moved !

May 4, 2007

I didn’t post for quite sometime is because I am really busy with my school exams.
and start again next month . and this weblog completely moved to and this weblog closed !
If you added my link in your weblog or website please change it.


Analysis of Malware Spread via SPAM and ANI vulnerability

April 9, 2007

i posted about ANI vulnerability malware some days ago and today i saw a paper on websense security labs about analysis of malware spread via spam and ANI vuln.
view this paper on websense

Perl Underground 4

April 9, 2007

Perl Underground talk about exploiters perl codes. in this ezine they focused on bad perl codes.
this is really nice .
Read this ezine on

New worm use the .ani zero day vulnerability

April 2, 2007

Some days ago researchers declared an alert for Microsoft Windows Cursor and Icon(.ANI) zero day vulnerability . now they declared an alert for a new worm .
“It’s a bad news that the Windows Animated Cursor Handling zero-day vulnerability has been used by malwares in China now. We have received this kind of new worm today. It has the same behavior as Worm.Win32.Fujacks. It also can infects .HTML .ASPX .HTM .PHP .JSP .ASP and .EXE files, and inserts the malicious links which contained Windows Animated Cursor Handling zero-day vulnerability into .HTML .ASPX .HTM .PHP .JSP .ASP files. It also can send out Chinese spams which are include the same zero-day vulnerability link. ”
view analysis on CISRT

Security Links !!

March 21, 2007

ArazSamadi have a nice list of security websites and weblog you can view this list here .

  • FIRST global security
  • netsec
  • Mega security
  • Digg security
  • Donna’s SecurityFlash
  • Symantec SR blog
  • Mike Rothman
  • ISC sans
  • Mike Rothman
  • frsirt
  • osvdb
  • milw0rm
  • secunia
  • security
  • National Vulnerability DB
  • ONLamp – Security
  • securiteam
  • SecurityFocus
    (list is long … read more )

    Read the rest of this entry »

  • Cpanel BruteForce problems

    March 21, 2007

    some months ago i coded a perl script. this perl script is a Cpanel BruteForce .
    some visitors (damn to skidds) mail  me about “how to use it ?” or “how can i found password list for it?”.
    this script have not special password list and for example you can use milw0rm password list . and if this script have low speed use php script. and can other information about usage in script.


    Site again started with new desing

    Exploiting Windows NT 4 Buffer Overruns

    March 15, 2007

    This paper show how to exploiting buffer overruns on windows nt 4.
    This document is for educational purposes only and explains what a
    buffer overrun is and shows how they can be exploited on the Windows
    NT 4 operating system using RASMAN.EXE as a case study. We will take a
    look at Windows NT processes, virtual address space, the dynamics of a
    buffer overrun and cover certain key issues such as explaining what a
    stack is and what the ESP, EBP and EIP CPU registers are and do. With
    these covered we’ll look into the buffer overrun found in RASMAN.EXE.
    This document may be freely copied and distributed only in its
    entirety and if credit is given.

    View this paper .

    Month of PHP Bugs

    March 6, 2007

     Month of PHP Bugs started and now have 13  advisrories :
    1 – PHP 4 Userland ZVAL Reference Counter Overflow Vulnerability
    2 – PHP Executor Deep Recursion Stack Overflow
    3 – PHP Variable Destructor Deep Recursion Stack Overflow
    4 – PHP 4 unserialize() ZVAL Reference Counter Overflow 
    5 – PHP unserialize() 64 bit Array Creation Denial of Service Vulnerability
    6 – Zend Platform Insecure File Permission Local Root Vulnerability
    7 – Zend Platform ini_modifier Local Root Vulnerability
    8 – PHP 4 phpinfo() XSS Vulnerability (Deja-vu) (!!)
    9 – PHP wddx_deserialize() String Append Buffer Overflow Vulnerability
    10 – PHP php_binary Session Deserialization Information Leak Vulnerability 
    11 – PHP WDDX Session Deserialization Information Leak Vulnerability
    12 – mod_security POST Rules Bypass Vulnerability 
    13 – PHP 4 Ovrimos Extension Multiple Vulnerabilities

    malware analysis (Nailuj)

    March 4, 2007

    again analysis a malware .”The malware, named Nailuj by some antivirus companies, is composed of 3 files: VideoAti0.exe, VideoAti0.dll and VideoAti0.sys. I won’t talk about all the files, but will focus my attention on only one, the sys file. This malware represents a nice target for those who want to approach a malware for the very first time because it uses well-known techniques, such as hiding files and hooking functions. Nothing hard once you have dealt with them at least once. In addition, the sys file is compiled in debug mode and every operation performed by the malware is documented inside the code. Yes, every time it does something it reveals its success or failure, printing out a comment using DbgPrint function. This is really useful because you know what it will do before starting to analyze the code, not so bad”
    Read the rest of this entry »

    Analysis of the worm “Tibick.D”

    February 23, 2007

    The aim of this article is to give an introduction to the field of malware analysis. The worm dissected later in this article is neither new nor unknown and has been analyzed already. A very simple and primitive worm has been chosen to make this article most understandable especially to those who never reversed a worm before or are (relatively) new to reverse engineering.
    This article might be not very interesting for advanced (malware-)reversers.
    Read the rest of this entry »