Security Response
Peter Ferrie | 07 Sep 2006 07:00:00 GMT | 0 comments

I’ll admit right now that this entry is a tease, because I can't tell you how I did it. However, I'll start by saying that there are some people out there who are claiming that hardware-assisted hypervisors are completely undetectable and some people who are claiming that they are not.

The people claiming that hardware-assisted hypervisors are undetectable are basing their argument on several things. First, the sensitive instructions that allow detection of software-based VMMs are trapped by a hardware-assisted hypervisor so that they can be emulated appropriately, if necessary. Second, some registers already have hardware-backed shadow copies; so, as an example, trying to leave paged protected mode (which is not permitted—not even in root mode) might seem like it worked, but it didn't really, because the hypervisor will simply switch the guest into v86 mode and the shadow CR0 will be lying to you. Third, the delivery of physical memory can be intercepted and empty pages...

Dave Cole | 06 Sep 2006 07:00:00 GMT | 0 comments

Last month, I blogged on the security and privacy implications surrounding Web 2.0, but left a little for another day. Following up after this year’s Black Hat, where Web 2.0 issues were cast into the spotlight, I’m here to finish what I started and provide an update on some interesting happenings.

Since my last post
To begin with, the potential for AJAX to empower sophisticated JavaScript malware and a host of invasive Web applications was demonstrated at Black Hat in Las Vegas. From port scanning to fingerprinting and basic network mapping, all done using the AJAX group of technologies, it’s clear that we’ve only begun to see what’s possible via malicious Web sites. While they may not have the immediate impact of a...

Ollie Whitehouse | 05 Sep 2006 07:00:00 GMT | 0 comments

In a time not so long ago the world was a very different place—in terms of mobile phone software upgrades at least. For many years now, several smaller companies in the cellular handset industry have provided a means for users to upgrade the firmware of their devices at home. These firmware upgrades are typically carried out using a computer—on which the firmware files are stored—and a connecting cable (or desk stand) for the cellular device. Sadly, this was not always true for the larger players; the result of which was that when a vulnerability was discovered, the user would first have to learn of it and then take their handset into a service center to be upgraded. This method isn’t very practical and would be pretty low on the priority list for most, if not all but the seriously security conscious.

Well, I applaud Nokia for their recent change of heart to allow users to perform...

Hon Lau | 03 Sep 2006 07:00:00 GMT | 0 comments

In recent months there has been a lot of activity around the discovery and exploitation of vulnerabilities in the Microsoft Office 2003 suite of applications. This activity led to the discovery of a large number of vulnerabilities in Microsoft Word, PowerPoint, and Excel; many of which were incorporated into new Trojans, such as the Trojan.PPDropper and Trojan.MDropper families. As a result, Microsoft has spent a fair amount of time and effort in patching security vulnerabilities in its Office 2003 suite.

In the past couple of days, we have seen samples of a Trojan that exploits a previously unknown vulnerability in Microsoft's Office applications. This time, it is in Microsoft Word 2000 running on Windows 2000. This Trojan (detected by Symantec products as Trojan.MDropper.Q) takes advantage of the vulnerability to drop another file onto the target computer....

Zulfikar Ramzan | 01 Sep 2006 07:00:00 GMT | 0 comments

The second Symposium on Usable Privacy and Security (SOUPS 2006) was held July 12-14, 2006 at Carnegie Mellon. The symposium focuses on bringing usability back into the equation when designing security technologies. That is to say that ultimately, any system providing security is only as secure as its weakest link. Unfortunately, that weakest link often turns out to be the human being using the system.

One particular paper from the conference proceedings that (naturally) caught my attention was “Decision Strategies and Susceptibility to Phishing” by Julie Downs, Mandy Holbrook, and Lorrie Cranor (all of Carnegie Mellon). The paper describes the results of a mental model interview/study with 20 non-expert computer users, in an effort to better understand the user decision-making process upon encountering suspicious emails and Web sites.

