WARNING: This site contains samples of live malware. Use at your own risk.

Cyber Security Act of 2009

The Cyber Security Act of 2009, submitted by US senators John Jay Rockefeller and Olympia Snowe, looks like it is shaping up to be poor US policy. Joe Stewart has written up a response to it, and Joe makes some very valid observations.

To recap the criticism of the bill, there are two big complaints. First, it gives the president the power to turn off the Internet in an emergency. Second, it requires mandatory licensing for "infosec professionals." The second point is the one I take the most issue with.

Requiring mandatory licensing for a field as dynamic and fast-changing as ours is just a bad idea. There are already a couple of government entities that require the CISSP as a condition of employment. Side-stepping a long-winded rant about the CISSP: it is not an accurate measure of knowledge. There has been a concerted effort to liken our field to others such as electricians and general contractors. The problem is that things are changing so fast that any certification is basically worthless as soon as it is issued.

So if you're a US citizen, please write your senators and encourage them to revise this bill.

Detecting Packers in Network Streams with Pynids and Pefile

To step away from using Snort as a base for detecting binary packers, I decided on a more direct approach: use a library that handles TCP stream reassembly within Python, take the reassembled data once the connection has closed, and scan it with pefile. The Python script, which I call nPeID (network PEiD), can either scan a pcap passed in as an argument or sniff on an interface (the default is eth0).


Moth is a VMware image with a set of vulnerable web applications and scripts that you may use for testing web application security scanners, testing static code analysis (SCA) tools, and giving an introductory course on web application security.

The motivation for creating this tool came after reading "anantasec-report.pdf", which is included in the release file that you are free to download. The main objective of this tool is to give the community a ready-to-use testbed for web application security tools. For almost every web application vulnerability that exists in the wild, there is a test script available in Moth.

More information and download:

Talk on "Analyzing exploitable file formats" at PH-Neutral

Thorsten Holz and I are giving a talk at the next PH-Neutral, a 31337 invite-only conference run by FX and the gang in Berlin. Thorsten and I will introduce several ways to analyze exploitable file formats, ranging from PDF and Flash to malicious Office files such as PPT, DOC or XLS. We will show some of the popular tools used for analysis and will also present two new tools developed especially for malicious Office-file analysis.

I hope to meet a lot of interesting people again this year!

Cya on 29th and 30th May 2009 in Berlin!

Reverse Engineering Sub-Reddit

This might be considered old news, but Rolf Rolles of OpenRCE has set up a sub-reddit dedicated to reverse engineering.

It's updated pretty often and has a lot of great articles. Just thought I'd pass it along.

Vista Wireless Power Tools

Josh Wright from InGuardians has written a paper on Vista's wireless stack. He describes the NDIS 6 command-line interfaces and how to use them in a pentest. From the paper:

"With the introduction of Windows Vista, Microsoft has put forth considerable effort in revamping the IEEE 802.11 wireless stack through the Network Driver Interface Specification (NDIS) 6 model. With considerably greater functionality and capability than was provided in Windows XP, Vista's wireless capabilities shine with new freedom for developers, a robust development framework, rich information sources for wireless analysis and end-user tools for analyzing and controlling wireless parameters."

I'm looking forward to doing some wifi research again and this paper certainly provides a healthy kick in the pants to do so.

On the Legitimacy of Obfuscated Code

Chris Wysopal has written an article about the different uses of obfuscation inside executables. Malicious or not, it is a useful tool for hiding code, or at least for raising the bar on the reverse-engineering effort required. It's a good article and I recommend you read it. It did get me thinking about a couple of things in reverse engineering.

One thing that Chris mentions is that users should be able to decide whether or not they want obfuscated code on their system. In many ways this is similar to the open vs. closed source debate. I have long argued that, for a skilled reverse engineer, having the assembly for a program is equivalent to having the source code. Look at enough assembly, and work with enough compiler variations, and one can work out what the original code looked like.

Regarding the question of whether obfuscation is a bad thing, Rolf Rolles recently commented that Bitdefender decided wholesale that the VMProtect packer is malware and that anything obfuscated with it should be removed. Now, the Bitdefender developers are smart guys, and maybe they decided that legitimate software has no need for it. Other anti-virus software takes a similar tack. During the Race to Zero contest at Defcon last year, the winning team noticed that removing all the imports from an executable caused multiple AV vendors' products to automatically flag it as suspicious.

The choice about the legitimacy of packers and obfuscation has already been made for us by the AV community: it's bad. This may be narrow-sighted, but hey, that's what the industry is all about.
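As an added example (not code from nPeID, pynids, pefile or any AV product), the Python below sketches the pipeline the nPeID post above describes, reassembling a TCP stream and scanning the payload at connection close for packer tell-tales, and folds in the missing-imports heuristic this post mentions from Race to Zero. It assumes a stand-in for each dependency: pynids is replaced by a tiny sequence-number reassembler, pefile by a minimal PE32 header parser, and PEiD's signature database by a short list of well-known packer section names. The sample PE image and the HTTP response it arrives in are constructed inline.

```python
"""Toy nPeID: reassemble a TCP stream, then look for a PE image and packer
hints.  Added example; pynids, pefile and PEiD signatures are replaced by
small hand-written stand-ins so it runs offline.  Sample data is constructed."""
import math
import struct

# Section names commonly left behind by packers (illustrative list only;
# a real PEiD database is far larger and matches entry-point bytes instead).
PACKER_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b".aspack", b".adata",
                        b".petite", b".MPRESS1", b".MPRESS2", b"nsp0", b"nsp1"}


class Stream:
    """Stand-in for pynids reassembly: segments keyed by TCP sequence number,
    joined in order once the connection closes."""
    def __init__(self):
        self.segments = {}

    def add(self, seq, payload):
        self.segments[seq] = payload

    def reassemble(self):
        out, expected = bytearray(), None
        for seq in sorted(self.segments):
            if expected is not None and seq != expected:
                break  # gap in the stream: scan only the contiguous prefix
            out += self.segments[seq]
            expected = seq + len(self.segments[seq])
        return bytes(out)


def entropy(data):
    """Shannon entropy in bits per byte; packed or encrypted sections sit near 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(blob):
    """Minimal PE32 parser (the part of pefile this example replaces).
    Returns (import_dir_rva, [(section_name, raw_bytes), ...]) or None."""
    try:
        if blob[:2] != b"MZ":
            return None
        e_lfanew, = struct.unpack_from("<I", blob, 0x3C)
        if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            return None
        coff = e_lfanew + 4
        num_sections, = struct.unpack_from("<H", blob, coff + 2)
        opt_size, = struct.unpack_from("<H", blob, coff + 16)
        opt = coff + 20
        import_rva = 0  # PE32 layout assumed: data directory 1 (imports) at +104
        if opt_size >= 112:
            import_rva, = struct.unpack_from("<I", blob, opt + 104)
        sections = []
        for i in range(num_sections):
            hdr = opt + opt_size + 40 * i
            name = blob[hdr:hdr + 8].rstrip(b"\0")
            raw_size, raw_ptr = struct.unpack_from("<II", blob, hdr + 16)
            sections.append((name, blob[raw_ptr:raw_ptr + raw_size]))
        return import_rva, sections
    except struct.error:
        return None


def scan_stream(payload):
    """Scan a closed stream's payload; None if no PE image, else a list of findings."""
    start = payload.find(b"MZ")  # the binary usually follows HTTP headers
    while start != -1:
        parsed = parse_pe(payload[start:])
        if parsed is not None:
            break
        start = payload.find(b"MZ", start + 1)
    else:
        return None
    import_rva, sections = parsed
    findings = ["no import table"] if import_rva == 0 else []
    for name, data in sections:
        label = name.decode("ascii", "replace")
        if name in PACKER_SECTION_NAMES:
            findings.append("packer section name " + label)
        if len(data) >= 256 and entropy(data) > 7.0:
            findings.append("high-entropy section %s (%.2f bits/byte)" % (label, entropy(data)))
    return findings


def build_sample_pe(sections):
    """Construct a minimal PE32 image for the demo (not a real binary)."""
    num, e_lfanew, opt_size = len(sections), 0x40, 0xE0
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, num, 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)  # PE32 magic, empty directories
    raw_ptr = e_lfanew + 4 + 20 + opt_size + 40 * num
    headers, body = b"", b""
    for name, data in sections:
        headers += name.ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", len(data), 0x1000, len(data), raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += data
        raw_ptr += len(data)
    return dos + b"PE\0\0" + coff + opt + headers + body


def demo():
    """Deliver a constructed UPX-style image out of order, then scan at close."""
    image = build_sample_pe([(b"UPX0", b"\0" * 512),
                             (b"UPX1", bytes(range(256)) * 4),  # uniform bytes: 8.0 bits/byte
                             (b".rsrc", b"A" * 64)])
    payload = b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n" + image
    stream = Stream()
    chunks = [payload[i:i + 300] for i in range(0, len(payload), 300)]
    for idx, chunk in reversed(list(enumerate(chunks))):  # segments arrive reversed
        stream.add(1000 + 300 * idx, chunk)
    return scan_stream(stream.reassemble())


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Running the block reports the empty import directory, both UPX section names and the 8.0 bits/byte UPX1 section for the constructed image. Section-name and entropy checks are cheap hints rather than proof of packing, which is exactly the line the AV heuristics in this post blur: a stripped import table or a high-entropy section also describes plenty of legitimate software.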

iTunes Anti-debugging Circumvention

David Maynor at Erratasec has written an article about how to circumvent the anti-debugging protection inside iTunes.

"...I noticed iTunes kept crashing, predictably and reliably in the same place. I decided to use gdb to see what the hubbub was all about. However, I got dissed and iTunes would not allow itself to be debugged."

Code injection

Not a new concept for sure.

A new wave of more difficult to remove malware? A new way of stealing information? Maybe.

In the last six months to a year it seems code injection and file infectors have "opened a new door". It still seems to be "replicate and destroy", but recently, with infections like Scribble, Sality, Alman and Virut, some changes have begun to show in this angle of attack.

Now, instead of just replicating out of control, the infections are still replicating like crazy but are also bringing down fake alerts and other nasty things.

Conficker Causes Global Meltdown and Thermonuclear War

As usual, Brian Krebs from the Washington Post has done some fine reporting bringing us news about the Conficker Worm Strike. Here are some choice excerpts of the horror that is raining down upon the world:

"A nuclear missile installation near Elmendorf Air force Base outside of Anchorage, Alaska briefly went on a full-scale military alert after technicians manning the bunker suspected that several of their control systems were infected with Conficker."

"According to local news reports, shortly after midnight local time, an ATM in the capital city of Reykjavik began spewing 100-Krona notes."

It's time to auger in with an AR-15 and your favorite dog, Will Smith "I Am Legend" style.