WARNING: This site contains samples of live malware. Use at your own risk.

New Jsunpack Release

A new version of jsunpack has been released with some very cool features. Jsunpack now includes PDF decoding and even ships signatures for known PDF attacks. It is able to deobfuscate JavaScript within a PDF file, or on the network, and match the function calls against a known malicious signature. You can check out the blog here.

New Reversing and Visualization Tools Released this Summer

A few conference acceptances are in so I can now lift the cone of silence and share some of the research I've been doing.

Lately I've been using Artem Dinaburg and Paul Royal's excellent Ether Malware Analysis system they presented at ACM CCS last year. This is some very good work that allows you to instrument a running binary extremely well. The paper they have written is very good. I've submitted some patches to the project and overall it's in good shape. I'll write up a more detailed post about using the Ether framework later. Those of you that have been using Saffron should check out this system. Even though it requires dedicated hardware it's a much more robust system.

Using Ether I've been working on my visualization tool for better dynamic and static analysis integration. I call it VERA: Visualizing Execution for Reversing and Analysis. Using the dynamic trace data and unpacking capabilities of Ether, VERA helps you to better unpack unknown binaries, reduce the reversing time, and generally make the whole process easier. I've shown it to a pretty limited set of people, mainly the students in my Reverse Engineering courses, and it seems to be reasonably well received.

I will be talking about VERA at some conferences and workshops this summer and fall. The first is the Blackhat USA Briefings 2009 and Defcon 17. This talk will show how to integrate Ether into the reversing process and will also demonstrate VERA. I'll be giving a live demo and releasing the tool here.

A more formal treatment will be at the Workshop on Visualization and Security 2009 (VizSec). This paper will outline the nitty-gritty details of the Reverse Engineering process and how VERA fits into it.

I hope to see you this summer. Several former OC members will be giving talks too so it should be a worthwhile experience.

OfficeMalScanner released

OfficeMalScanner is an MS Office forensic tool that scans for malicious traces such as shellcode heuristics, embedded PE files or embedded OLE streams. It supports disassembly and a hex view, as well as an easy brute-force mode to detect encrypted files. In addition, it scans an Office file for VB macro code and, if any is found, extracts it for further analysis.

http://www.reconstructer.org/code/OfficeMalScanner.zip

Enjoy!

Cyber Security Act of 2009

The Cyber Security Act of 2009 submitted by US senators John Jay Rockefeller and Olympia Snowe looks like it is geared up to be some poor US policy. Joe Stewart has written up a response to it. Joe makes some very valid observations.

To recap the criticism of the bill, there are two big complaints: First is that it gives the president the power to turn off the Internet in an emergency. Second it requires mandatory licensing for "Infosec professionals." The second point is the one I take the most issue with.

Requiring mandatory licensing for a field as dynamic and changing as ours is just a bad idea. There are already a couple of government entities that require the CISSP as a condition of employment. Side-stepping a long-winded rant about the CISSP, it is not an accurate measure of knowledge. There has been a concerted effort to liken our field to others such as electricians and general contractors. The problem is that things are changing so fast that any certification is basically worthless as soon as it is issued.

So if you're a US citizen please write your senators and encourage them to revise this bill.

Detecting Packers in Network Streams with Pynids and Pefile

To step away from using Snort as a base for detecting binary packers, I decided to go with a more direct approach and use a library that handles stream reassembly within Python. I then simply took the data once the connection had closed and scanned it with pefile. The Python script, which I call nPeID (network PEiD), can either scan a pcap passed in as an argument or sniff on an interface (the default is eth0).

http://www.malforge.com/node/12
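As an added illustration of the approach (not the nPeID script itself), the following Python carves PE images out of an already-reassembled stream and applies two packer heuristics, known packer section names and per-section entropy, in place of pefile's PEiD signature matching. It assumes pynids has already done the reassembly; the stream and the PE inside it are constructed inline.

```python
import math
import struct

# Packer section names (UPX, ASPack): a stand-in for the PEiD database pefile would load.
PACKER_SECTIONS = {b"UPX0", b"UPX1", b"UPX2", b".aspack", b".adata"}

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; packed or encrypted sections sit near 8."""
    if not data:
        return 0.0
    counts = [data.count(bytes([b])) for b in range(256)]
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts if c)

def scan_stream(stream: bytes) -> list:
    """Carve PE images out of a reassembled TCP payload and report packer hints."""
    results, mz = [], stream.find(b"MZ")
    while mz != -1:
        pe = stream[mz:]
        try:
            e_lfanew = struct.unpack_from("<I", pe, 60)[0]
            if pe[e_lfanew:e_lfanew + 4] == b"PE\0\0":
                nsec, opt_size = struct.unpack_from("<H12xH", pe, e_lfanew + 6)  # NumberOfSections, SizeOfOptionalHeader
                hits, off = [], e_lfanew + 24 + opt_size   # first section header
                for _ in range(nsec):
                    name = pe[off:off + 8].rstrip(b"\0")
                    raw_size, raw_ptr = struct.unpack_from("<II", pe, off + 16)
                    if name in PACKER_SECTIONS:
                        hits.append("packer section %s" % name.decode())
                    if entropy(pe[raw_ptr:raw_ptr + raw_size]) > 7.0:
                        hits.append("high-entropy section %s" % name.decode())
                    off += 40
                results.append({"offset": mz, "hits": hits})
        except struct.error:
            pass  # header runs past the end of the stream: not a PE at this offset
        mz = stream.find(b"MZ", mz + 1)
    return results

def build_sample_pe() -> bytes:
    # Constructed minimal PE: no optional header, UPX0 (zero stub) + UPX1 (dense data)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)                  # e_lfanew = 64
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x102)
    stub, packed = b"\0" * 512, bytes(range(256)) * 8
    data_start = len(dos) + len(coff) + 2 * 40
    def sec(name, raw_ptr, data):
        return name.ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", len(data), 0x1000, len(data), raw_ptr, 0, 0, 0, 0, 0xE0000020)
    return (dos + coff + sec(b"UPX0", data_start, stub) +
            sec(b"UPX1", data_start + len(stub), packed) + stub + packed)

SAMPLE_STREAM = b"HTTP/1.1 200 OK\r\n\r\n" + build_sample_pe()  # constructed stand-in for pynids output
```

Running `scan_stream(SAMPLE_STREAM)` reports one PE at offset 19 with both UPX section names and the high-entropy UPX1 section flagged; a real deployment would call it from the pynids close callback.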

moth

Moth is a VMware image with a set of vulnerable web applications and scripts that you may use for testing web application security scanners, testing static code analysis (SCA) tools, and giving an introductory course on web application security.

The motivation for creating this tool came after reading "anantasec-report.pdf", which is included in the release file you are free to download. The main objective of this tool is to give the community a ready-to-use testbed for web application security tools. For almost every web application vulnerability that exists in the wild, there is a test script available in moth.

More information and download:
http://www.bonsai-sec.com/en/research/moth.php

Talk on "Analyzing exploitable file formats" at PH-Neutral

Thorsten Holz and I are giving a talk at the next PH-Neutral, a 31337 invite-only conference from FX and the gang in Berlin. Thorsten and I will introduce several ways to analyze exploitable file formats, ranging from PDF and Flash to malicious Office files like PPT, DOC or XLS. We will show some of the popular tools used for analysis and will also present two new tools developed especially for malicious Office file analysis.

I hope to meet a lot of interesting people again this year!

Cya on 29th and 30th May 2009 in Berlin!

Reverse Engineering Sub-Reddit

This might be old news, but Rolf Rolles of OpenRCE has set up a sub-Reddit dedicated to reverse engineering.

reddit.com/r/ReverseEngineering

It's updated pretty often and has a lot of great articles. Just thought I'd pass it along.

Vista Wireless Power Tools

Josh Wright from Inguardians has written a paper on Vista's wireless stack. He describes the NDIS6 command line interfaces and how to use them in a pentest. From the paper:

"With the introduction of Windows Vista, Microsoft has put forth considerable effort in revamping the IEEE 802.11 wireless stack through the Network Driver Interface Specification (NDIS) 6 model. With considerably greater functionality and capability than was provided in Windows XP, Vista's wireless capabilities shine with new freedom for developers, a robust development framework, rich information sources for wireless analysis and end-user tools for analyzing and controlling wireless parameters."

I'm looking forward to doing some wifi research again and this paper certainly provides a healthy kick in the pants to do so.

On the Legitimacy of Obfuscated Code

Chris Wysopal has written an article about the different uses of obfuscation inside executables. Malicious or not, obfuscation is a useful tool for hiding code, or at least for raising the bar on the reverse engineering effort required. It's a good article and I recommend you read it. It did get me thinking about a couple of things in reverse engineering.

One thing that Chris mentions is that users should be able to decide whether or not they want obfuscated code on their system. In many ways this is similar to the open vs. closed source debate. I have long argued that, for a skilled reverse engineer, having the assembly for a program is equivalent to having the source code. Look at enough assembly, work with enough compiler variations, and one can work out what the original code looked like.

Regarding the question of whether obfuscation is a bad thing, Rolf Rolles recently commented that Bitdefender decided wholesale that the VMProtect packer is malware and that anything obfuscated with it should be removed. Now the Bitdefender developers are smart guys, and maybe they decided that legitimate software has no need to use it. Other anti-virus software takes a similar tack. During the Race To Zero contest at Defcon last year, the winning team noticed that removing all the imports from an executable caused multiple AV vendors to automatically flag it as suspicious.

The choice about the legitimacy of packers and obfuscation has already been made for us by the AV community: it's bad. This may be narrow-sighted, but hey, that's what the industry is all about.