Showing posts with label reverse engineering. Show all posts

8.18.2007

Love, as they say, is dangerous.

As mentioned previously (and in a Defcon debriefing post that I have yet to actually publish), I've been looking into malware analysis and reverse engineering lately. There is still so much to learn, but what humble little I have learned has whetted my appetite for something more hands-on.

By the way, I have finally discovered and fallen in love with Eldad Eilam's book, Reversing: Secrets of Reverse Engineering. Its 624 pages have a good balance of breadth and depth, and though I haven't finished it cover to cover yet, I am already jumping the gun and recommending it to anyone interested in reversing. As the book has a good amount of assembly code, some background knowledge is advised, unless you're the type who likes to be inundated with information about things you can just barely understand, like doing 0 to 60 in 3 seconds flat.

At any rate, in my quest to look for something to analyze, I discovered that one easily accessible treasure trove of malware and fishy (phishy! sorry, that was punny) sites is my spam folder... which is where I found this one:



"I`m in hurry, but i still love you...?" Aw, I feel the warm fuzzies! Especially when said ecard (which has JavaScript code running in the background, so I don't recommend going to this link unless you know what you're doing) looks something like this...



Humor aside, I am somewhat surprised by the sloppy effort of the attempt, especially when simple copy-pasting could have made it somewhat more convincing. This was obviously not a particularly brilliant example of social engineering technique, but it was entertaining nevertheless.

7.06.2007

iPh0n3: And so it begins...

From TUAW:

"iPhone enthusiasts over at the #iphone-talk and #iphone-mac channels on irc.osx86.hu have developed iPhoneInterface, a new Windows and Mac tool that allows you to manipulate the iPhone's state, launch services, and interact with the iPhone filesystem. With it, you'll be able to scan the iPhone file structure, create and remove folders, start iPhone services, and more."

I don't think anyone is really surprised that this happened. I know many people who believe that Apple actually encourages this type of behavior, evidenced by the ease of cracking into the AppleTV and the numerous enhancements that followed. I don't know if I quite fall into that camp, but I do think it's inevitable that any closed system that gains interest from so many technically inclined people will not stay closed for long. I don't know if that's really a statement about security, or just common sense.

Protection/hackability philosophy aside, I'm excited to see where this goes as I get ready to throw down my own $600 to Apple/AT&T. Take the already impressive iPhone, throw in a healthy helping of the great features you get in regular OS X, add in some of the features found in other high-end phones, and you really have a be-all device. Truth be told, I'd actually be reluctant to use such hacks on my main phone, but my real hope is that this kind of thing encourages Apple to open up the iPhone, add the features people have been asking for, and make it a lil hacking pad that I can also get email and make calls on.

That being said, I think SSH and the ability to browse the filesystem are a must, but how about a Python interpreter or something? Flash maybe? A Safari view source option? TextMate for iPhone? Are you listening, Apple? I want to be able to play next year's CTF qualifier on the Metro.

6.10.2007

And the answers please...

Over at Nopsr.us the Underminers (aka 1@stPlace, winners of last year's Defcon CTF) have put up a follow-up to last year's CTF quals writeup, which you can find here.

@tlas and his gang do a fantastic job walking through each of the challenges, and a lot can be learned from just taking a look. Even better, they managed to pry the challenge source code out of Kenshoto's hands (a feat they managed to pull off before I did) and have it posted, so that nearly the entire scenario can be recreated for ownage pleasure in your very own home. So go give it a look, you'll learn a bunch.

For those who are curious, Vulnerable Minds did play this year and were quite pleased with our 30th out of 160 finish. In what is the largest Defcon qualification year ever, we were stoked to come in the top fifth and had an awesome time. ev3, Narc, LogicX, Bacon, Gpmidi, Bacchus, and myself spent most of the weekend at Akolyte and Saijak's apartment, chugging Red Bull, watching Jurassic Park on repeat (seriously, Pwnage100 was crap), and hacking to our hearts' content. It was a great weekend, the challenges were excellent, tough but enjoyable, and it was one of the most fun and interesting events I've been a part of.

So props to the Kenshoto guys for a fantastic quals round, to the NopsR.Us/Underminers/1@stplace guys for the fantastic writeups, and to the Minds who dedicated their weekend to playing a fantastic game.

And watch out next year because Vulnerable Minds is coming to break all of your plates!

4.09.2007

Introduction to Malware Analysis

From JST at Offensive Computing:

I have a folder (just over 300 megabytes/927 files), which contains a lot of malicious software. I uploaded it in case anybody wants to analyze it, or if anybody from anti-virus companies wants to detect it. A lot of it is already detected, but some of it is detected by some anti-viruses but not detected by others. There are all types of executable files, pif/exe/scr etc and also some .jpg/.zip which are really executable files renamed. There are also some HTML files, but a lot of those can just be ignored. Well I uploaded it all anyway.

The password for the rar file is "malware"
http://www.megaupload.com/?d=KE19T9DI

As someone interested in learning malware analysis, this is a treasure trove of potential examples. Theory is great, and I love reading a good book, but having a third of a gig of applications to rip apart and find the nastiness in really calls out to my "learn by doing" mindset.

I really enjoy the Offensive Computing site. These folks are really dedicated to what they do and have a ton of resources about their chosen specialization. So give their site a read, download their malware, and send me an email to compare notes.

3.04.2007

How to most effectively beat a dead horse...

