Stealing Data With Obfuscated Code

Weblver1 writes "A recent report by web security firm Finjan shows how easily data can be accessed on PCs by malware which circumvents existing defenses. With the use of obfuscated code, antivirus software and static Web filters could not identify the scrambled attack code as a threat. The report walks through a real-life scenario of the infection process step-by-step, and tracks what happens to the stolen data. This demonstrates how stealing sensitive data has become unbearably easy — especially, given the abundance of easy-to-use DIY crimeware toolkits. Finjan's report is available here (PDF, registration required). Shortly after this report, Security firm RSA has released their findings of a huge amount of stolen 'virtual wallets' in one of the largest discoveries of stolen data from computers compromised by the Sinowal trojan. While the trojan can be traced back to 2006, it managed to become more productive over time with frequent variants. Given the scale, ease of use, and hiding techniques making infections extremely difficult to find, no wonder today's crimeware achieves such 'impressive' results."

Obfuscation 101

[kbrasee]

X=1024; Y=768; A=3;

J=0;K=-10;L=-7;M=1296;N=36;O=255;P=9;_=1<<15;E;S;C;D;F(b){E="1""111886:6:??AAF"
"FHHMMOO55557799@@>>>BBBGGIIKK"[b]-64;C="C@=::C@@==@=:C@=:C@=:C5""31/513/5131/"
"31/531/53"[b ]-64;S=b<22?9:0;D=2;}I(x,Y,X){Y?(X^=Y,X*X>x?(X^=Y):0,  I (x,Y/2,X
)):(E=X);      }H(x){I(x,    _,0);}p;q(        c,x,y,z,k,l,m,a,          b){F(c
);x-=E*M     ;y-=S*M           ;z-=C*M         ;b=x*       x/M+         y*y/M+z
*z/M-D*D    *M;a=-x              *k/M     -y*l/M-z        *m/M;    p=((b=a*a/M-
b)>=0?(I    (b*M,_      ,0),b    =E,      a+(a>b      ?-b:b)):     -1.0);}Z;W;o
(c,x,y,     z,k,l,    m,a){Z=!    c?      -1:Z;c     <44?(q(c,x         ,y,z,k,
l,m,0,0     ),(p>      0&&c!=     a&&        (p<W         ||Z<0)          )?(W=
p,Z=c):     0,o(c+         1,    x,y,z,        k,l,          m,a)):0     ;}Q;T;
U;u;v;w    ;n(e,f,g,            h,i,j,d,a,    b,V){o(0      ,e,f,g,h,i,j,a);d>0
&&Z>=0? (e+=h*W/M,f+=i*W/M,g+=j*W/M,F(Z),u=e-E*M,v=f-S*M,w=g-C*M,b=(-2*u-2*v+w)
/3,H(u*u+v*v+w*w),b/=D,b*=b,b*=200,b/=(M*M),V=Z,E!=0?(u=-u*M/E,v=-v*M/E,w=-w*M/
E):0,E=(h*u+i*v+j*w)/M,h-=u*E/(M/2),i-=v*E/(M/2),j-=w*E/(M/2),n(e,f,g,h,i,j,d-1
,Z,0,0),Q/=2,T/=2,       U/=2,V=V<22?7:  (V<30?1:(V<38?2:(V<44?4:(V==44?6:3))))
,Q+=V&1?b:0,T                +=V&2?b        :0,U+=V    &4?b:0)     :(d==P?(g+=2
,j=g>0?g/8:g/     20):0,j    >0?(U=     j    *j/M,Q      =255-    250*U/M,T=255
-150*U/M,U=255    -100    *U/M):(U    =j*j     /M,U<M           /5?(Q=255-210*U
/M,T=255-435*U           /M,U=255    -720*      U/M):(U       -=M/5,Q=213-110*U
/M,T=168-113*U    /       M,U=111               -85*U/M)      ),d!=P?(Q/=2,T/=2
,U/=2):0);Q=Q<    0?0:      Q>O?     O:          Q;T=T<0?    0:T>O?O:T;U=U<0?0:
U>O?O:U;}R;G;B    ;t(x,y     ,a,    b){n(M*J+M    *40*(A*x   +a)/X/A-M*20,M*K,M
*L-M*30*(A*y+b)/Y/A+M*15,0,M,0,P,  -1,0,0);R+=Q    ;G+=T;B   +=U;++a<A?t(x,y,a,
b):(++b<A?t(x,y,0,b):0);}r(x,y){R=G=B=0;t(x,y,0,0);x<X?(printf("%c%c%c",R/A/A,G
/A/A,B/A/A),r(x+1,y)):0;}s(y){r(0,--y?s(y),y:y);}main(){printf("P6\n%i %i\n255"
"\n",X,Y);s(Y);}

