Malware is in the air

The more malware I analyze, the more I think that 'the bad guys' do not worry about the work they are doing. In fact, it is something strange, and I cannot understand. Some of the samples show that they have some in-depth knowledge in some areas (windows processes, registry, hiding, etc) but at the same time, they use simple and well known packers (like UPX) or they do not even use any packer at all.

If I were a 'bad guy', and if I have spent some amount of dollars paying a programming expert for developing a complex trojan, I would care myself and I would use some housemade packer in order to complicate its analysis. I'm tired of seeing anti-debugging code (SIDT, INT 3, threads, SEH, ...) that rules, but using UPX sucks. At least if you change some UPX headers (for instance the segment name) you cannot run the UPX normal binary in order to unpack the malware.

The same applies for the encryption method used. I would say that perhaps 75% of the malware if they encrypt something they use a XOR encryption. I know that it is easy to implement, but come on, the public key cryptography is something that we (should) daily use.

In summary, let's have a happy new year 2007 and check out the Mark Russinovich video about detecting malware before the end of the year!!

Old DNS stuff

Today I was trying to test honeysnap (which, by the way, it is a very useful tool) with some DNS data in a pcap file and wanted to test some HINFO and TXT DNS records. But the problem I came across is that it is very rare to find any HINFO record nowadays in the Internet!!!

According to the RFC, HINFO is supposed to be the record for describing the hardware where the DNS server (ISC bind usually) is running on. Almost every security paper and/or manual I can remember say that "you must delete your HINFO record in order not to give strategic information to your attackers" Ouch!!!! Come on, if you do not want to say your real hardware, at least say something funny, like "This is running an illegal version of Windows" or better, "The DNS server hardware is something that came from the outer space"...

Anyway, after looking desperatly for any DNS server with any HINFO I found one in Canada. The domain www.uwo.ca (The University of Western Ontario) has a HINFO record, that is "Sun Ultra Enterprise 2 Solaris 2.6". Pretty clasic, isn't it?

0-days and the Hollywood movies

It is more and more common to see the term '0-day' or 'zero day' in the marketing stuff, most cases from IDS and/or IPS vendors. This is something that they easily claim but they never tell anything more about it. Yes, I know, 0-days is a cool and nifty word and if you say to your customers that your appliance protects from '0-days' in the moment you deploy it, it is something that will increase your sales rate, ooooopppsss!!!

But, what is a 0-day? According to the Wikipedia: 'Zero day or 0day refers to software, videos, music, or information unlawfully released or obtained on the day of public release'. In summary, something that you get even before it gets released. The Wikipedia has also another definition more related to this post subject: 'Zero-Day exploits are released before, or on the same day the vulnerability — and, sometimes, the vendor patch — are released to the public. The term derives from the number of days between the public advisory and the release of the exploit'. So in this case it is a well-known vulnerability (with its exploit) that has not a patch available from the vendor. Hmm, and what about the private vulnerabilities that even the vendors don't know anything about? Not only the individual's exploits, but the companies focused on this market (iDefense, Tippingpoint, ...) Because both those individuals and companies have vulnerabilites during some period of time without notifying the vendors. Do all the IDS/IPS/Anti-XXX protect their customers from those vulns? Come on product managers, try not to make up your statements.

Regarding to the 0-days, there is an innitiative from some known security guys (ZERT) that provides some patches for those vulnerabilities that are public but the vendor hasn't released the patch. Although their effort is something worth, I don't think is something valid. I wouldn't rely on applying those unofficial patches to my boxes, that it is something that I would leave to my vendor (and something that I would complain about and request the support if needed). I'd prefer other workarounds that could protect me against those vulnerabilities, even using those IPS that announces the 0-day protection if they can be customed to protect me (that is another BIG problem nowadays, they can effectively detect a new vulnerability if they have the signature, but they can be easily faked).

Anyway, if you are interested about the public 0-days, there is an interesting page from Eeye that lists them all: Zero day tracker