBN is one of them. RBN stands for Russian Business Network and it’s a nebulous organisation which aims to fulfil cyber crime.

This study aims to provide some enlightenment on RBN activities and tries to detail how they work. Indeed RBN has many constituents and it’s hard to have an exact idea on the goal of some of them and the way they’re linked with other constituents.
There are some countermeasures available but they don’t make sense for home users or even companies. Only ISPs, IXPs and internet regulators can help mitigating risks originating from RBN and other malicious groups.



See you to the next post.. πŸ™‚

[Malware Hunting] Some Considerarion

October 8, 2007


This can sound strange to the people not involved in Malware Analysis, any times one of the big problems for a reverser is to find good live Malware samples.

Out there we have a good Malware DataBase is provided by OffensiveComputing, great source of Live Samples, but as every Community Submitting based reality not updated every time.

As should be clear, is truly important to have Live Material in Time, because malware spreading is truly fast, the only great defence (apart Security Countermeasures) is the Speed Analysis, for fast updated AntiViral Basis/Payloads, this because the basical TimeLife of a malware is directly proportional to the Speed of the Incident Reporting Companies. Home made DataBases are a great example of real life malware, especially for WebBased viruses, because implicitly these boards are a reflection of the most spreaded Social Stream Preferences, and consequently the most common choised WebSites.

About live malware samples, unfortunately this mechanism is not so efficient, for many reasons:

  • Slow Time Reporting
  • Geographycal Malware Density

Slow Time Reporting, is caused by different Fuse Time and obviously by not continue (linear) malware posting.

Geographycal Spreading, means that in some well defined locations we have the expansion of a particular Virus.

As you should understanded for mass malware analysis is necessary to use other technologies, as Malware Collectors and HoneyPots.

Soon I’ll publish something about mwcollection, so stay tuned πŸ˜‰

See you to the next post πŸ™‚

.NET Source Code

October 6, 2007

A great news from Microsoft, in some time will be released .NET Base Class Libraries‘s Source Code πŸ™‚

A great new for Coders and Reversers..

See you to the next post

Various News

October 2, 2007

These are days full of news, good and bad ones πŸ™‚

Bye Bye VirtualBox! Due to several crashes with USB I’ can’t continue tu use VirtualBox, coming back to my dear VMWare ultra Fault Tollerant, old dear VMWare!

Code Development is blocked cause, Notebook Death, but I’ve updated my Todo Code List:

  • Commercial version of FolderProtector, realized in C# using Strong Cryptography and AntiCorruption Checks.
  • MultiSteganer (I think this will be Commercial), realized in C#, will works various file formats. Data Storing will be Protected by a Password frase that Encrypts the content.
  • Free Version of SteganoDetector, based over the previous Tool, but with Forensics Purposes.

Today begins my new work for Investigative Data Recovery Enterprise πŸ™‚ πŸ˜€

See you to the next post πŸ™‚

[Malware] Trojan.DOS.DelIosys.b

September 28, 2007

This morning I’ve received between the classic Spam, a little attachment that contains an old Virus, so I’ve dissected It:

seg000:0100 mov ax, 4301h
seg000:0103 mov dx, 114h
seg000:0106 mov cx, 6
seg000:0109 int 21h ; DOS – 2+ – SET FILE ATTRIBUTES
seg000:0109 ; DS:DX -> ASCIZ file name
seg000:0109 ; CX = file attribute bits
seg000:010B jb short locret_10113
seg000:010D mov ah, 41h
seg000:010F int 21h ; DOS – 2+ – DELETE A FILE (UNLINK)
seg000:010F ; DS:DX -> ASCIZ pathname of file to delete
seg000:0111 jb short $+2
seg000:0113 retn
seg000:0113 start endp

The file is a little COM executable for MS-DOS, which uses two elementary interrupt’s calls, one for Attributes Settings and another for File Deletion (ASCIZ pathname in this case points to io.sys System’s file).

This malware, is identified by the major antivirus as Trojan.DOS.DelIosys.b

File Size: 30 Bytes

MD5 Hash: ff0a232cf3720c75c88552a52d9ea72f

SHA1 Hash: 68e3bdf93f88bf2ff0c2a1e4ca96ddb190ab9835

It’s incredible how old Viruses are still around the web!

See you to the next post πŸ™‚

[VirtualBox] Xp Installation Problems

September 26, 2007

Today I’ve installed an Xp VM powered by VirtualBox, but initially I’ve encountered a problem that blocked the installation.

As indicated by VBox i’ve choised 192 MB for VM’s Memory, but at the step of NTFS Formattation VBox shuts down with the following error:


So I setted the memory at 125 MB and installation worked fine.

Remember don’t believe to the Indicated Memory Usage πŸ˜‰

See you to the next post πŸ™‚

First Experiments with BouncyCastle CryptoLib

September 25, 2007

In these day I’m experimentig a promising library which implements many Crypto Algorithms, called BouncyCastle (which is for .NET, and I’m coding in C#).

Library, seems to be complete and to have good implementations of Common Algorithms, EllipticCurveCryptography, Certifications, OpenPGP, OpenSSL.

A part a little leak of performances in ECIES algorithm, seems to work great.

The big problem is that Hex Conversion functions have some problem, for example Hex.Decode() , fails when the string passed have an odd lenght.

To dayI’ve sent an email to the coders, hope in a fast reply, if i discover how to solve also other minor problems (actually no time to mention all) i’ll post here the fixed piece of code πŸ˜‰

See you to the next post πŸ™‚