Re:Obfuscation 101

[peektwice]

That's funny. The Perl Journal had those obfuscated contests too. Here was my lone attempt:
#!/usr/bin/perl
for(unpack('C*',pack "H*",unpack "u", "B,\&\$V8S8Q-F4W,C>U-F8T83\(P-F,W,C8U-3\`R,#8U-C\@U-\`\`\`")){unshift @^O,$_};foreach $_(@^O){print pack('c*',$_)};print " \n";

Re:Obfuscation 101

loccc ray?

Re:Obfuscation 101

ioccc

Re:Obfuscation 101

How come when I ran this on my PC all my porn files were emailed to everyone in my address book?

Re:Obfuscation 101

I give up. What does it do?

Re:Obfuscation 101

And now they're slashdotted...

Re:Obfuscation 101

[jon207]

+1 I compiled and executed it and all what I see was a lot of no-sense junk in the console. What is it supposed to do ?

Re:Obfuscation 101

[fyrewulff]

Drink.... more.... Ovaltine?!?

Re:Obfuscation 101

[bone_idol]

Best Use of Light and Spheres:

        Anders Gavare
        Gibraltargatan 82-156
        SE-412 79 Gothenburg
        Sweden

        http://www.mdstud.chalmers.se/~md1gavan/

Judges' Comments:

        To build:

        make gavare

        To run: ./gavare > ioccc_ray.ppm

        For users of systems that distinguish between text and binary mode
        (you know who you are), add a library call that specifies binary mode
        for stdout as the first statement of main(),
        or use freopen("ioccc_ray.ppm", "wb", stdout) and do not use redirection.

        A freely distributable command-line version of Microsoft Visual C
        exhibits an optimizer bug when compiling this entry. Disable /Og for
        best results.

        The judges were able to figure out how to control position
        (in all 3 coordinates), size, and color (to some extent) of the balls.

Selected Author's Comments:

        It is possible to write some kinds of programs in C without using reserved
        words. For very short and trivial programs, it usually isn't very hard to
        write a variant using no reserved words, but with this program I want to
        show that also non-trivial programs can be written this way. This IOCCC
        entry contains no reserved words (I don't count 'main' as a reserved word,
        although the compiler gives it special meaning) and no preprocessor
        directives.

        The program is a small ray-tracer. The first line of the source code may
        be modified if you want the resulting image to be of some other resolution
        than the predefined. The 'A' value is an anti-alias factor. Setting it to
        1 disables the anti-aliasing feature (this makes the output look bad), but
        setting it too high makes the trace take a lot more time to complete.

        The ppm image can then be viewed using an image viewer of your own choice.
        (Running the ray-tracer may take several minutes, even on fast machines,
        so be patient.)

        I am very much aware about the fact that I'm breaking the guidelines. For
        example, the word 'int' is a reserved word and therefore all variable
        declarations are implicit. There will no doubt be _lots_ of warnings,
        no matter which compiler is used. Still, the source code should be word-
        length-independent and endianess-independent.

        Another reason for writing code without using reserved words is that many
        text editors will make all reserved words turn BOLD when printed on
        paper. Since I care for the global environment, we shouldn't waste any
        more laser toner, or ink, than necessary. Everyone should write C code
        with no reserved words, and our world will be a better place.

