
Security Response

Peter Ferrie | 02 Jan 2008 | 0 comments

Recently, a post to the full-disclosure mailing list described an update to the well-known MD5 collision problem. The authors - Marc Stevens, Arjen K. Lenstra, and Benne de Weger - provided a method whereby they can append only a few thousand bytes to two arbitrary files, with the result that both files have the same MD5 value. This is known as a "chosen-prefix collision." Not only that, but they produced their proof-of-concept files using one machine in less than two days. If you distribute the work, you can make it go faster.

While what they have achieved is not the same as producing a second file with the MD5 of an existing file (a second-preimage attack), it's still not a good thing. In particular, it causes serious trouble for application white-listing implementations that identify an approved program by its MD5 value. Why? Imagine this scenario:
- malware author creates a harmless application.
- malware author creates a malicious application.
- malware author uses the chosen prefix collision method to alter these two...

Peter Ferrie | 27 Dec 2007 | 0 comments

There should be no question anymore that the VX scene is dying.

On the 29A forum there was a post that roy g biv has officially left the 29A group. Given that Vallez has been silent for over a year, it seems clear that the 29A group is really dead now. We wish the boys luck in whatever legal pursuits they find now.

On the EOF and DoomRiderz fora, we can read that neither group has enough material for a new zine. On the rRlf site there's a message that the same thing has happened to them. EOF and DoomRiderz already announced their intention to produce a combined zine, and now rRlf has announced that they will join in, too. Of course, if people are submitting the same thing to multiple groups in case one of them releases a zine, then even those three groups combined might not have enough material for a zine. In any case, it will probably not happen this year.

This brings us to another point - the supposed AV-VX "symbiotic relationship." It should be...

Peter Ferrie | 04 Oct 2007 | 0 comments

At DEFCON 15 this year, Paul Sebastian Ziegler presented a "multi-platform" worm that runs in the .NET framework and compatible implementations. He called it "Akikaze", which is Japanese for "autumn wind". We call it MSIL.Yakizake, which is Japanese for "grilled fish". We never use the virus author's choice of name, and since Yakizake sounds similar, it worked out well.

It's unclear why Mr. Ziegler thinks that his worm is multi-platform, because the platform is the environment in which the application runs. It's not the CPU on which it is running, and it's not the operating system, either, if the environment is a virtual machine of some kind. In this case, the environment is the .NET framework or equivalent (which I'll simply call ".NET" from now on, but it's meant to include them all), which is a virtual machine. While .NET itself is multi-platform, the virtual machine that it...

Peter Ferrie | 16 Aug 2007 | 0 comments

After the success of the W97.Melissa virus in 1999, mass-mailing became the next big thing in viruses. This trend continues even today. Different methods have been tried over time, but they fall mainly into two categories: exploits and social engineering.

Perhaps the most successful example of social engineering came on May 4, 2000 when VBS.LoveLetter called inboxes everywhere just to say “ILOVEYOU". At that time, curiosity easily outweighed security, especially with such a provocative subject line. Many people opened the email and then clicked on the attachment named "LOVE-LETTER-FOR-YOU.TXT[.vbs]" (the .vbs part being hidden by default on many systems). The resulting mess spread across the world during that same day, and...

Peter Ferrie | 06 Aug 2007 | 0 comments

I just got back from Black Hat 2007 Las Vegas, where I was co-presenting with Nate Lawson and Thomas Ptacek regarding detection of hypervisors. Previously, we had asked Joanna Rutkowska to prove her "100% undetectable" claim, but she had declined. However, we did manage to prove that our methods work.

Joanna agreed that the TLB timing method that I first described in detail in 2006 works against BluePill. As she understood it, though, she thought that I presented it as a 'foolproof method for "BluePill detection"'. While I did present it as a foolproof method, I didn't refer to BluePill at all: I said that it would reliably detect a hypervisor, which it does. That it detects BluePill is a corollary.

