First of all, thanks for all the great feedback from everyone about Vera. Keep the feedback coming!
Vera 0.11 is out on the main Vera page. This release fixes a major memory leak for those of you who aren't running video cards with a gig of ram. This should also alleviate problems that were related to running under Windows XP. A future port to a wxWidgets version is underway. This will eventually allow for cross-platform versions, hopefully timed with the IDA QT release.
As always, please report bugs to dquist at this domain.
To make Ether a bit easier to install, we've put together a Debian package with precompiled Ether binaries. This is considered a highly beta install package, so you will want to take care about where you install it. Everything should install into /opt/ and work very closely to how Ether does when you compile via source.
Please note that this package contains the Ether patched Xen package. Other than satisfying the package's dependencies, you shouldn't install anything beyond that. This has been tested with a fresh installation of Debian Lenny. Please note that uninstall is currently not implemented.
Thanks to Chris Collord and Daniel Cox for their work on this.
Download the Ether 0.1 Debian Package here
I've had a few people email me about how to use non-Ether generated trace files in VERA. To help with this, I ran a trace with Ether of the Notepad.exe included with Windows XP.
If you want to generate instruction traces external from Ether, you just need to make sure it follows the same format. First, you should start with the standard instruction trace boilerplate. It looks like this:
After init: shared_page_ptr: 0xffff830000fd9000 shared_page_mfn: 0xfd9 domid_source: 0 event_channel_port: 34 Shared Page va: 0x7fde19b77000 Shared Page test: Page-Sharing is A-OK! Trying to bind to local port... Success, bound to local port: 35 Trying to get first pending notification... Taking off suprious pending notification... Setting filter by name to: notepad.exe Execution of Target detected: Image Base: 0x1000000 Image Size: 0x14000 Entry Point: 0x100739d
After this, all you need to do is have a listing of instructions. Right now the only thing I'm parsing is the instruction address, so there's no need to include the actual instruction. Later versions of VERA will use the disassembly.
100739d: push 0x70 100739d: push 0x70 100739f: push 0x01001898 10073a4: call 0x01007568 1007568: push 0x010075BA 100756d: mov eax, fs:[0x00000000] 1007573: push eax
At the end of the file, after all the instructions make sure you include two "Handling sigint" messages:
1007519: jnz 0x01007522 100751b: push esi 100751c: call [0x1001318] Handling sigint Handling sigint
That should be all you need to use VERA for your own uses. As always, let me know if there are any bugs you observe.
I would like to announce the latest version of VERA, the reverse engineering visualization program. Lots of bugs have been fixed, which I have detailed below. Be sure to read the original VERA release documentation for instructions on how to use it.
Here is the change log:
- View panning has now been fixed so that it follows the mouse.
- Cleaned up display code and made it more portable
- Fixed right-click selection code. Currently a stub function but more will come later
- Center graph on first load. Now the graph isn't out in the middle of nowhere when you first load it.
- The start of execution is highlighted with a big blue box
- Added arrows to show directionality of execution
- Implemented frustum culling for rendering font text. This makes things *much* faster.
If you have any problems, please let me know via dquist SHIFT-2 offensivecomputingDOTnet
Writing or presenting about AV testing and performance is a great way to draw the collective ire of the AV industry. This is a hot button subject that I, personally, have received a lot of grief on. The primary reason that the AV industry is so sensitive about their software is because it is not as effective as they would like you to believe. Case in point is the recent Anti-Malware Testing Standards Organization’s document titled Issues involved in the ‘creation’ of samples for testing. If you want to find a document listing all the hot-button issues that particularly perturb the AV community, here it is.
Without taking a particular side, the document seeks to “frame the debate” of the issue of “creating” malware samples. What follows is a 19 page exploration of all the ways new malware can be created. Here is a short list of modifications that they address:
- Archiving samples using ZIP or tar
- Packing / repacking with a new packer (think UPX or ASPack)
- Using a malware generation kit
- Server-side polymorphic samples - the sample is slightly modified every time it is downloaded from a public website
- Patched versions of an existing file, including PE modifications and actual code changes
- Writing a custom packer
- Writing a new sample using existing techniques
- Writing new samples using unknown techniques
Specifically prohibited is public dissemination of malware samples. These might actually encourage people to test AV software before buying it.
