Sunday 16 December 2012

Another Drug store http://inrikescs.webs.com/

Having some free time I decided to go after one more of those drug stores.
I found one pretty fast on Flashback, hosted on webs.com (free hosting).
I read their TOS and, yes, selling/offering drugs is against it, so I sent a mail.
They answered pretty fast, but it sounds more like an automatic answer and the site is still up and running...

Thank you for notifying the Webs Abuse Department regarding a violation on a site hosted by us. Violations and abuses of our services are taken very seriously. With the enormous number of sites hosted by us, we are unable to catch violations before they happen, and at times, even after they have taken place.
All complaints and notifications are investigated and the site manager notified about the complaint and action that may be needed should they be in violation of our Terms-of-Service. Should action not be taken, the site is frozen pending deletion, unless corrective steps are taken.
We do not freeze or delete sites without investigating the complaint or notification since we do receive a large volume of false or incorrect accusations of such abuses.
You should also understand that although Webs does take responsibility for the content on sites that we host, we do not have the authority to investigate all issues, nor to prevent future violations. You should use your best judgment to contact an attorney or local authorities depending on the violation and what actions you feel need to be taken to prevent future violations by the offender.
Thank you for notifying us about the violation. We hope to take the appropriate action as soon as possible.
Best Regards,
Webs Abuse Department
Kindest Regards,
Clark


Friday 14 December 2012

Adf.ly abused to spread malware

Adf.ly is a bit like bit.ly; the difference is that you get paid for every click and the visitor has to wait 5 seconds before being able to click "skip ad". However, it is quite popular among less talented cyber criminals to abuse it.
When providing warez on YouTube, the download link in the description can be masked from a quite suspicious URL into a short and more legitimate-looking one. The only lame thing is that they don't usually provide a direct link; instead there has to be some shit survey first, and there I just lose interest.

Enough of that.
Here you have a screenshot of the response for one account I reported.
Makes me happy :)

Tuesday 11 December 2012

Abusing free domain and web hosting to sell drugs [Updated]

For a few days I visited Flashback,
however I forgot to screenshot the forum post.
And the webpage itself is a little big to be screenshotted, but I added one of the pictures to the post :).


In Sweden drugs are illegal, but buying them is quite easy. A lot of web-based shops exist and have been around for a long time.

The shop I found used http://www.nick.tk to get a free .tk domain; .tk domains are also being abused for malware,
though not by the big players, mostly by noob and poor malware users.

The domain they have/had was http://spicekungen.tk/; however they did not use a DNS redirect, just a frame. The src="http://kryddor.n.nu" is self-explanatory: after that it appears they used n.nu to host the content itself.

<frame frameborder=0 src="http://kryddor.n.nu" name="dot_tk_frame_content" scrolling="auto" noresize>

And it turned out to be true: view-source:http://www.kryddor.n.nu/
Finally I sent one mail to abuse@nick.tk and another to abuse@n.nu.
Will update once I receive an answer; hopefully it's the end of that store.
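The hop from the .tk domain to the real host was found by reading the frame src in the page source. The following is an added example (not part of the original post) that automates that step: it extracts every frame/iframe target from a page and resolves it to an absolute URL, so the host that actually serves the content can be reported. The class name FrameTargetFinder and the sample HTML are constructed for this example; the sample is modelled on the frame tag quoted above.

```csharp
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;

public static class FrameTargetFinder
{
    // Matches <frame ...> and <iframe ...> tags and captures the src attribute,
    // whether it is double-quoted, single-quoted or bare (as in frameborder=0).
    private static readonly Regex FrameSrc = new Regex(
        @"<i?frame\b[^>]*?\bsrc\s*=\s*(?:""(?<src>[^""]*)""|'(?<src>[^']*)'|(?<src>[^\s>]+))",
        RegexOptions.IgnoreCase | RegexOptions.Singleline);

    // Returns the absolute http/https targets of all frames on the page.
    public static List<Uri> FindTargets(string html, Uri pageUri)
    {
        var targets = new List<Uri>();
        foreach (Match m in FrameSrc.Matches(html))
        {
            Uri target;
            // Resolve relative sources against the page so the host is always known.
            if (Uri.TryCreate(pageUri, m.Groups["src"].Value, out target) &&
                (target.Scheme == Uri.UriSchemeHttp || target.Scheme == Uri.UriSchemeHttps))
            {
                targets.Add(target);
            }
        }
        return targets;
    }

    public static void Main()
    {
        // Constructed sample page: a dot.tk style frameset wrapping the real host.
        const string html =
            "<html><frameset rows=\"100%\">" +
            "<frame frameborder=0 src=\"http://kryddor.n.nu\" name=\"dot_tk_frame_content\" scrolling=\"auto\" noresize>" +
            "</frameset></html>";

        foreach (Uri t in FindTargets(html, new Uri("http://spicekungen.tk/")))
            Console.WriteLine("frame target: {0}  host to report: {1}", t, t.Host);
    }
}
```

Only the hosts found this way (here the n.nu subdomain) are worth an abuse report; the .tk registrar sees nothing but a frameset.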

According to n.nu they have closed the "site",
and a screenshot of the website can be viewed here.


Saturday 8 December 2012

Tool BinText from McAfee

BinText, quoted from the McAfee website:

A small, very fast and powerful text extractor that will be of particular interest to programmers. It can extract text from any kind of file and includes the ability to find plain ASCII text, Unicode (double byte ANSI) text and Resource strings, providing useful information for each item in the optional "advanced" view mode. Its comprehensive filtering helps prevent unwanted text being listed. The gathered list can be searched and saved to a separate file as either a plain text file or in informative tabular format.

Download BinText here http://www.mcafee.com/uk/downloads/free-tools/bintext.aspx.


I have censored the path to the file, since the path would otherwise contain my online nick.

Another note: the bot is Ounk, which I will share later. Besides that, you can actually see it copy itself to the P2P sharing folder, as well as adding itself to startup :)

Have a nice day.

Tuesday 4 December 2012

Creating an Obfuscator using Mono.Cecil [C#]

A short tutorial in two parts on how to make an obfuscator for .NET using Mono.Cecil and C#. We will use .NET 4.0 for the GUI, but 3.5 will be fine as well; Mono.Cecil uses .NET 3.5. The first part will be the GUI and the second part the 'code'.

 It will have the following features:
 - Drag and drop, very friendly and easy to use.
 - Some misc features.
 - Some picture boxes.
 - And a menu strip.

 I am aware that my tutorial about unpacking and packing .NET assemblies is not done. I lost the sample I had in mind and will wait until I find a fresh new one.

 Now back on topic. For the GUI I will use WinForms, since I know that pretty well compared to WPF. Open Visual Studio Express, create a new project and choose Windows Forms Application. I will name it MonoObfuscater; then an empty WinForm should show up. Go to Properties and disable the Maximize button: since the form will be pretty small and would not look very good in full screen, it's better to disable that.

Now we add a MenuStrip and one label whose text we change to 'About'. If the user clicks it, the idea is that it should pop up a second form with some information.

Below that we add two picture boxes, one for drag and drop and the other for users that don't like drag and drop and prefer an OpenFileDialog. For them I chose a blue icon for drag and drop and a green one for the file dialog.

The form should at this moment look something like this. Next we will add code for the green one: double-click the green picture box and add the following.



Notice that we don't check that the file the user chose has the .exe extension. This is something you can add later to improve it, but for now we move forward.

Drag and Drop

Now we will focus on the drag and drop part. We will use events, which are pretty easy and useful.
An event is something that is triggered under a special condition. We need to add two events: select the other picture box, right-click Properties, click the yellow lightning icon and scroll down to DragDrop and DragEnter, and double-click in the empty text field. Do that for both DragEnter and DragDrop. Once inside "MainForm" viewing the code, scroll to the form's constructor:

public MainForm()
{
    InitializeComponent();
}

Inside that we add the following, which makes the form allow drops and registers the event handlers for drag and drop.

Now add the following code, which will handle the drag and drop itself.
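The screenshots with the tutorial's handlers are not reproduced here, so the following is an added example (not the tutorial's own code) of a complete WinForms drop target written the way the text describes: AllowDrop is switched on, DragEnter decides whether the cursor shows "copy" or "not allowed", and DragDrop reads the file list. It also adds the extension check the text leaves for later, accepting only a single existing .exe or .dll. The form is built in code instead of the designer so it compiles on its own; the names DropForm, dropBox and GetDroppedAssembly are assumptions of this example.

```csharp
using System;
using System.IO;
using System.Windows.Forms;

public class DropForm : Form
{
    private readonly PictureBox dropBox = new PictureBox();
    private readonly Label status = new Label();
    public string SelectedAssemblyPath { get; private set; }

    public DropForm()
    {
        Text = "Drop a .NET assembly here";
        ClientSize = new System.Drawing.Size(320, 200);
        MaximizeBox = false;                      // small form, no point in maximising it
        status.Dock = DockStyle.Bottom;
        dropBox.Dock = DockStyle.Fill;
        dropBox.BackColor = System.Drawing.Color.LightBlue;
        dropBox.AllowDrop = true;                 // the control must opt in to receiving drops
        dropBox.DragEnter += OnDragEnter;
        dropBox.DragDrop += OnDragDrop;
        Controls.Add(dropBox);
        Controls.Add(status);
    }

    // Fires when the cursor enters the control: accept only a single .exe/.dll,
    // otherwise show the "not allowed" cursor.
    private void OnDragEnter(object sender, DragEventArgs e)
    {
        e.Effect = GetDroppedAssembly(e.Data) != null ? DragDropEffects.Copy : DragDropEffects.None;
    }

    // Fires when the user releases the mouse; validates again rather than trusting DragEnter.
    private void OnDragDrop(object sender, DragEventArgs e)
    {
        string path = GetDroppedAssembly(e.Data);
        if (path == null) return;
        SelectedAssemblyPath = path;
        status.Text = "Selected: " + path;
    }

    // Returns the dropped path if it is exactly one existing .exe or .dll, otherwise null.
    public static string GetDroppedAssembly(IDataObject data)
    {
        if (data == null || !data.GetDataPresent(DataFormats.FileDrop)) return null;
        var files = data.GetData(DataFormats.FileDrop) as string[];
        if (files == null || files.Length != 1) return null;
        string ext = Path.GetExtension(files[0]);
        bool isAssembly = string.Equals(ext, ".exe", StringComparison.OrdinalIgnoreCase)
                       || string.Equals(ext, ".dll", StringComparison.OrdinalIgnoreCase);
        return isAssembly && File.Exists(files[0]) ? files[0] : null;
    }

    [STAThread]
    public static void Main()
    {
        Application.EnableVisualStyles();
        Application.Run(new DropForm());
    }
}
```

Compile with a reference to System.Windows.Forms and System.Drawing. Doing the validation in one helper shared by both events keeps the two handlers from disagreeing about what is acceptable.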




A misc note: most of the time I use iconspedia for icons, and below are links to the icons I use.
Make sure you download them as '.png'.
http://www.iconspedia.com/icon/inbox-green-icon-34984.html
http://www.iconspedia.com/icon/inbox-blue-icon-34983.html
 And thanks to doublejdesign.co.uk for the icons :).


Friday 30 November 2012

Rouge - Ransomware v 2.1 preview/misc

Found this today: a member made a ransomware and is trying to sell it. It looks very basic and has no panel either; payment is built into the ransomware. No landing page threatening with lawsuits and so on.
If you scroll down a little there is a YouTube video the author made.

Quick analysis: the ransomware accepts PayPal and Liberty Reserve.
PayPal is not a good idea I think, since they are very global and worldwide.
Liberty Reserve is growing as well; the most common as far as I know is Ukash.

Another essential part of ransomware is being hard to remove and evading detection and removal.
Most users do have an antivirus, but it also has to prevent the user from removing it themselves.


That's all so far; I hope I can get my hands on a bin or two pretty soon, maybe a "test" copy or something :) Edit: found out that it's made in Visual Basic 6, omg; most that I have heard of and seen are made in C++ or other more pure native languages :D.

Unpack MPRESS + sample [.NET]

Hello, and I hope that you will enjoy this post :). I am also working on a few projects I will share later. Now back to the topic: today I will talk about packers. There are a few packers, such as UPX and MPRESS. We will focus on MPRESS since it supports .NET and UPX does not.


 A packer does the following: it takes the PE/app (PE = Portable Executable), uses a compression method such as gzip, zip or equivalent, and stores the original application/.dll as a resource. At runtime the application is decompressed and executed. This has the following impact: it lowers the size and can be used to bypass antivirus solutions, since the compressed file itself in most cases does not contain any bad "data". However it's not foolproof and can easily be unpacked, by just doing the decompression without executing the PE.
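Because a packed binary carries its payload as compressed data, the tell-tale sign from the analysis side is a section whose bytes look random. The following is an added example (not from the post and not specific to MPRESS) that walks the PE headers, measures the Shannon entropy of every section's raw data and reports whether any sizeable section is near the 8 bits/byte that compressed or encrypted data shows. Class and method names (PackedPeCheck, AnalyzeSections, LooksPacked) and the 7.0 threshold are choices of this example, not anything from the page.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Text;

public static class PackedPeCheck
{
    public sealed class SectionInfo
    {
        public string Name;
        public uint RawSize;
        public double Entropy;   // bits per byte, 0..8
    }

    // Shannon entropy of data[offset..offset+count): 8.0 means every byte value is equally
    // likely (typical of compressed/encrypted data); ordinary x86 or MSIL code sits lower.
    public static double ShannonEntropy(byte[] data, int offset, int count)
    {
        if (count <= 0) return 0.0;
        var counts = new int[256];
        for (int i = 0; i < count; i++) counts[data[offset + i]]++;
        double entropy = 0.0;
        foreach (int c in counts)
        {
            if (c == 0) continue;
            double p = (double)c / count;
            entropy -= p * Math.Log(p, 2);
        }
        return entropy;
    }

    // DOS header -> e_lfanew -> "PE\0\0" -> COFF header -> section table (40 bytes per entry).
    public static List<SectionInfo> AnalyzeSections(byte[] pe)
    {
        if (pe.Length < 0x40 || pe[0] != 'M' || pe[1] != 'Z')
            throw new InvalidDataException("not a PE file (missing MZ header)");
        int peOffset = BitConverter.ToInt32(pe, 0x3C);
        if (peOffset < 0 || peOffset + 24 > pe.Length || BitConverter.ToUInt32(pe, peOffset) != 0x00004550)
            throw new InvalidDataException("invalid PE signature");

        int numberOfSections = BitConverter.ToUInt16(pe, peOffset + 6);
        int sizeOfOptionalHeader = BitConverter.ToUInt16(pe, peOffset + 20);
        int sectionTable = peOffset + 24 + sizeOfOptionalHeader;

        var result = new List<SectionInfo>();
        for (int i = 0; i < numberOfSections; i++)
        {
            int hdr = sectionTable + i * 40;
            if (hdr + 40 > pe.Length) break;                       // truncated section table
            string name = Encoding.ASCII.GetString(pe, hdr, 8).TrimEnd('\0');
            uint rawSize = BitConverter.ToUInt32(pe, hdr + 16);  // SizeOfRawData
            uint rawPtr = BitConverter.ToUInt32(pe, hdr + 20);   // PointerToRawData
            // Clamp to the file so a malformed header can never read past the buffer.
            long available = Math.Min((long)rawSize, Math.Max(0L, pe.Length - (long)rawPtr));
            double entropy = ShannonEntropy(pe, (int)rawPtr, (int)available);
            result.Add(new SectionInfo { Name = name, RawSize = rawSize, Entropy = entropy });
        }
        return result;
    }

    // Heuristic: any section of at least 4 KiB above the threshold is probably packed.
    public static bool LooksPacked(List<SectionInfo> sections, double threshold = 7.0)
    {
        foreach (var s in sections)
            if (s.RawSize >= 4096 && s.Entropy > threshold) return true;
        return false;
    }

    public static void Main(string[] args)
    {
        if (args.Length != 1) { Console.WriteLine("usage: PackedPeCheck <file.exe>"); return; }
        var sections = AnalyzeSections(File.ReadAllBytes(args[0]));
        foreach (var s in sections)
            Console.WriteLine("{0,-8} raw={1,8} entropy={2:F2}", s.Name, s.RawSize, s.Entropy);
        Console.WriteLine(LooksPacked(sections) ? "verdict: likely packed" : "verdict: probably not packed");
    }
}
```

High entropy is a hint, not proof: a legitimate binary with embedded compressed resources or certificates trips the same heuristic, which is why the verdict should be read together with the section names and the import table rather than on its own.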

To be continued, as soon as I have more spare time :3




 MPRESS website: http://www.matcode.com/mpress.htm

Wednesday 21 November 2012

Napalm Web Auth (Short Review)

A short post about Napalm Web Auth; not much to say at this moment since it's still in beta.
On form load it tries to connect to the host and checks whether what is loaded contains "Napalm Web Auth".
After that we have the login itself, pretty straightforward. And finally the cheese itself: once logged in, it downloads the program, which turns out to be a .dll, as a byte[] and invokes it with the entry point "EntryPoint" and the namespace "NWA_Server.NWA" :) Have a nice day, and if anything is incorrect, I am still learning.

How to get the MD5 checksum of a file in C# (Snippet)

A basic application to get the MD5 checksum of a program or file. I used the snippet from http://sharpertutorials.com/calculate-md5-checksum-file/; it uses the following namespaces:


using System.Security.Cryptography;
using System.IO;


All I did was add an OpenFileDialog, not much, but :)

Download
http://www.sendspace.com/file/h85wfj

VirusTotal scan (of the compiled bin)
https://www.virustotal.com/file/a3eaacf713934157e63be6b0949f409148c59bc3875ff42a0686a24d45c5cc47/analysis/
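As an added example (not the sharpertutorials snippet and not the author's WinForms application), here is the same checksum computation done as a console tool using the two namespaces listed above, with SHA-256 beside MD5. The distinction matters for the use the post puts it to: MD5 collisions are practical, so two different files can share an MD5, while VirusTotal identifies a sample by its SHA-256 (the 64-hex-digit value in the scan link above). The class name FileChecksum and method names are choices of this example.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;

public static class FileChecksum
{
    // Streams the file through the hash so a large binary is never read into memory at once.
    public static string HexDigest(string path, HashAlgorithm algorithm)
    {
        using (var stream = new FileStream(path, FileMode.Open, FileAccess.Read, FileShare.Read))
        {
            byte[] digest = algorithm.ComputeHash(stream);
            return BitConverter.ToString(digest).Replace("-", "").ToLowerInvariant();
        }
    }

    // MD5: fine as a quick fingerprint, not as proof that two files are the same.
    public static string Md5(string path)
    {
        using (var md5 = MD5.Create()) return HexDigest(path, md5);
    }

    // SHA-256: what to use when the checksum must identify a file (VirusTotal, release checksums).
    public static string Sha256(string path)
    {
        using (var sha = SHA256.Create()) return HexDigest(path, sha);
    }

    // Checks a file against a published hex digest; hex case does not matter.
    public static bool Verify(string path, string expectedHex, bool useSha256)
    {
        string actual = useSha256 ? Sha256(path) : Md5(path);
        return string.Equals(actual, expectedHex.Trim(), StringComparison.OrdinalIgnoreCase);
    }

    public static void Main(string[] args)
    {
        if (args.Length == 0)
        {
            Console.WriteLine("usage: FileChecksum <file> [expected-sha256]");
            return;
        }
        Console.WriteLine("MD5    : " + Md5(args[0]));
        Console.WriteLine("SHA-256: " + Sha256(args[0]));
        if (args.Length > 1)
            Console.WriteLine(Verify(args[0], args[1], true) ? "SHA-256 matches" : "SHA-256 MISMATCH");
    }
}
```

Passing the VirusTotal hash as the second argument is a quick way to confirm that the file on disk is the one that was scanned.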

Monday 19 November 2012

Hades DDoS bot (VB.NET) source

Hades DDoS bot is a simple IRC bot written in Visual Basic; I am sharing both the builder and the stub source.
I don't think anyone will get far with this.

Anyway, the path to the builder is '\DDoS Bot\HBuilder\bin\Release' and the builder is called HBuilder.exe.
Now if you are connected to the internet and try starting it, it will fail, since it connects to Dropbox to check whether your HWID matches. To get around that, in this case, just disconnect from the internet or reject the connection.

Press Continue (or Fortsätt in my case),
and the builder will show up.
Pretty simple :) ?


Now we will use ILSpy just to check why the above works. When the form is loaded it checks whether our HWID is in a text file, by calling cAntiLeak.Check();



And in cAntiLeak we find this,


What makes it work by just disconnecting is that when it fails to connect, that is handled using try/catch. Download: http://www.sendspace.com/file/6k69bb Password for the archive is infected. Only for educational use, don't abuse. Have a nice day.
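The bypass above works because the check fails open: an exception from the network layer is caught and the program carries on as if the check had passed. That is a general design flaw in any client-side authorization gate, not something particular to this builder. The following is an added example (not the decompiled Hades code) that puts a fail-open check next to a fail-closed one; the allow-list fetch is injected as a delegate so both can be exercised offline. RemoteAllowList, CheckFailOpen, CheckFailClosed and the sample HWIDs are constructed for this example.

```csharp
using System;
using System.Net;

public static class RemoteAllowList
{
    // Shape of the flawed check: any exception (offline, DNS failure, timeout) lands in the
    // catch block and the caller never learns that nothing was verified.
    public static bool CheckFailOpen(string hwid, Func<string> fetchAllowList)
    {
        try
        {
            string list = fetchAllowList();
            return list.Contains(hwid);   // substring match: "1111" would pass for "AAAA-1111"
        }
        catch (Exception)
        {
            return true;                   // BUG: no network means no verification, yet access is granted
        }
    }

    // Fail closed: a fetch error is a denial, an empty list is a denial, and the HWID must
    // match a whole line rather than appear as a substring.
    public static bool CheckFailClosed(string hwid, Func<string> fetchAllowList)
    {
        string list;
        try { list = fetchAllowList(); }
        catch (WebException) { return false; }
        if (string.IsNullOrEmpty(list)) return false;

        foreach (string line in list.Split(new[] { '\r', '\n' }, StringSplitOptions.RemoveEmptyEntries))
            if (string.Equals(line.Trim(), hwid, StringComparison.Ordinal)) return true;
        return false;
    }

    public static void Main()
    {
        // Constructed fetchers standing in for the Dropbox download.
        Func<string> offline = () => { throw new WebException("name resolution failed"); };
        Func<string> online = () => "AAAA-1111\nBBBB-2222\n";

        Console.WriteLine("fail-open,   offline, unknown HWID: " + CheckFailOpen("ZZZZ-9999", offline));
        Console.WriteLine("fail-closed, offline, unknown HWID: " + CheckFailClosed("ZZZZ-9999", offline));
        Console.WriteLine("fail-closed, online,  listed HWID : " + CheckFailClosed("AAAA-1111", online));
        Console.WriteLine("fail-open,   online,  partial HWID: " + CheckFailOpen("1111", online));
    }
}
```

Run it with the network cable in or out: the first line is the behaviour the post observed, the second is what a correctly designed check does in the same situation. Even the fail-closed version is still only a client-side gate, so anyone who can patch the assembly can remove it; it just no longer gives itself away to a pulled cable.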

Mono.Cecil Obfuscator [C#]

Obfuscation is quite basic: replace strings and other things such as namespaces, types and so on,
making it harder to read and offering protection against theft of the code, making it harder to read, understand and copy. It's used to prevent cracking of products such as paid programs.

Highly recommended for managed applications, and also abused in other products such as exploit packs to evade detection, and in malware, once again to prevent detection by antivirus.

Here is a scan of a .NET bot (I used a .NET bot since Mono.Cecil only allows you to obfuscate .NET logic).
When I posted this it had a detection rate of 16/43~; after using the obfuscator (self-made, based on Mono.Cecil, or using Cecil, whatever)

we get this result: 13/44. We lowered it by 3; however, when comparing the analyses I noticed that some detections dropped.

And if we bother comparing, they are 15% similar and 85% different. Now with a more advanced obfuscator the result would be different (lower), since a more complex obfuscator would do more than just rename.
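Rename-only obfuscation leaves a recognisable trace: identifiers that no developer would write. The following is an added example (not the post's obfuscator) that uses the same library, Mono.Cecil, from the analysis side: it reads an assembly and reports what share of type, method, field and property names are single characters, non-printable, non-ASCII or otherwise not valid identifiers. That ratio is a useful triage signal when looking at a sample such as the bot scanned above. The Mono.Cecil calls (AssemblyDefinition.ReadAssembly, MainModule.Types, NestedTypes, Methods, Fields, Properties) are the library's real API; the class RenameIndicators and its heuristics are choices of this example.

```csharp
using System;
using System.Collections.Generic;
using Mono.Cecil;

public static class RenameIndicators
{
    public sealed class Report
    {
        public int TotalNames;
        public int SuspiciousNames;
        public List<string> Examples = new List<string>();
        public double Ratio { get { return TotalNames == 0 ? 0.0 : (double)SuspiciousNames / TotalNames; } }
    }

    // Compiler-generated names (.ctor, .cctor, <Main>b__0, <>c__DisplayClass1, <Module>) are normal
    // and skipped. Anything else is flagged when it is a single character or contains characters
    // outside printable ASCII letters, digits, '_' and the '`' arity marker of generic types.
    public static bool IsSuspiciousName(string name)
    {
        if (string.IsNullOrEmpty(name)) return true;
        if (name[0] == '.' || name[0] == '<') return false;
        if (name.Length == 1) return true;
        foreach (char c in name)
        {
            if (c < 0x20 || c > 0x7E) return true;                                  // non-printable or non-ASCII
            if (!(char.IsLetterOrDigit(c) || c == '_' || c == '`')) return true;   // not an identifier character
        }
        return false;
    }

    public static Report Analyze(string assemblyPath)
    {
        var report = new Report();
        AssemblyDefinition assembly = AssemblyDefinition.ReadAssembly(assemblyPath);
        foreach (TypeDefinition type in assembly.MainModule.Types)
            Walk(report, type);
        return report;
    }

    // Recurses into nested types so every member name in the module is counted.
    private static void Walk(Report report, TypeDefinition type)
    {
        Consider(report, type.Name);
        foreach (MethodDefinition m in type.Methods) Consider(report, m.Name);
        foreach (FieldDefinition f in type.Fields) Consider(report, f.Name);
        foreach (PropertyDefinition p in type.Properties) Consider(report, p.Name);
        foreach (TypeDefinition nested in type.NestedTypes) Walk(report, nested);
    }

    private static void Consider(Report report, string name)
    {
        report.TotalNames++;
        if (!IsSuspiciousName(name)) return;
        report.SuspiciousNames++;
        if (report.Examples.Count < 10) report.Examples.Add(name);
    }

    public static void Main(string[] args)
    {
        if (args.Length != 1) { Console.WriteLine("usage: RenameIndicators <assembly>"); return; }
        Report r = Analyze(args[0]);
        Console.WriteLine("{0} of {1} names look machine-renamed ({2:P0})", r.SuspiciousNames, r.TotalNames, r.Ratio);
        foreach (string example in r.Examples) Console.WriteLine("  " + example);
    }
}
```

Reference Mono.Cecil.dll when compiling. A high ratio says nothing about whether the code is malicious, only that it was deliberately made hard to read, which is exactly the point at which the string- and IL-level checks of a scanner become more informative than identifier names.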

http://en.wikipedia.org/wiki/Obfuscation

Have a nice day :)


Monday 12 November 2012

C# compare two files WinForms application

Based on a snippet from leetcoders; original source http://leetcoders.org/Thread-c-compare-2-files.
Credit goes to CaptainBri, however with a few small changes :)

Download the full project as is
http://www.sendspace.com/file/yzu5dv






Small note: not sure if the .exe in debug is really the latest...
There might have been some changes after that :)

VirusTotal Scan
https://www.virustotal.com/file/30c027c5eb5cc43a9dcc0a2b06079e10a45648561a880c39dcdcf23d6e4f8dcd/analysis/1352722288/
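The project itself is only available as a download, so as an added example (not CaptainBri's snippet and not the author's project) here is a file comparison done the way an analyst usually wants it: streamed in fixed-size chunks rather than loading both files, and reporting the offset of the first differing byte instead of a bare yes/no, which is what you need when diffing a sample against a known-good copy. FileCompare, Compare and ReadFully are names chosen for this example.

```csharp
using System;
using System.IO;

public static class FileCompare
{
    public sealed class Result
    {
        public bool Identical;
        public long LengthA;
        public long LengthB;
        // Offset of the first differing byte; when one file is a prefix of the other this is the
        // shorter length. -1 when the files are identical.
        public long FirstDifference = -1;
    }

    public static Result Compare(string pathA, string pathB, int bufferSize = 64 * 1024)
    {
        var result = new Result();
        using (FileStream a = File.OpenRead(pathA))
        using (FileStream b = File.OpenRead(pathB))
        {
            result.LengthA = a.Length;
            result.LengthB = b.Length;
            var bufA = new byte[bufferSize];
            var bufB = new byte[bufferSize];
            long offset = 0;
            while (true)
            {
                int readA = ReadFully(a, bufA);
                int readB = ReadFully(b, bufB);
                int common = Math.Min(readA, readB);
                for (int i = 0; i < common; i++)
                {
                    if (bufA[i] != bufB[i])
                    {
                        result.FirstDifference = offset + i;
                        return result;
                    }
                }
                if (readA != readB)                     // one file ended before the other
                {
                    result.FirstDifference = offset + common;
                    return result;
                }
                if (readA == 0)                         // both ended together with no difference
                {
                    result.Identical = true;
                    return result;
                }
                offset += readA;
            }
        }
    }

    // Stream.Read may return fewer bytes than requested before EOF; fill the buffer or hit EOF.
    private static int ReadFully(Stream s, byte[] buf)
    {
        int total = 0;
        while (total < buf.Length)
        {
            int n = s.Read(buf, total, buf.Length - total);
            if (n == 0) break;
            total += n;
        }
        return total;
    }

    public static void Main(string[] args)
    {
        if (args.Length != 2) { Console.WriteLine("usage: FileCompare <fileA> <fileB>"); return; }
        Result r = Compare(args[0], args[1]);
        if (r.Identical)
            Console.WriteLine("identical ({0} bytes)", r.LengthA);
        else
            Console.WriteLine("differ at offset 0x{0:X} (sizes {1} and {2})", r.FirstDifference, r.LengthA, r.LengthB);
    }
}
```

Comparing by content rather than by hash also avoids the question of whether two files with the same MD5 are actually the same file.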

Using ILSpy to decompile .NET applications

A quick tutorial on how to use ILSpy. Note that ILSpy is one of many tools I found during lonely nights in front of a computer screen. In the future I will hopefully post short tutorials about using other tools, from basic to average and so on. ILSpy is a decompiler. When a program or application is compiled, the compiler interprets your C# or Visual Basic .NET statements and creates a series of MSIL statements that will be executed by the .NET Framework. What a decompiler does should be quite self-explanatory :) it does what the compiler does, reversed, and thereby allows you to inspect the source code of a compiled application.

 Who needs a decompiler? Decompilers can be used to find bugs, and sadly be abused to crack software. Keep in mind that copyright laws exist. But decompilers can also be used for good reasons, such as giving detailed information about how a program works (e.g. malware).

 Where can I download ILSpy? On the official website for ILSpy, in the menu in the upper right corner, "Download Binaries" downloads a working binary copy of ILSpy.
Note that .NET Framework 4.0 is needed.

 How to start it? After unzipping, the folder should contain a few .dlls and an .exe. The content might differ from the screenshot I attached, since my version might not be up to date by the time you are reading this. ILSpy.exe is the application itself; start it.


You will now see something like this; the dropdown showing "C#" represents which language should be used to display the decompiled result.
The icon in the menu strip that looks like a refresh button from a web browser allows you to reload an assembly. Now to check out an assembly just click "File" and an Open File Dialog should pop up.


If you would like to save a decompiled assembly, go to File and then "Save Code...". However the source will most likely not be compilable right after being saved; some errors might exist :)


http://en.wikipedia.org/wiki/Decompiler

C# Matrix look-alike snippet

Made this yesterday if I remember right; I was really bored. Most people rank The Matrix as one of the best "geek movies". However I have only seen a small part of it, and the only thing I remember is the matrix effect, and the name Neo.

C# Get Windows Version Snippet

This snippet will check the Windows version and whether the architecture is x64 or x86.

The snippet will use Environment.OSVersion.Version.Major & Environment.OSVersion.Version.Minor to find out what version of Windows is running, and Environment.Is64BitOperatingSystem to find out whether it is x64 or x86.
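The snippet itself is not reproduced on the page, so the following is an added example (not the author's snippet) built from the three properties named above, mapping the NT major/minor pair to a product name and distinguishing a 64-bit OS from a 64-bit process. One caveat a practitioner should know: on the .NET Framework, Environment.OSVersion reports 6.2 on Windows 8.1 and later unless the application carries a compatibility manifest, so the table below can under-report on those systems. WindowsVersionInfo and FriendlyName are names chosen for this example.

```csharp
using System;

public static class WindowsVersionInfo
{
    // NT version numbers as reported by Environment.OSVersion, Windows 2000 and later.
    public static string FriendlyName(int major, int minor)
    {
        switch (major * 10 + minor)
        {
            case 50:  return "Windows 2000";
            case 51:  return "Windows XP";
            case 52:  return "Windows Server 2003 / XP x64";
            case 60:  return "Windows Vista / Server 2008";
            case 61:  return "Windows 7 / Server 2008 R2";
            case 62:  return "Windows 8 / Server 2012 (or newer without a compatibility manifest)";
            case 63:  return "Windows 8.1 / Server 2012 R2";
            case 100: return "Windows 10 / 11 / Server 2016 and later";
            default:  return "Unknown Windows " + major + "." + minor;
        }
    }

    // Is64BitOperatingSystem answers for the machine; Is64BitProcess answers for this process,
    // which differs when a 32-bit build runs under WOW64 (both require .NET 4.0).
    public static string Describe()
    {
        Version v = Environment.OSVersion.Version;
        string os = Environment.Is64BitOperatingSystem ? "x64" : "x86";
        string proc = Environment.Is64BitProcess ? "64-bit process" : "32-bit process";
        return string.Format("{0} ({1}.{2}.{3}), {4} OS, running as a {5}",
                             FriendlyName(v.Major, v.Minor), v.Major, v.Minor, v.Build, os, proc);
    }

    public static void Main()
    {
        Console.WriteLine(Describe());
    }
}
```

The OS/process distinction matters for anything that touches the registry or System32, since a 32-bit process on x64 is redirected to the WOW64 views of both.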