Deobfuscated

Coloring junk code in IDA Pro

2011-06-21T19:32:00.000+02:00

Especially when reversing malware, junk code is always a pain.
For the sake of readability, I often color junk code with some dark color.
This makes the disassembly much more readable as shown below.

However, coloring instructions in IDA Pro is not very handy.
One has to go through menus ("Edit"->"Other"->"Color instruction...") and pick up a color for every single block to be colored.

That's why I wrote a very simple IDC script which can help with this and save some time. It simply colors the current instruction (at the cursor location) or the selected instructions, if any.
Running the script on an instruction that's been colored already sets its color back to the default value.
Also, a new hotkey ("j" in this case) is defined.

#include <idc.idc>

#define JUNK_COLOR 0x7f5555

static ColorJunkCode()
{
 auto start, end;
 if ((start = SelStart()) == BADADDR)
  start = end = ScreenEA();
 else
  end = SelEnd();
 do {
  if (GetColor(start, CIC_ITEM) == JUNK_COLOR)
   SetColor(start, CIC_ITEM, DEFCOLOR);
  else
   SetColor(start, CIC_ITEM, JUNK_COLOR);
  start = NextAddr (start);
 } while (start < end);
 Refresh();
}

static main()
{
 AddHotkey ("j", "ColorJunkCode");
}

Run the script in IDA ("File"->"Script file...") and you're ready to go.
Hitting <j> will now color current/selected instructions.

If you want IDA to load this script automatically, follow these steps:
- Store this script in IDA/idc (not mandatory but it makes sense to keep all scripts in the same directory)
- Edit IDA/idc/ida.idc:

Add the line "#include <colorjunk.idc>" (or whatever filename you like) at the top of the file
Copy/paste the AddHotkey instruction into the function "main"

- Remove the function "main" from colorjunk.idc

Security Essentials Rogue AV Anti-Debugging

2010-10-20T11:19:00.020+02:00

While Microsoft Security Essentials is a legitimate AV software, there's also a rogue AV going by the same name.
Usual story, fake alerts constantly popping up, enticing the user to "buy" a licence...

With no surprise, the sample I was looking at calls home in Latvia.

whois 85.234.191.185
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: This output has been filtered.
% To receive output for a database update, use the "-B" flag.

% Information related to '85.234.190.0 - 85.234.191.255'

inetnum: 85.234.190.0 - 85.234.191.255
netname: ATECH-SAGADE
descr: Sagade Ltd.
descr: Latvia, Rezekne, Darzu 21
descr: +371 20034981
remarks: abuse-mailbox: piotrek89@gmail.com
country: LV
admin-c: TMCD111-RIPE
tech-c: TMCD111-RIPE
status: ASSIGNED PA
mnt-by: AS6851-MNT
source: RIPE # Filtered

role: TMCD Admin Contacts
address: Ieriku 67a, Riga, LV-1084
org: ORG-TMDA1-RIPE
e-mail: bkc@bkc.lv
admin-c: AS1606-RIPE
admin-c: TP422-RIPE
tech-c: RF2443-RIPE
tech-c: IR106-RIPE
nic-hdl: TMCD111-RIPE
source: RIPE # Filtered

% Information related to '85.234.160.0/19AS6851'

route: 85.234.160.0/19
descr: BKCNET Autonomous System
descr: IZZI SIA
descr: Ieriku 67a, Riga, LATVIA
origin: AS6851
mnt-by: AS6851-MNT
source: RIPE # Filtered

Enough with the boring stuff...

The funny part starts right at the entry point. A quick look at the disassembly reveals that this piece of crap overwrites its own code with the opcode 0x43 (INC EBX) via REP STOSB.

The puzzling detail is that the REP STOSB instruction will be overwritten as well.
And, indeed, if we step trough this code, we end up with that:

Indeed, when single stepping, the debugger executes only one instruction (i.e one iteration of REP) and ends up executing the overwritten bytes.
When the JNZ is reached, ECX equals 1. This is because REP STOSB has been overwritten before the last iteration of STOSB (That's why only half of REP STOSB has been replaced by 0x43).
The jump is taken and the sample quits after showing a dialog box reading "BitDefender". Might be complete crap or a way for the bad guys to underline that BitDefender's emulator cannot handle properly this code. However, I won't bother checking this...

If, instead of single stepping, you set a breakpoint on the JNZ and run the debuggee, the behaviour is different. REP STOSB is executed normally (atomic execution) and ECX equals 0 when the conditional jump is reached.
And malware happily keeps running...

Not very stealth but a nice little anti-debugging and maybe anti-emulation trick.

More on (moron?) packers and anti-debugging

2010-06-23T15:15:00.002+02:00

That's a pretty nice anti-debugging trick I recently ran across.
It actually relies on those API that behave differently depending on whether the current process is being debugged or not.
This snippet comes from a protector that is, as far as I know, only used to hide malware from AV engines.