The pros and cons of each are presented, followed by a way to frame your debate afterwards. What all of these miss is the central point that malware authors are using every single one of these techniques with spectacular success. The other terrible secret is that these techniques are extremely easy. Continued debate on whether or not these tests are ethical is moot because malware authors are already using them. In order to protect against real threats, you must use the techniques that are being used to evade your protection software.
Consider the NHTSA talking about testing crash performance, but not actually ever smashing any of the cars into a wall. There’s no substitute for the real thing unless you’re trying to hide something. In the case of the AV industry, that thing is their technological irrelevance to the modern malware threat.
Today I was at Best Buy playing with the iPad, when I tried loading Offensive Computing on the web browser. It seems that Best Buy thinks that this site has something to do with hacking. I wonder if some customers were stress testing the demo machines' antivirus products.
The picture is blurry so here is the text:
This Page Cannot Be Displayed Based on your corporate access policies, access to this web site ( http://offensivecomputing.net/ ) has been blocked because the web category "Hacking" is not allowed. Store Network If you have questions, please contact a Best Buy Employee and provide the codes shown below. Notification codes: (1, WEBCAT, BLOCK-WEBCAT, 0x0021ed3a, 1270677200.557, AAAdUAAAAAAAAAAAyf8AEP8AAAA=, http://offensivecomputing.net/)
Vizsec 2010, or the Visualization Security conference, is one of those conferences that I feel strongly could change the nature of security field. If you have any ideas for visualization, especially reverse engineering related visualization, I strongly recommend you submit a paper there. Here are the relevant dates:
April 30, 2010 Full papers
May 21, 2010 Short papers
One of the day-to-day tasks of running this site involves monitoring for spam. Usually it's no problem: I just delete the junk posts, comments, and disable the accounts. I've made some tools to make this pretty easy. The problem is that the spammers and malcontents seem to have ratcheted up their spamming and it's getting to be too much work. I've made a drastic change requiring people to send me an email asking to register their account.
There is a general pattern to the spam. All of the accounts are new and created within 1-10 hours of the spam. They all tend to have Gmail accounts. Others such as Yahoo, Hotmail, etc. have really dropped off. It would be nice if Google could do something to prevent people from taking advantage of their server. If I just banned any accounts from Gmail I could probably get rid of about 90% of the spam. That would affect other people using Gmail legitimately though, so I didn't want to take that step.
I realize there are people out there doing legitimate work  that can't answer the questions truthfully. That's ok, just make something up. I will accept "I work for the Post Office" as an answer , or pretty much anything else. So far it seems to be working too, there haven't been nearly as many spam messages as before.
There also have been some efforts to download our entire collection of malware. While I can understand why someone would want to do this, it does end up using a lot of our resources, bandwidth being one of them. As always I'm happy to work with people but please contact me about it. I'm happy to make trades with people for new samples I can add. If you have nothing to trade drop me a note and we can work something out.
 For some definition of legitimate. :)
 Stolen without shame from Halvar's class
Watching the sample counter, I noticed that we have ticked over the 1 million mark. Ordinarily I'm not one for making a big deal about big round numbers, but I think this one has some special merit. There has been a lot of work to make this happen from a lot of people. Offensive Computing has been running for a little over 4 years now. It started out as a small website with big dreams. That turned into one with more of a focus on large numbers of samples. I can remember conversations with friends about how amazing it was when we had a thousand, ten thousand, and forty thousand samples. Each increment of size added more complexity to the system. There is no better way to learn about scaling issues than to run a public site like this.
It has always been our hope that this site has been a resource to the reverse engineering and malware analysis community. As always we enjoy interacting with everyone whether it be at conferences, training we've taught, twitter, or just email.
Thank you for all your support in creating this resource. Happy 1 million samples!
Artem has created a mailing list for all Ether development related activities. You can find it here in the Google Groups.