Directions

April 10, 2008

Hi,

In this little post I want to lay out what my future work should be and the topics in which I'll invest my efforts.

At the moment I'm developing a Device Driver Fuzzer for Windows 2k, XP and 2k3.

This device driver fuzzer, which I'll call Klystron, is similar to the Kartoffel driver fuzzer, but it has an MFC-based GUI and can keep a trace of the IOCTLs used by hooking DeviceIoControl().

Particular attention will be paid to IOCTLs that use METHOD_NEITHER, because most device driver bugs come from this kind of control code, for which the I/O manager performs no check on the received buffers. It's easy to tell which IOCTLs use this method: from the control code encoding (the transfer method sits in the two lowest bits, and METHOD_NEITHER is 3) we can see that they end in

0x00000003

0x00000007

0x0000000B

0x0000000F
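As an added example (not code from the post or from Klystron): a small decoder for the CTL_CODE field layout that pulls device type, access, function and transfer method out of a control code, so a trace of captured IOCTLs can be triaged for the METHOD_NEITHER ones whose buffer handling a driver must do itself. The 0x00222000 sample and the function names are my own constructions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define METHOD_NEITHER 3   /* transfer-type value 3 in the Windows DDK */

/* The four fields packed by CTL_CODE(DeviceType, Function, Method, Access):
 * DeviceType bits 31..16, Access bits 15..14, Function bits 13..2, Method bits 1..0. */
typedef struct {
    uint32_t device_type;
    uint32_t access;
    uint32_t function;
    uint32_t method;
} ioctl_fields;

ioctl_fields ioctl_decode(uint32_t code) {
    ioctl_fields f;
    f.device_type = (code >> 16) & 0xFFFF;
    f.access      = (code >> 14) & 0x3;
    f.function    = (code >> 2)  & 0xFFF;
    f.method      = code & 0x3;
    return f;
}

/* METHOD_NEITHER: the I/O manager hands the driver the raw user-mode
 * pointers, so the driver itself must probe and validate every buffer. */
bool ioctl_is_method_neither(uint32_t code) {
    return (code & 0x3) == METHOD_NEITHER;
}

const char *ioctl_method_name(uint32_t method) {
    static const char *names[] = { "METHOD_BUFFERED", "METHOD_IN_DIRECT",
                                   "METHOD_OUT_DIRECT", "METHOD_NEITHER" };
    return names[method & 0x3];
}

int main(void) {
    /* Constructed sample: the four values quoted in the post, plus one
     * buffered code (FILE_DEVICE_UNKNOWN 0x22, function 0x800) for contrast. */
    const uint32_t samples[] = { 0x00000003, 0x00000007, 0x0000000B, 0x0000000F, 0x00222000 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        ioctl_fields f = ioctl_decode(samples[i]);
        printf("0x%08X dev=0x%04X acc=%u fn=0x%03X %s%s\n", (unsigned)samples[i],
               (unsigned)f.device_type, (unsigned)f.access, (unsigned)f.function,
               ioctl_method_name(f.method),
               ioctl_is_method_neither(samples[i]) ? "  <- audit buffer handling" : "");
    }
    return 0;
}
```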

All captured IOCTLs will be saved, then parsed and loaded into a ListBox that acts as the launcher for the fuzzing part.

The fuzzing engine will essentially be based on Kartoffel, but I don't exclude adding other fuzzing options.

That's all for Klystron..

Next month I'll also be studying How the Presence of a Rootkit Could Affect Performance Graphics, and if good results come out I'll publish a little paper about that.

Another target will be a study paper plus source code for the undocumented NtSectionDebug() function.

Surely I'll also write some new malware reversing story; at the moment I'm working on the Silent Banker trojan, which is a really interesting subject for an RCE paper 😉

Frozen (not Dead) projects are:

MultiCryptoProtector

MultiStegoProtector

StegoDetector

I also plan to translate my ElGamal paper and, at the end of the year, to write A Reverse Engineering Approach to AES.

In this period I'm also a bit tired of people (because of a light touch of socio-delusion-depression) and of the pointless discussions all over the so-called New Internet, better known as Web 2.0, so I'll limit my presence on IRC/MSN and Skype as much as possible.

My tolerance is also exhausted for the vulgarity and obscenity I have to hear every day; one of the great things about the internet is liberty, real, or for less experienced persons, apparent..

And by liberty I mean the possibility to choose the environment that makes you feel more relaxed and serene.. and the massive vulgarity, arrogance and egoism, with heavy touches of egocentrism, make me feel not so clear and not so serene.

Surely I'm sociopathic, but now STOP: I want to exist on the internet, but without hearing 24 hours a day people who think they are God and talk like Porky Pig.

Some channels seem to know who you are only when you have something to give to the others, but on the other hand people are very careful about disclosing resources, sources or links to you (links in every sense of the term).

It's really frustrating to see that, and to see how people (implicitly) want you to know that you're not part of a group..

So I think the best cure for my zero tolerance of people is to disappear for a bit from all "chat" scenes..

See you at the next post..

Evilcry


Banca di Roma Fraud

March 1, 2008

Hi,

Today my mail honeypot caught a new fraud, which comes from Japan.

A classic bank fraud attempt; the affected bank is UniCredit Banca di Roma, and this is the mail I received

————————————————————

Dear CUSTOMER,

As part of a project to verify the personal data supplied when subscribing to
Banca di Roma services, an inconsistency has been found in the personal data in
question that you supplied at the time of signing the contract.

Entering altered data may constitute grounds for interruption of the service under
arts. 135 and 137/c, which you accepted at the time of subscription, as well as a
criminal offence under C.P.P. art. 415 of 2001 concerning the law against money
laundering and the transparency of data supplied in self-certification.

To remedy the problem, the verification and updating of the personal data of the
holder of the banking services is necessary.

Update your data by clicking on the following secure link:

Access secure link >>

Kind regards!

| © Banca di Roma S.P.A 2008 VAT no. 01114601306

————————————————————-

The mail claims an inconsistency in the account, so the victim is induced to reconfirm his account details.

There is a link, for Secure Access, that points at http://www.rwell.co.jp/{Censored}.htm, which obviously does not use any form of secure connection; from there we are immediately redirected to http://oakadaa1.easyvserver.net/roma/{CENSORED}.html, which perfectly emulates the Banca di Roma home page.

As usual there are UserId and Password fields to fill in; let's check the source code to see which checks the attacker performs..

———————————

// Wrapped into a function here so the fragment is self-contained; the kit's own
// handler name is not shown on the page. signupFORM is the login form element.
function checkLogin(signupFORM){
  if(signupFORM.userid.value == ""){
    alert("Non avete completato il UserID");return false;    // "You have not filled in the UserID"
  }
  if(signupFORM.password.value == ""){
    alert("Non avete completato il Password");return false;  // "You have not filled in the Password"
  }
  // INTI0565 ... : "CUSTOMER IDENTIFIER OR SECRET CODE NOT VALID"
  if(signupFORM.userid.value.length <7){
    alert("INTI0565 IDENTIFICATIVO DEL CLIENTE O CODICE SEGRETO NON VALIDI");return false;
  }
  if(signupFORM.userid.value.length >7){
    alert("INTI0565 IDENTIFICATIVO DEL CLIENTE O CODICE SEGRETO NON VALIDI");return false;
  }
  if((signupFORM.password.value.length <6)){
    alert("INTI0565 IDENTIFICATIVO DEL CLIENTE O CODICE SEGRETO NON VALIDI ");
    return false;
  }
  return true;
}

———————————————–

The function accepts only numbers for both fields; the UserId should be a minimum of 7 digits long, and the password 6.

After clicking we are taken to the second page..

Here we're asked for the Security Card ID and the Security Card coordinates (64 fields); let's see what the input rules are..

——————————-

function checkCard(signupFORM){  // wrapper added here; the field named "email" holds the card number
  if(signupFORM.email.value.length <6){
    alert("Il Numero della Tessera di Sicurezza non e corretto.");return false;}  // "The Security Card number is not correct."
  return true;}

—————————–

The Card ID is a 6-digit number, and each of the 64 coordinate input boxes expects a 2-digit value.

After filling that in, the information is completely stolen, and we're automatically redirected to the real Banca di Roma site.

…another stupid, classic bank fraud..

See you at the next post.. 🙂


Eeye BinDiffing Trick

February 17, 2008

Hi,

There are some truly interesting tools around for binary diffing, useful for vulnerability research and/or malware analysis.

The two most famous tools are:

  • Sabre Security BinDiffv2
  • eEye Binary Diffing Suite (EBDS)

The eEye Binary Diffing Suite (EBDS) is a free and open source set of utilities for performing automated binary differential analysis, but it has a little problem: it seems to have been developed explicitly for IDA 5.0, and no other IDA version is supported.

But there is a trick to get around that and make it work with all IDA versions.

Open the following registry key with Regedit:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IDA Pro_is1

and change the DisplayName value to the string IDA Pro Standard v5.0 or IDA Pro Professional v5.0

and..

Happy Diffing! 🙂

See you at the next post.. 🙂


    Once upon a time..

    January 20, 2008

    Hi,

    It's been some weeks since I last wrote on the blog, not due to a lack of time but essentially because I've worked heavily on reversing and researching some rootkits, and the vulnerabilities of these drivers.. such as kernel stack overflows and their exploitation; maybe some day I'll publish it, but it's not certain.

    I've also found a particular vulnerability that affects a Microsoft product; I'll talk with the MS "Security Division" about it and then I'll release the PoC.

    These are also days of heavy coding: the old idea of the Folder Protector became more complex and turned into DataProtector.. or CProtector, I have to choose a name eheh.. 🙂 These are some of the features:

    • File/Folder Data Protection
    • Random Password Generator
    • Password Manager
    • Encrypted Instant Messenger

    Surely I'll add some features, and finally I'll release a free Basic Edition and a Full ($) Edition..
    The SunOS ICMP Crasher is also ready for release; I think I'll release it this Friday/Saturday.

    See you soon, I hope.. 🙂


    First 2008 Thoughts from a Paranoid

    January 1, 2008

    Hi,

    First of all let me wish you a Happy New Year; may it be full of peace and serenity!

    This morning, while surfing the web at random, I found, or rather remembered, a secure mail service provided by safe-mail.net, and with my usual paranoia I did a reverse DNS lookup, and the result is truly curious..

    Name Server: EGOZ.GALIAD.CO.IL (has 109 domains)
    Name Server: NS.BARAK.NET.IL (has 2,622 domains)
    Name Server: NSA.SAFE-MAIL.NET

    and..

    Server Type: Apache/2.0.54 (Fedora)
    IP Address: 213.8.161.230

    IP Location: Israel – Tel Aviv – Tel Aviv – Smile Internet Gold

    The name server comes from NSA and the server comes from Israel; strange, don't you think?

    See you at the next post.. 🙂


    Crypto Reverse Engineering Speech

    December 18, 2007

    Hi,

    I'm working on a chat-conference talk on cryptography and reverse engineering for the Reversity program promoted by Reteam.

    Obviously I accept suggestions and topics to talk about 🙂

    First Reversity Session: POSTPONED to Sunday Jan 6 2008 12:00 EST (GMT-5) or 17:00 GMT

    On the EFNet channel #reversity

    In the next few days I'll publish the talk index here.

    See you at the next post.. 🙂


    RBN (Russian Bank Network) Analysis

    December 7, 2007

    Hi,

    There are some places in the world where life is dangerous. The Internet has some dark zones too, and RBN is one of them. RBN stands for Russian Business Network, and it's a nebulous organisation whose aim is to carry out cyber crime.

    This study aims to provide some enlightenment on RBN activities and tries to detail how they work. Indeed RBN has many constituents, and it's hard to have an exact idea of the goal of some of them and the way they're linked with other constituents.
    There are some countermeasures available, but they don't make sense for home users or even companies. Only ISPs, IXPs and internet regulators can help mitigate the risks originating from RBN and other malicious groups.

    http://research-labs.net/news/13-Russian+Business+Network+study.html

    http://www.bizeul.org/files/RBN_study.pdf

    See you at the next post.. 🙂