According to MSDN, FindClose() returns 0 in case of failure, which is true...unless the process is being debugged. Under a debugger, execution stops because of an access violation exception.

Let's quickly check this with the following code:

int _tmain(int argc, _TCHAR* argv[])
{
FindClose (0);
printf ("Lasterror %08x\n", GetLastError());
return 0;
}

Run from the command line, everything goes as expected:

>findclose.exe

Lasterror 000003e6

Same thing but under the VS debugger:

First-chance exception at 0x7c90100b in findclose.exe: 0xC0000005: Access violation reading location 0x00000028.

Oops...

Our friend then goes through the PEB to read the LastError value and uses it to calculate its decryption key.

Nice one...

Anti-Emulation Through Syscalls

2010-04-04T18:49:00.001+02:00

Long time no see, I know.
I was, and still am, very busy, which doesn't allow me to take care of the blog as much as I'd like.

Anyway, I was having a look at a bunch of packed malware and ran into a pretty cool anti-emulation trick. It's, in fact, already known and well documented but still, that's a nice one.
Those samples are packed with something that Kaspersky calls PE_Crypt.pnh (or PE_Patch.pnh for those with a patched EP).

This anti-emulation code is always put a few instructions after the EP. The first technique is really trivial to spot as it's just a bunch of MMX instructions that not all emulators support.
The second one is trickier.

Depending on the debugger you're using, if you step through this code, you're likely to get an access violation exception.
Setting a breakpoint after the interrupt call and running the debuggee should work just fine but you're likely to be surprised when checking registers values...

Indeed, when the interrupt returns, the edx register contains the value of eip. And this is exactly what this piece of code relies on to proceed with decryption.
Because of the fact that emulators often can't handle MMX instructions, special behaviors of interrupts, etc..., the interrupt will be ignored (or worse, emulation will fail) and edx will keep its value. This will lead to a crash since edx doesn't contain the right virtual address.

Question is, why does edx contain the same value as eip when the interrupt returns?
No mystery here, it comes from sysenter / sysexit.
Indeed, when having a look at the Intel instruction set reference doc, you can read the following about sysexit:

The SYSEXIT instruction sets the following registers according to values specified by the oper-
ating system in certain model-specific or general purpose registers.

CS register       set to the sum of (16 plus the value in SYSENTER_CS_MSR)
EIP register      set to the value contained in the EDX register
SS register       set to the sum of (24 plus the value in SYSENTER_CS_MSR)
ESP register      set to the value contained in the ECX register

This is it, the address to jump to when the processor switches back to ring3 is saved into edx.

Easy to implement, but very efficient when it comes to avoid emulation and then detection by AV products.

Happy New Year!!

2010-01-04T11:39:00.000+01:00

Better late than never, I wish you all a happy new year! :)

Splinter(ed)cell...

2009-11-26T17:07:00.001+01:00

Not only security companies and networking websites are targeted by bad guys.
UbiSoft announced on twitter that splintercell.com had been hacked.

Indeed, instead of the usual splintercell's homepage, a "nice" Russian message was there to welcome visitors...

And obvioulsy, the traditional message to be sure that the hacker's name won't be forgotten...

Surely a lot of work ahead for the UbiSoft guys :)

I'm so l33t...when I'm admin

2009-11-03T22:47:00.001+01:00

I initially thought it was a sort of joke and finally realised that it was something supposed to be serious.

The French school ESIEA has organised a challenge called PWN2RM (sounds familiar?).
The goal was to disable some anti-virus software. Mmmm, why not, it's trendy after all :)

The PDF is just amazing.

First, one can say that they surely needed at least 10 minutes to make such beautiful slides...
Just joking, the real fun begins at slide 3.

1. Gain SYSTEM privileges (“at” command)
2. Stop the service (net stop)

Oh man!!! That's l33t.
So, tell me, your target is what, Windows XP? And you can stop a service once you got system privileges. Wow, congratulations!
But hold on, you were talking about disabling AV products, right? What's the link with any product here?

Another really funny bit:

• So far, hasn’t been disabled
• NtOpenSection() is blocked (used to
access PhysicalMemory mapping)
• But XXXXX doesn’t block kernel driver
loading, so it’s only a matter of time

Ok, I'd translate this to "Well, we know it's possible to do cool stuff with a kernel driver but we have no clue whatsoever how to write one"

Slide 5, one can read:

• Disabled through
\Device\PhysicalMemory (an XP-only
trick, wouldn’t work on Vista/7)

Ok, so the target was indeed Windows XP.

Guys, just for your information, one only needs SeDebugPrivileges to read from / write to the kernel memory on WinXP (you know, DKOM, etc... ring a bell?).
So, what's interesting here? What's new? That you ran "at" to get a system shell?
Tell me what one _can't_ do once SYSTEM on an XP box?
Seriously...