Re:Obfuscation 101

[mrmeval]

NO! http://www.schlockmercenary.com/d/20010225.html

Imitation Ovalkwik!

Glucose, fructose, corn syrup solids, concentrated cocoa-bean extract, assorted methylxanthine alkaloids (including caffeine, theobromine, and theophylline), sodium laureth sulfate, Minoxadyl, buckminster fullerene, codeine, hyper-ephedrine, nicotine, with BHA and BHT added to preserve freshness.

Re:Obfuscation 101

[rugatero]

How come when I ran this on my PC all my porn files were emailed to everyone in my address book?

It's a denial-of-service attack in which your inbox becomes flooded with 'thank you' notes.

Re:Obfuscation 101

Very funny kbrasee...or should I call you Ray?

For those that don't understand, squint your eyes and look at his/her garbage. You *always* have to look past the problem if you want to see the answer.

Re:Obfuscation 101

[zolaar]

Ray

Comment removed

[account_deleted]

Comment removed based on user account deletion

Not to push it too much

[James_Duncan8181]

But when people say that we should have only one distro, and that it's a problem that different distros use different versions of software and insert their own patches...this is why they are wrong wrong wrong.

Monocultures FTL.

Re:Not to push it too much

[CSMatt]

Except that a lot of distributions are based on only a handful of larger distributions. Any bugs present in the parent distribution can surface in all of the others that are based on it. Debian's OpenSSL flaws are a good example.

Re:Not to push it too much

[James_Duncan8181]

This is true. Although there are still recognisable families, so it's a long way from a monoculture.

Re:Not to push it too much

[IamTheRealMike]

The differences between Linux distros are big enough to annoy programmers with better things to do, but small enough that you can still write a virus that works on all of them if you want to. So it's actually the worst of all possible worlds.

Like stealing votes with obfuscated registrations

Or hiding campaign contributions by deliberately disabling credit card validation.

All Hail Change!

Finjan Software has scammed people before

[antifoidulus]

Surfin'Shield sort of drowned. There is probably a similar scam behind this "research"....

Re:Finjan Software has scammed people before

that's no true

Solve the EASIER problem. Known good.

[khasim]

http://www.ranum.com/security/computer_security/editorials/dumb/index.html

Why bother with anti-virus for the system itself? (Note: anti-virus is acceptable for mail servers or file servers.)

Instead, why not focus on identifying the known good code ... and quarantining anything else?

Maybe there aren't an infinite number of ways to obfuscate code (eventually your obfuscation would exceed the capacity of the local hard drive) but there are FAR more ways to obfuscate code so it bypasses the anti-virus scanners than there are bits of known good code.

I should be able to boot from some form of rescue CD with a HUGE list of filenames, checksums, etc ... and what application they are associated with ... and validate every single file on a workstation. And then quarantine everything else so it can be manually verified.

There, even if you get infected, the disinfection is simple AND effective.

Re:Solve the EASIER problem. Known good.

[postbigbang]

To answer your question:

Because you'll be p0wn3d in no time. Trust what? AV libraries are mostly behind the times and can't smell subtle variations. They suck, generally. Test after test shows just how bad they are.

There doesn't have to be an infinite number of obfuscations. Just one will do. That's why trusting any code can be simply stupid. Anything can get infected, there are tons of vectors.

Getting disinfected doesn't necessarily work, either. Usually the initial infection vector still exists (the hapless user). The odd thing about computers is that you can enslave them to continue to make attempts 24/7, in huge variations. Patience is a virtue, but I've watched brute force attacks render highly-protected servers and workstations quivering in just seconds. It takes talent, boredom, tenacity, and a greed motive. There are stupendous numbers of people fitting just that profile.

