Tuesday, April 29, 2008

Race to STFU

If you're familiar w/ DefCon, then you know that there are always nifty contests and activities. A new one was announced on bugtraq a few days back, called The Race to Zero...

Short version is, contestants get malware samples which are detectable by AV products, and the first cat to get all the samples passed through w/ a zero detection rate wins... So, unsurprisingly the AV vendors came out and were like "bad hackers! bad defcon!!" and have been written up saying how this is adding to the state of insecurity, and encouraging the wrong behavior, blah blah blah.

But are they really thinking this through, or is it just a knee-jerk reaction? The AVG 'chief research officer' says it's hard to see the good in "encouraging people to write more viruses". Maybe I'm splitting hairs, but I'm callin you out here because there is nothing in this contest about creating new viruses. Hell, I'd challenge someone to debate whether or not the outcome of this contest will result in new virus variants. If I understand it correctly, the goal is to have a functionally intact sample obfuscated to escape detection.

This blog from Sophos is where I first heard grumbling about this issue, and it really rubbed me the wrong way...

It seems odd that the focus be on building awareness (that is already present) that signature-based detection is not enough by itself, it has been dead since the early 1990s when utilisation of polymorphic engines became widespread.

Really?!? Wait, can you say that again for me??? Signature based detection has been dead since the 1990s? Geeze, I wanna go to your reality, cause I bet you have flying cars and stuff too. I'm pretty sure that signature detection is still a major component of AV, IDS, WAF, etc in this reality. Yea, people have been talking about anomaly detection for years upon years, but commercial security products (including yours) still rely widely on signature detection. Hell, one reason we ended up picking Sophos for a global rollout a few years back was because their lab seemed to consistently turn around really good sigs really quickly. In fact, iirc, there wasn't any anomaly detection in Sophos until the latest release of their client software. It's been a long time, but I think SAV4 was only sig based, SAV5 was vapor, SAV6 was a clusterf*ck from an enterprise deployment standpoint and was sig based. I think it was either SAV7 or 8 where I first saw a blurb about watching for unusual behavior in software...

Essentially Defcon appears to be promoting the development of malicious software ... pseudo-benevolent coders are being challenged to add to the quagmire of nasties under the guise of promoting more widespread and generic detection

That's why you think they're doing this? Have you ever organized a contest at a security con? Do you personally know anyone who has? Cause, you see, it's kinda a lot of work and planning and stress, because you want it to work out and you don't want people to be disappointed. The people who do this stuff are generally inquisitive and intelligent people who have some deeper research interest in the subject at hand. So where you assume there is some juvenile malicious intent which doesn't make much sense, I assume there may be legitimate research intent or commentary on the AV industry...

See, if I was researching how people obfuscate malware to avoid detection, getting a bunch of smart hacker types together to produce examples of obfuscated malware might be a really good way to collect data.

Similarly, if I wanted to raise attention in an area which has been a problem for far too long, maybe I'd organize a contest to raise awareness and shame the culprits into action. You act as though a few hundred variants (at maximum) will be some paradigm shifting end of the world event, but to me it would seem to be at the very worst a drop in the bucket. Researchers say that Storm code is being repacked *by the minute*. Bad guys are using encryption and packing all over the place. And iirc, I remember reading some articles on studies where a significant percentage of malicious code was able to bypass AV detection and own the box some disconcerting percentage of the time.

This is the industry which ignored emerging internet based malware until they eventually realized that they could sell us a new product and make more money. Then they did the same thing with rootkits. Sorry, can you please tell me the fundamental difference between a virus and some malware and a rootkit? Because as far as I'm concerned, it's all malicious code running on a box, and I don't want it there.

I'm sorry, but I give the AV industry a big "F" for "FAIL"... The status quo isn't working. So if some people start a contest to learn something to help them think up a better defense, then I think that's great. And alternately, if they start a contest to draw attention to how much this industry is failing overall, I think the AV companies have certainly earned it.

And I'm sorry to be so negative here, because I get that AV work involves some huge technical challenges, and often times you are trying to protect OS's with flawed security models, and on and on... And I generally like Sophos too... But don't do this self-serving bitch session against people who aren't causing any real problems for real users. Organized criminals who are building botnets and paying coders tons of cash to come up with new attacks are the people you should be worried about... People who are trying to do research, lobby for change, and facilitate out of the box solutions are your friends...

Sunday, April 27, 2008

inet doom n gloom

ok, i'm a little worried about where the future of inet is heading...

basically, i completely support the EFF folks and net neutrality, but i am worried that the genie has been out of the bottle on that stuff for a while now, and we're just not accepting the new paradigm.

china has been sending resets and filtering content for a long time. it isn't impossible to subvert. now there's rumbling that russia may be doing something similar.

similarly, the usa govt is all about sniffing around and is also looking to expand and normalize such monitoring, which is surely a step towards active interference with activities deemed to be inappropriate.

the number of attacks coming out of china just pushes the issue further. we know they are monitoring things traversing their network perimeters, and researchers keep reporting wide-spread recon and attacks against a multitude of government and private networks which are traced back to some router in china. i'd imagine that intel ppl and infosec policy makers in the usa are probably saying to themselves: there's no way they don't at a minimum know when attacks occur and where they are coming from. at worst, is it a stretch to assume that there might be official chinese government involvement in the attacks? i can't dig up the link, but right before notacon there was a story running about a woman boarding a plane to china with trade secrets and 30k in cash in her bag.

so anyway, take into account pressures from private companies as well. after helping the us gov't break the law by spying on us citizens, perhaps comcast felt emboldened to start poking around. now we have other companies talking about it too...

we're really going to lose something important and special if we go the route we seem to be heading. but with so much value on the internet, and so much that people and organizations and commerce and governments depend on being ingrained in the internet, can you imagine that there won't be further pushes to regulate and control the internet by the powers that be?

i want to be hopeful about this, but people already suck on so many other levels, that i'm not bettin the farm that we'll get this one right...

Thursday, April 24, 2008

lateral sql injection

so litchfield just posted a pdf on what he calls lateral sql injection...

basically, the attack focuses on situations where you can affect a function which doesn't take any parameters. normally you'd assume such functions were immune to attack. but he takes a side-channel approach and alters the output of internal commands called by the function which are used in sql queries.

as he says at the end of the paper, the attack vector probably isn't going to be seen all that often. i'm def not a sql/db expert, but it seems like you'd need a decent amount of knowledge about the underlying code being used in a system to attack it via lateral sql injection... of course, there are probably some really common stored procedures, and perhaps an attacker could make reasonable guesses as to what a developer called in his or her code...

anywho, it's always fun to see people looking at things in new ways...

Tuesday, April 22, 2008

<3

totally ripping off the xkcd style here, but i have no art skills... true story tho...


Monday, April 21, 2008

storm info

been doing some reading on a fascinating investigation into the storm worm which came out of the usenix leet08 con...

the authors start out explaining traditional botnets, and then differentiate the new p2p botnet anatomy. they do analysis on how information is routed and propagated, and then look into how they can participate within the network to gauge its size and more...

the sybil attack (and eclipse attack) are new to me, and pretty nifty...

overall, i think it is interesting how we're seeing p2p evolve to fill a new space. coming out of the high ideals of freenet, p2p moves over to a lot of legit and illegit filesharing, and now we're seeing it used to protect the C&C capabilities of modern organized crime networks.

the sophistication of some aspects of storm is quite impressive. the authors describe adaptive attacks on browsers, where non-vulnerable browsers are ignored and vulnerable ones are sent a variety of payloads. also, the exe files used to infect hosts are repacked by the minute (which seems like a cpu expensive operation) on certain web servers serving them... the payload includes a rootkit to hide itself. there are other things which point to ongoing and active development of the network. they say they are going to try to identify the ppl behind the curtain as their next effort, and i wish them luck. i am quite curious to know more about the inner workings and motivations of the people who are coding this up.

another interesting note is that almost all of the social engineering attacks from storm were done in english. given the level of sophistication we're seeing in being adaptive and polymorphic in some areas, i wonder how long it will be until we see adaptive language (maybe based on destination ip of the domain for the spam?) as a component in these networks.

finally, the authors say they were able to successfully attack the network from the inside, by seeding benign files and then routing requests for malicious files to their sybils (the polluting attack). this is very nifty, because it allows for disruption to the network overall, and might (?) allow for the possibility to write a type of code-green countermeasure if you could somehow get infected hosts to execute a file which would turn them into sybils or clean themselves somehow.

unfortunately, given how sophisticated the bad guys seem to be, i can only imagine that this possibility will be closed in the future. i may not have thought this all the way through, but it seems that the clients could be coded to check for a digital signature on any file which is being published, and to ignore any published files which are incorrect or missing a signature. this wouldn't prevent infiltration into the network, but i think it would severely hamper any ability to hijack or suppress it. on the flip side, however, i believe the authors would then subject themselves to non-repudiation if law enforcement found a copy of the private key on their box ;)
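The publisher-signature check sketched above, written out as an added example (not code from the LEET paper or from any Storm client); it assumes Ed25519 over a SHA-256 digest and a constructed entry structure. It also shows why the polluting attack stops working once clients verify: a node that cannot sign with the publisher key can neither forge nor rewrite an entry.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Published models one entry a node announces into the overlay: the payload
// plus an optional detached signature. (Hypothetical structure for this
// example, not the real wire format of any botnet.)
type Published struct {
	Payload []byte
	Sig     []byte // Ed25519 signature over sha256(Payload); nil if unsigned
}

var ErrUnsigned = errors.New("published file carries no signature")
var ErrBadSig = errors.New("signature does not verify against trusted key")

// Publish hashes the payload and signs the digest with the publisher's key.
func Publish(priv ed25519.PrivateKey, payload []byte) Published {
	d := sha256.Sum256(payload)
	return Published{Payload: payload, Sig: ed25519.Sign(priv, d[:])}
}

// Accept is the client-side check: a node only acts on entries that verify
// under the trusted publisher key. Unsigned or tampered entries are dropped,
// so content seeded by sybil nodes is ignored rather than executed.
func Accept(pub ed25519.PublicKey, p Published) error {
	if len(p.Sig) == 0 {
		return ErrUnsigned
	}
	d := sha256.Sum256(p.Payload)
	if !ed25519.Verify(pub, d[:], p.Sig) {
		return ErrBadSig
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	good := Publish(priv, []byte("constructed sample payload"))
	fmt.Println("genuine:", Accept(pub, good))
	// A polluting node swaps in a decoy payload but cannot re-sign it.
	decoy := Published{Payload: []byte("benign decoy from a sybil"), Sig: good.Sig}
	fmt.Println("tampered:", Accept(pub, decoy))
	fmt.Println("unsigned:", Accept(pub, Published{Payload: []byte("x")}))
}
```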

Wednesday, April 9, 2008

notacon


notacon! just got back... been forever since i posted... anywho, just a few pics...

the con was a bunch of fun... very chilled environment. i've only been doing the bh/dc stuff before now, so this was quite a change... got to hang out w/ some friends who i don't often enough get to drink beers w/...

some interesting talks, and talked to some cool ass ppl, hung out at the lp pagoda.... oh yea, and there was a party which whupped my arse the next day...




go figure, DoD sent their best and brightest ;)


anywho i loved it... super happy i went and hope to go again next year...

oh yea, and one itty bitty security tidbit... so i left my lp stuff at home, so i bought a new set of picks at the con (which was pointless, b/c my club-like hands were seemingly cursed and useless over the weekend... sigh...). well, you know, i coulda dropped em in the thing to send em home in the mail. they say no tools over 8 inches, but i figure mb they wouldn't like lockpicks on the plane given all of the stuff they've taken from ppl in the past...

speaking of that:


so anyway, we ask the TSA lady if that's stuff they pulled out of luggage and off of people, and she's like "yep, isn't it scary what people try to get on planes? that's all stuff we got in the first year since we've been doing this" (mb she meant post 9/11 sec measures?)... so i say back, "well, i guess people were probably carrying that stuff all along, and we just didn't know"... she gives me a weird look at that point...

so i'm wondering if they're going to spot my picks as my bag goes through the xray... and i hear "bag check!"... crap... the lady pulls it out, and opens it up, and pulls out a little bottle of hot sauce my friend gave me... "it's just two ounces" she says, and gives me the bag...

sigh... i am kinda disappointed...