Thursday, August 28, 2008

Revelation continues: The "S" and some chars.



I want to show some remarkable chars that I caught while analyzing internet traffic which may stand in a very close relation to A.S.I.Eye, A.S.Eye or S.Eye, as some also call it. The S could have several meanings: Seeing, Secret, Shark, Secure. You may have noticed that there exists some specific malware that uses "S". I have seen this "S" in several situations: as a non-existent file, as a hidden window, as a phantom process, which indicates to us that it is not only a hidden interceptor of the internet but stands in several cases in direct relation to a very aggressive remote administration malware. Recent discoveries have shown that a widely appreciated tool called Process Explorer does create such an "S" module too if the driver's directory is locked. How far, or whether, this stands in relation to ASI.Eye is not clear, so beware ambiguity errors. For all who are interested: both pictures shown above were made in December 2007 and they appear to be either a side effect of A.S.Eye, a kind of subproject of All Seeing Internet Eye, or a possible install failure of legitimate Process Explorer's kernel driver if the driver directory is locked down by protection tools.

Remarkable chars and covert info channels that I caught while simply triggering the static VPN tunnel of A.S.E. just by surfing a website:

Furthermore, they seem to use a kind of coordinate system for "S": ˜s:5970:4:198..,l, s:5972:4:45., s:5973:4:2931, s:5974:4:148, š{*°*.a:22404:4:45., s:20106:4:91...
There you see how much importance they attach to the "S" symbol. Did you notice something? The 4 remains static while all the others change. Conclusion: 4 is a key. It could be, e.g., PID 4 for System and hidden threads inside System sent via UDP channels, or something like this.

Another significant thing is that they seem to hide messages in images, or at least in what appears to be an image; you will also notice the NETSCAPE2.0.....! and GIF89a.... strings with hidden information.
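GIF89a is the GIF file header and NETSCAPE2.0 is the identifier of the application extension that controls animation looping, so both strings appear in any looping GIF that crosses the wire. To check whether a captured image carries anything beyond its own structure, walk its blocks. The following is an added example (mine, not code from the post) that parses a constructed sample GIF, lists its application extensions, counts its images and reports any bytes that follow the 0x3B trailer, the simplest place extra data can be appended.

```python
# Constructed 1x1 GIF with a NETSCAPE2.0 loop extension, followed by bytes
# appended after the 0x3B trailer (constructed sample, not captured traffic).
SAMPLE_GIF = (
    b"GIF89a" + b"\x01\x00\x01\x00\x80\x00\x00"       # header + logical screen descriptor
    + b"\x00\x00\x00\xff\xff\xff"                     # global colour table (2 entries)
    + b"\x21\xff\x0bNETSCAPE2.0\x03\x01\x00\x00\x00"  # application extension: loop forever
    + b"\x21\xf9\x04\x00\x00\x00\x00\x00"             # graphic control extension
    + b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00"     # image descriptor, no local colour table
    + b"\x02\x02\x44\x01\x00"                         # LZW min code size + one data sub-block
    + b"\x3b"                                         # trailer
    + b"hidden payload"                               # data after the trailer: not part of the image
)

def _skip_sub_blocks(data, pos):
    # Skip length-prefixed sub-blocks starting at pos; return offset after the 0x00 terminator.
    while True:
        n = data[pos]
        pos += 1
        if n == 0:
            return pos
        pos += n

def inspect_gif(data):
    # Walk the GIF block structure; report application extensions, image count, trailing bytes.
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    packed = data[10]
    pos = 13
    if packed & 0x80:                          # global colour table present: 3 * 2^(n+1) bytes
        pos += 3 * (2 << (packed & 0x07))
    report = {"app_extensions": [], "images": 0, "trailing_bytes": b""}
    while pos < len(data):
        block = data[pos]
        if block == 0x3B:                      # trailer: a clean file ends here
            report["trailing_bytes"] = data[pos + 1:]
            return report
        if block == 0x21:                      # extension block: label, then sub-blocks
            if data[pos + 1] == 0xFF:          # application extension: first sub-block is the identifier
                n = data[pos + 2]
                report["app_extensions"].append(data[pos + 3:pos + 3 + n])
            pos = _skip_sub_blocks(data, pos + 2)
        elif block == 0x2C:                    # image descriptor: 9 bytes + optional local colour table
            local = data[pos + 9]
            pos += 10
            if local & 0x80:
                pos += 3 * (2 << (local & 0x07))
            pos = _skip_sub_blocks(data, pos + 1)   # +1 skips the LZW minimum code size byte
            report["images"] += 1
        else:
            raise ValueError("unexpected block 0x%02x at offset %d" % (block, pos))
    return report                              # no trailer seen: file is truncated
```

On the sample, `inspect_gif(SAMPLE_GIF)` reports one image, the `NETSCAPE2.0` extension and `b"hidden payload"` as trailing bytes; an image viewer would render the file normally and never show that the extra bytes are there.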
