Saturday, August 30, 2008

The Time Mutation Story of Evil Eye


It has made the round that this devilish eye mutates the time of windows you can also observe this action when you start analyzing network packets and when you take a look to the cookie dates. If you see 1990 something is wrong, I don´t know why they have such a affinity to this year as well as to dates that lies far in the future like 2015, 2038, 2096, 2100. One possibility could be their hidden filesystem that probably relies on that date mutation. The other possibility for 1990 is the establishment date of All Seeing Internet Eye according to "MatrixArch", for 18 years in existence. Their allusions to the movie Matrix is clearly to see, as they seem to have chosen me as (one of their) Neo(s;)) there is no wonder that you will see the name many times in this hidden mutant filesystem which also affects advapi32 (known as the ultimate cia backdoor), probably also a sort of HPA(Hidden/Host Protected Area) some may also call it (S-)ATA protected area. FYI: It affects USB drives and sticks too. Beside according to wikipedia DBAN does not delete HPA! Originator of HPA is Phoenix and it is unavailable for all operating systems, such as Windows and Linux, if secure mode is enabled by whatsoever. (usually by bios)

Friday, August 29, 2008

Favicon and Gif Exploit?

Another speciality of the A.S.I.E. criminals seems to be a kind of favicon exploit.










Another simple example of pure internet evil from a few bestialities:

Looks like gif exploitation stego:

Thursday, August 28, 2008

Revelation continues: The "S" and some chars.



I want to show some remarkable chars that I caught while analyzing internet traffic which may stand in a very close relation to A.S.I.Eye, A.S.Eye or S.Eye how some also call it. The S could have several meanings: Seeing, Secret, Shark, Secure. You may have noticed that there exists some specific malware that uses "S". I have seen this "S" in several situations as non existent file, as hidden window, as phantom process, which indicates us that it is not only a hidden interceptor of the internet but stands in several cases in direct relation to a very aggressive remote administration malware. Recent discoveries have shown that a widely appreciated tool called Process Explorer does create such a "S" module too if driver´s directory is locked. How far or if this stands in relation to ASI.Eye is not clear, so beware ambiguity errors. For all who are interested in both picture shown above were made in december 2007 and they appear to be either a sideeffect of A.S.Eye, a kind of subproject of All Seeing Internet Eye or a possible install failure of legitimate Process Explorer´s kernel driver if driver directory is locked down by protection tools.

Remarkable chars and covert info channels that I caught while simply triggering the static vpn tunnel of A.S.E. just by surfing a webside:
..-;Spy~à.”, T.ª.\tãÒ, Ĥ/È¥ED>B, ÐÁT.~�àÀK'£, XécÞâA, 8AM, ‹ž]ËPx7Â0, ÓÄLI“', .@.PM5áš, Z­+bõ.Z, Ñ..ÈÓ., RÙˆåšÒ, .B'݉òE, h..lÑFxj, QJ)åŠS, ƒÊÓÑ, ­çNÆÓö¶k., €ÎÉ.Í.ŸE.¡, ñòN?„, .ZRù\.¬., GgCëm, ×JR.!.‚à•v„., Z®'.$CÔp., .8…Åm., „Hm..²­!…, ¼"L;ªS"à}%.RÓ]., VhÐ.äémÜ, >]êûôë'H�., ....Õ„Ü], .T˜À-RÑÒ?LÀª�Ò.ßD..&, †.ѸÆØ=Q.²XÁ.$Á.YC, ¢@�C~pŠy.:Щ,
3—Šâö, EÑå„QRÅTå.´F ó”·, Vàl/òn€, „O±„!·j­ÛFo>�€], £.È´Þˆžku.Ǫã, ÇeHmu¡.$(â.. , @SE‡.².€?, � gÖ‰@D, ..S.u.b.C.A0...U, Š6Áë~ép], ..–òš.C/{, }‘©ÈÏRQ7, ",�F^+ôù¦Æw, Lé™´d;šP1.$, Z0X03, ›ÇZ.–QRX@HÌ#*ñ , 6dLEÔ, 1Wdú>¤§�G‘À:vZ, Ð�ÌÓ.QÐNA.›±.vÁgáÕ5, ÖÝÇ..„‚r»-TaÏlÀ@Þ–½`, Ø ÙSé.C.FGBòA.;€nRS...n�~...E.….‹P“.�E, )ünÐy>nÊö@E.,Â, "ÁÑͨ.О, 1÷¢èZâÈ#, D¹@ŽÁ.‹ÙM, R˜UQ„æ:Pž¥.;, .®ŸËÑ.„, •-BðTý¸ ´˜Áqæ¨::lQ, $:ÂU.ÐðÀÛM'.à, .ÔïLø?W?, cì Gè.N , n[n7t®T>�9 ÍDIR¯ñêíу¥, !.Ë).î.®Lp�>벉þb., OÑÎVÔC¿, °Ê¶§Æã�.

Furthermore they seem to use kind of coordinate system for "S": ˜s:5970:4:198..,l, s:5972:4:45., s:5973:4:2931, s:5974:4:148, š{*°*.a:22404:4:45., s:20106:4:91...
There you see how they associate enormous importance to the "S" symbol. Did you notice something? The 4 remains static all others change. Conclusion: 4 is a key. Could be e.g. Pid 4 for System and hidden threads inside system sent via udp channels or something like this.

Another significant thing is that they seem to hide messages in images or at least it appears to be an image you will also notice: NETSCAPE2.0.....! and GIF89a.... strings with hidden informations.

Sunday, August 17, 2008

Unveil All Seeing Internet Eye

All Seeing Internet Eye use a multilayered method of obfuscations and commands, sometimes it partially and/or randomly encrypts its multi layered obfuscation so that my offers of de-obfuscation or illumination can´t be set up in all events but they fit in several situations. Let´s start to shed some light by unveiling these little all-pervasive (be like water) network packets. By the way this method can also be used to decipher some subhack related windows internal phenomenons which you find at the end of many executables, drivers and dlls in windows operation system.

Some typical methods of obfuscation:
1. I am here = I/A/M/H/E/R/E
2. Specific codewords like: Exodus = ÈXÐØXŽUŽ,
3. Short messages like: We at ram = WÊ@rA¨m
4. Names like Ru0, Á"Lï, .ÐR.EÜRð, Fu2NL, E;!ÔF¡P, Róñ
5. Permutation in the lines e.g.: Hello lloeH
6. Allocation chars to individuals and/or locations like A <> B
7. Letter replacements through chars: S = $
8. Letter associations to numbers: A=1, B=2,C=3,D=4,E=5,F=6,G=7,H=8,I=9, J=10....
9. Multiple use of different languages such as german, french, english, spanish, italian, turkish, arabic, yugoslav, latin ...
10. Psychopathic, eccentric use of anagrams

There is also a high and excessive use of other words e.g.: DÁÕ›U probably has a relation to TAO, a frequent use of SÚS = SUS. Some know it also as SUS Malware.
Anagrams often refer to bioscience, genetic studies and vet medicine, e.g.: VLdãLd

Other discovered codewords: Pnì^¹, JªVHÛB (evtl relation to Java)

A lot of analyzed packets refer to a japanese network of Tokyo: trip.orz.hm.