Quarantining code is folly. Active and varied defenses and re-writes and restores to RO media help. If Windows, then even more techniques are mandatory. I scape so much crap from friends and relatives machines that I've got BartsCD built for most of them. I just re-write the registry after active scans, and re-write kernel, vmm, browser crap. Then I shutdown the ports that have been opened after finding out what can opener was used. Then I swear a little, accept the free beer, and move on.

Re:Solve the EASIER problem. Known good.

[sakonofie]

validate every single file on a workstation.

The problem with a white list is that in order for it be effective it can't have too many false negatives. Having the white list validation program go ape shit over every file that isn't on it isn't all that helpful. I don't really want to have to hit ignore for every file in /home and most of my configuration files. (To get around this you could just update the white list, but this would have to be done every time a file is edited, but this is too frequent, so what is the right frequency, etc.)
Also white lists will identify when things don't match and allows for quarantine, but it won't help if something needs to be replaced. Something like deep freeze might be a reasonable alternative (i don't really know) or just archiving backup disk-images.

Re:Solve the EASIER problem. Known good.

[bit01]

Yes. To verify a system is uncompromised from a possibly compromised system is idiotic. If a person doesn't understand this then they are not a competent programmer.

I've said for years that most "anti-virus" companies are engaged in fraud and the CEO's of most "anti-virus" companies should've been in jail for it a long time ago. It shows how low the IT industry has sunk when even quite basic fraud like this is being allowed to continue. At the very least there should have been a class-action lawsuit.

The only way to truly verify a system is good is to do it from a known good system. For a standalone PC that means booting off known-good read-only media, usually a CDROM, and using that to verify the checksums of all the critical files on the hard disk. To handle updates the CDROM needs to have enough smarts to download signed checksums of updates off the net and storing them in encrypted form (so malware can't tamper with it) on read-write media, preferably a memory key only inserted into the system when booted off the read-only media.

Part of the reason this has not been done until now is that third parties could not easily read the proprietary undocumented NTFS file system, because BS OS licensing made it difficult and expensive to have a separate boot and because M$, incredibly, stopped shipping CDROM's of their OS. Now that NTFS has been reverse engineered it is possible to create a third-party Linux CDROM that can do all of the above. This is the only practical way to stop the Windows virus pandemic. Ironic that the best way to verify a windows system may be to use a linux system.

To anticipate a few questions:

• Yes, Joe Sixpack is perfectly capable of inserting a CDROM, pressing the reset key and following the limited instructions (ie. get professional help if a virus is found or recover files off the known good distribution media).
• Yes, this approach perfectly capable of protecting Joe Sixpack's personal files if the CDROM has enough smarts to back up personal files and check sum them every time it is run. Even if it doesn't do this it's still verifying the system is uncompromised.
• Yes, it's perfectly capable of verifying every executable on the system, including those not initially distributed with the OS.
• Yes, both whitelist and blacklist checksumming is possible at the same time. What a concept!
• Good system/network administrators already automatically, regularly checksum verify all the systems they manage to verify their systems have not been corrupted, whether by a virus or a hardware error. It works. If they don't they are mediocre administrator at best.

M$ is perfectly capable of creating such a CDROM however those "professionals" have chosen not to and allow the virus/bot pandemic to continue. And they wonder why some people don't like them.

---

Ownership, by definition, is the right to control something. Any ethical (not legal) argument based on "because they own it" is bogus.

Re:Solve the EASIER problem. Known good.

[WhyMeWorry]

Problem being that there is no such thing as known good code. Even if you saw all of the source code and compiled it yourself, there is always the possibility that the compiler or linker/loader introduced a back door (this problem has been known for a long time). The best you could say is that certain code is trusted. On the other hand, there is such a thing as known bad code.

Re:Solve the EASIER problem. Known good.

no shit Sherlock, but how are you gonna whitelist keygens, cracks..

Re:Solve the EASIER problem. Known good.

[OeLeWaPpErKe]

If you add "why not quarantine everything" you're at what microsoft is trying to do with palladium.

Obviously one of the first side-effects is simple : that quarantine, unoverrideable (which is what security researchers want), is exactly what you need to implement "real" drm.

