Scary monsters (and super creeps)
Posted on 2010-03-03 11:44:53 in PornoSecurity
Hey there, I bet you thought I was dead, didn't you? Truth is, again, I'm alive and kicking :> Since I've been monitoring SpyEye for a while now, I wanna tell you and show you something.
The toolkit, ready to be bought by cybercriminals all over the world, was discovered in obscure underground forums (it's the black scary market, baby!) early last month by Symantec and Others(tm), taking advantage of their worldwide intelligence gathering systems, of some covert operations..... you know, stuff like that:
SpyEye is actually very similar to Zeus: they share the majority of the functionality, expose pretty much the same behaviour, and take advantage of the same mechanisms (HTTP for communication, encrypted configuration, kewl web panel, etc.). SpyEye is missing some features, like a ring0 rootkit for example (but you bet it will be added if the toolkit becomes popular), and has some minor problems.. it still looks pretty young. One of the low-level distinctive signs I found in the SpyEye droppers is the following schema used for API calls, as well as the use (and hooking) of the LdrLoadDll function.
The bootstrap configuration file of SpyEye is often brought to you by the dropper itself: it is embedded as a PE resource and is actually an encrypted zip. Just like with Zeus, the decryption key can be found within the code, but since the code is not obfuscated there's no need to let the dropper run (that is, infect a VM) to extract the plain text. In the last few days I have been monitoring a couple of SpyEye C&C servers and watching the number of zombies start from near zero and increase day by day. The image below shows the geographic distribution of a growing botnet I am monitoring:
What's the sexy thing in here? Well, look at the picture: blue points are SpyEye-infected zombies, red points instead are sandboxes all over the world trying to analyze SpyEye samples ;)
Happy exploit wednesday!
Posted on 2009-10-14 12:49:15 in PornoSecurity
A lot of remotely exploitable vulns this time. The first vuln I had time to spend on is MS09-057. The vulnerability lies in query.dll and can be triggered by passing a malformed URL-encoded URL to the DecodeUrlEscapes() and DecodeEscapes() functions. Since query.dll is used by ixsso.dll, which can be loaded in a web page as an ActiveX control, it is possible to reach the vulnerable code by passing a malformed URL-encoded URL to the SetQueryFromUrl() function.
But hey, there could be different ways to reach the vulnerable code! Somebody should scan Windows DLLs and EXEs to look for imports from query.dll :)
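The bug class described above is an escape decoder that assumes every '%' is followed by two hex digits. Below, as an added example (not query.dll code, whose source is not public), is a bounds-checked decoder that rejects the malformed forms instead of reading past the buffer; the function names and the sample inputs are constructed for illustration.

```c
#include <string.h>
#include <ctype.h>
#include <stdio.h>

/* Hypothetical hardened percent-decoder (added example; not query.dll code).
 * Returns decoded length, or -1 if the input is malformed ('%' with fewer
 * than two bytes after it, or a non-hex digit) or the output is too small. */
static int hexval(unsigned char c) {
    if (isdigit(c)) return c - '0';
    c = (unsigned char)tolower(c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

int decode_url_escapes(const char *in, size_t in_len, char *out, size_t out_cap) {
    size_t i = 0, o = 0;
    while (i < in_len) {
        if (o >= out_cap) return -1;
        if (in[i] != '%') { out[o++] = in[i++]; continue; }
        /* A decoder that reads in[i+1] and in[i+2] without this length check
           reads past the buffer when the escape is the last thing in it. */
        if (in_len - i < 3) return -1;
        int hi = hexval((unsigned char)in[i + 1]);
        int lo = hexval((unsigned char)in[i + 2]);
        if (hi < 0 || lo < 0) return -1;
        out[o++] = (char)((hi << 4) | lo);
        i += 3;
    }
    return (int)o;
}

/* Wrapper for NUL-terminated strings; reserves room for the terminator. */
int decode_cstr(const char *in, char *out, size_t out_cap) {
    if (out_cap == 0) return -1;
    int n = decode_url_escapes(in, strlen(in), out, out_cap - 1);
    if (n < 0) return -1;
    out[n] = '\0';
    return n;
}

/* Helpers for the demo: 1 if in decodes exactly to expected / is rejected. */
int decodes_to(const char *in, const char *expected) {
    char buf[64];
    return decode_cstr(in, buf, sizeof buf) >= 0 && strcmp(buf, expected) == 0;
}
int is_rejected(const char *in) { char buf[64]; return decode_cstr(in, buf, sizeof buf) < 0; }
int main(void) {
    const char *samples[] = { "/a%20b", "trailing%4", "bad%zz", "%41%42" }; /* constructed */
    char buf[32];
    for (size_t k = 0; k < 4; k++)
        printf("%-12s -> %s\n", samples[k], decode_cstr(samples[k], buf, sizeof buf) < 0 ? "rejected" : buf);
    return 0;
}
```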
All you can spray
Posted on 2009-08-13 12:49:25 in PornoSecurity
Since I'm tired of reinventing the wheel, I decided to write a couple of lines of code and to wrap them in an easy-to-use, single PHP file.
Just put it in your DocumentRoot and you get ActionScript (Flash) heap spraying and/or a wonderful .NET assembly loaded at the address you choose.
The script accepts different parameters:
- t: 'd' if you want a .NET assembly, 'f' for SWF
- s: shellcode
- n: nop
- c: number of chunks to spray (for SWF)
- b: base address (for .NET assembly)
For example, to request a .NET assembly with a base address of 0x41410000, a nopsled of 0x0a and an INT 3 as shellcode:
/spray.php?t=d&s=%cc&n=0x0a&b=4141
If you want to spray the heap with Flash instead:
/spray.php?t=f&s=%cc&n=0x0a&c=0x500
Here you can find a .tar.gz with the script, an HTML example and the Flash spray sources (to be compiled with haxe).
No, there's no source for the .NET control in the .tar.gz (it's 1 MB, too heavy). To make one, just create a class and put a huge static string in there; it will be loaded in a +rx area.
Have fun :)