Thursday, April 03, 2008

Hunted... yet the hunter :D

A long time ago I posted about ProRat and how bad guys (!?) use it to hack into other people's PCs!!
Now, what about retrieving information about those evil people? :D

According to the RAT server I got (1.9 FIX-18), this registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows NT Script Host\Microsoft DxDiag\WinSettings


Inside it resides the info you need. All of it is encrypted with XOR; on this occasion it is XORed with 01h.
You can retrieve sensitive info about the attacker (his email, IP, victim-report site, etc.).
Then I got one more thing: if you get to the CGI site (if the attacker set one up), replace that CGI file with log.dat and you can get all the victims' IPs!!
(Or you just run the server and monitor its activities with Ethereal.)
Enjoy the hunt!
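As an added example (not the blog's own code), a Python helper that decodes values taken from that registry key with the single-byte XOR key and lists the e-mail addresses, IPs and URLs a responder would log; the registry path and the 01h key come from the post, while the value names and sample contents are constructed.

```python
"""Decode ProRat's XOR-obfuscated configuration values and pull out the
indicators (e-mail, IP, URL) a responder wants to log. Added example, not the
blog author's code. Assumes the values sit under the registry key named in the
post, XORed with a single-byte key (0x01 for the 1.9 FIX-18 server above)."""
import re

PRORAT_SUBKEY = r"Software\Microsoft\Windows NT Script Host\Microsoft DxDiag\WinSettings"
XOR_KEY = 0x01  # key observed in the post; other builds may differ

INDICATOR_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"https?://[^\s'\"]+"),
}

def xor_bytes(data: bytes, key: int = XOR_KEY) -> bytes:
    """Single-byte XOR is its own inverse, so this both encodes and decodes."""
    return bytes(b ^ key for b in data)

def decode_values(raw: dict, key: int = XOR_KEY) -> dict:
    """Decode every obfuscated value; latin-1 keeps any non-text byte visible."""
    return {name: xor_bytes(blob, key).decode("latin-1") for name, blob in raw.items()}

def extract_indicators(decoded: dict) -> dict:
    """Collect unique e-mail addresses, IPv4 addresses and URLs from the values."""
    found = {kind: [] for kind in INDICATOR_PATTERNS}
    for text in decoded.values():
        for kind, pattern in INDICATOR_PATTERNS.items():
            for match in pattern.findall(text):
                if match not in found[kind]:
                    found[kind].append(match)
    return found

def read_registry_values(subkey: str = PRORAT_SUBKEY) -> dict:
    """Snapshot the raw values under HKCU\\<subkey> (Windows only)."""
    import winreg  # imported here so the decoding helpers also work off-Windows
    raw = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, subkey) as key:
        while True:
            try:
                name, value, _kind = winreg.EnumValue(key, len(raw))
            except OSError:  # no more values under the key
                break
            raw[name] = value if isinstance(value, bytes) else str(value).encode("latin-1")
    return raw

# Constructed sample standing in for a real snapshot (documentation-range addresses).
SAMPLE_RAW = {
    "mail": xor_bytes(b"reports@attacker.example"),
    "notify": xor_bytes(b"http://198.51.100.23/victim.cgi"),
}
```

On a live box, `extract_indicators(decode_values(read_registry_values()))` gives the same dictionary for the real key.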


Wednesday, November 07, 2007

ProRat Trojan: A lame try to hack PCs on the fly!

Today, while I was receiving all these lame tries (from several different forums) to hack people's 'puters using several well-known malwares, I decided to look inside what these files carry.
First, the file was packed by "Win32 Cabinet Self-Extractor", a simple tool in everyone's hands.
Using Resource Hacker I found the RC_DATA resource which contains the executable file to be extracted. I saved it to the HDD.
Next I launched OllyDbg, and from the first glance it seemed that this file had been packed!
Using RDG Packer Detector I found that it had been packed by the FSG v2.0 packer. Googling FSG for an unpacker, I found several ways to unpack the file manually and automatically; I chose the ready-made automatic unpacker.
Meanwhile I was uploading the sample to virustotal.com, since my internet was hell of slow! I continued my research: launching IDA (Interactive Disassembler) I found a few strings in that file, " [* ProRat - Trojan Horse - Coded by PRO Group - Made in Turk " -- Funny, a well-known trojan used by lame people... how astonishing.
During that, VirusTotal.com gave me its result, which was what I had figured out from the sad trip.
A funny thing that made me wonder: the file was 451 KB packed with that FSG packer; after unpacking the file is more than 2.0 MB, and one unpacker even gave me a 7.00 MB file!!!
And as I noticed, and as IDA told me, the file's import table was damaged. Well, this happens when dumping a file from memory; it seems those unpackers did just that (launching the file and debugging it to get it unpacked in memory -- not sure till now), so the file gets its large size from ImageSize (the SizeOfImage field in the PE header, the size of the image once aligned in virtual memory) and also gets its import table corrupted, as it has already been mapped by the Win32 process loader.
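To show the size jump described above in code, here is an added example (not the blog's own) that builds two constructed PE32 header sets, one laid out as a packed file on disk and one as a memory dump of the same image, and compares each one's on-disk footprint with its SizeOfImage; the section names and sizes are made up.

```python
"""Why a memory-dumped PE balloons to SizeOfImage: compare the on-disk footprint
(headers plus each section's raw data) with the in-memory footprint, and spot
the dump signature where every section's file offset equals its RVA. Added
example, not the blog author's code; both images are constructed headers."""
import struct

def parse_pe_layout(data: bytes) -> dict:
    """Read SizeOfImage/SizeOfHeaders and walk the section table of a PE32 image."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    size_of_image, size_of_headers = struct.unpack_from("<II", data, opt + 56)
    table = opt + opt_size
    on_disk, dumped = size_of_headers, nsections > 0
    for i in range(nsections):
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", data, table + i * 40 + 8)
        on_disk += rawsize
        # a dump written straight from memory keeps file offset == RVA for every section
        dumped = dumped and rawptr == va and rawsize >= vsize
    return {"size_of_image": size_of_image, "on_disk": on_disk, "looks_dumped": dumped}

def build_pe(sections, size_of_image: int, size_of_headers: int) -> bytes:
    """Constructed minimal PE32 headers: DOS header, signature, COFF, optional, sections."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    struct.pack_into("<II", opt, 56, size_of_image, size_of_headers)
    table = b"".join(struct.pack("<8sIIIIIIHHI", name, vsize, va, rawsize, rawptr,
                                 0, 0, 0, 0, 0x60000020)
                     for name, vsize, va, rawsize, rawptr in sections)
    return dos + b"PE\0\0" + coff + bytes(opt) + table

# Constructed layouts: (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData).
# The packed file on disk stores little raw data and lets the loader reserve the rest ...
PACKED_ON_DISK = build_pe([(b".text", 0x3000, 0x1000, 0x2400, 0x200),
                           (b".data", 0x10000, 0x4000, 0x800, 0x2600)], 0x14000, 0x200)
# ... while a dump of the same image writes every section out at its full in-memory size.
MEMORY_DUMP = build_pe([(b".text", 0x3000, 0x1000, 0x3000, 0x1000),
                        (b".data", 0x10000, 0x4000, 0x10000, 0x4000)], 0x14000, 0x1000)
```

Running `parse_pe_layout` on a real unpacked sample shows the same pattern: a dump's on-disk footprint matches SizeOfImage, which is why a 451 KB packed file turns into a multi-megabyte one.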

For further reading: ProRat virus definition from Symantec


Thursday, October 18, 2007

StormWorm::SumUp

Who hasn't seen StormWorm in the wild? It reached most of the email addresses in the world; one of them was mine.

"The malware attacks behind this botnet have been relentless all year, using a wide range of clever social engineering lures to trick Windows users into downloading executable files with rootkit components. By some accounts, the malware has successfully created a massive botnet — between one million and 10 million CPUs — producing computing power to rival the world’s top 10 supercomputers." --from here

Here is a very interesting link presenting a StormWorm analysis:
http://www.cyber-ta.org/pubs/StormWorm/


Saturday, April 28, 2007

BOOT KITS

It is neither Blue Pill nor SubVirt; it is the new rootkit coded by Indian fellows. They presented VBootKit, which works on Vista (see the SecurityFocus column...).
Unfortunately the only source code available is the BootKits designed for 2000, XP and 2003, not the VBootKit (the Vista one).
The idea behind a boot kit is that it doesn't require the operating system to work: it simply launches before the OS (the NT subsystems in specific) and then launches the OS, so the OS works as if in a virtual machine. The boot kit is still a PoC, as the developers said on their site.
Regarding the current BootKit payload features:
The sample presented currently keeps escalating cmd.exe to SYSTEM privileges every 30 secs.

Obtain these BootKits from this link: http://www.nvlabs.in/?q=node/14


Sunday, March 25, 2007

Ettercap For windows

Ettercap is a powerful networking tool for man-in-the-middle attacks; it is widely installed on Linux systems.
Lately I found links to Ettercap Windows binaries:
SourceForge.net Win32 Binary list (unofficial)
Pandora-Security Forum Link
Or just search Google for "ettercap-NG-0.7.3-win32"

You also need to download WinPcap in order to run Ettercap on Windows:
WinPcap Download Page

I tested Ettercap in a Windows environment using WinPcap 3.1 in combination with Ethereal under WinXP and on Vista, and to tell the truth, nothing beats Linux in that field.


Saturday, March 17, 2007

Symantec Response Youtube Channel

It seems that Symantec, the anti-virus company, made a YouTube channel; I found it in a link in one of their blog articles.
There is something I regard as lame!! It may be called a PoC (as Circoficus would call it :lol:); it was entitled "Vista Speech Recognition Attack"... Funny way to attack people's Vista machines. See the following video.


Tuesday, February 27, 2007

Worm Hunting!!

I use YMSGR rarely... because I hate it, but once I received this message from a friend. It was a link to some Miss World picture, dunno; I knew from the first glance (smart me) it was one of these stupid nowadays Yahoo Messenger worms :)
The funny thing is the attacker used a registered .info domain. And again used a .jpg containing HTML to redirect the page to the index, where a series of decrypting and script constructing is done in JavaScript; the result is VBScript to be executed using the Microsoft.XMLHTTP vulnerability (not sure about it, since it's a scripting thing) to download and execute the "YMworm.exe" and "worm2007.exe" files. Well, I downloaded these files from that apparently doomed site :) lately, and used:
http://virusscan.jotti.org/
to scan these files, which resulted in something like this:


Well, after googling W32/Sohand.A I found a description on pspl.com, which suggested that the one I caught was some other variant of it. For me, I regard it as a stupid worm because it was obviously programmed in VB... although I shouldn't call any worm that was able to reach me through spreading stupid; maybe the people who clicked on that link were stupid, I don't know about that either.
I put it in OllyDbg, but hey... I am having mid-year exams these days, and another thing, seriously debugging VB-coded stuff is just a pain in the ass thingie :(

To remove the worm, this link might help: Click.
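An added defensive check (not the blog's own code) for the .jpg-that-is-really-HTML trick described above: it flags a file whose extension says JPEG but whose bytes lack the JPEG header or carry HTML, a redirect, script construction or a Microsoft.XMLHTTP reference. The two sample files are constructed.

```python
"""Flag a file that claims to be a JPEG but actually carries HTML/script, the
lure the post describes (a .jpg that redirects and then builds VBScript which
uses Microsoft.XMLHTTP to fetch executables). Added example, not the blog
author's code; the sample contents below are constructed."""
import re

JPEG_MAGIC = b"\xff\xd8\xff"
# Markers taken from the post: HTML in an image, a redirect, script building, XMLHTTP.
SUSPICIOUS_MARKERS = [
    (re.compile(rb"<\s*html", re.I), "html tag"),
    (re.compile(rb"<\s*script", re.I), "script tag"),
    (re.compile(rb"location\.(?:href|replace)|http-equiv=[\"']?refresh", re.I), "redirect"),
    (re.compile(rb"unescape\s*\(|document\.write\s*\(", re.I), "script construction"),
    (re.compile(rb"Microsoft\.XMLHTTP", re.I), "XMLHTTP download"),
    (re.compile(rb"\.exe\b", re.I), "executable reference"),
]

def inspect_image(name: str, data: bytes) -> list:
    """Return the reasons a supposed image looks like a web lure (empty if clean)."""
    reasons = []
    if name.lower().endswith((".jpg", ".jpeg")) and not data.startswith(JPEG_MAGIC):
        reasons.append("extension says JPEG but header does not")
    for pattern, label in SUSPICIOUS_MARKERS:
        if pattern.search(data):
            reasons.append(label)
    return reasons

# Constructed samples: a minimal JFIF header, and a fake .jpg carrying an HTML lure.
CLEAN_JPEG = JPEG_MAGIC + b"\xe0\x00\x10JFIF\x00" + b"\x00" * 32
LURE_JPG = (b"<html><script>document.write(unescape('%3Cscript%3E'));"
            b"location.href='index.htm';</script>"
            b"<!-- Microsoft.XMLHTTP worm2007.exe --></html>")
```

Any hit on a file served as an image is worth a closer look; a clean JPEG yields an empty list.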
