Thursday 30 November 2006

Contribute to the Security Community!!

It seems that the number of free software/open-source projects related to security is decreasing as time goes by. This is something that surprises me, because there are more and more security professionals out there (just have a look at the usual security mailing lists). Some time ago, almost every month a couple of interesting and innovative security projects were released to the public community, and now it is very rare to see any interesting security project. The same thing is happening with the mailing lists; it is very rare to find an interesting opinion or comment in mailing lists such as full-disclosure, bugtraq or any other similar one.

Although that is the current situation in the public mailing lists (there are some exceptions, like the superb daily-dave mailing list), there are some blogs that hold very interesting stuff, so now the interesting issues are migrating from the mailing lists to the blogs (just check my list on the left).

It is important that people related to the information security community start to contribute to it; even though it is very well known that everybody uses free software/open-source programs (nmap, ethereal, linux, nessus, snort, scapy, ...), very few of them contribute (by contribute I mean reporting bugs, helping with the documentation, sending patches, requesting new features, etc.).

So please, if you think that those nifty tools you are currently using are worth it, take a short break and think about the many hours that people have dedicated to them, sometimes in their spare time, and try to help and improve them as if they were your own beloved project.

Monday 27 November 2006

Can ISPs block outbound connections?

I'm subscribed to a DSL line at home, and the provider is the biggest one in Spain, Telefonica. The issue I'm having with them is that they block some of my outbound connections and I am not sure if that is for good or for bad. In fact, I have detected some URLs that I cannot connect to, and I need to use a (no)anonymous proxy available on the Internet in order to connect to them. It seems that they are only blocking both HTTP and HTTPS connections, but it is something they shouldn't do.

Most of those URLs are either malicious URLs or fraud-related URLs, but what happens if I want to access those URLs? It could be helpful that they block those URLs, but at least they could let the user choose whether they want to be "protected" by the ISP or not. I'm supposed to have an unfiltered service, aren't I?

I could even understand that they filter those nasty DNS entries that could lead to a malicious site (I could end up using another DNS server), but please, do not filter my outbound connections.

Saturday 25 November 2006

First post - Virtual Machine detection

Looking through my colleague's webpage, I came across a comment about a very good packer that I'm trying to analyze, Themida. But the comment wasn't about Themida's features, but about virtual machine detection.

Nowadays, more than 50% of the malware that we analyze has some kind of virtual machine detection in its code (typically the SIDT method), and if it detects any virtual machine, it just does nothing. So, perhaps that's a good idea for our production servers: migrating them to virtual software, so that in case they get compromised, the malware code won't run on them.

But the problem is for the analyzers: using tools like VMware is handy, but you always end up using a real machine (I even use my own laptop to analyze the malware, so my Windows XP has been infected several times). So, what is the solution? It is fairly simple: use one of those hardware cards that restore the OS state (used for example in cybercafes), and IDA Pro with its great remote debugging. When you have finished the analysis, just reboot the box and voilà, your OS is as if it had just been installed.

Anyway, this post was about virtual machine detection, and the guys at Intelguardians have some slides about all the different methods, but there is one left, discovered by Alfredo Andrés (my Yersinia colleague and friend) with the STR instruction; check it out at our company address here.
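
For analysts who want to know up front whether a sample is likely to go quiet inside a virtual machine, a first triage step is to look for the two instructions named above. The following is an added example, not code from this blog or from the tools it mentions; the function name and the sample bytes are constructed for illustration, and a linear byte scan produces false positives that need confirming in a disassembler.

```python
"""Triage helper: flag candidate SIDT / STR encodings in raw x86 code bytes."""

# x86 encodings: SIDT m = 0F 01 /1, STR r/m16 = 0F 00 /1.
# "/1" means the reg field (bits 5..3) of the ModRM byte equals 1.
SECOND_BYTE = {
    0x01: "SIDT",  # memory operand only; mod == 3 encodes other instructions
    0x00: "STR",   # register or memory operand
}


def find_vm_checks(code: bytes):
    """Return [(offset, mnemonic)] for every candidate SIDT/STR encoding.

    This is a linear byte scan, not a disassembler: a hit may lie inside
    data or in the middle of another instruction, so treat each result as
    a lead to confirm by hand.
    """
    hits = []
    for off in range(len(code) - 2):
        if code[off] != 0x0F or code[off + 1] not in SECOND_BYTE:
            continue
        modrm = code[off + 2]
        mod, reg = modrm >> 6, (modrm >> 3) & 0b111
        if reg != 1:
            continue
        name = SECOND_BYTE[code[off + 1]]
        if name == "SIDT" and mod == 3:
            continue  # 0F 01 with mod == 3 is MONITOR/MWAIT etc., not SIDT
        hits.append((off, name))
    return hits


# Constructed sample bytes (not taken from any real malware):
#   push ebp; mov ebp, esp   55 8B EC
#   sidt [ebp-8]             0F 01 4D F8
#   str eax                  0F 00 C8
#   monitor                  0F 01 C8   (must not be flagged)
#   ret                      C3
SAMPLE = bytes.fromhex("55 8B EC 0F 01 4D F8 0F 00 C8 0F 01 C8 C3")

if __name__ == "__main__":
    for offset, mnemonic in find_vm_checks(SAMPLE):
        print(f"0x{offset:04x}  {mnemonic}")
```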