/* This is strictly for beginners */ Starting with my own story, I will continue blogging on how Reverse Engineering helped me to better understand code. When I started learning the C language in the initial days, my trainer gave me the program below and said it will print the alphabet:

#include <stdio.h>

int main(void)
{
    char alpha[256];
    int i;
    for (i = 0; i < 26; i++)
        alpha[i] = 'A' + i;          /* fill in A..Z */
    alpha[i] = '\0';                 /* NUL-terminate so %s stops after 'Z' */
    printf("The Alphabets are %s\n", alpha);
    return 0;
}
Though it was a very simple
Trojan Tinba – Another Financial Crimeware
Introduction: Recently security researchers have found the smallest stealer Trojan, which targets certain Financial Institutions through process injection and then injects a web-inject module into the browsers, specifically into net banking pages, similar to Zeus/SpyEye. The samples I have used to describe Tinba are from Contagio (Thank you Mila). Technical Details: The size of the Tinba files is between 19 KB and 20 KB. The sample was not packed; however, looking at the sample in PEiD revealed the compiler
Analysis of *Document* Stealer Trojan Developed in Perl
I am blogging this post after a 2-year break. I should definitely say that my knowledge level has broadened in terms of Security. I should thank my colleagues and Managers.
In my free time at home I monitor certain websites to understand various Malware families, specifically Bots, stealers, crimewares, etc. One such website is Malware Domain List (MDL), and I should definitely appreciate MDL for sharing such malicious domains, which helps Security vendors, researchers, beginners, and others.
This
|From: PDF@Exploit| |To: Zeus@Trojan| |Subject: Steals Bank Credentials|
INTRODUCTION: I guess the Title says what this post will contain. This post explains how exploit code embedded in a PDF uses a Vulnerability and installs a Zeus Trojan on a victim's machine, and which banks the Trojan targets to steal user credentials. THE FLOW: In the above Diagram, the user is either socially engineered or visits a malicious website and happens to view a malicious PDF doc which contains the exploit code. Based on the version of Adobe Reader used by the user,
Don’t press F1 key in Windows XP
Check this Vulnerability. Interesting, though scary.
http://blogs.technet.com/srd/archive/2010/03/01/help-keypress-vulnerability-in-vbscript-enabling-remote-code-execution.aspx
Traversing a ‘DLL’: Financial Crimeware (Banker)
Traversing or Reversing a DLL is always challenging (for Beginners and Intermediates). If a DLL comes with an EXE, it's the EXE's job to load the DLL into memory. But what if you get just a DLL alone to reverse? It's cool, right ;-) Here I am going to Traverse a Financial Crimeware Trojan in the form of a DLL. Step 1: Let's look at the strings to guess what the DLL's behaviour is. haa.. Don't see readable strings? So it should be a packed file. The next step is to identify which packer. Step 2: To
Orkut Phishing using Blogspot account
Thanks to my friend from my LinkedIn Network for sharing a Blogspot link (Link 1) where an Orkut phishing page is created. Another one was found when I did research on this. Link 1: hxxp://sispicx.blogspot.com Link 2: hxxp://sis-picx.blogspot.com/ When we enter the username and password in the page when Link 1 is visited, it posts the user information to the address below, specified in the Source code of the page. The Link 2 page posts the information to the same Server, but the file responsible
Social Engineering – Fake TwitterIM Download
Introduction: Cyber Criminals use different ways to compromise users. One of the most effective ways they use is Social Engineering. They use people's innocence to fool them and make them download a malicious file, thereby stealing user information or downloading fake products. Though we use different Antivirus products to keep our systems secured, a few Malware samples escape detection. Such an analysis, which uses Twitter for social Engineering, is below. Analysis: I was surprised when I received a mail from Google
Scam Mail targeting Indian users “Tax Refund Online Form”
Before I proceed with this analysis I would like to thank my friend who forwarded this mail. So what does the mail contain? This mail targets Indian users to steal Bank credentials by using the Tax Refund scam technique. As this is the season for tax submission and receiving Tax refunds from the Tax department of India, Cyber criminals use this period to steal money by fooling innocent people. Here is the screen shot of the mail. In the above mail the sender has used the proper email address of
Chase Bank Phishing scam Mail
I am posting a Scam mail which prompts the user to update account information and gives a link where Chase Bank phishing contents are hosted. This email was forwarded by one of my friends. The intention of posting such phish analyses is to create awareness among innocent people. The screen shot below shows the scam mail received. No Bank in this world will address you as "Dear Client"; instead they address you by the Customer's name, as they have it in their database. The given link of course points to the legitimate
Traversing a Financial Crimeware which uses Proxy Technique
Here I am going to 'Traverse' a Financial Crimeware which uses a simple Proxy technique. The intention of this analysis is to share my analysis with beginners. But what is Financial Crimeware? Malware or Exploits made to steal financial information such as Bank account numbers, passwords, credit card numbers, etc., with the intention of making unauthorized transactions using the stolen information. This Crimeware is packed using the UPX packer, so I did not have much challenge in unpacking it.
1st Rogue Mail in 2010
Here comes the 1st Rogue Mail of 2010 that I've analyzed. When I saw this mail in my Inbox I felt like the sender had gifted me for New Year ;-) You can see the guy wishing me Happy New Year and giving a link, and even the URL carries the word 'newyear'. Now let us click on the link to check my Gift. Hey, the URL redirects me to another website, "hxxp://scanonlinesiteblog.com /index.php?affid=92600". As I expected, it displayed a fake scanning page with an infection warning, as shown in the
Decrypting the Zeus Config File
Introduction: Zeus is a well-known Trojan which steals Bank user credentials, passwords, Transaction Authentication Numbers, etc., by presenting a fake form, injecting HTML code when the Targeted Financial websites are visited. The target websites are downloaded from the C&C server as an encrypted config file. But how do we find the targets by decrypting this config file? Let's see how. Traversing svchost.exe: Zeus on execution injects its code into the address space of services.exe, svchost.exe
Get – ‘Site’ – Go
Introduction: When we say 'Internet', the word that immediately strikes our mind is 'Browser'. The Browser acts as a Major component in the Cyber world. Everyone from laymen to professionals uses a browser for different needs. Checking mails, online banking transactions, browsing forums, booking tickets, online shopping, ordering pizza, etc. are done using a browser. When we talk about banking transactions, online tickets, and online shopping, we have to understand how secure we are without exposing our sensitive
Trojan.MalScript!html
Introduction: This Analysis report will explain in detail how a Malscript is used to infect users and how this code is injected into the web server. It explains a tricky technique used by the Malware writer. Analysis of the Malscript-Injected website: Screen shot of the Website: When users view the above website it loads all the contents of the page; more specifically it loads CSS (Cascading Style Sheets) which carries the encoded malicious code. This doesn't mean that CSS itself is malicious,