eatable SPAM

yummy.. SPAM with honey grail..

[Paper] Companion worms on UNIX systems.

http://c-skills.blogspot.com/2009/12/thoughts-on-companion-worms.html

paper by: Sebastian Krahmer

anti-shouldersurfer

Google Chrome for Linux..

Finally, after waiting and waiting.. and after reading the comics in the website i realize why..
It can be seen here

And can be downloaded here


support for Debian/Ubuntu/Fedora/openSUSE

Nepenthes + PHARM - SurfIDS = Test Dulu

PHARM or nepenthes pharm is a client/server tool to manage, report and analyze all your distributed nepenthes instances from one interface. Sounds interesting. Before this I developed nepenthes and OpenVPN plugin for Webmin, looking foward for nepenthes client and integrate them with SurfIDS, but I think it is the end of it :-(

(click image for larger visual)

PHARM has 3 main components:

• Server
• Client (Implement on nepenthe honeypot)
  
• Web Portal (View data collected from sensor)

More info and screenshot are here: http://www.nepenthespharm.com

WINWORD.EXE malware

Some malware become famous because of their behaviour and now I found a malware that hide all your word documents and replace it with their copy of .exe files with the same name and icon as each of the hidden word documents before. It become dangerous when you did not set for not "hiding extensions for known file types" in folder options. It is because you cannot distinguish the changes made by the malware and it become worse when you attach the file in email and spread the malware to other computers by email. So please be aware of this malware by view the properties of the file before executing it. The malware will appear as "Application" rather than as "word documents". I'll post more on the detail of the analysis of this malware later and for this post just how to recover your file back.

First, open your command prompt by start>run and type cmd and press enter. In the command prompt, type your drive letter with double colon. (eg. if your pendrive labeled as I: in your "My Computer", just typed I: and press enter)

Then type:

dir /A:H

This command will view all the hidden files in your drive including the files that been hidden by the malware (if working properly)

Then to remove the hidden attribute of the files just type:

attrib -S -H -R *.doc

This command will remove the System Files (-S), Hidden (-H) and Read Only (-R) attributes for all .doc files int the drive. Please take note that the hidden attribute cannot be remove using properties.

Thats all for now and dont hesititate to ask if having any problems.

Conficker Eye Chart

Quite lame, but still practical maybe..huhu..

"Joe Stewart from SecureWorks has put together an effective "eye chart" that sources its graphics from sites that Conficker would block. If you can't see one or more of the images, you're either infected, or image loading in your browser has been disabled.

Firefox users can check if image loading has been disabled under Tools/Options and the Content tab. Load Images Automatically should be checked. Internet Explorer users will find it under Tools/Internet Options, then the Advanced tab. Scroll down to Multimedia, and Show Pictures should be checked.

It's a test based on the fact that Conficker blocks legitimate security Web sites. The logos are sourced remotely, so if they can't load, the sites are also likely to be blocked. If you're seeing blocked images, you should check out the CNET guide to removing Conficker--just because the botnet hasn't done much that's demonstrably malicious yet doesn't mean it can't or won't in the future."

original post: http://www.nsaneforums.com/?showtopic=18612

Eye Chart: http://www.confickerworkinggroup.org/infection_test/cfeyechart.html

How To Cyberstalk Potential Employers

Zaman pencarian kerja untuk para graduan telah bermula... rasanya inilah masanya untuk implement tutorial dari irongeek.com ni..

How To Cyberstalk Potential Employers

Add new Partitions to Virtualbox OSE Ubuntu

1. Create new Virtual Hard Disk

Open Virtualbox OSE, go to File > Virtual Media Manager(VMM) or just Ctrl + D. Click New button on the Hard Disk Tab. Follow the instructions, until finish. Make sure this time take care about the size of the partition. And finish the procedure (choose the right partition type, name and size. Now we have created a new Virtual Hard Disk (VHD).

2. Add the new VHD to the VCO

Exit the VMM by clicking OK button. On the Virtualbox OSE, Right Click the targeted VCO, go to setting.. (Make sure the VCO is Powered Off) Go to Hard Disks. Click the Add Attachment Button (Button with + ) and your newly created VHD will be inserted automatically and finish it with OK button.

3. Start targeted VCO

The VCO will detect and install the new VHD when startup and wait until it finish and the Right Click on My Computer, choose Manage. Computer Management will be opened and go to Storage > Disk Management. Your new VHD will be in the list but labeled as Unknown. At the time you click the Disk Management, there will be a popup for Disk Initialize and go through the procedure until finish. The new VHD will be detected as Unallocated.