I don't even understand why this school accepted to put that *** on its website...

I'm so looking forward to your next slides!
What will it be? "Bypassing Javascript authentication"?

At least you made me smile...

More on (moron) rogue AV...

2009-10-21T23:26:00.000+02:00

It's one of the most prevalent malware in the wild (often referred to as "scareware").
It's very simple but unfortunately works pretty well.

It looks like a security product (most likely an anti-virus or an anti-spyware) and happily detects hundreds threats / viruses / whatever nasty you can think about when it comes to your computer.
The trick appears when you finally click on "Clean" to get rid of all those viruses. You get redirected to a webpage asking for you credit card details...
Needless to say that those fake AVs exist only for this: stealing your money.

Don't be fooled. If you want a real AV product, go for the well known brands. There are even free AVs.
In the case you are somewhat tech-savvy, check whois databases.
Domain names used for serving malware are never up for a long time.A brand new domain name is always suspicious.

Here's an example of a rogue AV, stupidly called Soft-Cop.
The installer is a NSIS package that is surprisingly small for an AV product (61489 bytes).

Once installed, it happily runs a full scan and obviously finds hundreds of imaginary threats as shown below.

Geez! That's a lot for my freshly installed Windows :)

The guy(s) behind this is(are) so stupid that they even show off the infected file paths. Cool, let's have a look...

Mmmm, am I day-dreaming or what?
Those files do exist on my hard-drive (well, they didn't before the scan)
Ok, nothing to get excited about. That piece of crap just generates random file names, creates these files and fills them up with random bytes.
Not sure what's the purpose of that to be honest...anyway...

Another "hacker" trick is to make users think that running processes are from Microsoft (one can put whatever he wants in PE resources).
Oh man... Ok, why not, but in this case, could you at least give some plausible names to your files?!?!

Do you guys think that anyone could believe that SoftComp.exe is the Windows Calculator? O_o
What the hell are you smoking?

Last but not least, let's scare users a little bit!
Like other rogues, our lame brand new friend displays annoying alerts pushing you to happily give your money...

Rogue AVs are a real threat. Many end-users just can't make the difference between a real security software and a rogue. And unfortunately, some of them end up giving away their credit card details.
That's the sad part of the story.

Now, this is another point of view.
I've seen many rogues. They're all the same...
Shitty code, stupid so-called "tricks", two-cent social engineering...

Yeah, from the bottom of my heart, you guys, writing scarewares, you really suck.
But thank you so much!
Having a look at your shit in a disassembler is even better than reading The Daily WTF. :D

But still, you suck...

Missing milw0rm?

2009-10-13T19:41:00.002+02:00

Well, milw0rm is gone. Sad isn't it?
Some time ago I wrote a quick blog about it and a quite interesting comment just got posted. (cheers!)

Yeah! You can smile again and add inj3ctor.com to your bookmarks :)

EICAR 2010 will be held in France

2009-10-04T17:57:00.000+02:00

Good news for all the French IT-sec dudes out there, EICAR 2010, named "ICT Security: Quo Vadis?" will take place at ESIEA in Paris.
Not cheap at all but usually a really good conference.

Go get your pass! :)

Some apple juice

2009-09-09T11:21:00.003+02:00

It's kinda old now but this write-up about Apple from Ted Dziuba is really cool.

I really like what this guy writes on The Register. Very straightforward :)

If you got a minute, have a look at it, it's worth a read.

"Damn viruses!"...

2009-09-07T23:52:00.004+02:00

...must be what the IT guys at the London Council have been yelling for days.

As reported by The Register, the London Council has been kinda shaken by Conficker.

Well, there are actually three things way to common in the aforementioned article:
- The infection vector is a USB stick plugged in by an employee
- The infection spread over the network, guess why...
- No anti-virus software has blocked the infection, guess why...

Then, once again:
- It is _really_ useful to make anyone using a computer understand that personal and corporate data / media _must_ not be mixed
- Security patches are _truly_ important. Yeah, I heard too many times "You don't understand, it's not that easy to patch on those big heterogeneous networks". People saying that kind of nonsense are just stupid...or lazy...or both...
- AVs exist for a good reason...

Security is often not that hard... but requires a working brain :)

Snow Leopard is out...

2009-08-29T00:09:00.007+02:00

...and comes with plenty of nice stuff for Mac geeks.

Well, the cool thing is that Apple finally got rid of its old PPC code. Snow Leopard is said to be designed for Intel CPUs and will only work on those. Was about time but that's a good thing.

But the real funkiness in this new release is the so-called malware protection. Hey, hold on, some malware protection in MacOS? Sounds cool!
Er...no. In fact, it sounds more like a weird joke.

