Virtual memory continues to be one of the things that people have a lot of problems understanding. There are lots of misconceptions about how this fundamental part of the operating system works. Mark Russinovich has done an excellent job, as usual, distilling this information into a very readable form. I suggest you read his blog post titled Pushing the Limits of Windows: Virtual Memory on the technet site.
Here is the Gimmiv worm that was created for the latest Microsoft patch. Kudos to Microsoft for patching the flaw out of band and not sitting on it.
Please comment if you upload other samples and I will update this post.
Thanks to Dobby for these additional samples:
Dark Reading has posted a scandalous article about the end of the Storm worm.
"It’s been nearly a month now since the Storm botnet sent its last spam run -- significantly long enough that botnet researchers now conclude this could be the end of most infamous botnet once and for all."
Malware rockstars Joe Stewart and Paul Royal have weighed in on this and seem to suggest this is the case. I'm sad to hear about this because I had a lot of fun reversing the storm worm. It was one of the great worms, but it's a good thing that it's no longer spreading.
Congratulations to Nick Harbour, Steve Davis, and Peter Silberman from Mandiant were the winners of the Race to Zero contest. I got to talk to some of the team and was really impressed with their technique. Hopefully I can convince the team to do a writeup on how they won here. There were some pretty innovative ideas that were used during the entire contest.
Rob Lemos at Security Focus wrote an article about the event.
Offensive Computing provided the samples for the contest. I tried to pick out a combination of newer viruses with poor detection, along with older ones that should be well detected. Here's a list of the ones provided:
Thanks to everyone that came to the talk. It went really well and the conversations that were had afterwards were absolutely top notch. One of the real treats for me coming to Blackhat is talking with all you smart people. You can find the slides here.
UPDATE (1/1/2009): Much of the code for this project has been integrated into the VERA project.
The Blackhat conference starts tomorrow and it looks like a great show. Val, Colin, and I's talks will be on Wednesday and the content is looking really good. Here's a list of some other talks that I think are worth checking out:
Alternative Medicine: The Malware Analyst's Blue Pill
Paul is one of the leading (if not the leading) researcher in unpacking technology. His new unpacking system looks nothing short of fantastic. This is scheduled at the same time as Val's talk, which is both cruel and unfair.
How to Impress Girls with Browser Memory Protection Bypass
Alexander Sotirov and Mark Dowd
This talk claims to lay waste to Vista's memory protections and should be fantastic. This is certainly not one to miss!
Dan Kaminsky's talk looks great as well. Be sure and catch it.
Nicolas Brulez from Websense has written a good synopsis of the unpacking process for the storm worm. From the article:
"As part of my series of blogs about custom packers, this blog presents techniques to quickly unpack the Storm Worm packer, even if the unpacked code is executed onto the heap, the code is relocated, and the Import Address Table is also on allocated memory.
Storm Worm attackers have been using many different packers, and even if their primary goal isn't to protect against reverse engineering, they have introduced various techniques to slow down analysis. Today's main trick is the execution of code onto the heap. This prevents process dumpers from working, because they dump to disk only the code loader (the actual process you are executing), and not the malicious code."
Good work Nicolas.
Offensive Computing will be appearing at the summer conferences. Danny Quist and Colin Ames will be giving a talk at Blackhat USA 2008 titled Temporal Reverse Engineering. We'll be showing off some of our reverse engineering tools and will have a release ready.
Valsmith and Colin will also be giving a talk called Meta Post-Exploitation that covers escalating privileges, managing passwords, and generally spreading to control other resources in a network.
We'll also be at Defcon; be sure stop by and say hello.
A new contest called Race to Zero is being held at Defcon this year. The premise is that you take a modern virus and modify it to evade detection by antivirus companies. The AV industry is officially crying foul, saying that this only encourages bad behavior. The organizers say it will point out the shortcomings of modern AV engines.
I'm going to ruin part of the contest: It's scandalously easy to circumvent any antivirus engine with a trivial amount of work. There has been evidence of this: The Consumer Reports scandal is one of them. The point is that it is not difficult to apply some seemingly minor and trivial modification that completely evades detection. The AV companies know it, the malware authors know it, the only people who don't have a clue are the consumers. Shaking their confidence of spending $60 per year on updates is something that the AV vendors fear. That's why the lawyers are probably going to get involved very quickly.
In lieu of this sure to be scandalous con drama, I propose a secondary contest. Antivirus vendors all race each other to develop signatures for the new variants as quickly as possible. Bring your best analysts to Defcon, or engage the home analysts, and show the true value of a good AV company: its signature development and reverse engineering teams.