Archive for the 'Conferences' Category

No More Dragons: the 26th Chaos Communication Congress Ends

With a dazzling laser show, the 26th Chaos Communication Congress (26c3) in Berlin, the last big security conference of 2009, has ended. If you haven’t been here, you might have missed fewer of the sessions than people on site, thanks to the worldwide availability of live streams (and recordings). What you did miss was meeting all these people, though!

26c3 has simply outgrown the location it has occupied for the last few years, but this may be offset by a very successful experiment: allowing full remote access to the conference network via VPN for those who couldn’t attend. Other conferences should consider this (hey, Defcon team, are you reading this? ;) ) as well, especially as air travel becomes less and less attractive.

During the last two days a number of the talks were on GSM security (Harald Welte, Dieter Spaar) and tracking phones (L. Aaron Kaplan). In case you missed Dan Kaminsky’s “Black Ops of PKI” earlier this year, we had another chance. Just before the closing ceremony, Frank Rieger and Ron repeated their session “Security Nightmares,” for the 10th time.

Security Nightmares was an entertaining, though a bit scary, summary of this year’s security issues and incidents, and a look at the future coupled with a wish list. Most notably, they’d like to see personal liability of executive management for the misuse of data. They call for a law for all companies to inform a customer or contact once a year about the personal data they have, what they did with it, and whom they shared it with or sold it to. The speakers repeatedly outlined the problem of data that people put online about themselves and their friends. Because pretty much all data leaks to the general public sooner or later, we need to take the utmost care when determining what to put online.

My personal rule: Don’t put anything online if you don’t want to see it on the front page of a newspaper.

I’ll finish with a quote from Security Nightmares (though I think it’s originally from Bruce Schneier): “Data is the pollution [problem] of the information age.” There’s something to think about when all the New Year’s Eve parties are over. Have a happy and secure 2010!

Dragons Everywhere: The 26th Chaos Communication Congress, Part 2

Day 2 and Night 2 of the 26th Chaos Communication Congress is over, so it’s time for a short update on what you are missing here.

This year the Congress is organized as a distributed event: Many local Hacker Spaces have joined the network at Berlin Conference Center, giving access to resources and talks to visitors. Check out the Dragons Everywhere Wiki at 26c3 for more info. And of course there are still the live streams of the talks available.

One highlight was certainly an update of the current debate around the Vorratsdatenspeicherung (“data retention”). CCC-spokesperson Constanze Kurz expects a favorable ruling against the current laws by the highest German court. This may have an EU-wide impact.

At the same time (and thank goodness there were streams available!) was Collin Mulliner’s talk about fuzzing smart phones and some of his (and Charlie Miller’s) findings.

Felix “FX” Lindner changed sides: In a talk covering defense instead of breaking things, he demonstrated the security problems that come with Flash and released a tool called Blitzableiter (“lightning rod”) that sandboxes .swf files to prevent a class of Flash exploits. His tool is still a work in progress but looks very promising already.

And to finish the day there was the Phonoelit Party at c-base, featuring Mumpi, Vela, and Illo. Another great event!

Of course, this selection is just my personal preference. Make sure to check the schedule for talks that interest you. ;)

Here Be Dragons: The 26th Chaos Communication Congress, Part 1

Although most people enjoy the days between Christmas and New Year’s Eve with their families, hackers, geeks, security enthusiasts, and privacy activists meet in Berlin for the world’s oldest and Europe’s biggest annual Hacker Conference. Now in its 26th year (I was a 13-year-old kid, trying to figure out what to do with a Sharp 1211, when it started), the schedule is quite heavy with political topics, not surprising after a year full of very controversial laws and initiatives. There is so much content that some of the really good tech sessions have been reduced to four-minute “lightning” talks! Check Xonox’s talk on sniffing AES encryption via the CPU cache for a great example.

If you’re not here already, don’t bother to come: The conference is sold out completely. Day tickets will be available at 8 a.m. but it will take only minutes for those to disappear, so instead you might follow the live streams. Actually many people at the con follow them because the rooms are full, sometimes 15 minutes before the talk starts! Like Defcon at the original Alexis Park location, CCC has outgrown its home at the Berlin Conference Center and needs a new location.

For a first conference highlight: Fabian “fabs” Yamaguchi’s talk about various network-related design errors is a must-see. Collin Mulliner’s and FX’s talks are two I wouldn’t want to miss.

Ok, I’m heading over to the event. You enjoy your holiday! ;)

Highlights of Xcon 2009

This is my fourth time to attend Xcon (the Xfocus Information Security Conference), and the third time as a speaker. Xcon is the biggest and most influential nongovernmental computer security technical conference in China. Actually for most Chinese security researchers it’s not only a technical event, but also a big party where they can meet old friends, make new friends, and communicate their ideas among a group of security technical geeks.

Xcon 2008 was postponed to November due to the Olympic Games in Beijing; thus the turnout was smaller than usual. Xcon 2009, on August 18-19, was held as expected; but as a consequence of the global economic crisis, I was not able to see many acquaintances, especially some of my foreign friends. Luckily I still met Tomas Lim, Vangelis, and Kana again. They are all well-known organizers of other security conferences, at which I have had the honor to be invited to speak.

This year, there were ten talks in total, which covered almost all the hot topics of computer security (listed below) though there was only one track. The world-famous security researcher Kris Kaspersky was supposed to speak on Linux rootkits, but he didn’t make it due to visa issues. My presentation, “Go Deep Into The Security of Firmware Update,” was the last on the first day; it focused primarily on security concerns with firmware updates of various PC components, including the system BIOS, embedded controllers in notebooks, Intel AMT, etc. Basically the talk went well, although the demo section had problems because the big LCD projector couldn’t display the BIOS Power-On Self-Update process that was shown on my screen. It worked once the OS kernel and appropriate drivers were loaded, which I didn’t think about beforehand. Interestingly, someone told me this can probably be resolved by pressing a hot key during the BIOS boot phase.

Presentation Topic Statistics:

- Vulnerability/Exploit: 4
- Web-Based Security: 2
- Firmware/Hardware: 2
- Cryptography: 1
- Virtualization: 1

There were many honourable mentions in this year’s Xcon, but one of my favorites was the Hardware and Virtualization topic. The presenter, Nguyen Anh Quynh (a Vietnamese researcher who works for AIST Japan), presented for the second time at Xcon, this time talking about VM security in “Detecting Rootkits Inside Virtual Machines.” He ran a new rootkit detector tool called eKimono inside a VM (Xen’s Dom0) and scanned the memory of the guest VM for suspicious things.

This talk brought another recent VM session to mind, a Syscan talk “SADE: Injecting Agents into VM Guest OS,” by Matt Conover. It looks like VM technology as a defensive means is becoming a more common topic than how to exploit VM technology. (One such topic was the super-hot “Virtualized Rootkits” session in the last two years.) Antiy Lab’s talk “Rediscovery on the Attack of Equipment and Signal” was also popular; the presenters did a live show on how to remotely intercept and decrypt the keystroke signals emitted by a wireless keyboard. I can still remember their Xcon 2008 presentation about physical attacks. They demonstrated how to execute arbitrary code by inserting a USB device into a victim’s machine with AutoPlay functionality disabled. While the theory behind it was not disclosed, they declared that this was definitely not achieved by physical memory modification through a device’s bus-mastering DMA operation. As far as I know, unlike Firewire (1394), which is an Expansion Bus Architecture, USB doesn’t have such a capability.

I missed some web-based security talks since I’m not so keen on scripts. (I’m a binary guy :) ) But I listened carefully to FunnyWei’s “Abnormity Usability Analysis” and Wang Tielei’s “Integer Overflow Vulnerability Auto-Mining,” especially the one by Dr. Wei, who developed a kind of prototype tool that can help in tracking the controllable data and execution flow which would aid in analyzing the usability of an abnormal situation.

One thing I noticed this year was that most topics focused on vulnerability mining or analyzing, but there was no talk directly dealing with exploiting vulnerabilities, such as the most popular and expected topic “Memory Protection Bypassing on Windows 7.” I remember that Alexander Sotirov gave such a speech targeting Windows Vista at last year’s event, and I hope there will be some breakthrough in this field in the coming year.

Looking forward to seeing you at xKungFoo 2009, in Beijing.

Prepare for the new upcoming 2010 AV products.

Many major security companies are about to release their new retail products for 2010. Expect some comparative reviews in the next months; check what you need and stay protected.

Some ‘2010’ products are already out on the web, but unfortunately most of them are FakeAlert Trojans or Scareware.

Once downloaded, you see pop-up windows alerting you about malware found on your machine and asking you to buy the product. The actual problem is the software you just executed.

We have reported on FakeAlert Trojans before; you may remember products named:

- “Virus Remover 2007”
- “Win AntiSpyware 2008”
- “AntiVirus VIP”
- “AntiSpyware Pro2009”
- …

To name just a few, but let’s look at this “2010” example:

Screenshot of Fakealert Webpage

Before you think about buying a new product or testing a trial version, you should:

- Use McAfee SiteAdvisor to get a rating of the page you’re looking at.
- Type the product name into your favorite search engine and have a look.
- Check comparative reviews – don’t believe in the awards posted on the page.
- Still unsure? Go to the next store and buy a box. There are no FakeAlert products available as a boxed product in a store. They sell online only.

If you are already running an AntiVirus product from a known vendor and you get annoyed by popups, bogus alerts or have a different issue, contact the Technical Support first.

Quote from the bottom of the screen:

According to security experts, most spyware types are not detected by antiviruses because they are disguised as legitimate software installed with the user’s consent.

Actually, ‘PC Antispyware 2010’ is a perfect example for such a “malicious software disguised as legitimate software”.

Of course, we and other major security companies do add detection for those Fake Alert products as Trojan.

McAfee SiteAdvisor rates this page as RED.
McAfee VirusScan detects the installer as Generic FakeAlert.d!gen
McAfee Secure Gateway detects Trojan.Dldr.FraudLo.sxm

Fight Against Cybercrime Gets Organized

The fight against cybercrime is showing some very promising progress over the last few years. We are certainly not where we want to be, but we’re on a good path. McAfee’s own Initiative to Fight Cybercrime has been in force for more than half a year. Recently our Cybercrime Response Unit was launched; it’s an online help center designed to assist victims (and people who suspect they may be victims) of cybercrime. But best of all: We are not alone!

McAfee has teamed with many other companies and institutions to form the Conficker Working Group and has set a precedent that raises hope for the future. Just this week I attended the Counter eCrime Operations Summit (CeCOS) in Barcelona, Spain. The event was hosted by the Anti-Phishing Working Group (APWG). This year’s meeting focused on the development of response paradigms and resources for managers and forensic professionals who fight ecrime. There were a number of very useful presentations and panels on user education, better interaction among various entities, and case studies on how successful this can be.

Even more important were the small meetings outside the official program, connecting researchers from security companies, CERTs, and law enforcement agencies throughout the world with each other and talking over how we can improve the current situation. This has been a very productive week. At least I now have some hope for the future! ;)

Hacking Exposed at RSA

RSA is pretty much over now and it has been a blurry several days. Some real good sessions, some real good panels. Lots of meetings and interviews and many old friends on hand (shoutouts to Dave Perry, Larry Bridwell, and Lysa Myers), but I digress. …

For me the best event was the “Hacking Exposed” session, by Stuart McClure and George Kurtz. OK, I cop to being biased because I know and work with both these gents/slackers at McAfee, but they did show a really wild hack–they pwned a primary domain controller from an iPhone! Yep, you read that correctly. They hacked a Windows server FROM an iPhone.

For those who were not among the anointed who attended, I have uploaded the slide deck here. Stu and George recorded the hack as well:

25C3: Nothing to Hide

The last major event of the year has just ended: The 25th Chaos Communication Congress’ Closing Ceremony just took place. Now in its 25th year, making it one of the oldest annual IT security conferences on the planet, more than 4,000 visitors crowded the BCC in Berlin, making it difficult to get into the talks, much like at Defcon some years ago.

For the talks: As always there was a healthy mix of technical, culture, and society-related topics (the full schedule can be found here); surprising was the low number of local speakers talking about security problems or releasing tools. This may be related to a lot of confusion about the impact of recent German legislation banning “hackertools.” Recordings of all talks will eventually be available here.

Some of the highlights of the conference (yes, with four days and three parallel tracks I’m certainly missing some that should be mentioned) were Security Failures in Smart Card Payment Systems, by Steven Murdoch; Fabian Yamaguchi’s talk about TCP DoS Vulnerabilities; SWF and the Malware Tragedy, by BeF and fukami; FX of Phenoelit talking about the State of Attack/Defense of Routers (start watching your infrastructure, folks!) and finally the conference highlight, a talk about creating a rogue CA Certificate, by David Molnar, Marc Stevens, Benne de Weger, Arjen Lenstra, Dag Arne Osvik, Jacob Appelbaum, and Alex Sotirov. By taking advantage of known (and widely ignored) weaknesses of MD5-signed certificates and the bad implementation of a CA, they were able to create a Rogue CA Certificate, trusted by all browsers–OUCH!

A very interesting note concerning the Rogue CA talk: They didn’t give out any details on what they were planning to talk about until just before the talk itself. As they were afraid that someone or some company might try to gag them and prevent the talk from happening, they discussed the content with affected parties only under NDA. Meaning: They made the other party sign the NDA, not the usual way around!

This year there were a number of talks about mobile phone (in)security and about the GSM network in general, an interesting trend to follow in the next months/years. And at the very end a vulnerability affecting many Symbian-based phones, trivial to exploit manually, was released: SMSCurse (I’ve got no working link at the time of this writing). It basically crashes the SMS messaging on a phone and may require a factory reset to restore it, depending on the phone.

I took this as an opportunity to create a current backup of my phone–how old is your latest backup? :)

Have a Happy and Safe New Year!

Combating File Infectors on Corporate Networks

In this age of botnets, rootkits, spyware, and other bleeding-edge security threats, file infectors are frequently thought of as a dead threat. Yet we continue to see classic file-infecting viruses enjoy a high degree of success in the wild — causing widespread damage to computer systems. This inspired me to revisit traditional countermeasures used against file-infecting viruses and propose new approaches to improving existing systems.

Last month, I got to present my research on this subject at Malware 2008 - the 3rd International Conference on Malicious and Unwanted Software. The paper is titled “Combating File Infectors on Corporate Networks” and presented below is an extract from the paper:

“We regularly come across simple parasitic infectors that manage to infect every workstation and server on the network. And administrators are at their wits’ end trying to figure how the simplest of viruses managed to spread and infect every networked machine in so little time and with such stunning effect.

Administrators routinely attend to distress calls from hapless users whenever they have an issue with their workstations. And administrators typically tend to log onto the affected workstation using their own account—which has domain administrative credentials.

For a moment, let us assume the user whose workstation was acting weird was infected with a worm/virus. What could possibly go wrong from here?

Most worms routinely scan for any alive hosts on the network using ICMP or NetBIOS broadcasts and then attempt to connect to the administrative shares of the hosts they find, using the credentials of the currently logged-on user. If the initial login attempt using a regular user account fails, the worm attempts a brute-force attack on the admin account using a predefined list of hard-coded usernames and passwords. Because most corporations have enforced complex password policies these days, brute-forcing is hardly effective.

However, when an administrator logs on to the affected machine using their domain admin account, the worm now runs on the affected machine using the elevated credentials of a domain administrator. Straight away the worm can now infect and spread to any host on the domain using these newly acquired administrative credentials. And in a matter of minutes the entire network with thousands of machines gets infected—by the dumbest of worms. And all this because an ignorant administrator committed the cardinal sin of logging into an infected machine using their own account.”

Interested readers can download a copy of the paper from the McAfee Avert Labs White Papers page.
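The extract describes one behaviour a defender can look for directly: a privileged domain account logging on interactively to an ordinary workstation. The following is an added example, not code from the paper or from the original post. It parses constructed logon records in a simplified key=value form (not real Windows Security log output) and flags interactive or remote-interactive logons (Windows logon types 2 and 10 on event 4624) by accounts in an assumed privileged list on hosts outside an assumed list of admin hosts. The account and host names are constructed.

```python
"""Added example (not from the paper or the original post): flag interactive
logons by privileged domain accounts on ordinary workstations.
Event records below are constructed sample data in a simplified key=value
form, not real Windows Security log output."""

# Windows Security event 4624 = successful logon. LogonType 2 = interactive
# (console), 10 = RemoteInteractive (RDP): both leave the account's token on
# the box, which is what lets a worm spread with domain-admin rights.
# LogonType 3 (network, e.g. a share access) is deliberately not flagged.
SUCCESSFUL_LOGON = 4624
INTERACTIVE_LOGON_TYPES = {2, 10}

# Assumed inventory (constructed): members of Domain Admins, and the hosts
# where such logons are expected (domain controllers, admin jump host).
PRIVILEGED_ACCOUNTS = {"CORP\\admin.jsmith", "CORP\\admin.backup"}
ADMIN_HOSTS = {"DC01", "DC02", "JUMP01"}

# Constructed sample records.
SAMPLE_EVENTS = [
    "EventID=4624 LogonType=2 TargetDomainName=CORP TargetUserName=jdoe WorkstationName=WS-0042",
    "EventID=4624 LogonType=2 TargetDomainName=CORP TargetUserName=admin.jsmith WorkstationName=WS-0042",
    "EventID=4624 LogonType=10 TargetDomainName=CORP TargetUserName=admin.jsmith WorkstationName=DC01",
    "EventID=4624 LogonType=3 TargetDomainName=CORP TargetUserName=admin.backup WorkstationName=WS-0099",
    "EventID=4625 LogonType=2 TargetDomainName=CORP TargetUserName=admin.backup WorkstationName=WS-0007",
    "EventID=4624 LogonType=10 TargetDomainName=CORP TargetUserName=admin.backup WorkstationName=WS-0007",
]


def parse_event(line: str) -> dict:
    """Turn one 'Key=Value Key=Value ...' record into a small dict."""
    fields = dict(part.split("=", 1) for part in line.split())
    return {
        "event_id": int(fields["EventID"]),
        "logon_type": int(fields["LogonType"]),
        "account": f"{fields['TargetDomainName']}\\{fields['TargetUserName']}",
        "host": fields["WorkstationName"].upper(),
    }


def find_risky_admin_logons(lines, privileged=PRIVILEGED_ACCOUNTS,
                            admin_hosts=ADMIN_HOSTS):
    """Return (account, host, logon_type) for every successful interactive
    logon by a privileged account on a host that is not an admin host."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev["event_id"] != SUCCESSFUL_LOGON:
            continue                      # failed logons leave no token
        if ev["logon_type"] not in INTERACTIVE_LOGON_TYPES:
            continue                      # network logons are expected
        if ev["account"] not in privileged:
            continue
        if ev["host"] in admin_hosts:
            continue                      # DC / jump host: by design
        hits.append((ev["account"], ev["host"], ev["logon_type"]))
    return hits


def summarize(hits) -> dict:
    """Map each offending account to the sorted list of workstations it
    logged on to, a handy view for a conversation with the admin team."""
    out = {}
    for account, host, _ in hits:
        out.setdefault(account, set()).add(host)
    return {acct: sorted(hosts) for acct, hosts in out.items()}


if __name__ == "__main__":
    hits = find_risky_admin_logons(SAMPLE_EVENTS)
    for acct, host, ltype in hits:
        print(f"privileged interactive logon: {acct} on {host} (type {ltype})")
    print(summarize(hits))
```

The allowlist approach is intentional: domain-admin logons on domain controllers are normal, so only logons on hosts outside that set are reported, which keeps the alert volume low enough that the one interactive logon on an infected workstation is not lost in noise.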

FOCUS’08: A Souvenir of Las Vegas

Last week, along with 1,200 other attendees from 47 countries, I was in Las Vegas at the FOCUS’08 McAfee Security Conference. In my opinion it was a great success; here are some on-the-spot comments.

On Tuesday, after the welcome session in which McAfee CEO Dave DeWalt announced, among others, the McAfee Initiative to Fight Cybercrime, I chose to hear my colleagues Toralv Dirro and Pedro Bueno present the state of cybercrime around the globe. In this session, the participants learned the actual methods used by cybercriminals: identity theft, phishing, password-stealing Trojans, virtual money laundering, and botnets. “The cybercrime industry is still booming,” the speakers explained. “It moves about US$100 billion per year and is the most successful sector of organized crime, growing 40 percent per year.”

Fortunately, the criminals do not win all the time. A supervisory special agent attached to the FBI Cyber Division gave us proof in the next session. Through the example of “Alonzo X,” we learned how the police forces work to catch cybercriminals. Organizing and offering to sell parts of his botnet consisting of approximately 100,000 infected computers, Alonzo was responsible for sending thousands of spam messages between 2004 and 2007.

During this track, we learned that, as they do for drug rings, the FBI investigators infiltrate criminal operations. And they are sometimes on the horns of a dilemma: To help the inquiry, do they have the right to use for themselves a botnet they purchase, and can they send themselves spam? We also learned how it was sometimes possible to calculate the fine by considering the expense for a computer repair ($200) and multiplying that amount by the number of infected computers. The police’s role is also to inform the victims that their computers are infected. It is not an easy task when you have a worldwide network of thousands of zombie machines. Someone in the audience asked the agent how much Alonzo earned; the response was approximately $80,000 per year.

In the third track I attended, participants learned about the views of the U.S. Department of Homeland Security. To introduce his talk, Brett Lambo, the Director of the Cyber Exercise Program, gave us a brief outline of the situation: Today malicious insiders and cybercriminals have both the capabilities and the intent to use the Internet as a playground. Other nations, which also have the capabilities, may have the intent, while terrorist groups may have the intent but do not possess capability. Then, Lambo explained America’s cyberinfrastructure serves as a vital link among 17 critical infrastructure and key resource sectors, as well as providing a fundamental element of all emergency response operations at the federal, state, and local government levels. Since 85 percent of the critical infrastructure in the United States is owned by the private sector, this unity between the cyber response community in the government and private sector will be essential to effective protection and defense.

On Monday afternoon, I was busy with my own session: “Malware on Second Life–Myth or Reality?” As businesses begin to embrace virtual worlds, there’s more and more money involved. I conducted some research on this platform to demonstrate that Trojans, worms, phishing, and counterfeiting activities were not a myth. Here’s one incident I found: Two teenagers, 15 and 14 years old, have been convicted for virtual theft in the Netherlands. They had stolen a virtual amulet and mask in the multiplayer RuneScape game by forcing another player to transfer the items under the threat of violence. One defendant was sentenced to 200 hours service, the other to 160 hours. Yes, threats in virtual worlds are a new cause for concern.

One of the Wednesday events was the talk by colleagues George Kurtz and Brian Kenyon (“Hacking Exposed Live 2008”). The conference room was just large enough to accommodate all the people wishing to see the live demonstration of today’s most advanced attacks and exploits. Perhaps some attendees found this report too technical. For my part, I thank the authors for the 140-page booklet they offered to all the participants.

Also that day I could not miss the report by Joe Telafici (one of my managers and vice president of operations for McAfee Avert Labs) on the “Economics and Finances of Cybercrime.” After a well-documented threat report that demonstrated the business sense of cybercriminals, Telafici explained that we had to “change the equation” by reducing rewards and making the web harder to use for criminals. “We need a multifunctional, cross-discipline, standards-based approach at fixing the protocols and applications [TCP/IP, DNS, SMTP, HTTP(S)] that make up the Internet,” he concluded.

I started Thursday by participating in the Craig Schmugar track on “Sō’shəl Ěn’jə-nîr’ĭng.” ;-) Social engineering is one of the most successful tactics attackers can use in committing cybercrime–by enticing a potential victim into performing a distinct action. After some examples, my Avert colleague explained that crimeware defense strategies were rarely discussed in public. First, they concern the trade secrets of the anti-malware industry; and, second, they could help criminals in their bad work if they were circulating. Social engineering defense, however, is a bit different. Schmugar discussed social engineering characteristics (source, destination, circumstance, content type), inspecting metadata (freshness of content, file names, extensions, path, ADS, web domain and site names), considering static binary properties (container, file size, icon, use of “obscure” functionality and digital signatures) and considering the environment (service names and description, registry references).

Also on Thursday, the Dmitri Alperovitch talk grabbed my attention, and I did not hesitate to congratulate him after his presentation. The subject was “Organized Online Criminal Enterprises: Profile of Who, Where, and How.” Alperovitch offered an impressive list of criminals from Eastern countries (with supporting photos) involved in all sorts of cybercrime. It is easy to understand why the Alperovitch presentation now available on the Internet has many deleted sections. Seemingly, the crooks are all Russian or Ukrainian; and of course they use WebMoney. His example of stock manipulation was also very explicit. With some professional spammer tools and an Internet application able to manage “Exact Buy/Sell signals,” Alperovitch demonstrated that it is not difficult for a crook to make money. In his example, the “buy” flag for a particular penny stock was fixed to $3.45 and the “sell” flag was set between $3.90 and $3.95. When the spammer launched his campaign, the stock cost about $3. The whole deal took just 8 hours, from purchase to sale. By manipulating 100,000 shares, the profit reached $50,000.

Now I am heading home to France preparing to inform my family about all the interesting and festive events I saw. See you next year at FOCUS’09!

Most Overhyped Bug?

During the BlackHat conference, security researcher Dan Kaminsky revealed full details on the DNS cache-poisoning vulnerability that has been all over the media the last couple of weeks. Later that day he received an award for the “Most Overhyped Bug.”

Was that award really justified? I think not.

DNS cache-poisoning vulnerabilities are nothing new. Such vulnerabilities have been known for more than 10 years. But now we live in a different time: The threat landscape has changed significantly, and there are gangs of criminals trying to get their Trojans installed on as many machines as possible, stealing as much information as they can. We have seen just this year that they would go as far as hacking hundreds of thousands of web pages just to distribute malware. It is safe to assume that they would take advantage of a vulnerability that allows them to route unsuspecting victims to their web sites, and this vulnerability allows them to do just that. And a lot more. Just combine the DNS vulnerability with other vulnerabilities and features, such as routing the emails of the “forgotten password” feature on web sites to them, to steal login details. Attacks that require the criminals to act as a man-in-the-middle are usually not taken seriously because they are so hard to carry out; this vulnerability changes that.

Considering all this, I don’t think it was overhyped. As of today there are probably still thousands of unpatched DNS servers. So stop shouting “hype,” go patch!

“The-Cat-is-Out-of-The-Bag” DNS Bug

There has been a lot of hush-hush recently regarding a DNS security issue found by Dan Kaminsky. An industry-wide coordinated effort led by Dan ensured that patches were released by multiple vendors. Even though the technical details of the issue had not yet been made public by Dan, an inadvertent leak on the Matasano Security blog seems to have given out a lot of the information regarding the issue. At this time I cannot confirm that the findings published on the leaked (and subsequently removed) blog are in fact the same details that Dan is to make public at Black Hat, but the scenarios described there are a very serious threat to the Internet at large. As has been discussed in a number of follow-on blogs and articles, the threat emerges from two different issues with the DNS protocol.

1. Prediction of Source Port and Transaction ID: DNS primarily uses UDP packets to send questions and receive answers. The image below depicts a very simple scenario where a Client is trying to look up the IP address for www.bob.com.
Normal DNS Lookup

A DNS question (request) and answer (response) are UDP packets with the following simple structure.

DNS Packets

The Client will accept any packet as an answer to its question as long as the packet is coming from the DNS Server, the source & destination ports match the destination & source port of the question packet, and most importantly the Transaction ID and Question match its question. An attacker can spoof such an answer packet as long as he can pretend to be the DNS server and also guess the source port (SP1) and transaction ID (TID1) (the destination port is usually 53). The attacker also needs to make sure his spoofed answer packet reaches the Client before the actual answer packet from the legitimate DNS Server. The image below depicts a very simple attack scenario.
DNS Attack Scenario


2. Additional Resource Records: When a DNS server replies to a question, it can also include additional information in the answer to make future lookups more efficient. A typical answer to a question such as “What is the IP for www.bob.com?” from the client DNS server to the bob.com DNS server may look like the following image.
Normal DNS Packet
So the next time the client DNS server needs to know the IP for another host in the bob.com domain, such as mail.bob.com, it will send a question directly to either the DNS server at 1.1.1.254 or 1.1.1.244.

Combining the above two issues is what makes it more interesting. If an attacker is successful in predicting the source port and transaction ID (as in Issue 1 described above), and also inserts additional information into the spoofed answer packet with the DNS servers pointing to the IP of his evil DNS server (as in Issue 2 described above), he can control the traffic directed to the bob.com domain. Below is an image showing such a spoofed answer packet.

Attack DNS Packet
Although everything looks simple in theory, the two important keys to successful exploitation lie in the process for guessing the source port and the transaction IDs. In reality a large number of attempts are required by an attacker to guess the source port and the transaction ID of a DNS question before an answer from the legitimate DNS server is received by the victim. Some DNS implementations do not completely randomize the transaction IDs. They may also use the same source port to connect to the same destination DNS server to resolve a series of questions within a short time period. Such patterns can be identified by an attacker by sending recon probes to the victim name server to look up domains controlled by the attacker. This, combined with other strategies such as the birthday attack, makes it possible to guess the source port and transaction ID in a relatively small number of attempts.

Another reason to take the issue more seriously is the scenario where the victim name server is behind a NAT device that does a poor translation from the internal random source port to a sequential external source port (or any other fixed-pattern source port). This just makes the job of the attacker less challenging.
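To make Issues 1 and 2 concrete, here is an added example (not code from the original post) that decodes the DNS header fields the packet diagrams refer to, audits a series of source ports or transaction IDs for the two weak patterns named above (value reuse and sequential values, as from a poor NAT), and computes the birthday-attack success probability for a given number of outstanding queries and forged answers. All packets and the port observations are constructed sample data; the thresholds in `audit_randomness` are assumptions chosen for illustration.

```python
"""Added example, not code from the original post: parse the DNS header,
audit how well a resolver spreads its source ports / transaction IDs, and
compute the birthday-attack success probability for a given ID space.
All packets and port/TXID observations below are constructed sample data."""
import struct

TXID_SPACE = 1 << 16              # 16-bit transaction ID
EPHEMERAL_PORTS = 65535 - 1024    # usable source ports if fully randomized


def parse_dns_header(packet: bytes) -> dict:
    """Decode the fixed 12-byte DNS header (RFC 1035 section 4.1.1)."""
    if len(packet) < 12:
        raise ValueError("packet shorter than a DNS header")
    txid, flags, qdcount, ancount, nscount, arcount = struct.unpack("!6H", packet[:12])
    return {
        "txid": txid,
        "is_response": bool(flags & 0x8000),
        "qdcount": qdcount,
        "ancount": ancount,
        "nscount": nscount,
        "arcount": arcount,       # additional records: the section of Issue 2
    }


def parse_question_name(packet: bytes, offset: int = 12) -> str:
    """Read the uncompressed QNAME that follows the header."""
    labels = []
    while packet[offset] != 0:
        length = packet[offset]
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(packet[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels)


def build_query(txid: int, name: str) -> bytes:
    """Constructed helper: a standard recursive A query, for sample input only."""
    header = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0)   # RD set, 1 question
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def audit_randomness(values, space: int) -> dict:
    """Judge a series of source ports or TXIDs taken from successive queries
    the same resolver sent. Flags reuse of one value and sequential values;
    the 0.5 cut-offs are assumed thresholds for this example."""
    n = len(values)
    if n < 2:
        raise ValueError("need at least two observations")
    diffs = [b - a for a, b in zip(values, values[1:])]
    sequential = sum(1 for d in diffs if d in (0, 1)) / len(diffs)
    distinct = len(set(values)) / n
    verdict = "poor" if sequential >= 0.5 or distinct < 0.5 else "ok"
    return {"distinct_fraction": distinct, "sequential_fraction": sequential,
            "span_fraction": (max(values) - min(values)) / space, "verdict": verdict}


def spoof_success_probability(outstanding: int, spoofed: int, space: int) -> float:
    """Chance that at least one of `spoofed` forged answers, each with a
    distinct random ID, matches one of `outstanding` in-flight queries that
    each carry a distinct random ID drawn from `space` (birthday attack)."""
    if outstanding + spoofed > space:
        return 1.0
    p_no_match = 1.0
    for i in range(spoofed):
        p_no_match *= (space - outstanding - i) / (space - i)
    return 1.0 - p_no_match


# Constructed observations: a NAT rewriting ports sequentially, versus a
# resolver that randomizes its source port.
NAT_SEQUENTIAL_PORTS = list(range(40000, 40020))
RANDOM_PORTS = [51203, 3377, 61984, 17520, 44801, 9042, 58310, 23777, 36119,
                62990, 1460, 29845, 54208, 11671, 47333, 6258, 33910, 60127,
                19486, 42655]

if __name__ == "__main__":
    pkt = build_query(0x1A2B, "www.bob.com")
    print(parse_dns_header(pkt), parse_question_name(pkt))
    print(audit_randomness(NAT_SEQUENTIAL_PORTS, EPHEMERAL_PORTS))
    print(audit_randomness(RANDOM_PORTS, EPHEMERAL_PORTS))
    # TXID only (fixed source port) versus TXID plus a randomized port
    print(spoof_success_probability(200, 200, TXID_SPACE))
    print(spoof_success_probability(200, 200, TXID_SPACE * EPHEMERAL_PORTS))
```

The last two lines of the demo show why source-port randomization is the mitigation that matters: with 200 outstanding queries and 200 forged answers the guess succeeds almost half the time against a 16-bit TXID alone, and practically never once the port adds roughly another 16 bits to the space. The audit function is meant to be fed ports or TXIDs captured from your own resolver's outbound queries, which is the same idea as the public DNS checkers mentioned below.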

It should be noted that both DNS clients and servers are vulnerable to these issues, although the potential impact of successful exploitation is greater when a DNS server cache can be poisoned. If you would like to know whether your DNS server is vulnerable you can check out Dan's DNS Checker or follow some of the suggestions on the SANS Diary. McAfee customers with the McAfee Network Security Platform (formerly IntruShield) line of products are protected by attack signature id 0x40303200, released in sigset 4.1.30.4 and sigset 3.1.67.3.

In closing, I think these are very serious issues in the DNS protocol and not necessarily the only issues that Dan will be presenting at Black Hat. I guess we can wait a few more days to get the complete details.

Phishing & Vishing takedown best practices

There has been some debate in anti-phishing circles over what a hosting service provider should do when taking down a phishing site. It boils down to one of three basic actions the victims witness.

  • Redirect the hits to the brand's legitimate site – This in my opinion is a dangerous thing to do on many levels, and any brand requesting this action will feature in a follow-up shortly.
  • Remove the site and throw a 404 error – Just stopping the site from working and having the browser present a standard error is the standard check-box reaction with minimal effort.
  • Use the hit as an opportunity for education – This is by far my favored option (even though I'll play devil's advocate when it's discussed). Once a victim has fallen for a phishing email, help them to help themselves in the future with some easy-to-understand education.

Education has to be appropriate; I'm not suggesting that “click time” is a good time for presenting the user with the Anti-Phishing Phil game, for instance (Phil is great, though, if you've never seen it). “In your face” education at click time is a topic close to the heart of the APWG; they will present their advice on the topic very soon.

So back to the raison d'être of this blog: a 10-gallon hat tip to AT&T for this great vishing takedown [Listen to the mp3]*. They've raised the bar with this one and deserve some hearty kudos. I can't think of a better way of dealing with a vishing number. The continuous unavailable tone has no place here, since it's easily confused with mis-dialing (Homer mp3). They have replaced the disconnected service with a great education statement, and sound advice too if the caller thinks they were a victim.

* The quality is much better on the phone, I used our conference bridge to record the example.

CeCOS II – Co-operation and Education is Key

I was at the APWG CeCOS II conference in Akasaka, Tokyo, Japan for the last two days. It was encouraging to see many members not only from academia, security vendors and anti-phishing groups but also from many law enforcement agencies, including Interpol and the Kyoto Prefecture Police amongst others. There were also several presenters from the online gaming community.

Having such a diverse turn-out certainly helps push greater awareness of a multitude of cyber crime issues. It was very encouraging to see everyone agreeing on better co-operation in shutting down rogue sites, tracking the bad guys and protecting the users. There was also a video crew from NHK to bring the CeCOS message to Japanese TV viewers.

Dr. Uchida-san from the Institute of Information Security and Steve Sheng from Carnegie Mellon University (CMU) also presented a different angle on the issue, from the psychological and educational aspects, both of which complement the policy and technology countermeasures.

Shinsuke Honjo and I gave a presentation on Monday to highlight how malware authors are now going all out to attack victims from all cultures. They can craft spam, phishing sites or malware to target diverse cultures and groups of Internet users in the Asia Pacific region. It was interesting for us to have our research corroborated by data from other speakers at the event. Terence Park, a researcher from KrCERT/CC, in particular demonstrated how a Korean document viewer was used as bait to install a password stealer. This was another classic example of how malware authors can use different localized techniques to get their victims.

Overall, the messages that were consistent throughout were co-operation and education. In tackling a global issue like cyber crime, these are both important factors, not only in tracking and prosecuting the criminals but also in better protecting Internet businesses and users.

CARO Workshop is over…

… well, it was over already on Saturday, but I've been busy analyzing malware and have not had the time to write this post earlier ;)

Friday's presentations showed the same quality as those of the first day of the conference. The day opened with a couple of interesting talks on how to de-obfuscate scripts: this is a rather interesting topic, as scripts are increasingly the way in which machines first get infected, for example when browsing the web. Several analysis techniques and tools were presented to effectively decode script code that could otherwise turn into a researcher's nightmare.

Then we had an interesting presentation from team members of AV-Team.org, in which they presented the results they obtained while testing the performance of AV engines scanning packed or protected code, taking into consideration several factors, like the capability of some engines to use generic unpacking techniques and what happens when certain packers are blacklisted.

Blacklisting of packers was also the topic of two other presentations, showing how “hot” this topic is. A presentation from Avert Labs' own Gaith Taha stepped into the difficult field of creating a methodology to estimate the risk associated with packer blacklisting and generic detection.

Next, Sophos' Boris Lau presented his work on dealing with virtualizing packers, which use virtual machines to make code analysis complex and tiresome. The work presented was excellent, showing how to apply techniques usually associated with compiler science to help in the difficult fight against these complex protectors.

To close the day, Avert's Geok Meng Ong presented his work on a different kind of obfuscation, the kind that comes from a closed or partially documented file format, accompanying his speech with several case studies.

Looking back on the past days in Amsterdam I can truly say that it has been a really nice experience, a chance to meet great people and discuss some very interesting topics with them… Thanks for the great time guys!!

Now, back to malware analysis ;)
Signing off…

Update from CARO 2nd Workshop

Hello again, Paolo here. Yesterday afternoon the presentations moved to a more practical level, and the topics that were discussed were definitely interesting.

We started this afternoon's session with “Hump and Dump”, an interesting study of the possibilities of Original Entry Point (OEP) discovery using a statistical technique based on histograms. Retrieving the OEP of a packed application is important for several reasons; for example, its execution usually marks the end of the unpacking process, at which point the original binary, previously invisible under the wrapper of the protector/packer/obfuscator, is available in its rebuilt state. Although the work presented by the authors was still somewhat in the early phases, it shows good ideas, and with some modifications it may become effective enough to be used in research tools and anti-malware scanning engines.

A room with a view

In the following presentation Mario A. López explained to the audience how he and his coworkers at Frisk approached some complex problems related to unpacking in their own scanning engine, but I won't go deeper, as this information is probably not intended for people outside the industry.

Next, Robert Neumann from VirusBuster presented a nice set of specific unpacking strategies to quickly unpack simple, not-so-simple and even complex packers and protectors – thanks for sharing, Robert!

The last presentation was from Ilfak Guilfanov, the author of IDA Pro and Hex-Rays, well known in the security industry as the developer of the unofficial fix for the Windows Metafile (WMF) vulnerability in the Microsoft Windows operating system back in December 2005. In his presentation Ilfak showed us a few tricks for approaching obfuscated code within IDA, including one for a problem that researchers face when analyzing complex protector code.

I am very eager to see today’s presentations including the ones coming from McAfee Avert Labs researchers – Gaith Taha and Geok Meng Ong!

Stay tuned for the next update!!! :)

Greetings from Amsterdam…

…and from the Crowne Plaza hotel – home of the 2nd CARO workshop on “Packers, Decryptors and Obfuscators”.

Welcome to CARO 2nd workshop

As you may know, nowadays malware mostly comes in packed form, in order to thwart anti-malware and security products. For this reason it is of great importance to develop technologies that can “see through” these executable wrappers and detect the underlying malware in a smart way.

Easy to say – less easy to do. And this is the reason for which this workshop is really interesting :)

After attending this morning’s part of the workshop I have to say that the presented content has been really excellent – and technical too. Starting from the keynote speech through all the others thus far I’ve been struck by the depth of the information shared. I found Kurt Natvig’s presentation especially interesting as it covered the difficulties emulators face when dealing with modern malware – good job, Kurt!

Hopefully the presentations will be made available online too, so I definitely advise anyone interested to monitor the CARO workshop website!

I need to go now as the afternoon’s presentations are starting! Talk to you later! :)

Is Malware affecting Global Warming?

On the 19th of March 2008 I attended a conference at the Saïd Business School, Oxford University, called “ICT Towards low carbon emission”.

Many interesting topics were discussed regarding the impact that information technology has on energy consumption and CO2 production. Particular attention was given to the implementation of large data centres, including the cooling of cabinets of server machines and the utilisation of the respective hardware (storage, processing etc.) for a given task. Dr. Peter Wagget of IBM Emerging Technology Services was present to discuss new efforts being put into developing ways to make our machines perform in a more “planet friendly” fashion. Juergen Heidegger, the Director of ICT Infrastructure Products at Fujitsu Siemens Computers, presented as well. Martin Chilcott, Founder and CEO of Meltwater Ventures, presented a new approach to social groups on the Internet, focusing on “green business innovation” with the soon-to-be-launched “2Degrees” g-business network, open to participants interested in sharing ideas, products and expertise on anything CO2 friendly.

Two of the most interesting presentations were by Liam Newcombe of the British Computer Society Data Centre Specialist Group and by Daniel Curtis, the Evaluation Lead on the Low Carbon ICT project.

Liam discussed the current situation and possible improvements in data centres through better planning and by maximising server throughput. He discussed some very interesting projects such as the Green Grid, as well as highlighting obvious problems that can no longer be disregarded, such as cooling and the use of air-conditioning systems. Just think: with the energy currently used by just over 100 servers in a poorly designed data centre you could drive a BMW 750 series approximately 40,000,000 km, the equivalent of 100 times around the earth or 5 times to the moon … with its air conditioning on!!

Example of the peak consumption of energy using 3 different Data centre approaches over the course of 4 years:

Daniel Curtis discussed a project currently run at the Oxford Environmental Change Institute, directed at designing hardware that will put PCs that are not being used into a much more energy-efficient state than current power management solutions are capable of. He also mentioned that the average PC consumes approx. 76W under normal load and approx. 114W under full load (for example 100% CPU).

After the conference a thought came to my mind…. Think of a recent outbreak of a well known worm, -STORM-. In only a few days, 1.6 million PCs were reported to be infected, resulting in compromised machines running well above “normal operation” loads and therefore consuming more energy!

Allow me to speculate a little……

The difference between normal load and heavy load is approximately 38 watts. So if only 50% of the infected machines were running at “heavy load” due to the nature of the exploit hitting them (for example a PUP running fake AV or loads of advertising pop-ups), this would equate to 900,000 PCs * 38 watts = 32,400,000 watts wasted on some malicious application. Of course I am not even considering the amount of energy used by all the routers and network equipment across the globe going crazy dealing with the abnormal increase in unwanted traffic.

Without using complex calculations, and just to give an impression of what the potential for this wasted energy could be: with the above 32 megawatts I could power my “small” 3 bedroom house for approximately 8 years without having to pay my current electricity supplier, and during this time watch a whole load of wide screen TV with a plentiful supply of hot tea.

Efforts to create awareness of the problem of carbon emissions are increasingly being made by companies throughout the world, and they are starting to show their value. An interesting example is from Google last week. When summertime kicked in, they dressed their well known white homepage in black for the occasion. This is because monitors are known to use less energy while displaying black versus white screens (approximately 15 watts less).

Here is an example of a “copycat” search engine called “BLACKLE”:

So the moral is pretty simple: I am going to keep a good AV solution on my black desktop to keep my files safe and at the same time make the planet a little greener. Clean surfing folks!!!

Process for 0wning the Challenges in Applied Security’s Hack IT 2.0 at Shmoocon

Last night I shared with the group at AHA! how Ryan and I went through most of the challenges in Applied Security's HackIT 2.0 contest at ShmooCon 2008. I spoke about how we approached and solved most of the challenges, and I thought I would share the process with whoever else was interested. I posted an informal report describing the methodologies and how to run/use the tools that we employed during the contest. The report is located on AHA!'s wiki, so if you're interested, it's located here on the meeting page. There is also a link to a PDF report if you want to take it offline. Also, if you are in Austin, Texas (or the surrounding area), you should check out AHA! We get together and present as many short DefCon-style talks as we can before we get kicked out of Mangia Pizza. We share a lot of interesting/fun/useful ideas and information with each other. Plus, if you are a remote worker, it's a nice opportunity to get out and meet other “hackers” and shoot the breeze. We are a very welcoming bunch, but if you do come, be prepared to present. :)

Is it Domain Tasting or Domain Misusing?

When a registrar registers a domain name, there is a five-day Add Grace Period (AGP) during which it may cancel the request and receive a full credit for the registration fee from the registry. This practice has been gaining popularity since mid-2005, and although the grace period was originally set up to allow mistakes to be corrected, it is now frequently abused.

Besides the fact that some domainers use it to track names with a high potential to generate traffic, and thus pay-per-click revenues, people who use the fast-flux and rockphish techniques, which we have already discussed here in detail, now use it in proportions that would be interesting to measure. Domain tasting involves registering names only to release them very quickly and without paying for them. This practice exploded in 2007, and an incredible number of temporary domain names, having definitely been used to carry out malicious activities, were deleted at the end of this add grace period.

A quick analysis of the activity of registrars accredited by ICANN (Internet Corporation for Assigned Names and Numbers) helps to measure the phenomenon. Already in 2006, during an organizational meeting, a workshop called “domain name marketplace” looked at figures from Verisign, the registry for .COM and .NET. Between May 1 and 31, 2006, they listed 616 registrars that had registered at least one name. Only 18 of them were responsible for 98.1% of this type of activity.

The following graph from Nick Ashton-Hart (Director for At-Large at ICANN) makes this clear:

It shows that the phenomenon is continuing to grow and that it involves more than just a few companies speculating on highly attractive domain names.

Undoubtedly hiding behind this multitude of names are blatantly criminal people who create and use random names, registered using more or less automated methods, to be used for a few days, or even a few hours, as temporary sites for selling products offered through spam campaigns or as mirror sites tied to phishing campaigns.

Below is a very brief excerpt from a list spanning several hundred pages, showing a series of domain names that were removed on December 11, 2007. It is clear that these names are not only viewed or used as high-potential domain names:

For people interested in the domain tasting issue, I recommend a read of the GNSO Issues Report on Domain Tasting. GNSO (Generic Names Supporting Organisation) is the specific part of ICANN responsible for developing and recommending to the ICANN Board policies relating to generic Top Level Domains (gTLD).

Thanks to Franck Veysset (from France Telecom R&D) who gave me some details on this phenomenon during the last CLUSIF Cybercrime Conference in Paris.

Live from VB2007 – part 2

Welcome from the capital of Austria and the floor of the second day of the 2007 VirusBulletin conference. Today has proved another exciting day in the anti-malware world, with presentations from our very own Joe Telafici and Dmitry Gryaznov co-presenting on how the AV community is DoS-ing itself by collecting and swapping malware.

Joe and Dmitry on stage

In addition, Dmitry presented, on behalf of Ahmed Sallam, the topic of “Terminating Hidden Processes”. This topic was very interesting and covered the popular tactic used by rootkits to hide their process from user-land applications. A side effect of this is that terminating the hidden process can cause serious instability in the operating system, and often BSODs if a new application is launched post-termination. This instability occurs because the pointers from one process to another are manipulated by the rootkit. Ahmed's paper contained suggestions on fixes for this problem and on how our Rootkit Detective is not affected.

In some shameless self-promotion, my (first VirusBulletin) presentation from yesterday was referenced no less than three times today by other security professionals. Josh Harriman (Symantec) mentioned it this morning when referring to the remediation of more complex threats, whilst Roel Schouwenberg (Kaspersky) mentioned it during his last-minute presentation on “Targeted banker malware on demand” (referring to a variant of W32/Alvabrig), as did Kurt Baumgartner (PC Tools) in his presentation “Storm – Malware 2.0 has arrived”.

Me discussing a patched wininet.dll file

A special event occurred today – the introduction of last-minute presentations! Based on feedback from last year's VirusBulletin conference, it was agreed that, in order to encourage papers and presentations covering up-to-the-minute malware and research topics, security professionals would be invited to submit papers just two weeks before the conference itself. Eight presentations (of 20 minutes each) ran back to back in the technical stream of this afternoon's schedule. All the presentations were good and indeed most were very topical.

Tonight is the gala dinner and cabaret, which should be very entertaining, so until tomorrow it’s goodbye from me!

Live from VB2007

What could be better than getting paid to travel to the beautiful city of Vienna, Austria, spending the first half of the week perusing museums and admiring the local baroque architecture, then spending the latter portion listening to the many experts of the anti-malware industry presenting their most recent work and the threat landscape? I'm sure many of you can think of better alternatives, but for a computer geek who enjoys history, it rarely gets better than this.

The day is nearing an end as the sun begins to set on this historic city and on day 1 of VB2007. The first day adjourned after many interesting presentations, ranging from the use of automation in the world of malware (for the purposes of good and evil) and the growing use of malware in virtual worlds (MMORPGs and Second Life) to low-level malware techniques (rootkits and patching).

The three-day conference will be busy for our McAfee Avert Labs researchers, as we have at least one speaker presenting each day on the VB2007 conference agenda.

The truths and myths about Blue Pill and virtualized malware

We have been studying the issue of malicious hypervisors for quite some time at McAfee Avert Labs and have come up with several techniques to detect whether the system runs on top of a hypervisor or whether there is a piece of code that is trying to initiate a hypervisor. Our work included, of course, analyzing things like Blue Pill and other similar malicious hypervisors.

Last week I was at Black Hat, and it was a very exciting week in terms of Blue Pill and the virtualization rootkit issue in general. During the Black Hat 2007 Briefings in Las Vegas there were three interesting sessions relating to virtualization system security and rootkits. I attended those three sessions and had a chance to chat with three of the presenters. The main points I would emphasize are the following:

  1. Providing a system virtualization facility at the processor level without applying any sound security policy is a serious design flaw.
  2. A malware author's job is to leverage system design flaws, and hence virtualization rootkits, including Blue Pill, were very much expected.
  3. There is no rootkit that is undetectable, even if it installs itself as a hypervisor. The challenge is always in how to repair rootkits once they control some layer in the system architecture.
  4. There needs to be a more organized effort between hardware virtualization vendors, software hypervisor providers and security companies to ensure the secure deployment of virtualization solutions.

Now before I go into what happened during the three sessions at Black Hat, I would like to provide our readers with some background and personal thoughts on this topic. Less than two years ago, both Intel and AMD started to provide virtualization support at the processor level. This support essentially comprises a set of processor enhancements that improve traditional software-based virtualization solutions. These integrated features give virtualization software, namely Virtual Machine Monitors (VMMs) and hypervisors, the ability to offload work to the system hardware, enabling more streamlined virtualization software stacks and “near native” performance. For instance, virtualization-enabled processors allow VMMs to rely on the hardware for isolating and mapping memory between virtual machines. This is achieved by adding another level of indirection for mapping VM physical addresses to host physical addresses. Both Intel and AMD also provide an additional level of indirection for mapping VM I/O addresses to host I/O physical addresses. Virtualizing memory addresses and I/O addresses at the processor level is a great extension that minimizes the work done by today's software hypervisors. However, in doing so neither Intel nor AMD considered the security risk of providing such a powerful facility in the hardware with no restriction on which piece of software could take advantage of it. In theory there have been lots of publications about the safer computing initiative and how to use TPM technology to authenticate the piece of software that puts the processor into virtualization mode. But in reality this was not provided in the first release of the virtualization-aware processors, as hypervisor authentication was not provided at the firmware or BIOS level.

Now think about that with me for a moment – we now have a very powerful unlocked facility in the processor that allows any piece of software running in ring zero (like a device driver) to initialize a processor-supported hypervisor and hence take control of the whole computing environment, including the operating system. Yes, this is true, and it was a serious design flaw. Of course both Intel and AMD designers assumed that operating system kernel developers were the only ones who would care about virtualization and would use the facility provided by their processors, which turned out to be untrue. Joanna Rutkowska (the Blue Pill author) and others have demonstrated sample code that initiates a hypervisor, and since it runs outside the operating system it can be considered a rootkit. But as the reader may understand now, there are no secrets there. No undocumented stuff; it is all about a powerful hardware feature that was not protected by any security policy.

Now to make the situation worse, both Intel and AMD are competing in that space, and I guess both are trying to get software virtualization vendors to rely on their processors' native virtualization support. But software-based hypervisors do more than memory and I/O virtualization. They do binary translation, for instance, which allows them to control program execution at the instruction level and to control how programs respond to system interrupts. To accommodate that need, both Intel and AMD provide the ability to exit from the VM to the VMM when a certain instruction is executed or a certain condition takes place inside the VM. For hackers this is a very lucrative feature: not only can they install a thin hypervisor, but they can also control the execution of certain instructions and fake many things from below the operating system, like time stamp counters, which used to be a very reliable method for measuring elapsed time. Looking at the Intel and AMD virtualization specifications, it does not look like they require many things from the hypervisor. In other words, it is up to the hypervisor to decide what it wants and does not want to virtualize. This by itself lowers the cost of making a malicious hypervisor. Let me conclude this introduction by making the following statements:

  • Providing hardware-based virtualization support without protecting it with a sound security policy is a major flaw in the system design!!!;
  • Hardware-assisted hypervisors have the freedom to choose which software execution facilities to virtualize and control;
  • Blue Pill and other types of malicious hypervisors were anticipated by security experts who are well acquainted with the processor architecture.

I think I have provided quite enough background, as well as some personal thoughts on the subject, so let's move on to what happened in Las Vegas last week. As I said, there were three sessions related to virtualization-based malware and Blue Pill:

  1. “Don't Tell Joanna, The Virtualized Rootkit Is Dead,” by Thomas Ptacek, Nate Lawson and Peter Ferrie;
  2. “IsGameOver(), anyone?,” by Joanna Rutkowska and Alexander Tereshkin; and
  3. “Kick Ass Hypervisoring: Windows Server Virtualization,” by Brandon Baker.

The first session was “Don't Tell Joanna” on Wednesday morning. The main point we got from that session is that it is very easy to detect virtualization rootkits. Speaking from my twelve years of experience in the anti-rootkit space, including my latest project/product offered by McAfee, the McAfee Rootkit Detective, I totally believe that “there is no rootkit that is undetectable”. I also tried to emphasize that fact in a McAfee podcast recorded before Black Hat. In their session Peter, Thomas and Nate focused more on time-based detection methods: call an instruction that causes the system to exit from the VM to the VMM, measure the time elapsed until execution returns to the VM, and compare that with the time taken when running without a hypervisor. I have always liked that time-based approach, and it was heavily discussed in Avert Labs some time ago, but we thought of using other, non-time-based methods that rely on observing changes made to some processor status and cache fields like the TLB (Translation Lookaside Buffer). Anyhow, after the session ended I talked for an hour or more with Peter Ferrie – I told Peter that it was a very nice presentation and that my personal research findings support their conclusions, although I use some different non-time-based detection methods. Peter and I were wondering how Joanna would respond in her presentation in the afternoon.
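As an added example (not the post author's code, not McAfee's, and not what Ptacek, Lawson and Ferrie presented), this C program implements the time-based probe described above: it times CPUID, which on VT-x and AMD-V always traps to the hypervisor, against a baseline that never exits, and uses medians so a stray interrupt cannot skew one sample. It also reads the CPUID “hypervisor present” bit that a cooperative hypervisor sets. The 1000-cycle threshold is a heuristic of my own to be tuned per CPU, and the probes compile to no-ops on non-x86 machines.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>        /* __cpuid, __get_cpuid */
#include <x86intrin.h>    /* __rdtsc */
#define HAVE_X86 1
#else
#define HAVE_X86 0        /* probes return 0 on other architectures */
#endif

enum { SAMPLES = 256 };

/* Cycles spent on one CPUID. Under VT-x or AMD-V this instruction always
 * causes a VM exit, so the round trip through the VMM shows up here. */
uint64_t time_cpuid(void) {
#if HAVE_X86
    unsigned a, b, c, d;
    uint64_t t0 = __rdtsc();
    __cpuid(0, a, b, c, d);
    uint64_t t1 = __rdtsc();
    (void)a; (void)b; (void)c; (void)d;
    return t1 - t0;
#else
    return 0;
#endif
}

/* Baseline: two back-to-back RDTSCs, an operation that never exits. */
uint64_t time_baseline(void) {
#if HAVE_X86
    uint64_t t0 = __rdtsc();
    uint64_t t1 = __rdtsc();
    return t1 - t0;
#else
    return 0;
#endif
}

/* CPUID leaf 1, ECX bit 31: set by hypervisors that announce themselves
 * (the cooperative interface). A stealth hypervisor need not set it, which
 * is why the timing probe exists at all. */
int hypervisor_bit_set(void) {
#if HAVE_X86
    unsigned a, b, c, d;
    if (!__get_cpuid(1, &a, &b, &c, &d)) return 0;
    return (int)((c >> 31) & 1u);
#else
    return 0;
#endif
}

static int cmp_u64(const void *x, const void *y) {
    uint64_t a = *(const uint64_t *)x, b = *(const uint64_t *)y;
    return (a > b) - (a < b);
}

/* Median of n samples; a timer interrupt landing inside one probe then
 * cannot skew the result the way a mean would. */
uint64_t median(uint64_t *v, size_t n) {
    qsort(v, n, sizeof *v, cmp_u64);
    return v[n / 2];
}

/* Decision rule: a VM exit costs on the order of a thousand cycles or more,
 * a native CPUID far fewer. The threshold is a heuristic to tune per CPU. */
int looks_virtualized(uint64_t cpuid_med, uint64_t base_med, uint64_t threshold) {
    return cpuid_med > base_med && cpuid_med - base_med > threshold;
}

/* Runs both probes SAMPLES times; returns 1 if the CPUID overhead suggests a
 * VMM is underneath. Medians are reported through the optional out-pointers. */
int probe(uint64_t threshold, uint64_t *cpuid_out, uint64_t *base_out) {
    uint64_t c[SAMPLES], b[SAMPLES];
    for (size_t i = 0; i < SAMPLES; i++) {
        c[i] = time_cpuid();
        b[i] = time_baseline();
    }
    uint64_t cm = median(c, SAMPLES), bm = median(b, SAMPLES);
    if (cpuid_out) *cpuid_out = cm;
    if (base_out) *base_out = bm;
    return looks_virtualized(cm, bm, threshold);
}

int main(void) {
    uint64_t cm, bm;
    int timing = probe(1000, &cm, &bm);
    printf("median cpuid %llu cycles, baseline %llu cycles\n",
           (unsigned long long)cm, (unsigned long long)bm);
    printf("hypervisor bit: %s, timing probe: %s\n",
           hypervisor_bit_set() ? "set" : "clear",
           timing ? "VMM suspected" : "no VMM overhead seen");
    return 0;
}
```

A hypervisor that rewrites the time stamp counter on every exit, as the post discusses next, can hide from this probe; that limitation is exactly why non-time-based checks are worth having alongside it.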

Then came the afternoon and I was sitting there in the second row in front of Joanna. Joanna seemed a little nervous when she started her presentation. Initially Joanna picked again on Windows Vista by showing some Vista-signed drivers that allow anyone to write to any kernel memory or modify MSRs (Model Specific Registers). That was nice, but it is something we see every week at Avert Labs, so nothing new in it, to me at least. Then came the second part of Joanna's presentation, in which she started to explain how her Blue Pill rootkit can adjust the time stamp counters in such a way that no code could detect the overhead of running on top of a hypervisor. I made a comment in the form of a question during the presentation, but Joanna said questions would be answered only after she finished. The point I wanted to make, and maybe Joanna is reading this now, is that her argument about being able to fix the time stamp counters is not a strong technical argument, for the following reasons:

  1. This would require Blue Pill to emulate all the processor instructions that cause a VM exit and adjust the time stamp counter accordingly. Therefore we are no longer talking about a thin hypervisor that intercepts only specific instructions, interrupts, etc., but rather about a heavy hypervisor that would require a significant amount of work from Joanna and her team.
  2. The detection code can still issue arbitrary I/O requests to any I/O device that may do nothing but cause a VM exit, and then calculate the execution time. This would require Blue Pill to handle requests to I/O devices as well.
  3. Manipulating time stamp counters does not seem to be a wise thing to do, as there might be device drivers that rely on the validity of those time stamp counters to perform correctly.

During the session I started questioning the value of spending all that time trying to build a Blue Pill that cannot be detected. There are many factors to consider, like:

  1. One day soon either hardware systems or operating systems will ship by default with a hypervisor. That hypervisor would have to be the first hypervisor and would not allow nested hypervisors. Intel has already produced the Intel AMT/vPro systems that ship with a hypervisor. Microsoft is soon to release the next version of its server platform that has a built-in hypervisor.
  2. There are only a few commercial hypervisors and most provide some interface to the VM to communicate with the hypervisor if it exists. This interface can be used to authenticate the hypervisor. Security software can decide to halt the system if the system is not running on a hypervisor that is trusted by the company security policy. McAfee as a security company certainly encourages hypervisor vendors to pay more attention to those interfaces and make them solid enough to be used by security software running inside the VM.
  3. Maybe Joanna can still claim that Blue Pill will emulate that commercial hypervisor interface, which is another layer in the system that would have to be emulated to hide its presence. Still we have a valid question: “what is this all about?” Eventually, and very soon, there will be only certain hypervisors that are trusted by the firmware, and that’s it.

Anyhow, I felt kind of bored in the middle of the presentation and started to write a simple detection method that is not time-based and would definitely detect whether the system is running on top of a hypervisor or not. This technique is based on some research I was doing less than a year ago at Avert Labs. Here is a scanned image of my handwriting of that approach made during Joanna’s presentation.

Link to my Blue Pill notes here.

This detection method relies also on another major design flaw in the existing processor architecture. Here is some technical background: processors use TLBs (Translation Lookaside Buffers) to cache the mapping from virtual (more accurately linear) addresses to physical addresses. But in doing that processors need to know where to get the address translation or mapping from. Well, the mapping is stored inside the PTEs (Page Table Entries). But the question is who would fill those page table entries? Well, presumably (at least by the system designer) it’s the operating system of course. But guess what? PTEs themselves are writable and any code running in ring zero (like a device driver) can modify PTEs and hence change the mapping of linear addresses to physical addresses. Hah, this is the trick, and here is how the detection code works:

  1. Allocate a large contiguous block of non-paged memory;
  2. Fill that allocated memory with the character ‘A’;
  3. Allocate another contiguous block of non-paged memory of the same size as block ‘A’;
  4. Fill that second allocated memory with the character ‘B’;
  5. Freeze the execution of the operating system (do not ask how, but we can do it);
  6. Invalidate all TLB entries. There are processor instructions for that, which could be as simple as reloading the page directory base register: “mov cr3, system_page_directory_table_address”;
  7. Read the first byte of each page in the allocated block ‘A’. This would cause those translations to be added to the processor TLB cache;
  8. Change the mapping of the allocated ‘A’ pages to point to the physical memory holding pages ‘B’. This means that what the processor holds inside the TLBs is no longer what is in the PTEs;
  9. Call any instruction that would cause an exit to the hypervisor, if it exists, like CPUID. Exiting from the VM to the VMM causes the TLBs to be invalidated or cleared; and
  10. Try to read the virtual memory of the first allocated block. If you see the character ‘A’ then it means that the processor found entries in the TLBs and hence those entries were not cleared across an exit from the VM to the VMM. If it reads ‘B’, then it means that the TLB entries were invalidated due to the existence of the hypervisor and the processor had to use the PTEs again to get the mapping from virtual to physical.
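
As an added illustration (not the author's code), here is a small C model of the ten steps above: a constructed four-page page table, a TLB that is consulted before the PTEs, and a stand-in for CPUID that flushes the TLB only when a hypervisor is present. The freeze step is unnecessary in a single-threaded model; real detection needs ring-0 code and this only shows why the final read returns 'A' or 'B'.

```c
/* Constructed model of the TLB-based hypervisor check. Not ring-0 code:
 * phys[] stands in for physical frames, pte[] for page table entries,
 * tlb[] for the processor's cached translations. */
#include <stdio.h>
#include <string.h>

#define NPAGES    4   /* pages in each of block A and block B */
#define PAGE_SIZE 16  /* constructed: tiny pages keep the model small */
#define NFRAMES   (2 * NPAGES)

static unsigned char phys[NFRAMES][PAGE_SIZE]; /* physical frames */
static int pte[NPAGES];                         /* linear page -> frame */
static int tlb[NPAGES];                         /* cached translation, -1 = none */

static void tlb_flush(void) { for (int i = 0; i < NPAGES; i++) tlb[i] = -1; }

/* Translate like the CPU: hit in the TLB if present, otherwise walk the
 * PTE and cache what it found. */
static int translate(int page) {
    if (tlb[page] < 0) tlb[page] = pte[page];
    return tlb[page];
}

static unsigned char read_first_byte(int page) { return phys[translate(page)][0]; }

/* Stand-in for CPUID: on hardware without tagged TLBs a VM exit/entry
 * pair clears the guest's TLB, so the hypervisor's presence shows up as a flush. */
static void cpuid_probe(int hypervisor_present) {
    if (hypervisor_present) tlb_flush();
}

/* Returns 1 if the probe detects a hypervisor, 0 otherwise. */
int tlb_detect(int hypervisor_present) {
    for (int i = 0; i < NPAGES; i++) {          /* steps 1-4 */
        memset(phys[i], 'A', PAGE_SIZE);        /* block A in frames 0..3 */
        memset(phys[i + NPAGES], 'B', PAGE_SIZE); /* block B in frames 4..7 */
        pte[i] = i;                             /* A's pages map to A's frames */
    }
    tlb_flush();                                /* step 6: reload CR3 */
    for (int i = 0; i < NPAGES; i++) read_first_byte(i); /* step 7: prime TLB */
    for (int i = 0; i < NPAGES; i++) pte[i] = i + NPAGES; /* step 8: A -> B frames */
    cpuid_probe(hypervisor_present);            /* step 9 */
    /* step 10: a stale 'A' means the TLB survived; 'B' means it was flushed */
    return read_first_byte(0) == 'B';
}

int main(void) {
    printf("bare metal: %d, hypervisor: %d\n", tlb_detect(0), tlb_detect(1));
    return 0;
}
```

On processors with tagged TLBs (Intel VPID) a VM exit no longer clears guest translations, so this probe reads 'A' under a hypervisor too and yields a false negative.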

I wrote those steps briefly in my BlackHat conference block note and waited for the session to end. Then to my surprise just before the end of the presentation Joanna had a slide that mentioned a detection method similar to mine but without the step that freezes the system. I kind of felt proud of myself, of course, and showed the person next to me that I had it written in my block note. Anyhow, after briefly embracing that detection method Joanna said that it does not work and the people who came up with it did not try it. Well, that was too much! I have been researching that space for quite some time and I know it works!

After Joanna finished her presentation, of course, with no room for asking questions or making comments, I felt that maybe I needed to talk with her. I waited until the crowd around Joanna was reduced to a few people that included my friend Peter Ferrie, and I went to talk to Joanna. I told her “Joanna, this detection method that you mentioned at the end of your presentation should work and we have tried similar things.” Joanna looked at me and said no, it does not. I said well, I know it works. She then grabbed my conference ID and looked at my name while asking me who I am. I said Ahmed Sallam from McAfee Avert Labs. Joanna said she did not know that McAfee is working on that and I told her that we have been researching that area for some time. She then asked how it worked; I said that this is not a subject to be discussed in front of a crowd. But in all cases, Joanna, we can detect the Blue Pill, so you may stop claiming that it is undetectable.

That was the end of the first day at Black Hat and I started to feel that we have been putting too much energy into something that may not deserve all the time and effort that we have been putting into it.

Now let’s get to the third session, which was “Kick Ass Hypervisoring: Windows Server Virtualization” by Brandon Baker from Microsoft, the following day. I went very excited to the session waiting for Microsoft to outline their plan for how to secure the hypervisor or to leverage the hypervisor for having better security. I heard none of that. As a matter of fact, Microsoft said that they are not utilizing the processor-based DMA remapping feature which allows true isolation of physical memory and hence protects against DMA-based physical memory attacks. We certainly understand that Microsoft is working hard to build its new hypervisor but we need to hear some good answers on Microsoft’s plans to make its hypervisor truly secure.

I hope that our blog readers now have a better understanding of this serious topic, and I would like to conclude this post by re-emphasizing the importance of having an organized effort between hardware virtualization vendors, software hypervisor providers and security companies to ensure the secure deployment of virtualization solutions.

Chaos Communication Camp 2007 is over

So who said that hackers cannot survive outside closed buildings?

The closing ceremony is just over and the approximately 2000 visitors of Chaos Communication Camp 2007 are packing their electronic gear and camping equipment, as well as assessing the damage caused by yesterday’s heavy rain. Those of you who did not make it here missed 5 days of exciting cultural exchange in a truly unique environment. To get an idea of what it was like, check out the picture archive.

The hottest topics discussed all over the camp were a new German law in effect banning hacker tools and the so-called Bundestrojaner, proposed to make online searches of suspects’ computers possible. And then there were talks. A lot of them, covering various technical, cultural, social and legal aspects. For those missing a talk or missing the camp altogether there is some hope: All talks in the big speaking areas were recorded and will be made publicly available for download sometime later.

And finally, what I liked most: Powerpoint Karaoke

Speakers and volunteers from the audience get a random powerpoint presentation to present, seeing the slides for the first time while doing so. Just so funny to watch!

Chaos Communication Camp 2007 – The Open Air Defcon

Just 3 days after the closing ceremony of Defcon, security enthusiasts from all over the world continue their meetings at the Chaos Communication Camp 2007 at a retired military airport near Finowfurt, close to Berlin. Can you even imagine a camping site with fast ethernet and power in every tent, crowded with some of the world’s leading security experts? If you’re not on site witnessing it yourself, the answer is probably no, so here are some pictures.

Same as with Defcon, meeting people and exchanging information and ideas is really why most participants are here, but there are also a number of excellent talks. Many speakers chose to present here and didn’t bother going to Black Hat and Defcon, saving the hassle with U.S. immigration, giving their fingerprints at the border, etc. The talks are delivered in two concrete Quonset huts, a kind of above-ground bunker for fighter jets, which is just cool. Having just delivered my talk about Trojans, this is likely the most awesome location where I’ve ever spoken. Here is a schedule of the talks and the list of speakers. Besides those talks there are numerous activities, projects and workshops going on all over the camp and there are dozens of small villages set up, including the Hackers on a Plane (Hackers on a Bus, really) and a large tent to hang out in by c-base, Berlin’s famous cultural project. Right now there is some thunder on the horizon, so let’s just hope it doesn’t start to rain, or there will be LOTS of mud-encrusted electronic devices for sale on your favorite internet auction site!

The Zen of DefCon 15 Part 2

Now where was I in my ramblings? Oh yeah… presentations and DefCon music.

What I have always admired about DefCon content is that it is not exclusively about computer hacking but rather about hacking as a way of thinking. In line with that, one of my favorite presentations was by Aaron Higbee, entitled Hack Your Car for Boost and Power, which discussed numerous ways (yes, some computer-based) of boosting a car’s horsepower. He covers many areas of tuning and even touches on privacy concerns with the on-board ECU.

I also very much liked Peter Gutmann’s talk on The Commercial Malware Industry, but one of the best talks was Lukas Grunwald’s Security by Politics – Why it will never work. Lukas, for those who don’t already know, is a quite clever security researcher from Germany who discussed what happens if security is driven by politics and compromise. He also covered the additional security risks posed by the new generation of electronic passports. Lukas is simply brilliant in the areas of RFID and ePassport security. It was a very thought-provoking talk.

Many of the other talks were great but those really stick out in my mind (aside from our own Toralv and Dirk).

The Black Ball, another DefCon staple, was equally a hoot. Music was great as I have been a fan of Regenerator for quite a while now. They and the other DJs (Patrice, Wintamute, SailorGloom, Great Scott!, Catharsis and Kris Klink) are all worth a Google or two. Dark room, industrial noize, good beer and latex….. Ahh what more couldya want!

I highly recommend everyone bookmark the following sites: DefCon Forum and DefCon Pics as they will do the best job of post convention updates.

Cheers!

BlackHat and DefCon Presentations are live

McAfee Avert Labs had several presentations this year. One each at BlackHat and DefCon.

John Viega and David Coffey presented on Building an Effective Application Security Practice on a Shoestring Budget at BlackHat. I heard quite a bit of positive feedback on this at the conference itself. Kudos and extra points to both John and Dave for working in beer references!

Toralv Dirro and Dirk Kollberg presented Trojans: A Reality Check at DefCon. This one was also very well received (I actually got to attend this one!) and they were swamped (maybe not the best choice of word but many people came up to the podium anyway) with questions afterward. They gave a great update on trojans in general as well as a technical dive into recent developments on the German malware scene. Dirk even showed a fascinating command and control demo that illustrated the ease of malware creation and control.

Enjoy!

The Zen of DefCon 15 Part 1

DefCon gets quite a lot right and it is not just great content. Actually the content, IMHO, might be the LEAST important aspect to DefCon.

Let’s be honest here. We are all infosec warriors in the information age. We all keep pretty much up to date on security research, malware developments, game hacking, etc…. on a daily basis. Blogs, forums, podcasts and other mediums allow us to stay bleeding edge. We have to. Most information in most presentations at most conferences is a good 6 months old (not always, but usually). This is where DefCon distances itself from the pack.

If you really want to see where security theory and research practicality collide (fueled by Brew and Coffee Wars!) then the floor of DefCon is the place to be. Truthfully, it is the activities of DefCon, not the presentations, that you need to get caffeinated for:

* The Network @ DefCon
* 0wn the b0x
* Phreaking Challenge
* CTF (if you gotta ask…….)
* aCTF
* LPCON5 – Lockpicking Contest
* Hacker Jeopardy (one of my personal favorites)
* TCP/IP Drinking Game
* Wardriving Contest
* Wireless Village – ChurchofWiFi
* Lockpicking Village

No disrespect to the presenters or any of their content, but pwning-in-action is what makes DefCon well…….. DefCon. This is where the training, conferences and theory all meet the pavement. Can you get root? Can you stop someone from getting root? Do you really know what you are doing? Hey, is that a custom PWS variant that just pwned my data? Ohhhh, I never saw that evasion before!!! It is events like the above where the real education takes place.

Oh, and the Toxic BBQ! Part 2 later today…..

Presentations from BlackHat and DefCon

I have received several requests to post the final versions of John Viega and David Coffey’s BlackHat presentation as well as Toralv Dirro and Dirk Kollberg’s presentation from DefCon. They will be uploaded and available later today, as well as updated ramblings and musings from myself…..

Hacker Jeopardy was hilarious and the music at the Black Ball was great!!!

BlackHat Musings, With a Small Rant Thrown In

Yesterday was a rather interesting day for several reasons. I had the opportunity to attend several briefings (which I will get to in a moment), schmooze with vendors (always fun), but best of all socialize with old friends from the old skool (translation: act like a pirate).

The vibe has been changing at BlackHat for quite some time now. It has for several years been becoming more mainstream and (dare I say it) even respectable. Don’t get me wrong: So far the presentations have been good and many of the security industry’s best minds put in a good showing; but there is a difference from years past. IMHO many of the topics seem soooo 10 minutes ago. Same people talking about the same stuff. Blue Pill and Vitriol…100% Detectable vs Nothing is 100% detectable…Pen Testing…Fuzzing…Wireless pwning. … Some new techniques but nothing really that has not been discussed before. So far I have come away with the thought that they are saving the really good stuff for another convention. And the fed has never been easier to spot.

I tend to judge security research by what its impact on malware will be. Will it create more malware? Will it create better malware? How will this hurt users or impact the enterprise? Will this result in easier zero-day creation? Will this allow malware to be more stealthful? That kinda thing…I sometimes wonder if most of the researchers consider that type of impact from their work; or do they ignore that aspect of it?

More in a bit…

From the Floor of BlackHat and DefCon…

Your roving man-on-the-street Dave Marcus here at the middle escalator leading up to BlackHat 2007! I cannot really say that I am overflowing with excitement yet as I am fully un-caffeinated which is a rather disturbing thing considering all the content today.

I am looking forward to many of the briefings over the next several days–virtualization, stealth, fuzzing, etc. My geek cup truly runneth over. Avert Labs has a good showing this year at both BlackHat and DefCon as we have presentations at both. John Viega and Dave Coffey will be presenting on building effective application security at BlackHat, while Dirk Kollberg and Toralv Dirro will be discussing recent changes in Trojan developments at DefCon.

I will be attending briefings, blogging on happenings and cornering the l33tz for interviews for our AudioParasitics podcast. Stay tuned!