With virtually no effort on your part, Mac OS X offers a multilayered system of defenses against viruses and other dangerous malware.

Mmm is it not a bit too much?

Bearing in mind that, in order to avoid detection, malware often come in billions of variants, and that this protection is very unlikely to updated as it's part of the OS, I doubt their so-called protection will be really efficient.

On top on this, how many? Two malwares!?!? Is that this "multilayered system of defenses against viruses and other dangerous malware"? You gotta be joking...

Ok, last point, this feature works only with a set of applications shipped with MacOS like Safari, Mail or Entourage. How can we call this a protection system?

No, I'm trying my best but still can't get the point...

If you want to filter network connections, you get a firewall. If you want to get rid of the spam, you get an anti-spam.
You're a Mac user and are scared of malwares? Get an antivirus...

EDIT: more info and links here.

Wanna loose an eye? There's an app for that...

2009-08-28T23:04:00.002+02:00

You surely all heard about those iPhones whose battery tends to blow up unexpectedly. Nice...

Looks like a replay of those Sony batteries that would end up as a stack of ashes after burning like hell...

Anyway, Apple said that the reported incidents were due to an "external force".
Hahaha yeh, I'm sure a Jedi has for mission to break as many iPhones as he can :)

Many iPhone customers have complained about those sudden explosions.
Mainly in France but as well in the UK, Holland and Sweden. But no, they surely all have smashed their iPhone...
One man even got a piece of his iPhone's screen in the eye... Still, no. That dude must have put this piece of screen in his eye himself...

Wanna waste a lot of money in some gadget that might harm you badly? There's the iPhone for that!

Fed up with autorun worms? You might want to patch...

2009-08-28T22:37:00.006+02:00

Microsoft had such a great idea when they introduced the autorun functionality...

From a funky behaviour, it turned out to be a pain for administrators and surely the first thing that Windows users get rid of.

Well, actually, not everyone disables it.

And that's why worms exploiting this functionality to replicate are so successful.
One may know only Visual Basic and be as good at programming as I am at cooking (a real tragedy, I tell you...), she still can rely on the autorun to ensure that her piece of code will have a long life on corporate networks.

But here comes our saviour. A few months ago, Microsoft announced that this functionality would be re-thought in Windows 7, allowing autorun only for optical drives.
Good move men!
Windows XP, 2k3 and Vista users can download and install a (finally available!) patch on their system.

Go admins, patch up!
But hey, don't get too excited.
Why? Mmm here's one example: Many USB sticks present themselves as optical drives and thus, are not affected at all by this patch. And it's just one example...

Anyway, guys, deploy this patch through your network, it's worth it.

Nice report!

2009-08-05T20:17:00.002+02:00

It got a pwnie award and deserves it.

Nice report is a song made by the guys at sophsec.com and it's really funny :)

The lyrics are here.

Mac keyboard firmware rootkit unveiled at BlackHat

2009-08-03T23:29:00.007+02:00

This is really cool stuff that K. Chen from the Georgia Institute of Technology presented at BlackHat.
He tampered with the famous USB Mac keyboard firmware to demonstrate the possibility of injecting a rootkit whose goal is, obviously, to register keystrokes.

Despite the sound is not great, a cool video is available here.

The white paper is also a very good read for rainy Sundays :)

I just can't resist and must paste below a few extracts from Chen's paper that made me smile (and are just true...).
Keep in mind that these are only extracts...

The security posture of a computer can be adversely affected by poorly-designed devices on its USB bus.

Yeah, we all tend to forget that the security of a system is equal to the security of its weakest link.

The decryption routine reads the firmware file in 83 byte chunks with the ith chunk XOR-ed with the 1’s complement of A and then each byte XOR-ed with Bi+16 mod 53 to produce the “plaintext.”
So the first 83 bytes of kbd 0x0069 0x0220.irrxfw are XOR-ed with the complement of A and then each byte is XOR-ed with 0x17.
The next 83 bytes are XOR-ed with the complement of A and then each byte is XOR-ed with 0x2b, and so forth.

Wow, some hardcore crypto here :)

We did not make an attempt to completely understand the algorithm used to obfuscate the firmware image, as it turns out that the tool HIDFirmwareUpdaterTool sends “cleartext” over the USB bus to the keyboard’s bootloader.
The unobfuscated firmware file can be easily obtained from memory.

I actually read that part twice to ensure I understood well... This is bad, seriously...

The time when Apple products were considered secure because not really spread is over.
And this is actually good news as it will hopefully push Apple to take security seriously... before the bad guys take action...

Offvis 1.0beta released

2009-08-03T09:42:00.003+02:00

Despite Office document format has been opened and is publicly available, it's always a pain to look into those documents to ensure they don't contain some exploit.

