Friday, December 17, 2010

"My Team Pest Control" - Malaysia Real World Scam?

Well, just a few hours ago a friend of mine was scammed by a local company that introduced themselves as a registered pest control for mosquitoes, termites and blah blah blah. As I see from the receipt, the company has nothing to do with the Ministry of Health (MoH). If so, they shouldn't force people to pay for their services because the government already pays their contract. Then, I just told him to report to the police.

After checking their company registration number at the Companies Commission of Malaysia, it seems that it has been registered. But who knows what they were working for.

There are a lot of such scams in the real world. Sometimes people can't decide which is real or not when they have been scammed in a polite way at the first conversation. Based on Google Search, it seems a lot of people have already been scammed by these scammers.

Here is some information about these 'legit'-looking scammers:
L21A-204, Jalan Cheras PSN,
Pandan 4, Pandan Jaya,
55100 Kuala Lumpur
Tel: 019-364 4157, 03-92812914
Just beware if you guys find these scammers coming into your houses, bringing their 'smoking machine' and starting to fog your house without permission. There are a few news reports that already mention this scam:

NOTE: I will update later with the receipt sample.

Wednesday, November 24, 2010

Malware Analyst’s Cookbook and Website

I was just visiting my friend's website after a long time without updates to the blog, and I saw he has just released a cool new book, "Malware Analyst's Cookbook", which is suitable for malware analysts to improve and analyze their samples with new or in-depth techniques. There is tons of great information covering all things malware analysis: pentest, tools, honeypots, automation, malicious documents, dynamic analysis, deobfuscating, debugging and a lot more.

Click the following URL to find out more:

This book is written by Michael Hale Ligh, Steven Adair, Blake Hartstein, and Matthew Richard. Sure going to buy it.

Sunday, November 7, 2010

MyKotakPasir - Automated Binary Analysis

MyKotakPasir is an advanced automated malware sandbox analysis service designed for malware analysts. It helps simplify analysis so that malware analysts spend less time finding malware behavior. MyKotakPasir is a service developed by the MyCERT Team from the Malware Research Centre unit and uses several tools and external services to provide a comprehensive report from an automated malware analysis system.


Monday, October 4, 2010

Stuxnet Quick RE and Demo

Stuxnet is one of the most sophisticated worms we know of so far, at least for 2010. This type of worm is rarely found and may come along only once every few years. Most malware analysts are interested in its hardware control functionality, which controls the Programmable Logic Controller (PLC), mostly used by factories with attached machinery.

The YouTube video below demonstrates a proof of concept of how a Stuxnet-like worm takes over a PLC and changes the air-pump operation, presented by Liam O'Murchu during the Virus Bulletin 2010 Conference in Vancouver.

Stuxnet took me a week to analyze every portion of code because of its complexity, and some of it comes in encrypted form that could take several more days to yield anything new. This blog post shows you a quick analysis.

Stuxnet uses 5 different Windows vulnerabilities: LNK (MS10-046), Print Spooler (MS10-061), Server Service (MS08-067), privilege escalation via keyboard layout file and privilege escalation via Task Scheduler. Currently there are two vulnerabilities not patched yet.

Found a few interesting strings here. They show the directory of the Stuxnet source code. 'Myrtus' and 'Guava' are most probably plants commonly planted in some country used by the author. Stuxnet also uses a stolen digital signature from Realtek Semiconductor Corp. to make the user or advanced user think a valid driver has been installed, but too bad the digital signature has been revoked.

Based on RE after unpacking, the picture above shows some portion of code. This part attempts to inject its special DLL name into the targeted system processes. It does not exist on the disk and remains in memory.

There is a lot of speculation and probably propaganda from various sources relating to Israel and Iran. The author of Stuxnet probably has a big LOL at the analysts due to the inappropriate speculation from the media. Need to check carefully.

There are a few rumors that the Stuxnet source code has been released, but what I found just looks like decompiled source code, probably produced using the Hex-Rays decompiler.

Last Update: 07 Oct 2010, 10:04 AM

Sunday, September 26, 2010

Facebook still can't recognize URL!

At the time I wrote this, it has been more than a year since I discovered Facebook can't recognize the correct URL when a user posts a message with a URL on their wall. Until now it still can't recognize it. As you can see in the image below, there are a few 'W' letters with a dot in the middle of the word. Once you press the 'Share' button you'll see it automatically turn into a hyperlink.

Just been testing on a few web browsers including the latest Internet Explorer, Firefox and Chrome. All do the same, so it is absolutely not coming from the web browser application. In fact, this is a Facebook programming mistake.

Wednesday, September 1, 2010

Independence Day Web Defacement!

Got many web defacements last night in conjunction with Malaysia Independence Day. Most attackers are from our neighbor country. Some of the websites have been patched and restored. The .my domain has been targeted, mostly websites from a non-computer-security background.

Wednesday, August 11, 2010

Embedded Script on Images file allowed Arbitrary Code Execution

Just did some testing today showing that most image files can lead to arbitrary code execution when a simple script is embedded into them. As shown below, there is a normal PNG image file (adiksinchan.png) that gets ujian.vbs, a Visual Basic Scripting file, appended to it. Once ujian.vbs has been appended at the end of the image file, rename it with the .HTA file extension. After that, simply run the .HTA file and, as you can see (for the demo), the calculator runs without any problem.

The interesting part is that the PNG image file (or whatever image format) is still valid and can be viewed as normal if the user does not rename it to the .HTA extension. In the worst case, the whole script can be obfuscated to make it less detectable by antivirus software, or at least so the user can't see there is a script in it.

Most antivirus companies should update their heuristic detection to detect this as a future threat, but I guess this issue has not been new to users for years, and it's not only image file formats that can do this. It could be any type of file format, just by renaming it to the .HTA extension to execute the embedded script.

It seems none of the antivirus products detect it, as I got the report from VirusTotal.
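A heuristic of the kind the post asks antivirus vendors for, as an added example (not from the original post): walk the PNG chunk list to IEND and flag script-like data that follows it. The sample images are constructed in memory, the appended text is a harmless placeholder, and the marker list is an assumption.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Markers that suggest script/HTA content; an assumed, non-exhaustive list.
SCRIPT_MARKERS = (b"<script", b"<hta:application", b"vbscript:", b"javascript:")


def make_chunk(ctype: bytes, data: bytes) -> bytes:
    """Build one PNG chunk: length, type, data, CRC32 over type+data."""
    return (struct.pack(">I", len(data)) + ctype + data
            + struct.pack(">I", zlib.crc32(ctype + data) & 0xFFFFFFFF))


def trailing_data(blob: bytes) -> bytes:
    """Return the bytes that follow the IEND chunk (empty for a clean PNG)."""
    if not blob.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos + 12 <= len(blob):
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        ctype = blob[pos + 4:pos + 8]
        end = pos + 12 + length          # 4 length + 4 type + data + 4 CRC
        if end > len(blob):
            raise ValueError("truncated chunk %r" % ctype)
        if ctype == b"IEND":
            return blob[end:]
        pos = end
    raise ValueError("no IEND chunk found")


def inspect_png(blob: bytes) -> dict:
    """Summarise what follows the image data and whether it looks like script."""
    extra = trailing_data(blob)
    lowered = extra.lower()
    hits = [m.decode() for m in SCRIPT_MARKERS if m in lowered]
    return {"trailing_bytes": len(extra), "script_markers": hits,
            "suspicious": bool(extra) and bool(hits)}


# Constructed sample: a 1x1 greyscale PNG built in memory, then the same image
# with a placeholder script tag (containing only a comment) appended after IEND.
IHDR = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
IDAT = zlib.compress(b"\x00\x00")        # filter byte + one pixel
CLEAN_PNG = (PNG_SIGNATURE + make_chunk(b"IHDR", IHDR)
             + make_chunk(b"IDAT", IDAT) + make_chunk(b"IEND", b""))
APPENDED_PNG = CLEAN_PNG + b'\r\n<SCRIPT language="VBScript">\' placeholder\r\n</SCRIPT>'

if __name__ == "__main__":
    for name, blob in (("clean.png", CLEAN_PNG), ("appended.png", APPENDED_PNG)):
        print(name, inspect_png(blob))
```

Any non-empty `trailing_bytes` is worth a look on its own, since image viewers stop at IEND and ignore what follows.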

Monday, July 19, 2010

Weekend fun with Simplest Pyramid Generator!

I just got bored during this weekend and tried to solve a puzzle that my friends mentioned in my email last week. It is making a sort of pyramid but only with odd numbers. So, what we have to do is try to make the simplest pyramid generator program to generate a pyramid with a single argument given. For example:

C:\pyramid.exe 7

would generate a pyramid like this:

I know that some scripting languages like Python, Ruby and so on can generate this pyramid with a single line of code. But the condition is not to use a special function or library. I solved this puzzle within 3 hours with Visual C++ 6.0. Here is a single long line of code:

void main(int r,char * g[]){for(int i=((atoi(g[1])+1)/2);i>0;i--){for(int j=i-1;j>0;j--)cout<<" ";for(int k=1; k<=(((atoi(g[1])+1)/2)-i+1);k++)cout<<"*";for(k=(((atoi(g[1])+1)/2)-i+1)-1;k>0;k--)cout<<"*";for(j=i-1;j>0;j--)cout<<" ";cout<<"\n";}}

This code still needs the header files <iostream.h> and <stdlib.h> included, for printing the result and for the atoi function that converts ASCII to integer from the given argument. But this is standard for C programming. All scripting languages surely need all this stuff too for a script to communicate with the core engine. Coding in C++ might vary depending on your platform and compiler.


Wednesday, June 30, 2010

Twitter controlled by non-human!

Twitter is one of the services with the most loyalty once you have so many followers. But from what I can see here, most 'users' are not controlled by humans. Everything is tweeted automatically and the real users don't even know what their accounts are tweeting. A Twitter bot is commonly used to control accounts, even to send malicious commands to a C&C botnet. Some of them may send around 20-30 messages per minute. As the image below shows, there are 26 'users' generated with random names, obviously controlled by a bot, that keep following anyone including me.

None of the user names listed above can be pronounced, and their follower and following counts are almost equal to each other. No wonder whenever users try to access their account Twitter says 'Twitter is over capacity. Too many tweets!'. It is not impossible that Twitter could soon be a medium for threats since their API is flexible.

Monday, May 24, 2010

DontPhishMe helps protect you from web phishing on Mozilla Firefox.

DontPhishMe is an initiative of MyCERT, CyberSecurity Malaysia, to provide a security mechanism in preventing online banking phishing threat specifically for local Malaysian banks.

DontPhishMe is an addon to Firefox that alerts you if an online banking web page that you visit appears to be asking for your personal or financial information under false pretences. This type of attack, known as phishing or spoofing, is becoming more sophisticated, widespread and dangerous. That's why it's important to browse safely with DontPhishMe. DontPhishMe will automatically warn you when you encounter a page that's trying to trick you into disclosing personal information.


A new version was released yesterday (7 June 2010). To download and install, click the DontPhishMe banner above or click here!

Monday, May 10, 2010

Mass email Spam/Scam start to appear from Malaysia!

A few months ago I was monitoring some email considered to be spam and scam coming from Malaysia, doing some business but spoofing their FROM address with various names and email subjects. Every time this email is received, most of the subjects will say 'akan dilancarkan' or 'will be launched'. Below are some of the desperate business email addresses that are considered to be spam:

[email protected]
[email protected]
[email protected]
[email protected]

and more from the image below:

The spam scam email could look like this:

Some of the emails desperately use actress/actor names, politicians' names, hot issues, and famous people to continuously spam 4-5 times (maybe more) a day, hoping to get lucky and catch poor people. There are a few reports from users on the internet:

If you find these email addresses in your inbox, please report to GMail by clicking here! or just simply report to Cyber999@MyCERT.

Thursday, April 15, 2010

IDA Pro: Solving ‘Access Denied’ issue while debugging Windows Mobile Devices

Debugging Windows Mobile applications is possible on any phone brand. But when debugging with IDA Pro, something might prevent most users from connecting to their devices.

The picture above shows an error log that says 'Access is denied'. It is impossible to connect to a stock device. Thus, we need some tweaks to your phone OS. There are a few things we need to do before we can proceed to debug the program on Windows Mobile.

1. Make sure your phone is connected to the PC (I just use Microsoft ActiveSync with an HTC Touch HD).

2. Run your IDA Pro (I use version

3. We need to enable Remote API (RAPI) on your phone first using a simple tool. Download here and install it on your phone.

4. In IDA Pro, click menu Debugger > Attach > and click Remote WinCE Debugger. You should be able to connect to your phone and be prompted to select the application you want to debug.

Here is a little video demonstrating IDA debugging taking place:

Saturday, April 10, 2010

Manual Unpacking UPX Packed file + Fix IAT

The UPX utility is a well-known tool to compress almost any executable file, including several types of dynamic libraries and executables for different OSes. But it is just for making your file smaller and not for protection at all. In this tutorial, I will show you an example of how to unpack a UPX packed file with a few tools. Of course, you can find this kind of tutorial anywhere on the internet, but most are not complete enough to make people understand. Before we get started,

Here is what you need:

1. OllyDbg (or Immunity Debugger, OllyICE, etc.)
2. ImportREC
3. IDA Pro


1. Example UPX Packed file (gms.exe or download here)

Let's get Started:

1. Load your gms.exe (or any UPX packed file) into OllyDbg. Once you have loaded the file, you will land at the first stop, the PUSHAD offset. For gms.exe the offset is 558B40. Other files might differ but it doesn't matter.

Figure 1

2. Next, scroll down until you find the POPAD instruction, or just press CTRL+F, type POPAD and hit Enter, and you'll jump to that instruction as highlighted (A) in Figure 2 below. How do I know

Figure 2

3. Press F7 to step into until the JMP highlighted in the image above (B); that is the OEP that we are looking for. For this tutorial it is 406A94. Press F2 to set a breakpoint on that offset.

4. Run the program by pressing F9 and wait until it stops at the breakpoint. At this point, right click on the CPU window and click Dump debugged process. Why choose that? Because at this point the program has been decompressed into memory. So, what you need to do is dump the process into a file and save it anywhere. For example: C:\Documents and Settings\User\Desktop\dumped.exe. After doing that, DO NOT CLOSE OLLYDBG.

Figure 3

5. If you try to run the dumped.exe file it might come up with an error message. This is because your program does not point to the right IAT address. To fix that, open the Import REConstructor tool. At the top, you'll see the 'Attach to an open process' section. Open the combo box and choose the path of gms.exe to attach to.

After that, in the 'IAT Infos Needed' section click the AutoSearch button. You will probably get an error message saying 'Could not found anything good at this OEP:-('. This means you are currently not at the right entry point to start the application properly, which might cause an error while executing it. To fix that, change the default OEP value to 0xF5B68 and hit the AutoSearch button again. If you did it right you should get this message:

How do I know the OEP address?

OEP = RVA Address - Image Base

Image Base = 00400000 <-- PE Header image address
How do I get the Image Base address?
Just press ALT-M in OllyDbg and find the 'PE header' text in the 'Contains' column. You'll find the address there.

RVA Address = 004F5B68 <-- where the disassembly analysis ends up.

How do I get the RVA address? Let's take a look with IDA Pro. If you load gms.exe in IDA you will see the program flow, and at the end of the flow it ends with an unexpected stack pointer.

If you look at the JMP (same as in OllyDbg), it clearly jumps to the address whose value is the RVA address, before ending at the unexpected end point. All UPX packed file flows should look like that.

Original Entry Point = 0xF5B68 <-- the OEP is the address reached once the decompression routine is done.

How do I get the OEP?
To get the OEP, subtract the Image Base address from the RVA address and you will get the value for the UPX packed OEP. Use the formula given above.

6. Once you get this message, click the Get Imports button to extract all the import table information. Make sure every listed import function is marked valid=YES at the end of its line. If there are thunks marked valid=NO, you need to remove them all by right clicking on the thunk and choosing Delete thunk(s).

7. After doing that, click the Fix dump button and choose where your dumped.exe is located. ImportREC will fix dumped.exe automatically. Then you can try to execute the program; it should run correctly and you can continue with further analysis.
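An added example (not from the original post): the Image Base that ALT-M shows can also be read straight from the PE header, and the same parse shows the UPX section names. The address the tutorial calls the 'RVA Address' is an absolute virtual address, and the value entered in ImportREC is relative to the image base. The header bytes here are constructed in memory; the section names and sizes are assumptions, not read from gms.exe.

```python
import struct

UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}


def parse_pe_header(blob: bytes) -> dict:
    """Read ImageBase, entry-point RVA and the section table of a PE file."""
    if blob[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", blob, 0x3C)
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (n_sections,) = struct.unpack_from("<H", blob, coff + 2)
    (opt_size,) = struct.unpack_from("<H", blob, coff + 16)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", blob, opt)
    (entry_rva,) = struct.unpack_from("<I", blob, opt + 16)
    if magic == 0x10B:                       # PE32: 32-bit ImageBase
        (image_base,) = struct.unpack_from("<I", blob, opt + 28)
    elif magic == 0x20B:                     # PE32+: 64-bit ImageBase
        (image_base,) = struct.unpack_from("<Q", blob, opt + 24)
    else:
        raise ValueError("unknown optional header magic")
    sections = []
    for i in range(n_sections):
        off = opt + opt_size + 40 * i        # each section header is 40 bytes
        name = blob[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr = struct.unpack_from("<II", blob, off + 8)
        sections.append((name, vaddr, vsize))
    return {"image_base": image_base, "entry_rva": entry_rva,
            "sections": sections,
            "upx_like": any(s[0] in UPX_SECTION_NAMES for s in sections)}


def va_to_rva(va: int, pe: dict):
    """Convert a debugger address to (RVA, containing section name or None)."""
    rva = va - pe["image_base"]
    if rva < 0:
        raise ValueError("address is below the image base")
    for name, vaddr, vsize in pe["sections"]:
        if vaddr <= rva < vaddr + vsize:
            return rva, name
    return rva, None


def build_sample_header() -> bytes:
    """Constructed PE32 header: ImageBase and addresses from the tutorial,
    section names/sizes assumed for illustration (not read from gms.exe)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x010F)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 16, 0x158B40)   # assumes 558B40 is the packed entry
    struct.pack_into("<I", opt, 28, 0x400000)
    secs = b"".join(n.ljust(8, b"\0") + struct.pack("<II", vs, va) + b"\0" * 24
                    for n, va, vs in ((b"UPX0", 0x1000, 0x10F000),
                                      (b"UPX1", 0x110000, 0x49000)))
    return dos + b"PE\0\0" + coff + bytes(opt) + secs


if __name__ == "__main__":
    pe = parse_pe_header(build_sample_header())
    rva, section = va_to_rva(0x4F5B68, pe)
    print(hex(pe["image_base"]), pe["upx_like"], hex(rva), section)
```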

That's all. If you have any questions about this tutorial feel free to leave a comment.

Thursday, March 25, 2010

Youtube down?

At the time I was writing, YouTube appeared to be down. It's rare to find this giant video streaming site down. It was 3.25PM Malaysian time. I'm pretty sure people all over the world could see this error. At 3.42PM, they restored the functionality.

p/s: Maybe YouTube hired a practical student to take care of the rest of the PHP service and try their hello world pages.. LoL..

Monday, March 15, 2010

Move to Visual Basic 2008

Microsoft Visual Basic and C++ 2008 is a very powerful IDE for VB fans. After developing a few tools, I decided to change my Portable Antivirus code to VB2008 to make it much more stable and powerful. 50% of the code has been converted so far. No more VB6, it's too old, almost 12 years already.

Friday, January 8, 2010

Unpacking AutoIt Script

AutoIt is a known BASIC-like scripting language whose scripts are self-contained in a UPX packed executable file. AutoIt is also known to be used by virus authors to create malicious programs and spread them across networks or storage media.

Here I show a sample that I got from somebody who sent it to me. Most antivirus products already detect it as W32/Almanahe.B. It seems this virus is still in the wild in some countries. OK, let's focus on the topic. In this tutorial, let's assume that you already have a sample application or malware sample that was compiled with AutoIt.

How do we know that it is an AutoIt file?
It's pretty simple to detect this kind of file. For me, just load your sample in Notepad.exe and search for the 'AU3!EA' keyword. It will jump to the bottom of the file, where there is some 'garbage' starting with the 'AU3!EA' characters. That is the encrypted AutoIt script that we want to decrypt. A lame way, but fast to detect it.

The tools that we need for this dynamic analysis/reversing:
1. PEiD
2. myAutToExe.exe

All you need to do is download the tools above. Run PEiD and load your AutoIt sample file into it. You will see something similar to the picture below:

I use the sample malware that was sent to me. PEiD will show you some basic information and says it was compiled with Microsoft Visual C++ 7.0.

Next, run myAutToExe.exe and drag and drop your sample AutoIt file into the top textbox. It will automatically start analyzing the file and extracting the script.

After processing it will look like this (picture above). All processed data will be saved as log, source code and resource files.

There it is, a file with the source code of the malware (or program). The source code file is saved with the .au3 extension and can be viewed with any text editor. From this point we can analyze this piece of malware easily without needing a complicated way (static analysis).

Here is a screenshot of the source code that we now have. It seems this person is trying to expose themselves by inserting their information into the source code. LoL.

Since this AutoIt script is readable by anyone, there are a few AutoIt script malware samples I have found that are already obfuscated to prevent analysts from easily tracing their code. I'll explain this type in the next blog post...