4. Format the new VHD

Right click the Unallocated drive and choose New Volume. Go through the Procedure until finish depends on your requirement. And now you already have new disk partition on you VCO.

Vitualbox + maltrap == pure wonders..

DLLPath: C:\Documents and Settings\Administrator\Desktop\maltrap_v0.2a\maltrap.dll
Process injected! PID: 3660
PID: 3660, All hooks are now in place!
PID: 3660, 0x00406D6E: RegOpenKeyExA(key: HKEY_LOCAL_MACHINE, subkey: SYSTEM\CurrentControlSet\Services\ferst) -> FAIL
PID: 3660, 0x00406ECB: CopyFileA(existing: C:\Documents and Settings\Administrator\Desktop\G001.exe, new: C:\WINDOWS\system32\qokqe.exe, overwrite: 00000000)
PID: 3660, 0x00406F2F: OpenSCManagerA(machName: (null), dbName: (null), access: 000F003F) -> h:0025EB58
PID: 3660, 0x00406F64: CreateServiceA(ServiceName: ferst, DisplayName: ces, Type: 00000010, StartType: 00000002, StartName: (null), Path: C:\WINDOWS\system32\qokqe.exe, Password: (null)) -> h:0025E8A0
PID: 3660, --- Service runs in its own process
PID: 3660, --- Is started automatically by the SCM during system startup
PID: 3660, 0x00406FB0: StartServiceA(hService: 0025E8A0, serviceArgs: (null)) -> SUCCESS
PID: 3660, 0x00407027: RegOpenKeyA(key: HKEY_LOCAL_MACHINE, subkey: SYSTEM\CurrentControlSet\Services\ferst) -> SUCCESS
PID: 3660, --- handle: 00000754
PID: 3660, 0x00407049: RegSetValueExA(keyHandle: 00000754, valueName: Description, data: fsr) -> SUCCESS
PID: 3660, 0x7C81F2AE: GetFileAttributesW(C:\Documents and Settings\Administrator\Desktop\G001.exe)
PID: 3660, 0x7C910A16: CreateProcessA(appName: (null), cmdLine: C:\WINDOWS\system32\cmd.exe /c del C:\DOCUME~1\ADMINI~1\Desktop\G001.exe > nul)
PID: 3660, --- Creating the process in suspended state...
PID: 3660, --- Resulting PID: 3692
PID: 3660, --- Escalating privileges so the process can be opened...
PID: 3660, --- Opening the process...
PID: 3660, --- Allocating memory in the process...
PID: 3660, --- Writing the DLL into memory...
PID: 3660, --- Resuming the suspended process...
PID: 3660, 0x00407548: ExitProcess(exitcode: 0)
[Termination] PID 3660 has terminated!

MalTrap is a research utility that monitors malware behavior by intercepting API calls on Windows and logging results. Though still in it's Alpha release and sparse on features, its a very interesting and useful tool.

Features

* Over 200 API’s are intercepted. Better results and little noise.
* Only relevant API parameters are displayed (highly descriptive).
* Only relevant API return values are displayed (highly descriptive).
* Created processes are monitored
* PID separation – API calls are logged based on the process
* PC shutdown attempts are prevented
* Anti-Debugging attempts are logged (SoftICE, RegMon, FileMon, Generic)
* Key-logging attempts are logged
* Internet traffic is logged and highly detailed (Winsock, FTP, HTTP, IRC, …)

a very cool tools..

download here: http://www.maltrap.com/main/download/

Video Tutorial:

video

Olly SocketTrace 1.0 [OllyDbg Plugin]

Dah banyak review pasal plugin ni dalam bahasa inggeris, jadi ape salahnya kalau ade review versi melayu. Baru terpikir nak tulis pasal plugin ni..

About

OllySocketTrace ni adalah plugin yg digunakan dalam Ollydbg untuk memudahkan analyst atau reverse engineer untuk mengesan aktiviti berkaitan socket di dalam sesebuah process. Aktiviti socket akan dirakam dan kemudian di"highlight" dengan warna2 unik.

Boleh kesan "socket operation":

WSASocket, WSAAccept, WSAConnect, WSARecv, WSARecvFrom, WSASend, WSASendTo, WSAAsyncSelect, WSAEventSelect, WSACloseEvent, listen, ioctlsocket, connect, bind, accept, socket, closesocket, shutdown, recv, recvfrom, send and sendto.