Re:Solve the EASIER problem. Known good.

[walshy007]

there is always the possibility that the compiler or linker/loader introduced a back door

Problem being that there is no such thing as known good code.

I disagree, you can use gdb to go through the compiled binary and watch what it does, but since it is not yet trusted, even when doing that do it on a vm. same thing with disassemblers. If I've scoured through all of the assembly and still find nothing, I'd say it's known good code, can't wouldn't say the same for the libraries it calls until they are inspected also. You would want it to be a very special program to justify that kind of work though.

Re:Solve the EASIER problem. Known good.

[bhtooefr]

What if you wrote the compiler yourself, in assembly?

Then, the exploits would only be at the BIOS or hardware level...

Re:Solve the EASIER problem. Known good.

[Angostura]

Yes, it's perfectly capable of verifying every executable on the system, including those not initially distributed with the OS.

I'm very very sceptical of this claim. But I'm willing to wait and hear your methodology.

Re:Solve the EASIER problem. Known good.

[rew]

The only way to truly verify a system is good is to do it from a known good system. For a standalone PC that means booting off known-good read-only media, usually a CDROM,
Here you have a slight problem with implementing your suggestion: The CPU boots off the read-write flash chips on the motherboard, not off the CDROM.

Re:Solve the EASIER problem. Known good.

[idontgno]

Don't forget, too, that the toolchain you're using to do your diagnostics can be the source of the hack.

...You can't trust code that you did not totally create yourself. (Especially code from companies that employ people like me.) No amount of source-level verification or scrutiny will protect you from using untrusted code. In demonstrating the possibility of this kind of attack, I picked on the C compiler. I could have picked on any program-handling program such as an assembler, a loader, or even hardware microcode. As the level of program gets lower, these bugs will be harder and harder to detect. A well-installed microcode bug will be almost impossible to detect.

-- Ken Thompson, Reflections on Trusting Trust

Re:Solve the EASIER problem. Known good.

Microsoft already provides some of this functionality, but too often users hate it. But I guess that's because of MS stupid implementation.

1. They have sfc.exe. System file checker compares the digital signatures (which hash a hash, and is not broken yet) of system files, and replaces them with copies from the %systemfolder%\dllcache storage. Of course, if the dllcache is also changed, sfc.exe then prompts for the original install media.

It sounds good, but the problem is people disabled Windows File Protection, often to hack system files, like replacing the TCPIP connection limit in tcpip.sys. Or changing the USB frequency to 1000Hz in usbport.sys. Or using NLite disables WFP for customization of windows.

People want to hack windows. And are angry when you try to stop them.

2. Or WGA. Again, it verifies MS signatures. Presumably, if you don't have a hacked version, meaning you haven't modified the original MS system files, then you have a legal and verified copy of windows. Of course people hack this as well.

So yeah, I agree there should be an offline CD implementation of sfc.exe. Right now sfc still fails because Virus can rootkit the hell out of a system, redirecting the I/O. Or just disabling WFP.

Vista x64 sp1 is the most secure yet. Not allowing you to disable WFP. And requiring digital signatures for drivers. Of course, the first thing people did was figure out a way to disable it for non supported drivers.

tripwire?

[OffTheLip]

Not a new solution but effective in its day. Poses problems for todays dynamic content/programs but if identifying alien code is the goal programs such as tripwire are a step in the right direction.

Re:tripwire?

There are better alternatives to Tripwire like products from Solidcore or Bit9 :)

EXE Packers

[tukang]

I'm not sure if this is still the case but back in the day using an exe packer (like upx) on a trojan or virus would prevent detection by most anti-virus software and as an added bonus the payload also becomes much smaller

Re:EXE Packers

They know how to unpack upx now but with pretty much anything else like aspack or armadillo you can fool any antivirus.

Re:EXE Packers

There are virus scanners that don't know how to unpack executables, but instead flag any packed file as a virus.

No way out?