Microsoft just released a very nice tool called Offvis. It supports Word, Excel and Powepoint files and shows the document into two panels.
The first shows a raw hex dump of the file while the second presents objects as a tree. Really useful.
As well, this tool checks for some known exploits within Office files. Handy :)

Nice one from the Redmond's giant.

Lame anti-debugging

2009-07-31T20:12:00.008+02:00

This surely is the worst anti-debugging attempt that I've seen in my whole life.
But yeah, it works.

This sample I ran across is a parasite that uses TEA to encrypt infected files before "swallowing" them. At least, resources are extracted so the infected program will keep the same icon, etc...

Anyway.

When run, the sample creates a new thread and exits. This thread logically opens the file itself to, amongst other things, extract and decrypt the original file.
Obviously, the virus author doesn't really like people chopping up its creation in a debugger so at the very beginning of the thread, you can see the following code:

Did you see the trick?

Looks like a very standard call to CreateFile but if you step into this code in your debugger, you'll be disappointed when CreateFile will actually return INVALID_HANDLE_VALUE.
The thread will then terminate and no infection will occur.

Well, no magic here. Your debugger owns a handle to the debugged program and the virus calls CreateFile with a null dwShareMode argument.
So, basically, if this file has been opened already by another program (no matter it's a debugger or not), the virus just terminates.

So, yeah, you can patch dwShareMode within your debugger or patch the file itself in your favourite hex editor.

I'm still wondering. When it comes to malwares, the bad guys are always very weird.
They think about some crypto, hiding processes and files, etc... but the only trick they found to prevent debugging was a parameter of CreateFile().

Mmmm, no, I don't get it... But at least it gave me a good laugh :)

p0wnage time

2009-07-30T19:10:00.008+02:00

So-called black hats are pretty active these days.

Matasano was the first victim. And according to the "We're still working on bringing content back. Please be patient." on their homepage, they're still struggling with restoring their data...
Was already a big thing to be honest. All the data have been deleted from their server and as it's an IT security company, this incident has been really noisy and reported by pretty much every news website.

The second wild p0wnage occurred a few days ago. As well, a lot of noise as several well-known IT security experts have been targeted. Kevin Mitnick, Dan Kaminsky and Julien Tinnes are a few of them. The attacker(s) published a big log file with file listings, personal emails, passwords, etc..
And I must admit that some bits are really funny... :)

Today, ZDnet published an article about an XSS vulnerability on the MI5 website. Despite this vulnerability has been publicly disclosed on the Team Elite forum, it seems that it hasn't been exploited and is now fixed.

Last but not least, the Apple iPhone is having a tough time. On top of some rumours about the already broken crypto in the iPhone 3Gs, Charlie Miller and Collin Mulliner gave a talk at BlackHat 2009 about vulnerabilities in the iPhone SMS handling...

Funky... ;)

Matasa....p0wn3d...

2009-07-27T16:08:00.005+02:00

Matasano Security is a well-known security company based in the US.

Unfortunately, Matasano is more known because of its different "mistakes" (yeah, I wanna be polite) than its core competencies...
If I were to cite only one example, it'd be the Kaminsky DNS vulnerability leak...

Anyway, now, there's another reason for Matasano to be famous: they've been p0wn3d biiiig time.

Click here for some laughters...

Wanna laugh more? Screenshot here.

And here comes another "secure by design" OS

2009-07-25T19:29:00.023+02:00

It's pretty old news now, but I was catching up with my RSS feeds and ran across (one more time) an article talking about Chome OS, the new OS from Google.
The goal is quite clear, a lightweight OS, designed to run fast, boot-up quickly and focus on web-apps. Rather logical as it will massively use online Google services like Google mail, docs and so on.

Alright, so far, so good. Why not...

But having a look at this introduction to Chrome OS, I can't avoid to... er, not sure whether it's laughing or crying.

Let me comment some bits from this article:

Google Chrome OS is an open source, lightweight operating system that will initially be targeted at netbooks. Later this year we will open-source its code, and netbooks running Google Chrome OS will be available for consumers in the second half of 2010. Because we're already talking to partners about the project, and we'll soon be working with the open source community, we wanted to share our vision now so everyone understands what we are trying to achieve.

Ok, developing a new OS from scratch is just an huge job and costs a lot of money.
So, Google will go for open-source projects (it'll run Linux) and just package them to run Chrome. Why not.
Nothing bad here.
I'd even say that releasing the source code of other components as they plan to do is really cool.

Speed, simplicity and security are the key aspects of Google Chrome OS. We're designing the OS to be fast and lightweight, to start up and get you onto the web in a few seconds. The user interface is minimal to stay out of your way, and most of the user experience takes place on the web. And as we did for the Google Chrome browser, we are going back to the basics and completely redesigning the underlying security architecture of the OS so that users don't have to deal with viruses, malware and security updates. It should just work.

