
Apr 18
In my previous post, I spoke about how automated systems such as the Norman Sandbox and Anubis are easily blinded by simple environment checks. Christopher Kruegel of the Secure Systems Lab at the Vienna University of Technology replied with the following:


"This is definitely a valid concern, and a problem that every dynamic analysis environment faces. Actually, we have thought quite a bit about this problem, and we have published a paper that presents a possible solution (it has been accepted at the IEEE Symposium on Security and Privacy, check it out at http://www.seclab.tuwien.ac.at/papers/explore.pdf ). In a nutshell, this paper describes a system that allows us to explore multiple execution paths. To this end, we are trying to locate "interesting" checks that the malware performs (e.g., check for the current directory) and explore both paths (one path when the check succeeds, and the alternative path when the check fails). In the case you described above, the first execution path would yield nothing, while the second path would show the malicious activity (together with the information that the current directory must be the Outlook directory to see this behavior)."


This works by taking a snapshot of the running executable's state at each interesting decision point, following one branch to completion, and then restoring the saved state in order to follow the alternative execution path. They were able to do this by creating a Qemu extension that identifies the memory mapped for the specific executable being analyzed. The extension is currently a work in progress and will later be included as part of Anubis. Personally, I'm really looking forward to this becoming publicly available.

Posted by Sandro Gauci

Apr 16

It's not the first time that we have needed to know what an executable binary file actually does. Of course, hardened reverse engineers will fire up their trusty hex editor / disassembler / debugger and spend a few days staring at the code. But the rest of us need answers, and we need them quick!



Traditionally one would run an AV scan on the unknown binary file and feel pretty comfortable running it when nothing turns up. However, experience teaches that this is certainly not foolproof: the fact that an AV reports nothing does not mean that the program was written with the best intentions.



One way around this is to scan with multiple AntiVirus scanners. More often than not, it is not feasible to keep a machine with various AV products ready to scan your possibly malicious (but probably not) binaries. Hence a lot of people make use of services like VirusTotal and Jotti's malware scan. These two services provide a very good solution and will generally satisfy most people's needs.



However, if you have a binary which isn't caught by any AntiVirus vendor, you might still want to decide for yourself whether it is indeed malicious. It might not even be something that the AV companies will ever catch. Enter Anubis, Norman Sandbox and CWSandbox. All three report what a binary does based on how it behaved when run in a virtualized or sandboxed environment. They list things like the imported modules, files created or written to, sockets opened and so on.




I'm pretty new to Anubis, but I like the approach. They're making use of a patched version of Qemu internally. If anyone's interested in the internals of this project, they're published here. One obvious problem with this approach is an executable that checks for some property of its environment before acting. Newer malware is known to check for signs of a virtual machine. Since Anubis runs the sample under a full-system emulator rather than a VMware-style hypervisor, Anubis and others should not have this particular problem (with the caveat that an emulator can in turn be fingerprinted through instructions it emulates imperfectly, so the check merely moves).


But (there always has to be a "but") ... what happens when the executable expects to be run from a specific path before it runs the malicious code? For example, it might check whether it is running from the Outlook temporary files directory before doing anything malicious. My best guess is that the methods that Anubis and similar projects use will fail to detect the malicious code, simply because it is never executed: in the sandbox's default environment the sample only ever follows its benign path. Of course, the presence of the Outlook directory check can itself be enough of an indication that the executable carries malicious code.
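The failure mode described here, and the multi-path exploration that Christopher Kruegel describes in the Apr 18 post above, modelled as a toy in Python. This is an added example and not Anubis, Qemu or Secure Systems Lab code: a tiny stack machine stands in for the analysed executable, a dictionary stands in for the environment the sandbox provides, and the sample program, its paths, the "C:/analysis" sandbox directory and the 203.0.113.5 address are all constructed. The explorer marks the result of every environment query as tainted; at a branch that depends on tainted data it snapshots the machine, finishes the current path, then restores the snapshot and forces the other outcome, recording the condition as a constraint on that path. Unlike the paper's system, it does not rewrite the tainted input to be consistent with the forced branch, so code further along that re-reads the same value would still see the real one.

```python
"""Toy model of single-path vs multi-path dynamic analysis.

Constructed example: a tiny stack machine stands in for the analysed
executable and a dictionary stands in for the sandbox's environment.
Nothing here is Anubis or Qemu code.
"""
import copy
from dataclasses import dataclass, field


@dataclass
class Value:
    val: object
    taint: set   # names of the environment queries this value depends on
    expr: str    # human-readable description, used to phrase constraints


@dataclass
class State:
    pc: int = 0
    stack: list = field(default_factory=list)
    actions: list = field(default_factory=list)      # observable behaviour
    constraints: list = field(default_factory=list)  # why this path was taken


# Constructed sample "malware": only misbehaves when run from one directory.
# Instruction set: QUERY name | PUSH const | EQ | JZ target | ACT text | HALT
SAMPLE = [
    ("QUERY", "cwd"),                          # 0: ask the OS for the cwd
    ("PUSH", "C:/Outlook/Temp"),               # 1: the directory it expects
    ("EQ", None),                              # 2
    ("JZ", 6),                                 # 3: wrong dir -> skip to 6
    ("ACT", "write C:/Windows/update.exe"),    # 4: constructed payload actions
    ("ACT", "connect 203.0.113.5:6667"),       # 5
    ("ACT", "exit"),                           # 6: the benign-looking path
    ("HALT", None),                            # 7
]


def explore(program, env, multipath=True, max_steps=10_000):
    """Run `program` in `env`. With multipath=True, fork at every branch whose
    condition depends on an environment query and force the other outcome.
    Returns a list of (constraints, actions), one entry per explored path."""
    worklist = [State()]
    results = []
    steps = 0
    while worklist:
        st = worklist.pop()
        while steps < max_steps:
            steps += 1
            op, arg = program[st.pc]
            st.pc += 1
            if op == "QUERY":
                st.stack.append(Value(env[arg], {arg}, arg))
            elif op == "PUSH":
                st.stack.append(Value(arg, set(), repr(arg)))
            elif op == "EQ":
                b, a = st.stack.pop(), st.stack.pop()
                st.stack.append(Value(a.val == b.val, a.taint | b.taint,
                                      f"{a.expr} == {b.expr}"))
            elif op == "JZ":
                cond = st.stack.pop()
                if multipath and cond.taint:
                    # Snapshot the machine and queue the path the sample did
                    # not take, pretending the check came out the other way.
                    # The tainted input itself is not rewritten (simplification).
                    alt = copy.deepcopy(st)
                    alt.constraints.append(f"({cond.expr}) is {not cond.val}")
                    if cond.val:            # original falls through -> alt jumps
                        alt.pc = arg
                    worklist.append(alt)
                st.constraints.append(f"({cond.expr}) is {cond.val}")
                if not cond.val:
                    st.pc = arg
            elif op == "ACT":
                st.actions.append(arg)
            elif op == "HALT":
                results.append((st.constraints, st.actions))
                break
            else:
                raise ValueError(f"unknown opcode {op}")
    return results


def single_path(program, env):
    """What a conventional sandbox sees: one run in its default environment."""
    return explore(program, env, multipath=False)


if __name__ == "__main__":
    sandbox_env = {"cwd": "C:/analysis"}   # assumed default sandbox directory
    print("single path:", single_path(SAMPLE, sandbox_env))
    for constraints, actions in explore(SAMPLE, sandbox_env):
        print("path:", constraints, "->", actions)
```

Run as a script, the single-path analysis reports only "exit", while the multi-path run additionally reports the write and connect actions together with the constraint that `cwd == 'C:/Outlook/Temp'` must hold to reach them, which is exactly the extra information the paper's approach promises.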

Posted by Sandro Gauci

Apr 11

Yesterday I learnt that the Shmoocon videos have been made available online, so my immediate reflex action was:

sandro$ wget -m -A mp4 http://www.shmoocon.org/2007/videos/


Gotta love wget. I watched some of the talks and quite a high percentage of them are of high quality. I watched (parts of) the following:

  • A hacker looks at 50. G. Mark Hardy goes on and talks and talks about how systems were previously much more obscure, security through obscurity and all that. I started watching this one but quickly got distracted - probably because the Johnny Long talk got downloaded by then.
  • No-Tech Hacking. In this talk, Johnny Long gives examples of how a "hacker" will look at different scenarios and identify security flaws. How easy it is to mark a DoD person who's supposedly not easy to spot .. and stuff like that. A very enjoyable talk and Johnny Long certainly didn't disappoint here.
  • Auditing Cached Credentials with Cachedump. This is a talk by two guys who focus on the problem of cached credentials. Basically this talk did a very good job at highlighting how bad the thing is in the enterprise environment. An ok talk.
  • Hacking Digital Cameras. I started watching this one - looks pretty amazing what you can do with dirt cheap cameras and some electronics knowledge. Of course, I quickly lost interest as soon as I noticed that h1kari's talk was downloaded.
  • Hacking the Airwaves with FPGAs. This is one damn interesting talk. h1kari demonstrates the impressive speed of cracking WEP, WPA, bluetooth and Mac OS X's FileVault by making use of FPGAs, against cracking them on a good pc. Very sexy stuff! .. and the speaker is pretty relaxed about it all.
  • Backbone fuzzing. This talk is pretty interesting - Raven goes on to tell the crowd about her experiences with fuzzing lower-level stuff, usually critical network infrastructure devices. She's quite cool, but I got the impression that she makes use of her boyfriends to get her fuzzer coding done.
  • Attack Detection and Response with Linux Firewalls. I started watching this talk, but it was getting quite late for me .. and didn't find the talk particularly interesting anyway. Maybe I'll give this talk a chance some other day.. but yesterday I decided it was time to sleep.

I still need to watch Major Malfunction's "RFIdiots" talk, which will probably cover his Python library and his experience with RFID being used in the UK for passports and such things. He's a very good speaker and never ceases to impress, so I'm looking forward to that. If you're interested there's 2.7GB of videos here. If you're in the .mt area and want a copy, feel free to ping me.

Posted by Sandro Gauci

Apr 5


Intrusion detection is one of many information security buzzwords that security tool manufacturers use to mean many different things. In simple terms, however, the phrase Intrusion Detection System (more commonly known as IDS) refers to an architecture of devices and software that provides real-time monitoring and analysis of network activity for potential vulnerabilities, attacks and malicious activity.

Read on and decide for yourself whether you need to have one of these boxes in place...

Continue reading "The concept of Intrusion Detection Systems"

Posted by Donald Tabone