At the forum last week, she said that it can be defeated, but her method to do so is to single-step the code following the RDTSC instruction. That assumes, of course, that RDTSC is the instruction that is used...

Peter Ferrie | 18 Jul 2007 | 0 comments

It's not often that we get a proof-of-concept (PoC) virus, but to receive four in two weeks is completely unprecedented. The first one, which we call MEL.Odorous, is a virus for the Maya 3D scripting language. It searches in the current directory for uninfected files, and prepends itself to them. After infecting files, it runs the host as usual.

The second virus, which we call WHS.Vred, is a virus for the WinHex scripting language. Like MEL.Odorous, Vred searches in the current directory for uninfected files, and prepends itself to them. Unlike MEL.Odorous, however, Vred does not run the host code after infecting files.

The third and fourth viruses, which we named...

Peter Ferrie | 18 Jun 2007 | 0 comments

It seems that for every scripting language that is powerful enough to host a virus, a virus will be written for it eventually. It also doesn't seem to matter if the audience for that scripting language is very restricted, or that the scripts might not be shared with anyone else.

This brings us to the first virus for the Autodesk Maya 3D scripting language - "Maya Embedded Language" or "MEL" - which we call MEL.Odorous.

This virus is simply a proof-of-concept. It begins by searching in the current directory for the .MEL file that contains its code. It reads this code into a buffer that will be used for replication. Then it searches again in the current directory for other .MEL files. For any .MEL file that is found to not be already infected, the virus will prepend itself to the file. There is no payload, and it does nothing but replicate.

Such a virus...

Peter Ferrie | 30 May 2007 | 0 comments

A new virus has appeared for a new platform. Nothing really new about that, except that this time, the platform is a...calculator. Yes, the Texas Instruments TI89 is now the target of infection. The TI calculators are very powerful, and allow modules to be installed in the RAM. There are thousands of applications already, lots of games, hacks to display grayscale instead of just black and white, and of course lots of mathematics routines.

We don't even have a name yet for this virus, because we're still in the process of deciding on a proper platform name. TI89 is not accurate enough, since it's the underlying software layer that determines if the code can run, rather than the hardware. It might be AMS, after the name of the ROM software. Anyway, we'll see.

The virus itself is interesting, since it is not only a parasitic infector of other modules, but it is entry point obscuring. That is, instead of simply changing the entry point of a module to point directly to the virus code,...

Peter Ferrie | 19 Apr 2007 | 0 comments

Microsoft's JScript is a very powerful and flexible language. However, great flexibility leads to a great potential for obfuscation. We have seen many examples of JScript obfuscation in the past, such as string concatenation and dynamic decoding, and will likely see more in the future.

The most recent and a potentially problematic example uses one of the simplest obfuscation methods: Unicode escaping. Normally, Unicode escaping is used to send Unicode characters that might not travel well across networks, such as characters that could be transformed according to the system locale. From a security perspective, Unicode escaping is widely used to deliver executable code in Web exploits.

What was previously unknown to us is that Unicode escapes can be applied to function names, variables, and all kinds of other code. This was demonstrated by the recent virus that we detect as ...

Peter Ferrie | 16 Apr 2007 | 0 comments

A few days ago, a post to a vulnerability discussion mailing list included a demonstration of a heap corruption in the "bm" section of Windows .hlp files. .hlp files are WinHelp-format help files, a primitive predecessor of .chm (Compiled HTML Help) files. The "bm" section, or the bitmap-format graphics section, is the part of the .hlp file that contains graphics (icons, pictures, etc.). The poster had discovered the vulnerability by using a fuzzer to insert random data into the file. However, it seems that he did not understand why this vulnerability works.

After digging into the issue, it appeared to me that the file targets the same vulnerability that was last attacked in December of 2004, the WinHelp Phrase Heap Overflow. However, after a careful review, I realized that this heap overflow is not the same as...