Ok, so, as we said before, this so-called OS will be minimal. Don't expect to do anything else than browsing the web. Mmmm, alright.
But wait, did you read the last sentence?
"Completely redesigning the security architecture". Sorry? Aren't you guys reusing a Linux kernel?
What are you redesigning?
And, hold on... No need to deal with malwares nor security updates?
Well, I'd like to know how to be honest. Google explains that its OS is basically Chrome running on a Linux kernel and, as far as I know, both of them have been (and will surely be) impacted by vulnerabilities.
As well, it's not because malwares targeting Linux are rare that they don't exist (and can't be developed).

So, what's the deal here? No security update at all, or the updating process will be hidden from users?
If I had to choose, I'd go for the second one as I really don't want to be online with an old browser running on top of an old OS (as both are likely to be vulnerable to something...)
But still, as many people, I'm not happy with hidden stuff...

Besides, if this "perfect" security fails, how users will be able to track down viral infection or any other security issue on their machine as the only tool available seems to be the browser?

All web-based applications will automatically work and new applications can be written using your favorite web technologies.

Does this include silverlight? ;)

Google Chrome OS is being created for people who spend most of their time on the web, and is being designed to power computers ranging from small netbooks to full-size desktop systems.

Ok, I see why this kind of minimal system is interesting when it comes to netbooks.
But seriously, who will buy a desktop to run a web browser? I know many people just use computers to check their emails and browse the internet but, still, having a core duo, 4GB of RAM and a 3D graphic accelerator to run Google OS is like buying a Ferrari to go to the hairdresser...
Anyway, just a detail.

Especially when it comes to security, innovation is good. Thinking again about what already exists is vital. Being pro-active and proposing solutions is the way to go.
But I reckon that Chrome OS freaks me out. Just a few details have been published so far, marketing did its job as well to make the announcement, well, like it is, and I hope I'm wrong.
But the whole idea of an OS that is designed not to be administrated sounds bad to me.
This "Secure by design" concept is not new and never really worked so far.

Sounds really like "If you don't see the problem, well, there's no problem".
This is not security...it's all the opposite.

Yeah, I hope I'm wrong...

Die Delphi, die!

2009-07-22T16:13:00.006+02:00

I must run across too many Delphi samples on a daily basis...

My thoughts about that soooo beautiful language are:

Should have been called "Visual Pascal"...
Supposed to be an OOL but it's defintely not (we're far away from smalltalk here...)
A biiiig pain to reverse because of all the code added by Delphi itself which brings us to the next point...
Produces slow and ineffective code
Used almost only for malwares (when you're bad at programming, you go for Delphi...or VB...)

Okey, okey, it might not be fair.

Say I needed badly to spit out my anger ;)

Hey! There's a worm in that apple!

2009-07-21T20:25:00.009+02:00

When it comes to malware, we think right away of Windows.
No surprise here, Windows is and will be for (ever?) a loooong time _the_ OS massively used by companies and end-users.
Well, there are a couple a malwares for other OSes like Linux or MacOS but there are rare and often more some kind of POC than real malwares.

This situation pushes some people (even some so-called professionals...) to think that Linux, BSD or MacOS are more secure or even malware immune. That's obviously wrong. They're just less interesting targets.

MacOs has become trendy recently.
Well, Apple got itself some good marketing people... So good that every geek around feels bound to pay a computer twice its price ;)
Oh yes, I know, I know, the hardware is damn good, blablabla... That's true.
At the same time, MacOS X requires more resources than Vista(!) to run smoothly, so you'd better have some kick-ass hardware if you want to enjoy the super eye-candy Apple's OS...

Anyway, despite MacOS X is based on a BSD kernel, a large part of the OS is undocumented, and so far, not much interesting work has been done on it (as far as I know).
That's why I'm really glad that Dino Dai Zovi will give a talk about MacOS rootkits at the next BlackHat.
That's a really cool area to work on and is pretty new.

MacOS lacks many security features already used in almost all other OSes (stack layout randomization for instance), and it's about time to have a serious look into it...before the bad guys do...

Null pointer dereference vulnerability in the Linux kernel

2009-07-17T21:10:00.009+02:00

This is a really cool vulnerability that has been found by Eugene Kapun in the Linux kernel (2.6.30+).

So, what is it? Just a basic null pointer dereference in tun.c:


static unsigned int tun_chr_poll(struct file *file, poll_table * wait)  
{  
        struct tun_file *tfile = file->private_data;  
        struct tun_struct *tun = __tun_get(tfile);  
        struct sock *sk = tun->sk;  
        unsigned int mask = 0;  
  
        if (!tun)  
                return POLLERR;  
  
        DBG(KERN_INFO "%s: tun_chr_poll\n", tun->dev->name);  
  
        poll_wait(file, &tun->socket.wait, wait);  
  
        if (!skb_queue_empty(&tun->readq))  
                mask |= POLLIN | POLLRDNORM;  
  
        if (sock_writeable(sk) ||  
            (!test_and_set_bit(SOCK_ASYNC_NOSPACE, &sk->sk_socket->flags) &&  
             sock_writeable(sk)))  
                mask |= POLLOUT | POLLWRNORM;  
  
        if (tun->dev->reg_state != NETREG_REGISTERED)  
                mask = POLLERR;  
  
        tun_put(tun);  
        return mask;  
}

Alright, the problem is not hard to spot. The code checks whether tun is null _after_ being initialized.
Not good. But it's not exploitable, huh? You're right, it's not...

