The Websense Security Labs Blog delivers the most current information about breaking security research topics and today's advanced Internet threats.  Websense Security Labs investigates and publishes information about outbreaks, new threats and other relevant Web security topics to protect organizations from converging risks to their data from Web, email and user based attacks.

Custom Packer on NTOS.EXE

06.28.2007 - 3:50 PM
We have noticed a few different variants of NTOS.EXE, a Trojan/spammer that steals data and uploads it, encrypted, to a remote server. Every time a new variant appears, the packer stub looks different because of the polymorphic junk code generator. The packer itself uses a few tricks to prevent (or try to prevent) reversing, but overall it is rather trivial. I will present the packer, explain how to bypass the anti-dumping trick, and show how to get a clean disassembly of the executable, even though the application (and I am not talking about the packer here) uses dynamic API function resolution.

1) BPX Check: The packer checks for 0xCC on function entry, but in an "obfuscated" way. A trained eye will spot this check in a second. ESI is pointing to ExitProcess, and the packer fetches the first byte of the function, subtracts 0x34 and checks whether the result is equal to 0x98. Obviously, 0x98 + 0x34 = 0xCC, which is the int 3, also known as the...

eBay-DoubleClick-AOL redirect chain phish

06.28.2007 - 3:24 PM
Websense Security Labs has discovered an eBay phish utilizing a chain of eBay, DoubleClick and AOL redirectors. The initial redirector on eBay will only redirect a user to another site if the correct eBay partner ID is provided. In this incident, the URL provided first redirects the user to the second redirector hosted on DoubleClick's advertisement server at us.ebayobjects.com. The URL looks like this: http://cgi1.ebay.com/aw-cgi/ebayISAPI.dll?Re...

Conditionally Malicious

06.28.2007 - 10:35 AM
One of our APAC researchers recently came across a potentially malicious URL. The site, hosted in Russia, was serving up a PHP page, which, when downloaded, contained the following code:

function dc(x) { var l=x.length,b=1024,i,j,r,p=0,s=0,w=0,t=Array(63,34,17,60,7,48,36,37, 8,35,0,0,0,0,0,0,59,39,30,31,51,13,4,15,2,32,52,61,0,44,50,18,40,6,26, 23,9,42,14,19,54,45,46,0,0,0,0,56,0,24,58,41,28,25,27,29,55,5,20,53,49, 38,43,1,33,21,57,16,11,12,22,3,10,47,62); for(j=Math.ceil(l/b);j>0;j--) { r=''; for(i=Math.min(l,b);i>0;i--,l--) { w|=(t[x.charCodeAt(p++)-48])>=8; s-=2 ...

Web "Two-Dot-Uh-Oh": User created content and Phishing

06.22.2007 - 12:13 PM
Unless you have been asleep at the wheel, I am sure you are all aware of the new Web 2.0 world and its benefits. You may have also heard us sometimes refer to it as "Web two dot uh-oh" (see presentation link below). One of the biggest reasons for our concern is user-created content. Allowing people to upload their own content to a website is obviously not anything new; it's the added attraction of giving them access to all kinds of new active media, scripting, and social network...

Which eBay seller would you buy from?

06.14.2007 - 11:02 AM
You have found that product you wanted on eBay, and you open your wallet and get your credit card out. All else being equal, which seller would you purchase from? A seller who is new to eBay with no track record of ever selling anything, or an eBay "Power Seller" with at least 120 unique happy previous customers? The seller with the proven track record of happy customers would surely put you more at ease than the new seller, and your gut feel may swing your decision to purchase from the reputable seller over his competitor. After all, eBay is nothing more than an intermediary for strangers to buy and sell from each other, so a good, verifiable reputation does wonders for an eBay merchant. But what happens when the yardstick measuring trust, an important currency on a platform inherently used by strangers, is gamed and artificially inflated? Yesterday, we picked up http://www.nextbigleap.com/blog/bizarre/am...

Crimeware using YouTube deception

06.07.2007 - 2:24 PM
Crimeware using "YouTube Evasion": The other day we ran into a new technique that makes an attempt to distract the user into viewing a new YouTube video. The application uses the movie icon when it gets downloaded to the machine, but relies strictly on deception to get you to run it. The file is called YouTube04567.exe and was hosted on a web server in the .SU domain (Soviet ...

Anti-Phishing Working Group Meeting 2007 : Phishing Phutures

06.04.2007 - 12:50 PM
Last week I presented at the Anti-Phishing Working Group (APWG) meeting held in San Francisco (see: http://www.antiphishing.org/events/2007_operationsSummit.html). This is the fourth time I have presented at this conference, which first started in Washington, D.C., in September 2004. Three years later, phishing has clearly become a much more sophisticated problem than once thought, and it is at the forefront for security companies and technologists globally. The rise in numbers and techniques has simply been staggering during these three years. As a research fellow of the APWG, I have always thought it was important to stay on top of what could be the next phase of techniques we may see. I did this three years ago when we discussed smaller targets, and two years ago when we started researching the use of malicious code attacks in phishing (what is now called "crimeware"). So, this year I presented something called "Phishing Phutures". It was not...