Cara Install n Guna

Mudah sahaja, copy n paste dll file plugin ni ke dalam folder "plugin" di folder ollydbg, dan run ollydbg.. Ia akan ada di menu plugin. Plugin ni akan buatkan "breakpoint" di mana2 socket function call yg berkaitan dan akan record sgala data yg berkaitan.. Untuk melihat hasilnya, hanya klik di menu Plugin > SocketTrace > Log..

Download: http://www.tuts4you.com/download.php?view.2442

p/s: malas nak capture screenshot la.. try la, snang je nak guna..

Latest Artwork

Sambil wat java image processing, layan gambar lame dlm hd n main photoshop jap.. ni lah hasil yg ntah ape2 dariku..

jam kat dinding umah sewa lama

dan ini...

batu kat dataran seremban

dan penjara pudu pun jadi mangsa....

I'm Halal ~ Web browser for Muslims

http://www.imhalal.com/

Alhamdulillah,

Ade juga akhirnya usaha nak mengislamkan search engine.. Tapi still beta version lagi..
untuk lebih maklumat pergi ke : http://imhalal.com/blog/
yang best pasal web browser ni ialah:

1. wow.. leh filter search result ikut tahap keharaman tu.. jeng jeng jeng... (klik gambar utk gambar yg lebih clear)



dan



2. wow.. leh tukar2 background la...

aiyak.. rempah nasik briani..

Virus Giler Glamer

Dari blog McAfee, www.avertlabs.com aku terkesima membaca ade jugak virus maker yg giler glamer.. bese, low profile je.. tapi ade jugak yg tulis dalam code, “HELLO ANTIVIRUS MAKERS! This is XXX! Please call this sh*t YYY! Cheerz!".. macam2 la sekarang ni.. siap dah letak name glamer virus tu.. cayalah!!! aku tgh cari la ape virus tu.. nak tgk dengan mate sendiri..

Combine video.001, video.002 dengan command prompt

Biasenye uploader movie akan splitkan movie diorang kepada beberapa part untuk memudahkan untuk upload movie.. selain untuk cantumkan balik movie2 ni gune tools, kite leh gune command promt. Caranya begini:

copy /b "movie_name.wmv.*" "movie_name.wmv"

tu saja.. yang penting file tu kene letak dalam folder yg sama.. ".wmv" tu leh ganti ngan file type lain yg berkenaan..

[Java] Wake on LAN

On PC di rumah dari ofis adalah idaman aku sekian lama. Dan aku rase aku memang 'n00b' giler sebab baru tau pasal wake on LAN. Jadi tak salah rasenye aku post bende ni untuk panduan aku (kalau save dalam PC confirm tak jumpe cari).

Wake on Lan adalah cara 'on'kan PC remotely dengan menghantar simple UDP packet ke port 9 kat NIC yg support Wake on LAN. Nak tau support ke tak biasenye LED kat LAN socket tu masih menyala walaupun PC dah turn off. Untuk anta packet tu, leh pkai ape2 pun coding n ni aku nak share coding Java:

import java.io.*;
import java.net.*;

public class WakeOnLan {

public static final int PORT = 9;

public static void main(String[] args) {

if (args.length != 2) {
System.out.println("Usage: java WakeOnLan ");
System.out.println("Example: java WakeOnLan 192.168.0.255 00:0D:61:08:22:4A");
System.out.println("Example: java WakeOnLan 192.168.0.255 00-0D-61-08-22-4A");
System.exit(1);
}

String ipStr = args[0];
String macStr = args[1];

try {
byte[] macBytes = getMacBytes(macStr);
byte[] bytes = new byte[6 + 16 * macBytes.length];
for (int i = 0; i <>
bytes[i] = (byte) 0xff;
}
for (int i = 6; i <>
System.arraycopy(macBytes, 0, bytes, i, macBytes.length);
}

InetAddress address = InetAddress.getByName(ipStr);
DatagramPacket packet = new DatagramPacket(bytes, bytes.length, address, PORT);
DatagramSocket socket = new DatagramSocket();
socket.send(packet);
socket.close();

System.out.println("Wake-on-LAN packet sent.");
}
catch (Exception e) {
System.out.println("Failed to send Wake-on-LAN packet: + e");
System.exit(1);
}

}

private static byte[] getMacBytes(String macStr) throws IllegalArgumentException {
byte[] bytes = new byte[6];
String[] hex = macStr.split("(\\:|\\-)");
if (hex.length != 6) {
throw new IllegalArgumentException("Invalid MAC address.");
}
try {
for (int i = 0; i <>
bytes[i] = (byte) Integer.parseInt(hex[i], 16);
}
}
catch (NumberFormatException e) {
throw new IllegalArgumentException("Invalid hex digit in MAC address.");
}
return bytes;
}