But here comes gcc optimization. Because tun has been initialized already, gcc just gets rid of the "if (!tun)[...]" which is correct in terms of optimization but also makes this vulnerability exploitable. Nice... :)

More info and exploit here.

Thanks to artyc for the heads-up!

l0phtcrack 6 and Nmap 5 are out!

2009-07-17T14:19:00.004+02:00

Pen-testers must be happy these days :)

First, l0phtcrack 6 has been released. Yeah, yeah...it's a Windows-only software but it's pretty good at what it does. More info on the l0phtcrack website.

Last but not least, Nmap 5 is out! And believe me, some guys have been working hard!
ZenMap, Ncat (some sort of super netcat), Ndiff and a super-charged NSE are just some bits of what's waiting for you in this new release.
Check out the changelog and this pretty good post from Securiteam.

Happy pen-testing! ;)

R.I.P milw0rm

2009-07-09T10:33:00.004+02:00

It was one of the best public websites to find exploits.

Obviously, many people think that such a website should be taken down as it's heaven for script kiddies... But it was as well really useful for security consultants.

Exploits are and will always be available. The only difference is that you'll find them only within some "private" communities...which just makes the good guys work even harder.

Rest in peace, milw0rm.

Big brother with big vulnerabilities...

2009-06-24T18:58:00.005+02:00

China is well known to be a not so free country, and monitoring (spying on?) network traffic is just one example of its actions aiming to control the Chinese population.

On top of its famous Golden Shield, the Chinese government now provides its own content-control software, called Green Dam Youth Escort.
And it's mandatory to have it installed on any new computer...

The official aim of Green Dam is to protect users, in particular children, from malicious or dodgy content. Sounds nice... but the reality is obviously slightly different, and reversing this piece of software quickly reveals some filtering on political keywords and other stuff not appreciated by the Chinese government.

No big surprise so far... Except that Green Dam comes with stupid vulnerabilities and as it acts as a web proxy, it really puts users at risk.
The problem? The library in charge of the filtering uses fixed-length buffers to process web-sites requests.
You got it, buffer overflow exploitable to remotely run arbitrary code.
Nice...

Well, Green Dam's editor patched it silently. So silently that it's still vulnerable...

Seriously, there're enough botnets in the world, we don't need that s***...

50 ways to inject your SQL

2009-06-21T23:14:00.003+02:00

This is a funny post from the Sunbelt weblog.
Check out the video on youtube and listen to the lyrics.
No doubt all the geeks and pen-testers around will enjoy it! :)

IDA 5.5 is out!

2009-06-17T16:11:00.005+02:00

...and so is Hex-Rays 1.1 :)

No breaking news though, but I got to try this new "dockable user interface" only today.
I have to say, it rocks! :)

The IDA's GUI (on Windows) has always been something very annoying for beginners and still not handy for others.
The nightmare really started when launching the debugger. All those windows overlapping one another...a real mess.

Finally, IDA's got itself a nice and handy GUI. Was about time! :)

There are other improvements in this release, for more information, please check out the changelog and Ilfak's blog.

Phrack 66 is out!

2009-06-11T22:29:00.004+02:00

The new issue of phrack has just been published.

I didn't have the time to look at it yet, but according to the table of contents, I'm sure it's a great issue, like the previous ones...

Wanna read something interesting? There you go.

Malwares targeting ATMs

2009-06-10T22:14:00.004+02:00

This is really scary but finally not that surprising.

It seems that some hackers managed to infect ATMs with a specially crafted card, allowing to replace some Windows system files with malicious binaries.
The malware obviously gathers personal banking details.

So far, attacks have been reported only in Eastern Europe... but let's keep in mind that ATMs aren't that different in other countries...

Well, my question for the moment isn't why this is happening, but why we run Windows XP on ATMs...

More information on the McAfee Avert Labs and Bruce Shneier's weblogs.

T-Mobile got 0wn3d

2009-06-10T12:36:00.004+02:00

T-Mobile acknowledged that some hackers broke in their network.
The initial announce was posted on Full-disclosure on last Saturday but it was impossible to tell if this was fake or not.

Seems that the attackers have been kinda disappointed by T-Mobile reaction and are now trying to sell the stolen data.

