HiMan EK and CVE-2013-2551

Recently, while analysing URLs from urlquery, I came across a URL ending in /ie8910.html. When opened, the link returns an index page with the following code:   As can be seen from the “ip-blocked-by-firefox” entry, Google Safe Browsing is already blocking the address, though there is no active service on port 8080 while there's one running […]

Introduction to ARMv8 64-bit Architecture

Introduction The ARM architecture is a Reduced Instruction Set Computer (RISC) architecture; the name originally stood for “Acorn RISC Machine” and now stands for “Advanced RISC Machines”. In recent years, with the spread of smartphones and tablets, ARM processors have become very popular, mostly because of their reduced cost and a more power […]

Android Fake Browser Update Analysis

Recently our colleague N3mes1s found a fake browser updater for Android (the archive password, as usual, is: infected), so I decided to take a look at it. Before we begin, I suggest downloading the de-obfuscated Java files. The malicious application has the following characteristics: Size: 178111 bytes MD5: 3dcea4358e6229828cfa5a052327088f SHA1: 2f146ea64d5439c243f8e14ecb00b717c60aaacf SHA256: 983e662c5fa649ab25a5209d8996d6ddf581f15ef73d8e14c8360125d2c5f920 Platform: Android Tools: AndroChef Java Decompiler: just to […]

Update 2 – Facebook infection: the fake “Flash Player”

Recently I have seen some friends of mine catch a Facebook virus: it posts a message tagging ten friends together with a link to a malicious site. The infection, which appears to come from Turkey (at least on the surface), is OS independent because it relies on Firefox and Chrome extensions: a fake Flash Player. HTML code […]

Extracting Objects from a Running Process

A few days ago two new 0-days were spotted in the wild: CVE-2013-0633 and CVE-2013-0634, both involving a .swf file, possibly embedded inside a Word document. It may be interesting to understand how to dump such a resource while the attacked process is running, after all the obfuscation layers have been cleared. Clearly the same technique can be extended to extract […]

Deobfuscating generic BlackHole 2 with JsADO

I wrote this article to describe how to use JsADO (JS-Auto-DeObfuscator), a little project I am developing to deobfuscate JavaScript code automatically. JsADO hooks a JS function such as eval, to capture the code about to be executed, or element.appendChild, to dump the HTML object about to be inserted into the page. I'm going to explain how to […]
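As an added illustration of the hooking idea described above (example code written for this page, not JsADO's own source), the following Node.js snippet wraps the global eval so every string handed to it is recorded before it runs, and wraps appendChild on a small stand-in element class so the outerHTML of whatever a script tries to insert is dumped. The FakeElement class, the two-layer obfuscated sample and the URL http://example.com/landing are constructed for the example; a real deployment would install the same hooks in the page's own window.

```javascript
// Added example in the spirit of the eval / appendChild hooks described above.
// This is NOT JsADO's code: the obfuscated sample, the FakeElement DOM stand-in
// and the URL are constructed here so the snippet runs under plain Node.js.

const nativeEval = globalThis.eval;   // keep the real eval so captured layers still execute
const capturedLayers = [];            // every string handed to eval, in execution order
const dumpedHtml = [];                // outerHTML of every node passed to appendChild

// Hook 1: replace the global eval binding. A script calling eval(s) now resolves
// to this wrapper; we record s and then run it through the original (indirect) eval,
// which evaluates in global scope, just as sloppy-mode obfuscated code expects.
function installEvalHook() {
  globalThis.eval = function hookedEval(code) {
    if (typeof code !== 'string') return code;  // eval(non-string) returns its argument unchanged
    capturedLayers.push(code);
    return nativeEval(code);
  };
}

// Hook 2: wrap appendChild on a prototype so anything inserted into the page is dumped
// before the real insertion happens. Idempotent so repeated installs do not double-wrap.
function installAppendChildHook(proto) {
  if (proto.appendChild.__hooked) return;
  const nativeAppend = proto.appendChild;
  proto.appendChild = function hookedAppendChild(node) {
    dumpedHtml.push(node.outerHTML);
    return nativeAppend.call(this, node);
  };
  proto.appendChild.__hooked = true;
}

// Constructed minimal DOM stand-in (Node has no document); enough for createElement/appendChild.
class FakeElement {
  constructor(tagName) { this.tagName = tagName; this.children = []; this.src = ''; }
  get outerHTML() {
    const tag = this.tagName.toLowerCase();
    const attrs = this.src ? ` src="${this.src}"` : '';
    return `<${tag}${attrs}></${tag}>`;
  }
  appendChild(node) { this.children.push(node); return node; }
}

// Constructed two-layer sample: the inner payload is hidden as a char-code array and
// rebuilt with String.fromCharCode before being eval'd, a common exploit-kit style layer.
const INNER_CODE =
  'var e=document.createElement("iframe");e.src="http://example.com/landing";document.body.appendChild(e);';
const OBFUSCATED_SCRIPT =
  'var c=[' + Array.from(INNER_CODE, ch => ch.charCodeAt(0)).join(',') + '];' +
  'var s="";for(var i=0;i<c.length;i++){s+=String.fromCharCode(c[i]);}eval(s);';

// Install the hooks, then run the obfuscated script the way the page itself would
// (via the original eval, so only the layers the script unwraps end up in capturedLayers).
function deobfuscate(script) {
  capturedLayers.length = 0;
  dumpedHtml.length = 0;
  globalThis.document = {
    body: new FakeElement('body'),
    createElement: tag => new FakeElement(tag),
  };
  installEvalHook();
  installAppendChildHook(FakeElement.prototype);
  nativeEval(script);
  return { layers: capturedLayers.slice(), html: dumpedHtml.slice() };
}

const result = deobfuscate(OBFUSCATED_SCRIPT);
console.log('decoded eval layers:', result.layers);
console.log('dumped HTML:', result.html);
```

The decoded layer is the plain iframe injector, and the dumped HTML shows the element the script would have inserted; in a browser the same two hooks go on window.eval and Element.prototype.appendChild, with document.write being the other common sink worth wrapping.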

Guidelines to MFC Reversing

Software developed with MFC may import MFC80U.dll (MFC80U is the name of the latest version of the DLL as I write this); whether it does depends on the type of build: with MFC as a static library or as a shared DLL. I'll analyse a program that imports the DLL and has debug info, just to make the job easier. […]