The trend of Month of Bugs continues unabated. Let's look at the history and get my armchair analyst commentary:

  • Month of Browser Bugs
    • Leader: HD Moore
    • Impact: Effective, highlighted the importance of browser security and pointed out a number of noteworthy flaws in a wide range of browsers including IE, Firefox, Camino, Opera, and Safari.
    • Positives: Well researched, well orchestrated, spread over multiple vendors, including some vulnerabilities that affected multiple applications.
    • Negatives: Hard to say considering this one set the bar, and many since have fallen short.
    • Site: http://browserfun.blogspot.com/
  • Month of Kernel Bugs
    • Leader: LMH
    • Impact: Similar to MoBB. Showed that fuzzable flaws weren't purely things found in "trivial" places like browsers, but in serious places like the lowest levels of operating systems.
    • Positives: Took on an equally, if not even more, prolific area of system security. Lots of tasty PoC code.
    • Negatives: I didn't play with many of them myself, but I've been told some of the PoCs were a bit unreliable, not to mention many were not remotely exploitable.
    • Site: http://kernelfun.blogspot.com/
  • Month of Apple Bugs
    • Leader: LMH and Kevin Finisterre
    • Impact: Definitely the black sheep of the "Months", the MoAB was littered with issues. While it did expose some flaws in Apple hardware/software, it did little to dissuade Mac users from a feeling of invincibility and was taken less than seriously, even by information security types. Also the first "Month" to have a concurrent project providing on-the-fly patches to each day's bugs.
    • Positives: Had its sights set on a group that needed to understand their vulnerability and went after a wide spread of Mac software.
    • Negatives: The spread was too wide. Many of the flaws found were shrugged off by Apple users as "not Apple problems" (see: PDF and VLC). Coupled with the fact that PoC was spotty and nothing was ever released about the crowning "Unspecified Kernel Remote Fun", this was thought by many to have not been worth the hype.
    • Site: http://projects.info-pull.com/moab/
  • Month of PHP Bugs
    • Leader: Stefan Esser
    • Impact: At first I thought this would be a joke. Vulnerabilities are reported every day in various PHP-based applications. What is currently making this so effective is that they're only releasing vulnerabilities in the PHP core, not the poorly written bulletin board applications that get reported on daily.
    • Positives: Focused on the real security problems with PHP, not the low-hanging fruit in third-party PHP applications.
    • Negatives: Well... this is where that beating-a-dead-horse comment came from. PHP applications can seem to account for the majority of all vulnerabilities reported, so more PHP vulnerabilities can seem like overkill. Also no word yet on whether fixes will be provided.
    • Site: http://www.php-security.org/
So what's my final take? Well, there's a place for "Months" but they're only effective if well done. What makes an effective Month? Here ya go:
  • Choose a relevant technology and make sure your vulnerabilities affect it, not arbitrary related software. If you say it's Apple vulnerabilities, then fuzz iTunes, not VLC.
  • Going along with the last point, it's also important to deliver what you promise. If you promise a kernel-level vulnerability, then it had better exploit the kernel. If you promise it's remote, then it needs to be remote, not "remote if you can social engineer someone into running it with Admin privileges."
  • Give us proof of concept code, otherwise it's too easy for everyone to say you're makin' it up.
  • If you break it then fix it, or at least find someone who will.
  • Be fair to the vendors and be fair to the users. Dropping 30 0-days doesn't help users. Being pushed around by a vendor who doesn't wanna fix their problems doesn't help users either.
All that said, I welcome the Month of PHP Bugs. While I'm not a huge fan of PHP, it is an important language that makes up many sites that are used daily all over the Internet. Stefan Esser has tried to improve security in every way he can, and for my money he's now responsibly using vulnerability disclosure in a way that will hopefully encourage the PHP team to make their language more secure, and that's better for everyone.

11.24.2006

DMCA revisions go well with left over turkey...

Unlocked cellphones and legal security research, that is. I refrained from any Thanksgiving posts (not totally deliberately; partially because my iBook is somewhere in Texas right now getting repaired). Today, though, I couldn't help but express my gratitude to the US Copyright Office for two things.

First of all, it's been a ludicrous notion that unlocking a cellphone from a particular vendor should be illegal. Now, I think that the DMCA is largely ridiculous, but I can see logic, though not necessarily merit, in keeping people from reverse engineering devices that took companies time and resources to create. I can see where that would seem sane to some. But to threaten people over using a device in a manner for which it was deliberately constructed, such as to work with multiple carriers, is just asking too much.

More important to me, and a fair bit closer to home for those in my line of work, is the newly set precedent allowing at least some leeway in the DMCA for reversing music formats with potential security holes:
The measure permits researchers to circumvent copyright protection measures - "...when circumvention is accomplished solely for the purpose of good faith testing, investigating, or correcting such security flaws or vulnerabilities."
*cough* Sony *cough*

It strikes me that this should just be the beginning. Security research such as this needs to be protected, and not just after a major company abuses user trust. It's a double-edged sword, I realize, protecting those searching for vulnerabilities. You could get burned protecting people who want to find 0-days, but you would also protect those searching for vulnerabilities in order to protect others. The best example of this is the Red Database group's two-year fight with Oracle over vulnerabilities that they found and attempted to get fixed. In my opinion they were the epitome of responsible disclosure, which is as much about knowing when to force a company's hand as when to give them time. There needs to be protection for groups such as this who are leveraging their potentially damaging knowledge in a way that's meant to protect those using the product, even when the companies themselves can't be bothered. There is such a thing as responsible disclosure, and it deserves to be protected, both for the betterment of the software manufacturers and of the users.

So thanks, Copyright Office. I hope your turkey was extra tasty this year.