[iminplaya]

Will using only live CDs work? With a white list?

Maybe a Solution

[mebrahim]

Everything Open Source + People collaboratively and systematically review source codes

Run a decent firewall....

[ZosX]

Of course this doesn't really apply to web browser hijacks, but you can at least intercept a lot of your outgoing traffic. The problem is that most people just click the ok button willy nilly because they want to see it go away.

Re:Run a decent firewall....

[Laebshade]

Outbound firewalls are for people who don't know what they're doing or who support users who don't/want to stop them from doing something.

Re:Run a decent firewall....

[ShinmaWa]

Outbound firewalls are for people who don't know what they're doing

What an incredibly ignorant and stupid thing to say.

I definitely know what I'm doing and I use my outbound firewall to its fullest extent. Having the ability to proactively determine what software can and can't touch the network, be it establishing a connection or binding to a port, in conjunction with a proper hardware solution provides not only good protection, but also serves as an early warning system when an unknown program attempts to go to an unknown site for an unknown reason.

Granted, outbound firewalls are not perfect. If a whitelisted application is compromised, then it this firewall doesn't provide much protection. This is why outbound firewalls should be but one of several items in your security toolbox.

However, to wave your hand and claim they are only for people who don't know what they are doing shows a level of arrogance that usually gets corrected only after you are compromised.

Re:Run a decent firewall....

[danieltdp]

I short: he knows what he is doing, but what the computer is doing is quite a different matter

What are the best tools for detecting this?

[Phizzle]

For the truly paranoid, what are the best tools to run on your system to detect potential intrusion of this type?

Re:What are the best tools for detecting this?

[Xakh]

A newspaper, typewriter, and calculator.

Re:What are the best tools for detecting this?

[symbolset]

Most of the major antiviruses should be able to detect this, except maybe Norton. Kapersky adds detection code to their database for newly discovered variants within minutes of when they appear - 17 times on 10/24/2008 for example. With a metamorphic engine this advanced it's likely that you can find a variant that Kapersky will never see. Kapersky is now watching nearly 700 variants of this one threat to date. This is what makes the databases for a modern antivirus engine so huge.

Removal is not hard for the "truly paranoid". Although you'll find a host of removal instructions on the internet none of them is reliable for this level of security threat. Your best option if you find you're compromised with this threat is to backup your data, use Darik's Boot and Nuke (DBAN) to completely erase your hard drive, and start over with a clean install using a good process for your installation. Be aware that DBAN can make your HDD firmware unrecoverable in certain rare instances, so be prepared to buy a new drive if you must. If you find yourself repeatedly compromised, you might reconsider your commitment to online banking and stock trading or to the software you're using to do it.

For this sort of threat prevention is the best cure. For over a decade systems have been available that have a BIOS boot option to check the boot sector and refuse to boot if it has changed. Most of the Sinowal variants compromise the boot sector. Also, use a browser and/or operating system less susceptible to drive-by downloading.

Although the focus in the article is about financial data it's fairly trivial to modify Sinowal to steal access credentials for other systems such as GIS databases, CAD databases, and other high value information targets not directly associated with finance. Data is money.

Some Sinowal variants are compatible with Vista. I know of no Sinowal variants that are compatible with GNU/Linux OS-X or BSD.

Good luck.

Re:What are the best tools for detecting this?

[Phizzle]

Thank you! I guess I can fire up my old Amiga 4000 and run my online banking through AWeb :)

Re:What are the best tools for detecting this?

[svank]

Thank you! I guess I can fire up my old Amiga 4000 and run my online banking through AWeb :)

Just use a Live CD for online banking if you're really paranoid.

Re:What are the best tools for detecting this?

[danieltdp]

But if I ran those on my Core 2 Duo it will get squashed!

if(isroot = 1){

[davolfman]

Does this remind anyone else of the time someone tried to replace a conditional with an assignment and check it into the linux kernel to make a trigerable security hole?

Re:if(isroot = 1){

[Alex+Belits]

No.