By the way, T-Mobile seems to love HP-UX :)

EDIT: T-Mobile confirmed the hack, but says customers data are safe...

Hasta la vista...Astalavista

2009-06-07T17:19:00.003+02:00

Hard to tell if this is fake or not, but still, it's kinda funny to read.

Really looks like a wild p0wnage of astalavista.com...

A bit long but if you have 10min free, go ahead til the end, where the juicy bits are...no mercy whatsoever!

http://zone-h.org/mirror/id/8961233

SSTIC 2009 is over

2009-06-06T18:37:00.007+02:00

That's it. SSTIC 2009 is over and it was really cool.

Some really really good talks. (And obviously a few that were not that good...)

I particularly enjoyed:
- Data tainting for malware analysis by F. Marceau (well done dude! ;) )
- Attacking through the PCI bus by C. Devine and G. Vissian
- Compromising electromagnetic emanations of wired and wireless keyboard by M. Vuagnoux and S. Pasini (Amazing slides!!)

Was nice to see some friends / colleagues there and I'm really looking forward to attending SSTIC 2010.

Now guys, it's about time to get some rest. We really all need it... ;)

Secrets, lies, but no paranoia...

2009-06-01T18:00:00.006+02:00

... is what Secrets & Lies from Bruce Schneier is all about.

Not the first book from Bruce Schneier I read and I haven't been disappointed so far.
A sensible point of view about security, privacy and all the myths and FUD around.
It's well written and really goes to the point.

I'd recommend anyone interested in, or just curious about security, and how it really steps in our lives on a daily basis, to have a look at this very good book.

SSTIC is coming up!

2009-05-28T11:37:00.006+02:00

Next week, I will be attending the SSTIC, a French security conference, over 3 days, taking place in Rennes.

There will be some really nice talks and I'm really looking forward to being there!
Some friends and colleagues will be there as well. It's going to be big fun!

Hope to see you there and grab a beer after the talks! :)

Microsoft gets rid of another unsafe function call

2009-05-16T21:57:00.005+02:00

Microsoft recently announced they'd add the calls memcpy, CopyMemory and RtlCopyMemory to the SDL list of banned function Calls.

Programmers (should) know for a long time that those functions are unsafe and shouldn't be used. Nevertheless, they're still widely utilized and responsible of many buffer-overflow vulnerabilities.

Good move that hopefully will help with getting rid of bad programming habits.

More on (moron?) FakeAlert

2009-05-15T17:49:00.002+02:00

Being a bad guy doesn't mean you are a smart guy.

No mate, I tell you, nobody's trying to get my private data from this IP address... and by the way, email addresses often come with an at sign. Just my two cents.

Virtual machine detection: the easy way

2009-05-14T22:15:00.004+02:00

In an attempt to prevent their analysis, many malwares try to detect whether they run in a virtual machine.
Needless to say that there are lots of ways to detect virtual machines, especially VMWare.

However, as often, the simpler, the better, and a very common way to detect VMWare, VirtualPC or VirtualBox is to check the string stored in the value "0" from the following reg key:
HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Disk\\Enum

The substring "VMWARE", "VBOX" or "VIRTUAL" will be present if the code runs in, respectively, VMWare, VirtualBox or VirtualPC.

Not really stealth nor reliable as bypassing this check is a child play.
But it's easy to implement and, the bad guys and rarely genius... ;)

Anyway, keep this in mind when you are reversing a piece of malware.

Once again, you'll get into trouble because of a sexy woman :)

2009-05-10T22:46:00.005+02:00

As usual, breaking news are (ab)used to push malwares. You surely remember how major events like the Superbowl had been used by the infamous Storm worm to spread.

Some news website reported that a few pictures of the singer Rihanna, naked, were published on the internet on last Friday.
As reported by Sunbelt on its weblog, a google search on that topic leads to some malicious links...
Let's go ahead and download the binary served by those websites.

It's a 2MB Nullsoft installer with an icon suggesting some multimedia software.
A simple dropper saving its files in Program Files\PC and Documents and Settings\<username>\PCenter.
No real surprise, it's a rogue security application calling itself "Privacy Center". Same trick as usual, the rogue application detects imaginary threats and entices the user to buy a licence to get rid of them.
Another badly written Delphi malware...

Detection by AV products is still poor according to Virus total, however, the URLs pointing to the bad file are already blacklisted and any (good) web browser shows a warning or even denies access to those domains.

Welcome to Deobfuscated!

2009-05-02T13:05:00.006+02:00

Deobfuscated is up.

Don't expect too many posts as I'm kinda busy but I'll try to focus on quality and will do my best to come up with interesting topics.
As the title suggests, it'll be all about IT security and reverse engineering, mainly in the (anti)malware field.
Well, you can expect some words about more general things as well. You know, news, the universe and stuff...

See y'all soon :)