From paul.goebbels at freemail.hu Sat Dec 1 23:52:01 2007
From: paul.goebbels at freemail.hu (Goebbels Amadeus)
Date: Sun, 2 Dec 2007 05:52:01 +0100 (CET)
Subject: [Dailydave] Hell Camp: A Terrifying Story of Lies and Middle-Men
Message-ID:

Despite the misleading subject of my e-mail, I want to bring to attention an important topic which hasn't been discussed enough among the security industry: the exploit and vulnerability research market. Since this might be a vastly secretive community, I will introduce some of the members of this dramatically disturbing tale:

A few years ago, a few companies emerged who offer rewards for exploit information and vulnerability research. In the beginning, only iDefense (US-based) openly disclosed its activities. In the last 3-7 years we have seen ZDI (TippingPoint, now 3Com and soon its Chinese major shareholder..), WSLabi (the failed attempt at creating an auction market model for these sales) and Netragard (the old DMCA publicity stunt SNOsoft).

Now I'll start telling a tale of distrust, lies, middle men and other creatures of the infraworld...

Once upon a time, there was an increasingly powerful work force capable of crafting weapons which existed only in a digital world. This force didn't have a name. They didn't pursue certifications. They were anonymous. But some realized they also had the power of influencing people, controlling the flow of information from anywhere at any time. Humanity has seen for ages how the power of controlling information can take down whole nations.

Nowadays, in an open and free market, the corporate world is nothing but a battlefield. There's no crimson tie. No blood escaping the bodies of its soldiers. The soldiers are John Does, fighting for a decent paycheck at any cost, selling out their spirits and time for the corporate machine. Selling out their comrades and dignity. Losing the values, principles and matter that make them human.
Unknowingly, they are becoming mere tools of a few individuals who have a neverending desire for fame and wealth. Have you ever considered your future in their hands? You've been working for 50 years, your liver and kidneys start failing, creating visible symptoms, stains on your skin. You can't handle life in the same way anymore. For what? What have you done in those 50 years but serve another man to become more wealthy and overpowered? The approaching day of your death and its mere vision strikes you like a burning iron blade.

In this New Age battlefield, you can make a difference. A talented youth started emerging and dedicated themselves passionately to fulfilling their curiosity. Day after day, spending countless hours in front of a machine. Understanding its inner design and details, breaking it apart and reassembling it the way it wasn't meant to be assembled. Some others dedicated painful discipline to physical work and trained themselves to achieve perfection in both intellectual and physical matters. Others fell along the way and never made it to the final round.

After realizing they could not let the corporate world exhaust them, they tried another way. The emerging market of digital ammunition seemed to be a potential solution for their problems. But, unbeknownst to them, they were wrong. They didn't think at first glance of the impossibly huge amounts of lies and fallacies they were about to experience. Because in a world where you can claim something while denying your obligation to prove it, the only power that is left is that of common sense and intuition. The ability to sense the deceitful and know the truthful.

One day, our John Doe decided to approach an independent digital weapons dealer, looking for better offers than those coming from more established business men. He knew that more than business men, they were only middle men. After numerous experiences with these little twerps, he realized they were also abusing their condition.
John was also especially disappointed with the fact that in the world of digital ammunition, there's no real way of providing the goods without turning them instantly useless and vulnerable to abuse. John knew that these middle men were taking cuts far higher than their alleged 10 to 15 percent of the sale. How could John prove otherwise? There was no way of ensuring that their contacts were getting the very exact figure John demanded. Despite this fact, John also realized that in this market of smoke, the seller is not supposed to set the price of the goods. These middle men, in their great mistake of thinking that wisdom and knowledge are the very same thing, wanted John to believe that they were the ones who set the price of the goods.

John's disappointment was growing to incredibly high stakes: "As a child, whenever I tried to tell the candy shop clerk that the chocolate bars cost as much as the peanut butter ones, he simply tried to smack my head down. I wasn't supposed to even swap the labels in a failed attempt to fool this man, who had been making candy bars for more time than I had been able to barely say my name."

John had been crafting digital weapons for so long, with such high talent and effectiveness, that he was much less dispensable than these middle men. His personal background, of an extremely tough childhood full of misery and hostility, also gave him the necessary wisdom and experience in this world for quickly spotting the weaknesses of these ego-crazed men. Their weakness lies in the fact that without John and his comrades, they have no business. They lack far more than just knowledge. They lack wisdom, passion and truly devoted dedication to whatever they do. Sooner or later they will make the same mistake as other weapon dealers: getting killed with their own goods.

Hypocrisy among these poorly educated middle-men was so high that they resorted to low tricks and ridiculous attempts to gain the trust of people like John.
They went as far as insulting the intelligence of those who provided them with the goods they are unable to produce themselves. No matter how hard they tried, it never brought anything back but silence. The silence that can be clearly understood as a fully precise signal of genuine contempt. The fundamental error behind their approach is that trust can't be gained by cheering, boosting the ego, claiming great benefits and wealth. Trust is something sculpted in hard rock, taking years to become an admirable masterpiece. It doesn't come attached to an email.

In the end, John and his comrades found out that wasting their time with these miserable beings was far less than fruitful. It was exhausting them as much as the corporate world did. They realized that any day above ground is a good day. Let the snakes change their skin and show their true colors. In the desert, being unable to match the environment has deadly consequences. It might take years, or decades, but time will set them all where they belong. Life does not forgive and everything has come to an end... because they lack patience, the end will approach their nefarious activities sooner than they ever thought and John and his comrades will be free again.

And this tale has to come to an end itself... the end of a story about middle-men and their madness. Time's striking force.

- Paul Amadeus Goebbels

From lists at bughunter.ca Mon Dec 3 13:16:59 2007
From: lists at bughunter.ca (J.M. Seitz)
Date: Mon, 3 Dec 2007 10:16:59 -0800
Subject: [Dailydave] Build Your Own Botnet with RDP
Message-ID: <000001c835d8$b2f221c0$6207a8c0@jseitz>

Hey list,

I wrote a little blog posting over on OpenRCE.org on how you can compromise client machines that connect to a terminal services server when they enable disk sharing.
It's nothing overly groundbreaking, but I hadn't read anything on it before so I thought I would share some observations.

http://www.openrce.org/blog/view/981/Build_Your_Own_Botnet_with_RDP

Again, if there is any prior art on this please let me know, I just couldn't find anything for the life of me.

JS

From elite_netbios at yahoo.com Mon Dec 3 16:57:24 2007
From: elite_netbios at yahoo.com (Hamid . K)
Date: Mon, 3 Dec 2007 13:57:24 -0800 (PST)
Subject: [Dailydave] Build Your Own Botnet with RDP
Message-ID: <844257.89083.qm@web90511.mail.mud.yahoo.com>

Hi,

What a surprise! Today I was just thinking about the same topic for writing, but focusing on Citrix technology, and owning clients through the "shadowing" & "drive-mapping" features of Citrix MetaFrame. I think abusing these will affect a much larger number of users. I'll update my blog, covering this topic, as soon as I get some free hours.

The scary thing about both "tsclient" maps and Citrix drive-mapping is that they're both enabled by default. To make things even more interesting, Citrix's mapping implementation is NOT dependent on the file-sharing service of the OS at all. Feel free to block inbound/outbound connections, stop related services and even watch for SMB traffic. Mapped drives will still pop up at the remote site :)

In case anybody would like to help me on this topic, I'm looking for possible and also reliable methods of detecting drive-mapping in network traffic (maybe finally some snort rules?). This is to prevent further compromises if the Citrix server is 0wned. Even if the admin has disabled drive-mapping, an intruder can simply re-enable it and enjoy "tactical exploitation". The first problem is ICA protocol encryption, and the second problem is false positives in detection... comments?
And, the topic you've mentioned is already documented by Microsoft, and has also been briefly blogged here: http://www.intelliadmin.com/blog/2007/08/backup-your-files-using-remote-desktop.html

Best Regards
Hamid.k

From dave at immunityinc.com Mon Dec 3 17:53:30 2007
From: dave at immunityinc.com (Dave Aitel)
Date: Mon, 03 Dec 2007 22:53:30 +0000
Subject: [Dailydave] Fluffy Bunny and Banksy.
Message-ID: <475488EA.50008@immunityinc.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Image parsing is the gift that keeps on giving, like herpes. On that note, http://picasaweb.google.com/dave.aitel/UK2007 . I spent some time hanging out in Bristol checking out Banksy's latest graffiti and the local pubs. For what it's worth, the London cabbies who came from Bristol and know Banksy "personally" all think he's become a big prick now that he's rich and famous. I think this means they met him once and he didn't give them a free painting now that Angelina Jolie is buying them all for 400K a piece.
If you ask me, that's pretty silly since the whole point of graffiti is that it's on the wall for everyone to see. Can you copyright your vandalism? Where is fluffy bunny when you need him?

-dave

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHVIjqtehAhL0gheoRAksfAJ4yBspfgsRaUYXt17bodXyW8mqRvwCeM8+L
xnBuwPUGziGalhb2vAZOhmA=
=KFiz
-----END PGP SIGNATURE-----

From dave at immunityinc.com Tue Dec 4 16:01:06 2007
From: dave at immunityinc.com (Dave Aitel)
Date: Tue, 04 Dec 2007 21:01:06 +0000
Subject: [Dailydave] Defend the Flag in Blackhat Federal
Message-ID: <4755C012.7000900@immunityinc.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Today was the last day of the Unethical Hacking class I taught here in London. The consistent thing I love about these classes is that students realize just how easy it can be. At the beginning of class they last did assembly language 15 years ago in school. By the end of the class, they're doing binary analysis and writing overflows. It surprises them most of all. The world is sometimes a surprising place.

Microsoft have kindly invited Immunity to supply the attack technology for the "Defend the Flag" competition at Blackhat Federal in Washington DC, February 16-21. So come learn how to attack things with CANVAS. I promise it will surprise you.

-dave

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHVcAStehAhL0gheoRAqWjAJ0cEPHS/jgqO7ENCjUQsiRFyvJrDACdEe19
GgS+YhfDWr3msk4JbNheodc=
=RNLf
-----END PGP SIGNATURE-----

From prabu at hackinthebox.org Thu Dec 6 00:26:31 2007
From: prabu at hackinthebox.org (Praburaajan)
Date: Thu, 06 Dec 2007 13:26:31 +0800
Subject: [Dailydave] HITBSecConf2007 Malaysia Videos Now Available
Message-ID: <47578807.9070806@hackinthebox.org>

The videos from Hack In The Box Security Conference 2007 Malaysia are now available for download!
The files were created in QuickTime; however, if you're having trouble playing them on your platform, please ensure you have the latest 3IVX codec installed. Time to fire up your favorite BitTorrent clients and please remember to seed!

Go to http://video.hitb.org/2007.html to download the torrents.

On a related note, the Call for Papers for HITBSecConf2008 - Dubai is still open. If you're interested in speaking at the upcoming event in the UAE, please take a look at the CFP page for details on how to submit. We are especially looking for more submissions from the EMEA region.

From dami at immunityinc.com Wed Dec 5 13:29:39 2007
From: dami at immunityinc.com (Damian Gomez)
Date: Wed, 05 Dec 2007 15:29:39 -0300
Subject: [Dailydave] Immunity Debugger 1.3 released
Message-ID: <4756EE13.3000805@immunityinc.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This month's release is all about the debuggee's flow! With huge core changes, Immunity Debugger and its API now have much more control over process execution. Opening a process, running it, pausing it, and restarting it is now available via your chosen scripting method (check the processflow PyCommand to see how it works). This will allow us, without a doubt, to automate our scripts and commands even more.

The other big improvement in 1.3 is regarding hooks: hooks have a few more features now, among them the ability to specify a time to live in memory for a hook. A pseudo-code example to show how this works:

    # The hook class: run() fires when the hook is hit,
    # runTimeout() fires if the TTL expires before the hook is hit
    class MyOwnHook():
        def run(self):
            # execute when the hook is hit
            pass

        def runTimeout(self):
            # execute if the TTL expires
            pass

    # Creating a hook with ttl = 15 seconds
    customhook = MyOwnHook()
    customhook.add("CREATETHREAD", timeout=15)

The new method runTimeout() will be your bridge to executing code when the hook TTL expires and it wasn't hit. After runTimeout is executed, the customhook will remove itself from memory. In order to use these new features, we have also added a new type of hook: the RunUntilAV hook.
This will hook into AccessViolation events. Once it is added it will run the process waiting for the AV or the TTL to expire. Stay tuned to see how Immunity uses these new features over the next few weeks.

One more thing you may want to take a look at in this release is the new season sensation combo, listener and hookers, shipping with 1.30: sql_listener + sqlhooker, work made in conjunction by Dave Aitel and JMS.

For all the script coders out there who want to get their hands on a SILICA unit (http://www.immunityinc.com/products-silica.shtml), remember our PLUGIN AWARDS deadline: December 10th. So hurry up and finish that beautiful piece of code you are working on; results will be posted before December 20th.

A complete list of changes:

1.30 Build 0 December 5, 2007

New Features:
- Immunity Debugger API
  o Hooks
    - Hooks can receive a force flag to overwrite previously placed hooks
    - Hooks can receive a time-to-live-in-memory parameter when adding (after the TTL expires, the hook is automatically removed from memory)
    - Hooks have a runTimeout method to execute code after the TTL expires
      o Choose the thread environment in which to execute the TTL code
    - Added a special kind of AccessViolation hook: the RunUntilAV() class
  o Added setHardwareBreakpoint method
  o Added deleteBreakpoint method
  o Process flow:
    o Improved methods: stepOver, stepIn, Run, Attach
    o Added methods: openProcess, restartProcess, pause, runTillReturn
- PyCommands
  o search allows multiple line searching: !search add esp,const\nret
  o Added sql_listener and sqlhooker
  o Added example processflow script

Bug Fixes:
- Fixed imm.ps() to correctly fetch the UDP port list (http://forum.immunityinc.com/index.php?topic=84.0)
- Fixed Get references methods

Happy debugging everyone!

Team Immunity.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (MingW32)

iD8DBQFHVu4SchUpv2oeW9gRAgsYAKCLvicCgph2wBZcXlLiN+AWhUrQhwCglcbh
q2NuGMeOsJGIE5GkoluZrt0=
=TMhl
-----END PGP SIGNATURE-----

From lists at bughunter.ca Fri Dec 7 16:53:03 2007
From: lists at bughunter.ca (J.M. Seitz)
Date: Fri, 7 Dec 2007 13:53:03 -0800
Subject: [Dailydave] IOCTL Fuzzer
Message-ID: <002601c8391b$8b342610$6207a8c0@jseitz>

Hey All,

I have released a quick BETA version of my Win32 IOCTL fuzzer. A quick overview:

ioctlizer is an attempt at fuzzing Windows IOCTL requests. It is split into two separate tools, ioctltrap.py and ioctlizer.py.

ioctltrap - used to spawn or attach to a user-mode process that interacts with a device (i.e. wireshark.exe). By hooking the Win32 system calls that are required to interact with a device driver, it builds a global test case list to be used when fuzzing the device(s).

ioctlizer - used to import the trapped IOCTL/Read/Write test cases, and begin mutating them. Easily extended mutators, as only the most basic of mutations is included in the fuzzer itself.

A usage example is available in the source package's README.

The tool is available from Google Code: http://code.google.com/p/ioctlizer/downloads/list

Send me some feedback, bugs, etc.

JS
jms at bughunter.ca

ps. Please be patient as I get everything checked into SVN, and do some wiki pages.

From dave at immunityinc.com Sat Dec 8 12:44:16 2007
From: dave at immunityinc.com (Dave Aitel)
Date: Sat, 08 Dec 2007 12:44:16 -0500
Subject: [Dailydave] Mutating to avoid structural analysis
Message-ID: <475AD7F0.5000708@immunityinc.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

So flying home from JFK I was wondering this...

Given that avoiding "behavioral signatures" is a matter of calling random NOP-like API calls (i.e. CreateFile + CloseHandle == 1 NOP), Halvar's program classification techniques involve a structural differencing engine. This has advantages (see his talk for details) in that program structure closely reflects the semantic meaning of a program, as interpreted by a compiler.

So the obvious way, from what I can tell, to defeat a structural differencing algorithm would be to do a static or dynamic analysis of your target program, and for each CALL opcode, change the destination to a dispatcher function. This dispatcher function can then be built to do an O(1) table lookup to find the true destination of the call. So now all your functions call one function D. Your call graph is meaningless without reverse engineering the dispatcher function and reconstructing it, or doing dynamic analysis of the whole program (assuming you can get decent code coverage). For bonus points you could mutate your dispatcher function by putting it as a never-used basic block in lots of other functions. You'd probably also want to do some other easy obfuscation.

So my question is this: is defeating a structural based fingerprint of a program more difficult to do than defeating behavioral based fingerprints?

-dave

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHWtfuB8JNm+PA+iURAgkTAJ9SvFTyihlTarCATljKl+9wd7paBwCfW5Ih
xf7/T5wTHaPEFuyVO4X5Px0=
=7/Tb
-----END PGP SIGNATURE-----

From sw at alldas.org Sat Dec 8 19:51:14 2007
From: sw at alldas.org (Stefan Wagner)
Date: Sun, 09 Dec 2007 01:51:14 +0100
Subject: [Dailydave] Mutating to avoid structural analysis
In-Reply-To: <475AD7F0.5000708@immunityinc.com>
References: <475AD7F0.5000708@immunityinc.com>
Message-ID: <475B3C02.6070207@alldas.org>

Hi,

> So my question is this: is defeating a structural based fingerprint of
> a program more difficult to do than defeating behavioral based
> fingerprints?

Yiha! Works excellent over here :D Keythingy (for me) is to 'crypt' the Libcalls while you smuggle 'em in.
Just to make sure IDS/AV kids won't get lucky with their static pattern bs... Reserve 1K of space within your code for the main (superspeedy) decrypting code and hide the main eor-thing (or xor-omgzomg) in crapcalls, like:

    moveq #0,d0
    sub.l d0,d0
    add.l #, d0

to replace NOP calls and make the code look legit. In this random mess it's perfectly fine to hide your very own code to decrypt the mainlib and other stuff (the main decrypt thingy is a 6 cmd one (wh00h00) 2 be executed during the initial call).

Cheers,
Stefan

From etd at nomejortu.com Mon Dec 10 15:49:03 2007
From: etd at nomejortu.com (daniel martin gomez)
Date: Mon, 10 Dec 2007 20:49:03 +0000
Subject: [Dailydave] [tool] Announcing dradis
Message-ID: <475DA63F.204@nomejortu.com>

Hi all,

I've decided to release the first beta version (1.0) of dradis, a tool for sharing information during Security Testing, written in Ruby under the GPL licence. While plenty of tools exist to help in the different stages of the test (information gathering, discovery, exploitation, etc.) not so many exist to share the interesting information captured.

dradis can be extended by creating modules to add new functionality or to connect dradis to other tools and systems that are part of your current security testing methodology.

Please take a look and tell me any thoughts you may have. Any feedback will be much appreciated.

You can download everything at http://dradis.nomejortu.com/

Hope you'll enjoy it!

From nish at securitycompass.com Mon Dec 10 21:09:51 2007
From: nish at securitycompass.com (Bhalla, Nishchal)
Date: Mon, 10 Dec 2007 20:09:51 -0600
Subject: [Dailydave] ExploitMe Series XSS-Me and SQLInject-Me (Firefox Plugins)
Message-ID: <693B941D8F09684880FFC29C0E2EF11334F0E8@mail-36ps.atlarge.net>

Hi,

Security Compass is proud to announce the release of the first two tools in its Exploit Me series of application penetration testing tools for Mozilla FireFox: XSS-Me and SQL Inject-Me.
Currently in their beta release stage, these open source (GPL v3) FireFox plug-ins search through web applications for vulnerable visible and hidden form fields to perform input validation attacks. We believe that these tools will be invaluable not only to penetration testers and QA testers, but also to developers as a light-weight method to check for common application security vulnerabilities during the development process.

Please visit http://www.securitycompass.com/ to download these plugins.

As the tools are still in the beta stage, we appreciate feedback on existing functionality, desired features, and bugs encountered. Please send any feedback to tools (at) securitycompass (dot) com and bugs to bugs (at) securitycompass (dot) com.

Thank you for your interest and we hope you are able to benefit from this new tool!

Kind regards,
Nish.

From dave at immunityinc.com Tue Dec 11 17:09:32 2007
From: dave at immunityinc.com (Dave Aitel)
Date: Tue, 11 Dec 2007 17:09:32 -0500
Subject: [Dailydave] Bugs bugs bugs
Message-ID: <475F0A9C.60006@immunityinc.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Some minor editing on today's MSMQ vulnerability http://www.microsoft.com/technet/security/Bulletin/MS07-065.mspx . The introduction says this:

"""
This important security update resolves a privately reported vulnerability in Message Queuing Service (MSMQ) that could allow remote code execution in implementations on Microsoft Windows 2000 Server, or elevation of privilege in implementations on Microsoft Windows 2000 Professional and Windows XP. An attacker must have valid logon credentials to exploit this vulnerability.
"""

The mitigations section correctly states that you do not need valid login credentials for Windows 2000 Server.

That doesn't look like a bug someone fuzzed to us. Cool bug though.

One weird thing about the UAC stuff in Vista is it assumes there won't be a steady stream of kernel 0days.
I'm not sure why that assumption was made. In the balance of "Really annoy user" versus "Provide security" I think they made the wrong choice here. Once you're running code on a box you're assumed to be Ring0 until proven otherwise.

-dave

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHXwqaB8JNm+PA+iURAtvuAJ92q6hCOSH/lLfhLCVByJ/e4nJvowCfSAut
cJyP/cR1VEX3Si03ksBN8TA=
=kQxe
-----END PGP SIGNATURE-----

From jmoss at blackhat.com Tue Dec 11 17:42:27 2007
From: jmoss at blackhat.com (jmoss)
Date: Tue, 11 Dec 2007 14:42:27 -0800
Subject: [Dailydave] Black Hat Briefings Call for Papers
Message-ID: <004101c83c47$1b5b4510$5211cf30$@com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hey Daily Dave readers,

I'd like to say Happy Holidays from Black Hat! Before the silly season enters full swing I'd like to make a couple of announcements:

BRIEFINGS AND TRAININGS
http://www.blackhat.com/

Black Hat is proud to be holding Trainings and Briefings in Washington D.C., Amsterdam, Las Vegas, Japan, and a mystery location in 2008. Please mark your calendars!

NEW: An enhancement to all Black Hat Briefings allows all attendees greater access to each presenter. Immediately following each session the presenters are available for an additional hour to take questions in a break-out room. This allows you to not only have in-depth conversations but also meet other attendees interested in the same topics you are.

DC 2008 Briefings & Training
February 18-21, Westin Washington DC City Center
Focusing on Wireless and Offensive security techniques with a larger training lineup. New trainings include Defend the Flag by Microsoft (with an instructor from Immunity!), Side Channel Analysis and Countermeasures by Riscure, and TCP/IP Weapons School: Black Hat Edition by TaoSecurity.

Europe 2008 Briefings & Training
Now with three tracks per day of presentations and a larger training lineup.
March 25-28, Moevenpick Hotel Amsterdam City Centre, the Netherlands
New trainings include Understanding Stealth Malware by Joanna Rutkowska and Alexander Tereshkin, Side Channel Analysis and Countermeasures by Riscure, and Exploits 101 by Allen Harper.

USA 2008 Briefings & Training
This is the big one: thousands of people, 25+ training classes, seven tracks of presentations, BoF break-outs, and more!
August 2-7, Caesars Palace Las Vegas

CALL for PAPERS
https://cfp.blackhat.com/

Black Hat is always looking for new and unique research, demonstrations and tools. If you have something you or your team would like to present please keep the following dates in mind.

D.C. 2008 Briefings CfP closes January 4
Europe 2008 Briefings CfP closes February 1
USA 2008 Briefings CfP will open February 1
Japan 2008 Briefings CfP will open May 1

RSS
Announcements and Updates, News and more: http://www.blackhat.com/BlackHatRSS.xml

TO REGISTER:
https://www.blackhat.com/html/bh-registration/bh-registration.html
To register for trainings or briefings please visit our registration site. Register early to take advantage of price discounts!

We are working to launch the new Black Hat site this weekend, as well as release audio and video of several past conferences before the new year. Lots of changes are in the works for the new year!
Jeff Moss
Black Hat

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.3 (Build 3017)
Charset: us-ascii

wsBVAwUBR18SU0qsDNqTZ/G1AQjalAgAjFirZa/MclbLJVfcv9aFdBvrKXZm2ma0
pLZLoOta0BqxyfqCBDqldsKHmp/yHOvCRqjGQa/jxAcic8uxAqq7Dlpt8SzQ4KNt
civDNRGWh0IbBAbqzaOB6zddujHfmvLcpv16kFyk0EUjPnzNDoI2evuIZBxMH++9
DHvBOFW321zAyOYyPNaAenEKhuwe3IoueJwL2+tywKQd+7Pp4uxLEXjN8KUfyehs
y6qifJvfbYwp12XREy+wbr8cRHqijPpwkr1DuZvLU6miM1UAr8Z/I6WiFzAL8hS7
Ung9dF6RN/dcRGDQQOPJILIYKcq4WKR8M2mjJ+gGWMIdLvinntoAfQ==
=TQnU
-----END PGP SIGNATURE-----

From joanna at invisiblethings.org Wed Dec 12 13:20:25 2007
From: joanna at invisiblethings.org (Joanna Rutkowska)
Date: Wed, 12 Dec 2007 19:20:25 +0100
Subject: [Dailydave] Bugs bugs bugs
In-Reply-To: <475F0A9C.60006@immunityinc.com>
References: <475F0A9C.60006@immunityinc.com>
Message-ID: <47602669.2090908@invisiblethings.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dave Aitel wrote:
>
> One weird thing about the UAC stuff in Vista is it assumes there won't
> be a steady stream of kernel 0days. I'm not sure why that assumption
> was made. In the balance of "Really annoy user" versus "Provide
> security" I think they made the wrong choice here. Once you're running
> code on a box you're assumed to be Ring0 until proven otherwise.
>

I disagree. Even though we all know (heck, go ask Alex about it!) that there are a lot of exploitable bugs in all those Vista (signed and WHQL-certified) drivers, it still doesn't mean that we should not try to work on improving the usermode security. Otherwise, we could very well resign from all the ACLs, separate address spaces, and separate accounts! We could very well go back to the MS-DOS era :)

True, we have the "MS-DOS" in the kernel these days (this is true not only for Windows, but also for Linux and any other OS based on a monolithic kernel), but at least we don't have it in usermode anymore. A little bit of improvement, at least from the design point of view.
Maybe in the next 10 years we will also see the mainstream OSes moving towards "somewhat-microkernel-based-OS" as well. So, at least they would be able to use the then (hopefully) already-polished usermode security mechanisms (+ developers and users will eventually know how to use them).

So, don't laugh at UAC because of the kernel bugs -- you could very well laugh at any other OS-provided security mechanism if you took this line of reasoning.

But, it's still true there are other problems with UAC that should make you laugh :) The default "admin-for-every-installer" rule, just to name the most obvious. Sorry, MS ;)

But you know guys, I actually like the idea of introducing UAC, it's just that I don't like the details.

joanna.

-----BEGIN PGP SIGNATURE-----

iQEVAwUBR2AmZ8wG7MOLAMOlAQK3lwf+PpouthB1VZP2Ai8D5pFayQJmLwQ92Ses
u1RZFYVewPvOq8RBxOM8B+rO43iQVb8clC7Hz7F0sHRyo+5Z8JxDsJcL5EtmvQg4
UIgrjHMtmllxtWyTZEKOq86jffKVoFz3DVZJdTrtGJL88jwg/PDYS5a00+D9utPr
j1IQFagZmCOaAVeY6DGUJx3+sNHvQ0hHWpgwhG007qjcodvJCsY25gQbv6RmqWBp
DkVNdITMwG/04omOHrjKNOxv84KKmSW4ESBqkGPVjiuG498apHZqns+2sa7NVfDG
Rdy/CpxUfN6JsAWoPxP64RaxGHwUp6eV8nltSb/voLJkQ/b8vbsZFw==
=/Yg+
-----END PGP SIGNATURE-----

From dave at immunityinc.com Fri Dec 14 10:41:05 2007
From: dave at immunityinc.com (Dave Aitel)
Date: Fri, 14 Dec 2007 10:41:05 -0500
Subject: [Dailydave] Beyond Fast Flux
Message-ID: <4762A411.9000502@immunityinc.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

http://www.immunityinc.com/resources-papers.shtml

Immunity has released a presentation regarding CANVAS's next-generation client-side attack framework, available at the above URL.
-dave

From ge at linuxbox.org Fri Dec 14 14:03:56 2007
From: ge at linuxbox.org (Gadi Evron)
Date: Fri, 14 Dec 2007 13:03:56 -0600 (CST)
Subject: [Dailydave] Beyond Fast Flux
In-Reply-To: <4762A411.9000502@immunityinc.com>
References: <4762A411.9000502@immunityinc.com>
Message-ID:

On Fri, 14 Dec 2007, Dave Aitel wrote:
> http://www.immunityinc.com/resources-papers.shtml
>
> Immunity has released a presentation regarding CANVAS's
> next-generation client-side attack framework available at the above URL.

Good work and interesting presentation, however, you guys should consider clueing up on what's out there before you make assumptions, as your C&C ideas, although neat, are light-years behind the criminals.

Which side of the fence are you on again?

Gadi.

From fosforo at gmail.com Fri Dec 14 19:23:09 2007
From: fosforo at gmail.com (Fosforo)
Date: Sat, 15 Dec 2007 00:23:09 +0000
Subject: [Dailydave] Beyond Fast Flux
In-Reply-To: <4762A411.9000502@immunityinc.com>
References: <4762A411.9000502@immunityinc.com>
Message-ID: <6e285e810712141623i106077b9o81b093d5cd7fd1e7@mail.gmail.com>

> P2P is reliable, not covert

don't agree with you... i've tested my solution on some big companies...

http://insanenetworks.blogspot.com/2007/06/poc-tool-fofus-botnet-related.html

[]s
Fosforo

--
----------------------------------------------------------------------------
Fósforo
Blog: http://insanenetworks.blogspot.com
----------------------------------------------------------------------------
Bcz sex is like hacking.. you get in, you get out, and you hope you didn't leave something behind that can be traced back to you..
----------------------------------------------------------------------------

From bmenrigh at ucsd.edu Fri Dec 14 20:58:40 2007
From: bmenrigh at ucsd.edu (Brandon Enright)
Date: Sat, 15 Dec 2007 01:58:40 +0000
Subject: [Dailydave] Beyond Fast Flux
In-Reply-To:
References: <4762A411.9000502@immunityinc.com>
Message-ID: <20071215015840.3c6bac1d@gamma>

On Fri, 14 Dec 2007 13:03:56 -0600 (CST) Gadi Evron wrote:
> On Fri, 14 Dec 2007, Dave Aitel wrote:
> [...]
>
> Good work and interesting presentation, however, you guys should
> consider clueing up on what's out there before you make assumptions,
> as your C&C ideas, although neat, are light-years behind the
> criminals.
>
> Which side of the fence are you on again?
>
> Gadi.

Gadi,

If you're going to attack something you should back your argument up with a little evidence. The C&C methods mentioned in the paper are:

* IRC
* HTTP to single server
* Fast-Flux of DNS Servers
* Storm P2P protocols
* PINK

About the only thing they missed was DHT, which is arguably covered by Storm.

PINK is a good idea. If it really is light-years behind the criminals show us the papers, presentations, and discussions of more advanced C&C. If your argument is that PINK is primitive or that it won't work, respond with a paper, a countermeasure, or at the very least a detailed email of possible flaws in it. C'mon, Gadi, you know better.

Brandon

From fergdawg at netzero.net Fri Dec 14 21:44:30 2007
From: fergdawg at netzero.net (Paul Ferguson)
Date: Sat, 15 Dec 2007 02:44:30 GMT
Subject: [Dailydave] Beyond Fast Flux
Message-ID: <20071214.184430.18139.2@webmail07.vgs.untd.com>

-- Brandon Enright wrote:

> If you're going to attack something you should back your argument up
> with a little evidence. The C&C methods mentioned in the paper are:
>
> * IRC
> * HTTP to single server
> * Fast-Flux of DNS Servers
> * Storm P2P protocols
> * PINK
>
> About the only thing they missed was DHT, which is arguably covered by
> Storm.
>
> PINK is a good idea. If it really is light-years behind the criminals
> show us the papers, presentations, and discussions of more advanced
> C&C.
> If your argument is that PINK is primitive or that it won't work,
> respond with a paper, a countermeasure, or at the very least a detailed
> email of possible flaws in it. C'mon, Gadi, you know better.
>

What about Open DNS resolvers, using double-flux, combined with the Storm Overnet?

:-)

- ferg

--
"Fergie", a.k.a.
Paul Ferguson
Engineering Architecture for the Internet
fergdawg(at)netzero.net
ferg's tech blog: http://fergdawg.blogspot.com/

From mwollenweber at gmail.com Fri Dec 14 23:20:30 2007
From: mwollenweber at gmail.com (matthew wollenweber)
Date: Fri, 14 Dec 2007 23:20:30 -0500
Subject: [Dailydave] Beyond Fast Flux
In-Reply-To: <20071214.184430.18139.2@webmail07.vgs.untd.com>
References: <20071214.184430.18139.2@webmail07.vgs.untd.com>
Message-ID: <42210a440712142020n12f414dg16b22c1393ddb87a@mail.gmail.com>

Having spent some time writing network sensors for the government and time trying to get tools to connect outbound during pen tests I've seen nothing more effective than clever HTTP traffic embedded in real webpages using tags and simple encoding. Abusing DNS whether with tunnels, fastflux, or open resolvers sticks out as anomalous behaviour -- it's not all too difficult to detect. Yes it costs money and labor but it can be done. What can you do about PINK type communication?

I'm not going to claim to have all the answers, but I spent about 9 months writing network sensors and I can't fathom how you can detect that traffic on any scale. Fast flux is the current sexy thing but Trickler (govt software) and Tenable's PVS can be tweaked to pick it up (even on large OC-3+ pipes).

On Dec 14, 2007 9:44 PM, Paul Ferguson wrote:
> -- Brandon Enright wrote:
>
> [...]
>
> What about Open DNS resolvers, using double-flux, combined with the
> Storm Overnet?
>
> :-)
>
> - ferg
>
> --
> "Fergie", a.k.a. Paul Ferguson
> Engineering Architecture for the Internet
> fergdawg(at)netzero.net
> ferg's tech blog: http://fergdawg.blogspot.com/
>
> _______________________________________________
> Dailydave mailing list
> Dailydave at lists.immunitysec.com
> http://lists.immunitysec.com/mailman/listinfo/dailydave
>

--
Matthew Wollenweber
mwollenweber at gmail.com | mjw at cyberwart.com
www.cyberwart.com

From chromesilver at gmx.net Sat Dec 15 13:20:56 2007
From: chromesilver at gmx.net (ChromeSilver)
Date: Sat, 15 Dec 2007 19:20:56 +0100
Subject: [Dailydave] Beyond Fast Flux
In-Reply-To:
References: <4762A411.9000502@immunityinc.com>
Message-ID: <47641B08.2040702@gmx.net>

Dear Gadi,

> Which side of the fence are you on again?

For the best available overview you have to get on top of the fence.

ChromeSilver

---
"If light be the only light, wherfore then doth it shadows cast?" R. Rohonyi

From lmh at info-pull.com Sun Dec 16 10:42:05 2007
From: lmh at info-pull.com (Lance M. Havok)
Date: Sun, 16 Dec 2007 16:42:05 +0100
Subject: [Dailydave] Beyond Fast Flux
In-Reply-To:
References: <4762A411.9000502@immunityinc.com>
Message-ID:

Gadi, the fence will show you fear in a handful of dust.

> Good work and interesting presentation, however, you guys should consider
> clueing up on what's out there before you make assumptions, as your C&C
> ideas, although neat, are light-years behind the criminals.

Because I do not hope to know
The infirm glory of the positive hour
Because I do not think
Because I know I shall not know
The one veritable transitory power
...
Because these _wings_ are no longer wings to _fly_
But merely vans to beat the air
The air which is now thoroughly small and dry
Smaller and dryer than the will
Teach us to care and not to care
Teach us to sit still.

Wavering between the profit and the loss
In this brief transit where the dreams cross
The dreamcrossed twilight between birth and dying
...
The token of the word unheard, unspoken
Till the wind shake a thousand whispers from the jew
And after this our exile...

Full fathom five your Bleistein lies
Under the flatfish and the squids.
Graves' Disease in a dead Jew's eyes!
Where the _crabs_ have eat the lids.

My house is a decayed house,
and the jew squats on the window sill, the owner,
Spawned in some estaminet of Antwerp,
Blistered in Brussels, patched and peeled in London.
The goat coughs at night in the field overhead;
Rocks, moss, stonecrop, iron, merds.

> Which side of the fence are you on again?

Once upon a time, a wise man said to Abraham Lincoln: "Tits or quit.", and Lincoln answered in despise: "Tits". And the American dream started.

Oh, you don't know my friend T S. Nevermind, you would probably dislike his elegant, morbidly sharp style.

Goddamn it, goddamn it! God bless you, Gadi.

P.S. And you haven't seen even the simplest forms of cryptovirology, yet!

From dudevanwinkle at gmail.com Sun Dec 16 21:39:42 2007
From: dudevanwinkle at gmail.com (Dude VanWinkle)
Date: Sun, 16 Dec 2007 21:39:42 -0500
Subject: [Dailydave] Beyond Fast Flux
In-Reply-To:
References: <4762A411.9000502@immunityinc.com>
Message-ID:

On Dec 14, 2007 2:03 PM, Gadi Evron wrote:
> On Fri, 14 Dec 2007, Dave Aitel wrote:
> > http://www.immunityinc.com/resources-papers.shtml
> >
> > Immunity has released a presentation regarding CANVAS's
> > next-generation client-side attack framework available at the above URL.
>
> Good work and interesting presentation, however, you guys should consider
> clueing up on what's out there before you make assumptions, as your C&C
> ideas, although neat, are light-years behind the criminals.

By mentioning out-of-date code, you are implying that the above methods are not still applicable. I guess the enforcement branch of infosec is pretty useless if things that are light-years out of date are still used to control 1/[4/5] of Internet connected workstation pc's....

If mainstream tools are available, maybe more things will be done to make them less viable...

Me? I just want a 10Gbps inline IDS that can do pre-processing....
-JP

From dave at immunityinc.com Mon Dec 17 10:56:12 2007
From: dave at immunityinc.com (Dave Aitel)
Date: Mon, 17 Dec 2007 10:56:12 -0500
Subject: [Dailydave] Beyond Fast Flux
In-Reply-To: <42210a440712142020n12f414dg16b22c1393ddb87a@mail.gmail.com>
References: <20071214.184430.18139.2@webmail07.vgs.untd.com> <42210a440712142020n12f414dg16b22c1393ddb87a@mail.gmail.com>
Message-ID: <47669C1C.3050307@immunityinc.com>

I uploaded a PDF version http://www.immunityinc.com/downloads/BeyondFastFlux.pdf for those of you without an ODF viewer installed.

I agree - DNS doesn't normally change a lot. It's easy to find hosts where DNS is changing all the time, which is why we eschew any name service as our locator, essentially.

In designing a covert C&C that's parasitic, you also have to consider the indexer. You don't want your entire network to go silent because an engineer on Google's search team has found a way to fingerprint your commands. It would probably be better to replace the with because it's a lot harder to fingerprint, until Google starts doing expensive Bayesian signatures on every Blog posting in their index. At which point you switch to Technorati or something. The goal is to make it extremely expensive on their end, and cheap as dirt on your end. You could just have a link to a file, rather than embedding the commands in the post itself. A thousand options. But all of them better than messing with DNS all day, imho.

I didn't do this design, of course. I'm just the VP of Marketing.

People commented about stenography to me: You could steg into an image/video with a keyphrase in the comment field, for example. But images get indexed a lot less often than blog postings, and writing the unsteg code would be a pain in the rear. It's good to keep Dildog's Tao of Buffer Overflows comment in mind - "What are you writing, an MFC trojan?!?" Playing the steg game is expensive. It's likely someone else is better than you and will be able to hunt you out.

__________________________
Dave Aitel
VP Marketing and Publishing
Immunity, Inc.

matthew wollenweber wrote:
> Having spent some time writing network sensors for the government
> and time trying to get tools to connect outbound during pen tests
> I've seen nothing more effective than clever HTTP traffic embedded
> in real webpages using tags and simple encoding. Abusing DNS
> whether with tunnels, fastflux, or open resolvers sticks out as
> anomalous behaviour -- it's not all too difficult to detect. Yes
> it costs money and labor but it can be done. What can you do
> about PINK type communication?
>
> I'm not going to claim to have all the answers, but I spent about 9
> months writing network sensors and I can't fathom how you can
> detect that traffic on any scale. Fast flux is the current sexy
> thing but Trickler (govt software) and Tenable's PVS can be tweaked
> to pick it up (even on large OC-3+) pipes.
>
> On Dec 14, 2007 9:44 PM, Paul Ferguson wrote:
> > -- Brandon Enright wrote:
> >
> > [...]
> >
> > What about Open DNS resolvers, using double-flux, combined with the
> > Storm Overnet?
> >
> > :-)
> >
> > - ferg
> >
> > --
> > "Fergie", a.k.a. Paul Ferguson
> > Engineering Architecture for the Internet
> > fergdawg(at)netzero.net
> > ferg's tech blog: http://fergdawg.blogspot.com/

From dave at immunityinc.com Tue Dec 18 15:24:42 2007
From: dave at immunityinc.com (Dave Aitel)
Date: Tue, 18 Dec 2007 15:24:42 -0500
Subject: [Dailydave] D2 Exploitation Pack
Message-ID: <47682C8A.8070901@immunityinc.com>

Immunity is happy to announce the immediate availability of the D2 Exploitation pack from D Square Security. This new exploit bundle has reliable exploits for known vulnerabilities for which there are no known exploits, and exploits for which no patch is available. These more than 50 new exploits will plug right into the Immunity CANVAS Attack Framework, allowing you to use the advanced automation features of CANVAS with each new D2 exploit.

Pricing is USD $1950 for a five user license which includes three months of updates and support. For more information see http://d2sec.com/products.htm or call 212-534-0857 today to order!

Thanks,
Dave Aitel
Immunity, Inc.
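Returning to the Beyond Fast Flux thread above: Wollenweber and Aitel both make the same defensive observation, that a normal name's answers barely change while a flux name hands back a stream of different addresses with short TTLs, which is why DNS-based C&C "sticks out". The script below is an added example of that detection logic run over a constructed resolver log; it is mine, not code from any list post, from Immunity, or from Trickler or Tenable's PVS. The log line format, the `.invalid` domain names, the addresses and the thresholds are all assumptions. It separates a flux-like name (many addresses across many networks, low TTL, short window) from a CDN-like name (low TTL, but addresses inside one network) and from a static one, so the CDN false-positive the thread alludes to is handled by requiring network diversity, not just churn.

```python
"""Toy fast-flux detector over resolver logs (added example, not list code)."""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional, Set, Tuple

# Assumed log format: one A-record answer per line. Every line is constructed.
SAMPLE_LOG = """\
2007-12-14T10:00:01 client=10.0.0.5 qname=flux-example.invalid A=192.0.2.10 ttl=180
2007-12-14T10:04:02 client=10.0.0.5 qname=flux-example.invalid A=198.51.100.77 ttl=180
2007-12-14T10:09:15 client=10.0.0.9 qname=flux-example.invalid A=203.0.113.44 ttl=180
2007-12-14T10:13:40 client=10.0.0.5 qname=flux-example.invalid A=100.65.3.21 ttl=180
2007-12-14T10:19:03 client=10.0.0.12 qname=flux-example.invalid A=100.70.8.9 ttl=180
2007-12-14T10:25:51 client=10.0.0.5 qname=flux-example.invalid A=192.0.2.200 ttl=180
2007-12-14T10:31:17 client=10.0.0.9 qname=flux-example.invalid A=198.51.100.8 ttl=180
2007-12-14T10:38:00 client=10.0.0.5 qname=flux-example.invalid A=203.0.113.99 ttl=180
2007-12-14T10:00:30 client=10.0.0.5 qname=cdn-example.invalid A=203.0.113.10 ttl=60
2007-12-14T10:05:30 client=10.0.0.9 qname=cdn-example.invalid A=203.0.113.11 ttl=60
2007-12-14T10:10:30 client=10.0.0.5 qname=cdn-example.invalid A=203.0.113.12 ttl=60
2007-12-14T10:15:30 client=10.0.0.12 qname=cdn-example.invalid A=203.0.113.13 ttl=60
2007-12-14T10:20:30 client=10.0.0.5 qname=cdn-example.invalid A=203.0.113.10 ttl=60
2007-12-14T10:01:00 client=10.0.0.5 qname=static-example.invalid A=192.0.2.1 ttl=3600
2007-12-14T10:41:00 client=10.0.0.9 qname=static-example.invalid A=192.0.2.1 ttl=3600
this line is garbage and must be skipped
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) qname=(?P<qname>\S+) "
    r"A=(?P<a>\d+\.\d+\.\d+\.\d+) ttl=(?P<ttl>\d+)$"
)


@dataclass
class DomainStats:
    ips: Set[str] = field(default_factory=set)
    nets: Set[str] = field(default_factory=set)  # /16 prefixes: a cheap stand-in for AS diversity
    min_ttl: int = 1 << 31
    first: Optional[datetime] = None
    last: Optional[datetime] = None


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one log line, or None for lines that don't match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ttl"] = int(rec["ttl"])
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def collect(lines) -> Dict[str, DomainStats]:
    """Aggregate, per queried name, answer diversity, the TTL floor and the observation span."""
    stats: Dict[str, DomainStats] = defaultdict(DomainStats)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["qname"]]
        s.ips.add(rec["a"])
        s.nets.add(".".join(rec["a"].split(".")[:2]))
        s.min_ttl = min(s.min_ttl, rec["ttl"])
        s.first = rec["ts"] if s.first is None else min(s.first, rec["ts"])
        s.last = rec["ts"] if s.last is None else max(s.last, rec["ts"])
    return stats


def classify(stats, min_ips=5, min_nets=3, max_ttl=600, window_s=3600) -> Dict[str, Tuple[bool, List[str]]]:
    """Flag a name only when all three flux traits show up inside one time window."""
    verdicts = {}
    for qname, s in stats.items():
        span = (s.last - s.first).total_seconds()
        reasons = []
        if len(s.ips) >= min_ips:
            reasons.append(f"{len(s.ips)} distinct A records")
        if len(s.nets) >= min_nets:
            reasons.append(f"{len(s.nets)} distinct /16 networks")
        if s.min_ttl <= max_ttl:
            reasons.append(f"TTL as low as {s.min_ttl}s")
        verdicts[qname] = (len(reasons) == 3 and span <= window_s, reasons)
    return verdicts


def find_fast_flux(lines, **thresholds) -> List[str]:
    """Names that trip every heuristic, sorted for stable output."""
    verdicts = classify(collect(lines), **thresholds)
    return sorted(q for q, (flagged, _) in verdicts.items() if flagged)


if __name__ == "__main__":
    for q, (flagged, why) in classify(collect(SAMPLE_LOG.splitlines())).items():
        print(f"{q:<24} {'FLUX' if flagged else 'ok  '} {'; '.join(why)}")
```

The thresholds are deliberately loose knobs: on a real resolver feed you would tune `min_ips` and `min_nets` against your own baseline (large CDNs and round-robin farms are the usual false positives), and replace the /16 prefix with an ASN lookup if you have one.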
From halvar at gmx.de Tue Dec 18 19:05:26 2007
From: halvar at gmx.de (Halvar Flake)
Date: Wed, 19 Dec 2007 01:05:26 +0100
Subject: [Dailydave] Mutating to avoid structural analysis
In-Reply-To: <475AD7F0.5000708@immunityinc.com>
References: <475AD7F0.5000708@immunityinc.com>
Message-ID: <47686046.9030102@gmx.de>

Hey Dave, all,

I am kinda busy at the moment, so replies will be late / brief.

1. Obfuscation on the callgraph alone will break _some_ part of the diffing, without rendering it useless -- you still have a ton of structure on the flowgraphs.

2. Breaking structural comparison is possible, but requires more than inserting 4 lines of C code into your existing codebase (which is sufficient for breaking behavioral classification).

3. Even for a 'modest' obfuscation such as the one proposed, one needs to go through some binary rewriting or at least major preprocessing voodoo.

4. You should make your dispatcher NP-hard to analyze. And quick to dispatch. Constant table lookups are likely to be optimized away.

So I guess what I am saying is: I think that in order to break structural classification, you have to do some 'real' work -- rewrite your binary, build an obfuscating compiler back-end or something along the lines. Which is more than for most other approaches.

Cheers,
Halvar

> So flying home from JFK I was wondering this...
>
> Given that avoiding "behavioral signatures" is a matter of calling
> random NOP-like API calls (i.e. CreateFile + CloseHandle == 1 NOP),
> Halvar's program classification techniques involve a structural
> differencing engine. This has advantages (see his talk for details) in
> that program structure closely reflects the semantic meaning of a
> program, as interpreted by a compiler.
>
> So the obvious way, from what I can tell, to defeat a structural
> differencing algorithm would be to do a static or dynamic analysis of
> your target program, and for each CALL opcode, change the destination
> to a dispatcher function. This dispatcher function can then be built
> to do a O(1) table lookup to find the true destination of the call.
>
> So now all your functions call one function D. Your call graph is
> meaningless without reverse engineering the dispatcher function and
> reconstructing it, or doing dynamic analysis of the whole program
> (assuming you can get decent code coverage).
>
> For bonus points you could mutate your dispatcher function by putting
> it as a never-used basic block in lots of other functions. You'd
> probably also want to do some other easy obfuscation.
>
> So my question is this: is defeating a structural based fingerprint of
> a program more difficult to do than defeating behavioral based
> fingerprints.
>
> -dave

From dailydave at digitaloffense.net Thu Dec 20 00:42:34 2007
From: dailydave at digitaloffense.net (H D Moore)
Date: Wed, 19 Dec 2007 23:42:34 -0600
Subject: [Dailydave] Windows XP SP3
Message-ID: <200712192342.34335.dailydave@digitaloffense.net>

A couple XP SP3 related posts to full-disclosure:

Windows XP SP3 - DCERPC Changes
http://archives.neohapsis.com/archives/fulldisclosure/2007-12/0471.html

Windows XP SP2 - SP3 Compatible Return Addresses
http://archives.neohapsis.com/archives/fulldisclosure/2007-12/0473.html

This doesn't really scratch the surface, but it's a starting point. Running a full-on BinDiff between a fully-updated SP2 and the SP3 candidate will be a lot more useful (and time consuming). Any takers? :)

-HD
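Halvar's first point in the "Mutating to avoid structural analysis" thread (callgraph-only obfuscation breaks some of the diffing but leaves the flowgraph structure intact) and HD's suggestion of a BinDiff run between the SP2 and SP3 binaries rest on the same analyst's technique: match functions across two binaries by structural signatures rather than by name. The code below is an added illustration of that technique and is not BinDiff, Immunity's, or any code from the thread. It uses the simplest of the classic structural signatures, the (basic blocks, flowgraph edges, call count) triple, plus callgraph neighbourhood propagation; the toy program layout, the `sub_N` names, and the size of the dispatcher `D` are assumptions, and the dispatcher rewrite from Dave's post is modelled purely as test data to show what the matcher still recovers.

```python
"""Toy structural function matcher (added example, not BinDiff or list code)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Func:
    blocks: int             # basic blocks in the function's flowgraph
    edges: int              # edges in the flowgraph
    calls: Tuple[str, ...]  # direct CALL targets, in order


Binary = Dict[str, Func]

# Constructed "binary A": five functions with flowgraph sizes and callees.
# helper and log share a signature on purpose, so signature matching alone is ambiguous.
BIN_A: Binary = {
    "main":   Func(5, 6, ("init", "parse", "log")),
    "init":   Func(3, 2, ("log",)),
    "parse":  Func(9, 12, ("log", "helper")),
    "helper": Func(4, 4, ()),
    "log":    Func(4, 4, ()),
}

# "Binary B": the same program with symbols stripped (assumed sub_N naming).
RENAME = {"main": "sub_1", "init": "sub_2", "parse": "sub_3", "helper": "sub_4", "log": "sub_5"}
BIN_B: Binary = {
    RENAME[n]: Func(f.blocks, f.edges, tuple(RENAME[c] for c in f.calls))
    for n, f in BIN_A.items()
}


def with_dispatcher(b: Binary, name: str = "D") -> Binary:
    """Model of the rewrite discussed in the thread, as input data for the matcher:
    every CALL now targets one dispatcher; flowgraphs are untouched, the callgraph collapses.
    The dispatcher's own size (2 blocks, 1 edge) is an assumption."""
    out = {n: Func(f.blocks, f.edges, tuple(name for _ in f.calls)) for n, f in b.items()}
    out[name] = Func(2, 1, ())
    return out


def signature(f: Func) -> Tuple[int, int, int]:
    """Flowgraph-level signature: it does not depend on call targets, only on how many."""
    return (f.blocks, f.edges, len(f.calls))


def match_by_signature(a: Binary, b: Binary) -> Dict[str, str]:
    """Pair functions whose signature is unique on both sides."""
    def index(bin_: Binary) -> Dict[Tuple[int, int, int], List[str]]:
        idx: Dict[Tuple[int, int, int], List[str]] = {}
        for n, f in bin_.items():
            idx.setdefault(signature(f), []).append(n)
        return idx
    ia, ib = index(a), index(b)
    return {ia[s][0]: ib[s][0] for s in ia if s in ib and len(ia[s]) == 1 and len(ib[s]) == 1}


def propagate_by_callgraph(a: Binary, b: Binary, matched: Dict[str, str]) -> Dict[str, str]:
    """Extend matches along callgraph edges: if a matched pair each has exactly one
    unmatched callee and those callees agree in signature, match them too."""
    changed = True
    while changed:
        changed = False
        for fa, fb in list(matched.items()):
            ua = {c for c in a[fa].calls if c not in matched}
            ub = {c for c in b[fb].calls if c not in matched.values()}
            if len(ua) == 1 and len(ub) == 1:
                ca, cb = ua.pop(), ub.pop()
                if signature(a[ca]) == signature(b[cb]):
                    matched[ca] = cb
                    changed = True
    return matched


def structural_diff(a: Binary, b: Binary) -> Tuple[Dict[str, str], List[str], List[str]]:
    """Return (matched pairs, unmatched in a, unmatched in b)."""
    matched = propagate_by_callgraph(a, b, match_by_signature(a, b))
    unmatched_a = sorted(set(a) - set(matched))
    unmatched_b = sorted(set(b) - set(matched.values()))
    return matched, unmatched_a, unmatched_b


if __name__ == "__main__":
    print("A vs stripped B:   ", structural_diff(BIN_A, BIN_B))
    print("A vs dispatcher B: ", structural_diff(BIN_A, with_dispatcher(BIN_B)))
```

Against the plain stripped build, signatures pair `main`, `init` and `parse` directly and the callgraph step then disambiguates `helper` from `log` through their callers, so all five functions match. Against the dispatcher build the same three functions still match, because their flowgraph signatures never changed, which is Halvar's point; only the callgraph propagation is lost, leaving `helper`, `log` and the dispatcher itself unpaired. A real differ layers many more signatures (flowgraph isomorphism, instruction counts, string references) on top of this, which is what makes the SP2-to-SP3 comparison HD suggests tractable.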