Re:if(isroot = 1){

[gzipped_tar]

I don't think the infamous "isroot = 1" is an example of obfuscated code.

It is actually quite straightforward. I didn't RTFA (but again who does? ;-P ), but I guess the "obfuscated" malware is something like a just-in-time code spitter: the attack code is generated at runtime, on-demand, in an obfuscated manner, bypassing common antivirus software. If the payload is not hard-coded, the malware can masquerade itself as an innocuous application more easily.

Correct me if I'm wrong.

Re:if(isroot = 1){

[dw604]

You stand uncorrected.

CERT and Function Extraction?

I've heard about a project at cert called function extraction that might be relevant to this. It's been going on a few years and they've produced some tools. Don't know much more.

http://www.cert.org/sse/function_extraction.html

WTF?

[CSMatt]

Will someone please make a BugMeNot account for this site? I'm not registering just to view one PDF file.

Re:WTF?

[tylerni7]

You must be new here. You aren't supposed to read the file, just make comments about what it might say.

That's what I said.

[khasim]

Because you'll be p0wn3d in no time. Trust what? AV libraries are mostly behind the times and can't smell subtle variations.

That's what I said. While there isn't an infinite number of variations, there are far more variations possible than there are known good bits.

So do NOT try to solve this problem by matching "bad" patterns.

Match known good patterns and quarantine everything else.

Getting disinfected doesn't necessarily work, either. Usually the initial infection vector still exists (the hapless user).

The user will ALWAYS be the weakest link. As the article I linked to stated, if education could work, it would have worked by now.

Instead, focus on building systems that MINIMIZE the vulnerability and that make it EASY to RECOVER when it is cracked.

Quarantining code is folly.

That's your opinion. I can show that it does work.

Active and varied defenses and re-writes and restores to RO media help.

Huh? How about some specifics? Because that isn't making sense to me.

I scape so much crap from friends and relatives machines that I've got BartsCD built for most of them. I just re-write the registry after active scans, and re-write kernel, vmm, browser crap.

How do you "re-write the registry"?

Instead, imagine an anti-virus system that refuses to allow code to be installed in they system directories (or registered) unless it matches the checksums, names, etc on a list of known good apps. Then it just becomes a issue of keeping that list updated with the latest patches and upgrades.

Instead of downloading the daily list of suspected BAD patterns, you'd be downloading a list of known good patterns. And that would only need to be updated prior to something being installed on the system.

For a business looking to manage thousands of PC's ... all with the same basic apps and patch levels and such ... this would be so much easier than trying to maintain the current anti-virus system (engine upgrades, signature upgrades). Nothing would be installed that was not pre-approved by their department.

Re:That's what I said.

[that+this+is+not+und]

Match known good patterns and quarantine everything else.

That's fine in a business environment where you have a floor of users all running an Office Suite of programs.

In any other setting it stifles innovation. Which is fine, if you work for a big company operated by stuffed suits.

White lists are an excellent opportunity for the people and organizations not afflicted with an IT staff who impose them.

But, then, 'IT' is just the new word for file clerk. Keep those files all neat and in order, clerks.

Re:That's what I said.

[postbigbang]

It's possible to write a known good kernel and a matching set of registry hives (the whole thing can be dangerous) along with vmm, hiberfile and so on to DVD. Using BartsCD, one boots XP, does the restoration, and easily moves on.

There's a certain amount of sense in trying to protect groups of users, in business environments, and so on. An individual will be eventually cracked somehow on Windows. It's tougher to do on Linux, and still tougher on MacOS and xBSD and OpenSolaris.

Still, I watch everyone ignore responsibility, the ISPs and mail providers refusing to write any kind of parsers for their subscribers (fearing latency and liability) and then civilians get hurt. Sure education is a good thing. We try to tell people this. When they go to a legitimate site that's been infected with a cross-post exploit, or a truly well-crafted email, or open up an attachment from an infected friend, relative, or colleague, they're beaten.