}

lepas compile code ni, run code ni dengan due argument tambahan: ip adress n MAC address.
contoh:

java WakeOnLan 192.168.0.20 00:0D:61:08:22:4A

tu saja.. kalau tak success, antar 2, 3 kali sebab UDP ni maklum la.

p/s: kalau PC kat umah tu behind firewall, jgn lupe allow port 9 n jagn lupe port forwarding port 9 ke ip pc kite tu. maknenye, mase run java tu, letak ip luar (WAN IP) pastu kat firewall or adsl router tu foward port 9 ke LAN ip PC kite. (aku taktau la ape instilah sebenar ip luar tu..duhh)

The Right Brain vs Left Brain test

Korang nampak gambar penari tu pusing arah jam or lawan jam?

Kalau ke arah jam, maknenye korang manggunakan otak bahagian kanan lagi banyak dari otak belah kiri dan sebaliknya kalau pusing lawan jam.


p/s: kalau due2 belah gune same banyak, adakah gambar ni tak pusing? taktau la..

http://bit.ly/ pendeknyeeee

Bestnye menggunakan http://bit.ly ni.. tp apekah ia? bit.ly ni pemendek url yg panjang lebar..

contohnye:

url asal: http://example010.blogspot.com/2008/05/how-to-remove-flash10exe-and.html

lepas gune bit.ly: http://bit.ly/Cya6J

wah.. mantapnye..

Bing Vs Google

Nampaknya, google mungkin akan ada pesaing baru bernama Bing.. Bing adalah product baru dari microsoft yg akan dilancarkan 3 Jun ni.. Tak berani nak komen banyak2 psal product microsoft ni, kang bahaye.. tp ikut rekod lame, Blue Screen of Death (BSOD), Red Ring of Death (RROD), adakah akan wujud juga istilah baru dalam produk ni? kite tunggu dan lihat..hehe

Berbanding google yg menggunakan "advertising-based search model" yg mane menghasilkan item yg paling popular mengikut query, Bing ni menggunakan ‘decision engine’ yg katenye bukan maen ikut popular je, die akan serahkan kat user untuk buat keputusan.. camtulah bunyinye..

“We are introducing a new level of organisation to search results, and our differentiator will be the best results for query,” Satya Nadella, senior vice- president (R&D , online services division) Microsoft.

Menurut diorg, sebagai contoh.. kalau kite search British Airways, Bing akan kuarkan nombor talipon service centre, harga tiket dan maklumat2 lain (walaupun kite just nak cari wikipedia..)

die kate.. “Google is great, but I think you still have to run multiple search queries to get that right answer. If Bing can change that, I will surely shift my search engine,”

[Paper] Know Your Enemy: Containing Conficker

Download

By Felix Leder, Tillmann Werner

Paper ni mmg best utk memahami cara conficker infecting, tersebar dan cara mengesan n mengatasinya.

Gimmiv.A analysis~example010

Sorry for any mistake in this simple analysis.

Download

system call table

Windows: http://www.metasploit.com/users/opcode/syscalls.html
Linux : http://example010.googlepages.com/unistd_32.h

Waledac analysis references

http://www.honeynet.org/node/325
http://www.honeynet.org/node/348
http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081231
http://www.nnl-labs.com/cblog/index.php?/archives/7-Waledacs-Communcation-Protocol.html

"..You gotta love humans. When everything sticks to the scripts, they can put on a great ack, But as soon as something unexpected happens, they react completely true to their nature.."

Interesting Conficker Analysis - Sourcefire VRT

Link

Credit: Sourcefire VRT

how shellcode works.

http://example010.googlepages.com/how_shellcode_work.txt

thanks to SEVIC3

Public key problem when update - Ubuntu

gpg --keyserver keyserver.ubuntu.com --recv-keys $KEY

then

gpg --export --armor $KEY | sudo apt-key add -

$KEY = key value we have missed.

hex to unicode shellcode converter

How to use:

python ushellcode.py hex-file output-file

Download:ushellcode.py.tar.gz

Windows tu yahudi punye??

http://www.stormfront.org/forum/showthread.php?t=557249

Upgrade to OpenOffice 3.0

1. Go to System -> Administration -> Software Sources...
2. Open "Third-Party Software" tab, and click add
3. Paste this: deb http://ppa.launchpad.net/openoffice-pkgs/ubuntu intrepid main
4. Download this: key
5. Open "Authentication" tab and import the downloaded file.
6. Close the Software Source and click reload.

