Skip navigation.
Home

dannyquist's blog

Shmoocon 2008: Malware Software Armoring Circumvention

Val and I will be speaking at Shmoocon 2008 showing off our malware unpacking techniques. The talk is Sunday at 10am during the "Break It!" session. If you can't make it but are in the area let us know, we'll be around for the entire weekend. This talk will be similar to the one we gave at Blackhat USA 2007 however we'll also be talking about building an effective hardware based analysis system.

Abstract

Software armoring techniques have increasingly created problems for reverse engineers and software security analysts. As protections such as packers, run-time obfuscators, virtual machine and debugger detectors become common, newer methods must be developed to cope with them. In this talk we will present our forensically sound debugging platform named Saffron. Saffron is based upon dynamic instrumentation techniques as well as a page fault assisted debugger. We show that the combination of these two techniques is effective in removing armoring from most software armoring systems.

Tiger Team Premier

Recently our friends from Colorado (hello 303) had a TV show about penetration testing made about them called “Tiger Team”. It was featured on Court TV, now Tru TV, and features them trying to break into various businesses. The two episode pilot showed them breaking into a luxury car dealership as well as a Beverly Hills jewelry store. In each of the episodes the team relies on social engineering, physical security, and computer security techniques to gain complete and total access to the businesses in question and breach their security almost entirely. Delchi, a main contributor at Offensive Computing, designed and built the HID cloner that was used in the jewelry store episode.

I really hope that this TV series takes off for a couple of reasons. First, it is very representative of real-world vulnerabilities which I hope will inspire people to take a deeper look at their security. Second, the show is very entertaining and I know we’ve added a few more tricks to our penetration tests. We at Offensive Computing engage in similar activities, albeit more towards the software side of the house, and it’s good to see this taking a more mainstream appeal. If you have the opportunity to watch the episodes I highly recommend them.

XKCD Is Great

Anti-Debugging Reference Paper

Security Focus is running an article about anti-debugging techniques that is very complete and thorough. Nicolas Falliere has done an excellent job outlining the various techniques that programs can use to detect whether a program is being debugged. The kernel version of Saffron was made to circumvent these methods and provide good dumps for malware.

Covert Debugging: Circumventing Software Armoring

These are the presentation materials we presented at Blackhat USA 2007 and Defcon 15. Thanks to everyone who came to the talks.

Abstract

Software armoring techniques have increasingly created problems for reverse engineers and software security analysts. As protections such as packers, run-time obfuscators, virtual machine and debugger detectors become common, newer methods must be developed to cope with them. In this paper we will present our covert debugging platform named Saffron. Saffron is based upon dynamic instrumentation techniques as well as a newly developed page fault assisted debugger. We show that the combination of these two techniques is effective in removing armoring from most software armoring systems.

Full Paper
Presentation
SAFFRON ACTUALLY EXECUTES THE MALWARE -- BEWARE
Saffron for Intel PIN

Read more for the release notes for Saffron DI.

Automatic Unpacking and The Summer Conferences

We are finishing putting the final touches on our presentations for next week. Saffron, which will be demoed at Blackhat and Defcon, is in good working order. The results are amazing and we hope you'll be able to make our talk. If you can't feel free to catch us around the conference.

Covert Debugging: Circumventing Software Armoring Techniques is on Thursday at 10am in the Augustus 1+2 Ballroom. We'll be giving the same talk, although somewhat shorter at Defcon on Friday at 2pm in the Track 1 speaking area.

Valsmith and HD Moore will also be giving their Tactical Exploitation talk at 1:45pm on Wednesday in the Tiberius Ballroom 3+4+7+8 and again at Defcon on Friday at 4pm in the Track 1 speaking area.

Valsmith and Delchi will speak on Malware Secrets at Defcon, 11am on Saturday in the Track 2 speaking area.

We hope to see you there!

An Evening of Polite Conversation and Technical Discourse

OC Party at Krave 8/3/2007 on the strip across from the Harley Davidson cafe

Thanks to Delchi for organizing this.

SecurityFocus Interviews the MPack Author

Rob Lemos contacted the MPack author and interviewed them. He writes, "In June 2006, three Russian programmers started testing a collection of PHP scripts and exploit code to automate the compromise of computers that visit malicious Web sites."

Read the article here.

Happy Birthday Computer Virus

From The Register, "The computer virus turns 25 this month. Long-suffering computer users would be forgiven for thinking that the first computer virus appeared in the mid-1980s, but the first virus actually predates the arrival of the first IBM-compatible PC."

To Mr. Rich Skrenta, thank you for spawning a multi-billion dollar a year industry.

Is it Time for the Gloves to Come Off Yet?

Rob Lemos at Security focus wrote about the tendency of malware to use what are called fast-flux DNS to prevent botnet takedowns. These methods use DNS to ensure that there are redundant backups for a series of call-home hosts. The call-home hosts are remote sites that phishers or other malicious people have taken over to collect data. Simply put malware authors are using economies of scale to provide redundant backup to their servers. This lets them stay online for much longer periods of time. The problem is that takedown notices for these affected websites are not very effective as each host owner must be contacted.

With the current ethical thinking there is no other resource available to the burgeoning white-hat trying to fix this problem. The current method for reigning in these problem sites is to contact the site owner, convince them they have a problem, and wait. This causes an unnecessary amount of time to be wasted, while thousands of credit cards are stolen. The massive scale of this creates a situation where there is no other recourse for defensive reaction.

Is it time to start considering a vigilante corp to deal with these problems? It would certainly allow for a quicker more concerted response to the issue. There are companies that are walking the ethical line in gathering and reporting these problems, but perhaps it is time to set the scope wider. Create it as a government sanctioned activity, but get someone in there with a quick response to deal with the problem.

Syndicate content