The new version of Offensive Computing is now up and running. If you notice any errors, please contact us as soon as possible so we can fix them. Bear with us if there are any service outages.
Let me take this time to thank all of our beta testers for helping to find more bugs. Thanks!
Alisa Shevchenko from Kaspersky Labs has written an article about the evolution of self-defense in malware. This article covers in detail the methods used by malware to obfuscate and protect itself. This is a good overview that is worth checking out.
The new version of our malware processing back end is coming along well. We're deep into testing it and are going to start with an expanded private beta test for all invited users. Hopefully the interface will make it even easier to upload files and content to our system. Here is a small feature list that will be included in our new release:
- We will accept non-PE files. This has been a big request.
- Better submission system. Now you can zip, rar, and tar files to be submitted to our scanning system.
- Email submissions with automatic scanning
- Better antivirus scans
- Tagging system so you can add notes to specific samples
- Improved packer detection
- More modular code framework for future growth
- 3x as many samples
Bear with us as we make the transition to the new system and as always let us know about bugs.
Here is an example of the new Mpack malware that has been gaining momentum recently. Mpack gained notoriety because it is a commercial tool distributed for pay. It is purported to exploit MS06-014, MS06-006 and MS06-044, along with the XML overflow, the WebViewFolderIcon overflow, the WinZip ActiveX overflow and the QuickTime overflow. SANS ISC and Verisign/iDefense have been circulating an email about it. The commercialization of malware continues on both sides of the confrontation.
Tavis Ormandy of Google has written a paper on the effects of running hostile code inside virtual machines. This is a good paper, and it shows that even with a VM you cannot be sure that hostile code stays contained: a flaw in the VM implementation exposes the host.
"As virtual machines become increasingly commonplace as a method of separating hostile or hazardous code from commodity systems, the potential security exposure from implementation flaws has increased dramatically. This paper investigates the state of popular virtual machine implementations for x86 systems, employing a combination of source code auditing and blackbox random testing to assess the security exposure to the hosts of hostile virtualized environments."
The FBI and our friends at CMU's CERT, in a display of impressive bureaucratic maneuvering and ninja-like paperwork prowess, have identified a large botnet. This is really good news, as it will hopefully set a precedent that enables further and swifter action against other malware writers. Good work to all those involved.
The new version of pefile being released by Ero Carrera will have our packer scanning code integrated in. Ero has made a post detailing some of the changes as well as some initial data about his collection of malware. If you have a project that is in need of PE parsing, please look at the pefile module. You won't be sorry.
If you're looking for a good class on reverse engineering, Ero and Pedram Amini are teaching a class called Reverse Engineering on Windows: Application in Malicious Code Analysis at Blackhat this year. It's very good and one of the better classes offered at Blackhat.
Offensive Computing team members will be speaking at both Blackhat 2007 and Defcon 15 in Las Vegas, Nevada. Danny Quist (Chamuco) and Valsmith will be giving a talk titled Covert Debugging: Circumventing Software Armoring Techniques. This is research we've been working on to automatically and generically unpack software.
HD Moore and Valsmith will be presenting a talk called Tactical Exploitation at Blackhat 2007. It will detail non-standard methods of network penetration and should be very interesting.
We'll be around for both conferences so be sure to find us and say hello!
The BBC is covering Frank Boldewin's discovery of malware that hijacks the Windows update process. From the BBC webpage "Virus writers may be able to smuggle malicious files onto a computer using Microsoft's security patch updates, experts say."
Ryan Naraine has an article about Mark Russinovich admitting that Vista will get malware. I suppose the newsworthy portion of this statement is that Mark is admitting it, which seems to be a change in direction. There have already been reports of spyware working on Vista, so this is not too surprising. All the viruses and malware I've test-run on Vista work without trouble.