Conficker Downup analysis

Episode 1
Episode 2
Episode 3

Python: Simple URL extractor

def url_finder(data):

all =re.findall("http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+",data)

for i in all:
outpt = i.strip('"').strip("'") + "\n"
print outpt


inpt = "aaaaaaaaaaaaaa http://www.google.com bbbbbbbbb http://example010.blogspot.com ccccccccc http://google.com dddd http://a.b/a/a/a/index.html"

url_finder(inpt)

This code will simply find url using regular expression and output it.

Python: UCS2 shellcode to hex converter

When analyzing javascript that contain shellcode, I really need a UCS2 to Hex converter before running the shellcode via libemu's sctest because the shellcode are in UCS2 format when directly convert the hex into ascii, it means nothing, for example:

UCS2 : %u3341

if i remove the %u and directly convert the 3341 to ascii, it will produce 3A in ascii. But this may bring a false meaning if we run the shellcode. Because the real hex is 4133. So, before we convert the ucs2 into hex, we need to remove the %u and swap the 33 and 41. To make our life easier, we a have python code that automate our job:


def ucs2hex(self, match):
s = match.group()
return "".join([s[4]+s[5],s[2]+s[3]]) # swap the 4th and 5th char with 2nd and 3rd char

def find_word(self,data):
p = re.compile(r'\%u(\w{4})') #regular expression to search for %u and 4 char after it
return p.sub(self.ucs2hex, data)

ucs2_string = "%u3341"
hex_string = self.find_word(ucs2_string)

print hex_string

this code will simply sear the string for %u and 4 chars after it, swap the char no 4 and 5 with char no 2 and 3.

Turning off GCC Stack Smashing Protection

When trying to test my code against stack smashing, I'm stuck when the stack smashing protection always disturb me and terminate the program. Thats really frustrated because I'm just want to learn buffer overflow attack. After a short research and googling, I wrote this short tutorial for my own reminder if i forgot it in the next time.

What is stack Smashing protection?

From http://www.trl.ibm.com/projects/security/ssp/ .

It is a GCC (Gnu Compiler Collection) extension for protecting applications from stack-smashing attacks. Applications written in C will be protected by the method that automatically inserts protection code into an application at compilation time. The protection is realized by buffer overflow detection and the variable reordering feature to avoid the corruption of pointers. The basic idea of buffer overflow detection comes from StackGuard system.

How to Bypass SSP?

Let say our program named unprotect.c. To bypass the stack smashing protection, we just compile it with -fno-stack-protector option.

for example:

user@user:~$ gcc -fno-stack-protector unprotect.c -o unprotect


so, when we text the code, the SSP is not activated when we smash the stack.

for example:


user@user:~$printf "%0516x" | ./unprotect
user@user:~$Segmentation fault


yahoo.. we did it..

Detect and Bypass Packer

Sometimes, when doing RCE (Reverse Code Engineering) using ollydbg, we got a message tell that the source are encrypted. And that make our life harder if the code are encrypted but ollydbg did not alert to us. Both of them because the code had been encrypted using "packer". Packer are used for reducing the size of file and at the same time it encrypt the code. It is one of anti-reverse engineering method. One of the commonly used is UPX but it was already known and easily unpackt it.

In this post I will demonstrate how easy you can bypass the the packer in our code. For this example, i used UPX for the packer and I'm packing calc.exe and rrenamed it to kalc.exe. Tutorial on how to pack using UPX is out of scope of this post but trust me, there're lots of tuts in google.

First thing is of course load the code in ollydbg and the first thing you see on EP was the PUSHAD instruction. PUSHAD was used to PUSH all the registers (eg: EAX,EBX ...) to the stack. This make the the backup af the data before the packing process occured. So, they did not fear of changing the data during packing.

So, the second thing is we step into the instruction by pressing F8. This is for making the all the data PUSHed into the stack.


After we step into the instruction, we can see ESP at the right side had filled with something. ESP is stack pointer and point to the top of the stack.

Then we right-click at the ESP and choose follow in Dump. We will see that something chnaging in the hexdump below the ollydbg.



Then, we will make a hardware breakpoint. Highlight the first dword value (thats are the first 4 pair hex value) and then right-click > Breakpoint > Harware on access > Dword.


After that, run the code and it will stop at the hardware breakpoint that we made before. If you notice, there are POPAD instruction. This instruction is calling or POP all the data in stack. It is opposite with PUSHAD. Thats mean, we are at the end of the packing process. But we need to step a little bit by pressing F8 and after we step after the JMP, we will arrive at the start point of the unpack file or we called Original Entry Point (OEP).