The study found that while the participants were aware of traditional risks such as malicious code, they were less aware of...

Hon Lau | 31 Aug 2006 07:00:00 GMT | 0 comments

Software engineers, just like any other professionals, are always on the lookout for a faster, better, and cheaper way of getting the job done. In the construction industry you can use pre-cast concrete and timber frames to speed up production. Likewise, in the systems engineering world you can use code generators and CASE tools (and the like) to make things easier. So, it comes as no surprise that malicious software creators have also been building tools and aids to help them become faster and better.

Many years ago, building a useful and profitable piece of malware required a fair amount of skill and knowledge of the systems being targeted for attack. The lack of handy tools, together with a limited target group for the malicious code, made it difficult to make any easy money out of writing malicious code. Unfortunately, those days are long gone. Today, it doesn’t take much skill to produce, distribute, and maintain a large collection of deployed malicious code to...

Hon Lau | 29 Aug 2006 07:00:00 GMT | 0 comments

Currently, exploits are the flavor of the month as far as malicious code authors are concerned. However, in recent days we have seen a few variants of a new mass-mailing worm called W32.Stration@mm successfully spreading on a moderate scale over the Internet. For some time now we have observed fewer and fewer new instances of mass-mailing worms, so it has now become a bit of a novelty to see that somebody is still willing to invest time and effort into creating a worm that uses this method as the primary means of propagation.

Mass-mailing worms have been around for a long time and people have, by and large, learnt to defend themselves more effectively against them. In the fight back, many administrators now block certain attachments on the gateway; some may apply email filtering such as...

Kelly Conley | 28 Aug 2006 07:00:00 GMT | 0 comments

You are not alone. Practically everyone with an email account has encountered this problem. Image spam is everywhere these days and for the recipients it is a headache of fake Rolex, Chialis, and stock recommendations, to name only a few of the favorites. While antispam vendors mobilize to keep up with this new trend, the spammers infiltrate your Inbox.

The most frustrating thing is that these messages all look pretty much the same when reading them in your email. However, they are very different in the raw, which makes the creation of effective filters much more difficult. Some of the techniques being employed by spammers to get these image-based ads into your Inbox are so subtle they are virtually imperceptible to the naked eye. These include, but are in no way limited to, slight changes in text size and color, as well as image placement from one message to the next. The spammers keep utilizing more and more elaborate avoidance techniques to get their ads to...

Peter Ferrie | 28 Aug 2006 07:00:00 GMT | 0 comments

I have posted this blog in order to outline a recent Q&A session that provides more information about my previous blog regarding a new virus affecting the AMD64 platform.

Q. How does the virus function (infection, propagation, etc.)?

When an infected file is executed it functions normally; however, when the application wants to terminate (e.g., the user closes it), the virus code is then called. At that time, the virus will seek other files in the directory that contains the currently infected file and all subdirectories below it. Any Windows executable file, regardless of the file extension (i.e., not just .exe files), will be infected if it passes a strict set of criteria that the virus carries.

Q. Is it easily detected and, for that matter, avoided?

No, the detection is not...

Peter Ferrie | 25 Aug 2006 07:00:00 GMT | 0 comments

We recently saw the first polymorphic virus for the AMD64. It was released by the same virus writer responsible for the development of the first virus for the Intel Itanium platform; I suppose it was only a matter of time before this author began to do some serious research on the AMD64 platform, too.

The AMD64 virus is both polymorphic and entrypoint obscuring. The entrypoint obscuring is achieved in two ways: one is by making an unusual use of the Bound Import Table, the other is by creating a polymorphic decryptor that contains no explicit register initialization (e.g. MOV instructions). The result is that it is not a simple matter to find the true start of the decryptor and to emulate from the wrong place can result in incorrect decryption.

Interestingly, the virus author also created a 32-bit version of the same virus, using exactly the same techniques....