Threat Alert: May 2011

May 26, 2011

Facebook SCAM – “this woman has a orgasm on a roller coaster! LOL”

Few days back I found this link posted on few of my friend’s wall.

The moment I saw the site “youtube.com-dmv.in” I was able to conform it as bogus video because here the name “youtube” is sub domain of “com-dmv.in” which is the main domain so; it clearly says us the video is posted in some other site not the famous “youtube.com”

When you click on the video post it will redirect you to some other fake domain where it says you can freely customize our Face Book profiles,

It asks you to complete the 3 steps. Once you do that it will display a gif file saying activating and behind the screen it will contact the s.php file located in the remote server and execute the JavaScript.

When examined the JavaScript found below code to check whether you are pasting the script on the facebook.com window. If not it will alert you with a message.

Without your permission it will post fake links on our wall,

It can hide chat box from you and send messages to your friends without your knowledge.

To avoid this when you come across any link don’t click them immediately think twice before you click on it. Also if you confirm the post as spam report it by marking it spam.

May 24, 2011

Patching exe files

This post is a continuation to the previous post based on the user comments. Here I will explain how to patch an exe file and also the other method to bypass Isdebuggerpresent API.

In the previous post I have bypassed the Isdebuggerpresent API by changing the return value in the EAX registet. You can also bypass the API by filling it with Nop(No Operation) or you can use Hide Debugger plugin available in the internet.

Here I have filled the code with NOP instructions so that nothing happens it just passes the control to next instruction,

To patch the file so that next time you can debug without any interrupt you have to select the modified code area like shown below and right click select selection from copy to executable.

Next, it will open memory map in that right click and select save file,

Now the file is patched and ready to debug. Thanks:)

May 22, 2011

Bypass IsDebuggerPresent API

In this post I will explain how to bypass IsDebuggerPresent API which is a common Anti debugging technique used by many malware.

parcela0405.pdf.exe is the sample I have used for this example.

Dropped file in Olly Debugger and started traversing till I find something interesting. The file looks like compiled using Autoit Script becoz it searches for Autoit related registry keys. You can see that below,

After traversing several calls I reached at IsDebuggerPresent API in the address 0040D6F1,

First let’s see what happens if we execute the IsDebuggerPresent API Call,

See the jump to address 00431A9D has taken and it displays a message box. Also, the process will be terminated once you click OK.

To avoid this press F7 in OllyDbg and step into the call seen in the address 0040D6F1 (IsDebuggerPresent API) you will see something like shown below,