n1p

Hi,

That just looks like an ini file for the usual fake AVs doing the rounds, as you said. It may be that your AV caught it and failed to remove the ini files if you did not get any notifications saying you are infected..

Was the file called local.ini? Here is a threatexpert report for…[Read more]

Maxe,

Congrats. I am giving some serious thought to taking it. I presume you self-studied? Can you provide info on referenced material/books?

n1p

Not very ethical eh?

Haha, it happens 😛

Update: After more research, it turns out that it is the Blackhole Exploit Kit.

http://malwareint.blogspot.com/2010/09/black-hole-exploits-kit-another.html

First one provided.. extracted the added code in main index.php and reformatted it..

Initial inspection – the initial arguments are set to globals for each function which are extrememly obfuscated:

$x1e="x63u162x6cx5fx69156ix74";            //curl_init
$x1f="143165rl137setx6fpx74";                //curl_setopt
$x20="x63165r154_x65xex63";                  //defined             
$x23="x66143154x6f163e"; …[Read more]

@sil wrote:

I was on a team of 26 professionals from Academia, Government, Private Industry etc., who performed an analysis on Stuxnet (http://www.alienvault.com/docs/CSFI_Stuxnet_Report_V1.pdf also see http://www.isssource.com/stuxnet-mitigation-defense-in-depth-needed/ for suggestions)

Where is the in-depth analysis in these reports or is it provided?

No problem, do let us know how it turns out  😛

Better late than neveer 😉 I normally use the alpha upper encoder which should remove bad characters. I remember having problems with the gai-nai encoder and removing bad characters whilst exploiting a program previously.

msfencode -e x86/alpha_upper -t c

Paste that into your exploit code and see. Also happy to look at your code if…[Read more]

Hey,

Congrats and well deserved!

I use VirtualBox and find it much faster than VMware server or player and suits what I need. Preference really I suppose..

I would certainly echo sils comments about windbg. It is extremely powerful and I would recommend developing the exploit using it to get some experience with it.

Congrats by the way 🙂

Equix3n, take a look at hacking: art of exploitation and dino zovi videos on vimeo, corelan.be,uninformed.org,grey-corner blog. They will provide further valuable links

What’s your fuzzer of choice?

It is not meant to fit in EIP… That is your encoded shellcode, if you are looking for a valid return address i.e. start of your shellcode, it should not contain what can be considered bad characters – x0dx00x0a.

Ensure EIP points to a NOP sled to your shellcode or directly into your shellcode. If you have correctly aligned your offsets, attempt…[Read more]

Sil,

You certainly make some good points! Windbg is awesome and is covered greatly over at corelan, however to some people it can be entirely overwhelming when they start out learning about RE. It has quite a steep learning curve when compared with olly/immunity. Not to mention the interface!

You are right about the lack of docs on using it, so…[Read more]

Thanks! That is no problem. I might try make it a monthly thing, so if you have any suggestions let me know.

Cheers for that. Any questions just shout!

Awesome. Keep them coming 🙂

Nice links. His original VM lab and analysis paper started me on my way to malware reversing.

Congratz guys, well deserved!