News

//10 November 2009 //

I'm not going to explain this keylogger attack any further. By the way, an interesting technique was introduced by a presenter at Black Hat recently; refer to Stoned Bootkit. If you don't like it, you can still use the BackTrack live CD or the ntpasswd live CD to do that, and write your own keylogger/trojan :p

Read this:

1. Evil Maid - Credit Joanna Rutkowska [Link] [Local Download]

2. Stoned Bootkit - Credit Peter Kleissner [Link]

//16 October 2009 //

Sometimes, because driver vendors do not properly document how to install their driver on a new operating system, our life suffers. Especially for a super lazy man like me.

OS             : Windows 7 Ultimate
Spec           : XPS M1330
Graphic Chip   : Nvidia GeForce 8400M GS
Driver         : [Download]
Driver Sweeper : [Download]

First, boot Windows 7 into safe mode and uninstall the default driver installed by Windows 7, the 'Standard VGA Graphics Adapter' driver. Then use Driver Sweeper to clean out all the 'Nvidia' driver files that Windows 7 installed by default but left incomplete. Funny, right!!! Now scan for hardware changes in Device Manager, let Windows 7 install the default 'Standard VGA Graphics Adapter' driver again, then right-click it and update the driver to Nvidia driver v191.07 for Windows 7/Vista.

I'm still waiting for the Windows 7 graphics card driver problems to come back, but until now it has been running smoothly. Wasting my time testing Windows 7 :P!!

//10 September 2009 //

A lot of websites are injected with malicious links that redirect to a malware distribution site, which hosts an exploit that executes the malware. They call this technique 'drive-by download'. For me, this is not malware code; it totally misleads the virus scene. No wonder everyone in the cyber VX underground comments that the virus scene has died. **sigh** For example, refer to the following code [code]. Decrypting this JavaScript is very simple: copy and paste it into Malzilla and let it run. The result is in [1]; now decode the result again [2].
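The "let it run and look at what it tries to execute" step described above, written out as an added example (this is not code from the original page or from F-13 Labs, and it is not Malzilla). It peels an eval-based loader one layer at a time by running each stage with eval(), document and window replaced by capture functions, so the next stage is recorded instead of executed. The two-layer sample is constructed here for the example: unescape() around String.fromCharCode() around a harmless document.write(), with example.invalid as a placeholder host.

```javascript
// Added example (not code from the original page or from F-13 Labs):
// peel the layers of an eval-based loader by running each stage with
// eval() and document.write() swapped for capture functions.

// Inner-most stage: what the loader finally wants to run (constructed sample).
const STAGE_PLAIN = "document.write(\"<iframe src='http://example.invalid/'>\")";

// Middle stage: the plain code hidden as a String.fromCharCode() list.
const STAGE_CHARCODES = "eval(String.fromCharCode(" +
  Array.from(STAGE_PLAIN, (c) => c.charCodeAt(0)).join(",") + "))";

// Outer stage: the middle stage hidden again as %XX escapes for unescape().
const SAMPLE = "eval(unescape(\"" +
  Array.from(STAGE_CHARCODES,
    (c) => "%" + c.charCodeAt(0).toString(16).padStart(2, "0")).join("") +
  "\"))";

// Run one stage. eval, document and window are shadowed by parameters, so
// whatever the stage would have executed or written is captured instead.
function captureStage(code) {
  const captured = [];
  const sink = (s) => { captured.push(String(s)); };
  const fakeDocument = { write: sink, writeln: sink };
  // A sloppy-mode Function body may use "eval" as a parameter name.
  const stage = new Function("eval", "document", "window", code);
  stage(sink, fakeDocument, {});
  return captured;
}

// Feed each captured layer back in until the output is markup (starts with
// '<') or a stage captures nothing; returns every decoded layer in order.
function peelStages(code, maxStages = 10) {
  const layers = [];
  let current = code;
  for (let i = 0; i < maxStages; i++) {
    const out = captureStage(current);
    if (out.length === 0) break;                   // nothing further decoded
    const next = out.join("\n");
    layers.push(next);
    if (next.trimStart().startsWith("<")) break;   // reached the injected HTML
    current = next;
  }
  return layers;
}

// Usage: each element of the returned array is one decoded layer.
const layers = peelStages(SAMPLE);
layers.forEach((layer, i) => console.log(`stage ${i + 1}: ${layer}`));
```

Only three names are shadowed here, so the sample still runs in your own process; treat it like pasting into Malzilla and do it inside a disposable VM. A real loader that fingerprints navigator, location or timing will simply throw in this stripped-down scope, and the property it failed on tells you what it was checking for.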

A lot of attackers, even VXers, just concentrate on using web attacks (SQL injection + IFrame injection) plus an exploit to execute the malware (downloaded from the Internet and run through a packer). I can't see any artwork in this kind of malware code. :(

//24 July 2009 //

After I read this blog [Link], I thought a lot. I do agree on some points like:

//-----------------------------------------------------------------

From Anti-Sec,

And of course we must not forget, it is not just about Full-Disclosure, but also the people who claim they can protect you,
claim they are a security company, swear by their own security, etc. Actually they cannot provide you with that service, they
cannot protect you, they cannot protect themselves, they don't know the basics of security, they read a tutorial on installing
CSF/LFD, mod_security, iptables, OpenSSH and call it -secure-.

Others thought anti-security is about 0 disclosure of any kind; it is truly against full disclosure, where
an actual exploit code is posted instead of an advisory to the public...

I understand that disclosure is a must-have, I am not against it, I am against the people who post and help in
spreading exploit code. Can you please tell me what good (if any) comes out of posting exploit code?

I am pretty sure it does more harm than good, way more.
//---------------------------------------------------------------------------------------------

I have been an information security consultant and penetration tester before. I am also tired of hearing my business manager talk again about the "hacker", "cracker" or "phracker" blah blah... **sigh** But it is just business.

Last but not least, I respect whoever can code (coders). And please submit the exploit/worm/virus code or sample to the vendor before posting it anywhere.

Download the anti-sec logs from here.

//20 July 2009 //

Recently I reversed and decompressed the Conficker worm variant C. The worm uses the RDTSC anti-virtual-environment and anti-debug trick. RDTSC is an old technique; anyhow, I came up with code so that newbies can easily understand the concept of RDTSC. Of course, it is asm code ^-^!! [Download] [Test in Real Machine] [Test in VMware]

//30 May 2009 //

I uploaded another good IDE for MASM32 [Download]. Recently I have been busy on antivirus design; I am planning to use Visual .NET + MASM32. A friend asked me whether the VX scene is still alive. We (skyout, fAMINE and other VXers) discussed it a lot in the IRC channel. For me, it's still alive and will now mix with rootkit techniques, and some will mix with exploits, as my friend from China did.

//12 April 2009 //

fAMINE just founded a virus group named F7F [Link]. Welcome to the VX scene. :)!!

//18 March 2009 //

Microsoft's VC++ supports inline asm in later versions on the x86 and x64 platforms. The MSDN page below lists a hefty number of intrinsics that are basically equivalents of single instructions.

MSDN [Link]

There are also architecture-specific intrinsics:

x86 [Link]

x64 [Link]

//16 March 2009 //

The latest version of 'The Undocumented Functions' in Microsoft Windows NT/2K/XP/2003 [Link]. It is useful when you want to code low-level programs, malware or even develop exploits. Recently I have been preparing to move back to R&D and do virus & antivirus research full time. Happy :) !!

//17 January 2009 //

No news is good news. Happy New Year :) !!

//16 December 2008 //

If you google the string "/css/c.js></Script>", most of the websites returned are infected and planted with a malicious script. You need to use FreShow (get the tool from my website, section "Tools") to view the URL while avoiding running the script and infecting the local host files. Thanks to my friend from China for informing me. From this incident, I can see the skill set of the Chinese hackers; especially, they are the ones who came out with the generator for the Adobe Flash Player exploit and the IE 7.0 exploit. For the result, view the script [Image 0] [Image 1] [Image 2] [Image 3] [Malware Binary]

For the "Malware Binary", rename "*.raq" to "*.rar" and extract it with password=lclee_vx. Please note that "DuMete.exe" is the malware and is dangerous. F-13 Labs takes no responsibility if you download and run it on your PC.
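The injected tag described above is easy to spot once you look at the page source without rendering it: a script include that points off the site's own host. As an added example (not code from the original page or from F-13 Labs, and not FreShow), the function below scans saved HTML offline for such includes; it matches the tag case-insensitively because the injected closing tag is written as "</Script>", and it accepts bare as well as quoted src values. The HTML is a constructed sample and attacker.invalid is a placeholder host; the "/css/c.js" path is the one quoted in the entry above.

```javascript
// Added example (not code from the original page or from F-13 Labs): find
// <script src=...> includes in saved HTML that point off the page's own host.
// SAMPLE_HTML is constructed for this example; attacker.invalid is a placeholder.

const SAMPLE_HTML = [
  "<html><head>",
  "<script src=\"/js/site.js\"></script>",
  "<script type=\"text/javascript\" src=\"http://www.example.org/js/menu.js\"></script>",
  "<Script src=http://attacker.invalid/css/c.js></Script>",
  "<script>var inline = 1;</script>",
  "</head><body>hello</body></html>",
].join("\n");

// Pull the src value whether it is double-quoted, single-quoted or bare.
const SRC_ATTR = /\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;

// Returns one record per script include whose host differs from pageHost.
// knownPattern marks the "/css/c.js" path quoted in the entry above.
function findExternalScripts(html, pageHost) {
  const scriptTag = /<script\b([^>]*)>/gi;   // fresh regex: lastIndex starts at 0
  const ownHost = pageHost.toLowerCase();
  const hits = [];
  let m;
  while ((m = scriptTag.exec(html)) !== null) {
    const s = SRC_ATTR.exec(m[1]);
    if (!s) continue;                          // inline script, nothing to fetch
    const src = s[1] !== undefined ? s[1] : s[2] !== undefined ? s[2] : s[3];
    let url;
    try {
      // Relative and protocol-relative URLs resolve against the page's host.
      url = new URL(src, "http://" + ownHost + "/");
    } catch (e) {
      continue;                                // unparseable src, skip it
    }
    const host = url.hostname.toLowerCase();
    if (host !== ownHost) {
      hits.push({ src, host, knownPattern: url.pathname === "/css/c.js" });
    }
  }
  return hits;
}

// Usage: list every off-host include found in the constructed sample.
for (const hit of findExternalScripts(SAMPLE_HTML, "www.example.org")) {
  console.log(`${hit.host}  ${hit.src}${hit.knownPattern ? "  (matches /css/c.js)" : ""}`);
}
```

Run it over the saved source rather than a rendered page, the same reason the entry points at FreShow: nothing here executes the script. An off-host include is not proof of compromise on its own (CDNs and ad networks look the same), so the output is a worklist for checking each host, not a verdict.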

//15 November 2008 //

VMprotect is emulation software that runs a miscellaneous file in a simulated environment. It is for virus analysis purposes. Anyhow, we can still use VMware for this. But I can code a virus binary to detect that it is running in VMware. This software I have never tried. Maybe you can give it a try. Let me know if you succeed in coding a virus which can detect that it is running in the VMprotect environment. :) Download from the TOOLS SECTION.

//07 November 2008 //

I will publish and upload a simple heuristic engine to detect and cure the virus. Now busy coding the engine for my project :(

And I received a lot of emails asking for the password of the PEiD tool. I uploaded it again, without password protection. Actually you can get all my tools if you download the F-13 LiveCD.

//02 November 2008 //

Just uploaded the different versions of OllyDbg. 38 in total, for the F-13 Labs collection.

Get it from Miscellaneous sections. Enjoy!

//26 October 2008 //

The following code creates false alarms in two antivirus products :)!! It is just an infinite loop; when the antivirus software scans it, it pops up an alert.

//--------

; MASM32 listing. The page originally showed only the label, the jump and the
; END directive; the three assembler directives are added so the fragment
; assembles into a complete executable whose only behaviour is the loop.
.386
.model flat, stdcall
.code
start:
      jmp    start          ; jump to itself forever, nothing else happens
end  start

//-----------------

When submitted to VirusTotal, 2 out of 36 antivirus engines detected it as a malicious file. [Result] [Sourcecode] [Binary]

Thanks go to bi0n3xt

Copyright (c) 2005 F-13 Labs. All rights reserved.