H e s s a m x

moved !

hessam — Fri, 04 May 2007 14:18:04 +0000

I didn’t post for quite sometime is because I am really busy with my school exams.
and start again next month . and this weblog completely moved to hessamx.net and this weblog closed !
If you added my link in your weblog or website please change it.

Analysis of Malware Spread via SPAM and ANI vulnerability

hessam — Mon, 09 Apr 2007 12:04:56 +0000

i posted about ANI vulnerability malware some days ago and today i saw a paper on websense security labs about analysis of malware spread via spam and ANI vuln.
view this paper on websense

Perl Underground 4

hessam — Mon, 09 Apr 2007 11:59:52 +0000

Perl Underground talk about exploiters perl codes. in this ezine they focused on bad perl codes.
this is really nice .
Read this ezine on milw0rm.com

New worm use the .ani zero day vulnerability

hessam — Mon, 02 Apr 2007 13:01:44 +0000

Some days ago researchers declared an alert for Microsoft Windows Cursor and Icon(.ANI) zero day vulnerability . now they declared an alert for a new worm .
“It’s a bad news that the Windows Animated Cursor Handling zero-day vulnerability has been used by malwares in China now. We have received this kind of new worm today. It has the same behavior as Worm.Win32.Fujacks. It also can infects .HTML .ASPX .HTM .PHP .JSP .ASP and .EXE files, and inserts the malicious links which contained Windows Animated Cursor Handling zero-day vulnerability into .HTML .ASPX .HTM .PHP .JSP .ASP files. It also can send out Chinese spams which are include the same zero-day vulnerability link. “
view analysis on CISRT

http://www.cisrt.org/enblog/read.php?68

Security Links !!

hessam — Wed, 21 Mar 2007 13:05:23 +0000

ArazSamadi have a nice list of security websites and weblog you can view this list here .

FIRST global security

netsec

Mega security

Digg security

Donna’s SecurityFlash

National Vulnerability DB

ONLamp – Security

securiteam

SecurityFocus
(list is long … read more )

FIRST global security

netsec

Mega security

Digg security

Donna’s SecurityFlash

National Vulnerability DB

computerworld – secblogs

CNET news.com – threats

Cpanel BruteForce problems

hessam — Wed, 21 Mar 2007 12:49:29 +0000

some months ago i coded a perl script. this perl script is a Cpanel BruteForce .
some visitors (damn to skidds) mail me about “how to use it ?” or “how can i found password list for it?”.
this script have not special password list and for example you can use milw0rm password list . and if this script have low speed use php script. and can other information about usage in script.

[PLEASE DON'T ASK ME ABOUT THIS SCRIPT ]

=====
Site again started with new desing www.hessamx.net

Exploiting Windows NT 4 Buffer Overruns

hessam — Thu, 15 Mar 2007 07:36:40 +0000

This paper show how to exploiting buffer overruns on windows nt 4.
“This document is for educational purposes only and explains what a
buffer overrun is and shows how they can be exploited on the Windows
NT 4 operating system using RASMAN.EXE as a case study. We will take a
look at Windows NT processes, virtual address space, the dynamics of a
buffer overrun and cover certain key issues such as explaining what a
stack is and what the ESP, EBP and EIP CPU registers are and do. With
these covered we’ll look into the buffer overrun found in RASMAN.EXE.
This document may be freely copied and distributed only in its
entirety and if credit is given.“
View this paper .

Month of PHP Bugs

hessam — Tue, 06 Mar 2007 13:43:31 +0000

Month of PHP Bugs started and now have 13 advisrories :
1 – PHP 4 Userland ZVAL Reference Counter Overflow Vulnerability
2 – PHP Executor Deep Recursion Stack Overflow
3 – PHP Variable Destructor Deep Recursion Stack Overflow
4 – PHP 4 unserialize() ZVAL Reference Counter Overflow
5 – PHP unserialize() 64 bit Array Creation Denial of Service Vulnerability
6 – Zend Platform Insecure File Permission Local Root Vulnerability
7 – Zend Platform ini_modifier Local Root Vulnerability
8 – PHP 4 phpinfo() XSS Vulnerability (Deja-vu) (!!)
9 – PHP wddx_deserialize() String Append Buffer Overflow Vulnerability
10 – PHP php_binary Session Deserialization Information Leak Vulnerability
11 – PHP WDDX Session Deserialization Information Leak Vulnerability
12 – mod_security POST Rules Bypass Vulnerability
13 – PHP 4 Ovrimos Extension Multiple Vulnerabilities

malware analysis (Nailuj)

hessam — Sun, 04 Mar 2007 14:02:04 +0000

again analysis a malware .”The malware, named Nailuj by some antivirus companies, is composed of 3 files: VideoAti0.exe, VideoAti0.dll and VideoAti0.sys. I won’t talk about all the files, but will focus my attention on only one, the sys file. This malware represents a nice target for those who want to approach a malware for the very first time because it uses well-known techniques, such as hiding files and hooking functions. Nothing hard once you have dealt with them at least once. In addition, the sys file is compiled in debug mode and every operation performed by the malware is documented inside the code. Yes, every time it does something it reveals its success or failure, printing out a comment using DbgPrint function. This is really useful because you know what it will do before starting to analyze the code, not so bad”

Download This paper in pdf format

Analysis of the worm “Tibick.D”

hessam — Fri, 23 Feb 2007 17:40:07 +0000

The aim of this article is to give an introduction to the field of malware analysis. The worm dissected later in this article is neither new nor unknown and has been analyzed already. A very simple and primitive worm has been chosen to make this article most understandable especially to those who never reversed a worm before or are (relatively) new to reverse engineering.
This article might be not very interesting for advanced (malware-)reversers.
view this paper (HTML format)