IMHO, for Windows users, they've come to accept that they're going to get infected and must then remedy the problem. I protect a few of them by using a cd/dvd of my own design with their stuff on it, so that it takes less than a half-hour to do the repair from beginning to end. There's no use in educating someone when they go to, say, an ancestry site that has a browser exploit in it that can sail right through AVG, Norton, or McAfee, as recently happened to five of my relatives. Same damage, same exploit, same site was the common denominator. When I went to the site, the site didn't bother my machine, likely because someone fixed the problem, maybe unwittingly.

Minimizing is important, sure. But nothing is foolproof because fools are so ingenious.

Re:That's what I said.

[Locklin]

It could still work, on Linux. Suppose you had a program that checks the md5 of every executable file and library on the system with the distro's repository. Then creates a list of the remaining files to be confirmed manually. People writing software could simply manually mark their own software, or non-packaged software as needed.

Re:That's what I said.

[OeLeWaPpErKe]

The problem with open source is simple : authors don't bother, which makes their apps vulnerable in transmission, and the source itself can be infected.

Of course really providing unbreakeable process isolation is evil (drm-enforcement, palladium, microsoft)

Redhat, btw, does do this, but nobody really bothers to check their installation.

And as for the anti-virus companies, every virus author runs all the antivirus tools against his new creation (obviously).

Re:That's what I said.

[BrokenHalo]

It's tougher to do on Linux, and still tougher on MacOS and xBSD and OpenSolaris.

How so? Security is really very much the same between Linux and any other Unix-like OS.

Re:That's what I said.

[JasterBobaMereel]

I am a developer - I run my compiler it generates an EXE - It get quarantined...

It simply is not practical in a "real world" situation except on a locked down one task PC

A firewall, the latest updates, and a user who cannot install/run new programs easily is far more secure (not perfect but more reliable)

I would like to know how the PC was infected : this is the only interesting bit - what happens after is largely irrelevant, once a PC can be persuaded to run arbitrary code then the payload can be anything ....but I can't be bothered to register to find out ...

Re:That's what I said.

[tepples]

People writing software could simply manually mark their own software, or non-packaged software as needed.

So how would malware not mark itself in the same way?

Re:That's what I said.

[RockDoctor]

People writing software could simply manually mark their own software, or non-packaged software as needed.

So how would malware not mark itself in the same way?

The "mark" would need to be made using something like a public-key signature system. The signature contains the path of the OK'd file, it's MDx hash (doesn't particularly matter which hash you choose), and the public key ID of the person who says it's OK, then sign it with that person's private key. The "OK" mark should be trivial to check then.
In addition, since you're talking about someone's within-company ID, you're also talking about their within-company public and private keys, so they can't take those signatures with them and the marking of the system becomes part of the owner's intellectual property.

The malware would have to infiltrate a user ID (and public/private keys) into the system that is secured. And probably they'd need to find and circumvent whatever hash system is being used too (you don't need to use MD5 - there are many other cryptographic hashes around, and the benefits of a multiculture are obvious here).

Re:WTF-squared

WTF? You don't know how to make your own BugMeNot to help OTHER people?

Interesting attack vector

[psydeshow]

According to the Register article, the method of attack was DOM manipulation. The code waits until it sees a login form from a targeted site, and then it injects markup that sends the credentials to the bad guys on submit.

We can speculate on whether that's true or not, but if it is then it should be fairly easy to use a bit more javascript (why not? heh.) to check the integrity of the DOM. Banks should also be randomizing the structure of their forms and the names/ids of form fields as a matter of course.

Of course the attacks will evolve, but as long as you're going to play the game you've got to keep moving.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Web 2.0 RIP

[PPH]

That will kill Web 2.0 technologies. Or anything where content/service providers expect you to run their code on your system. None of the schemes for whitelisting, signed certificates, checksums, etc. can handle the sheer volume of apps. that these new services expect you to handle. They work well for manually downloaded and installed applications and packages. But not when every kid with a FaceBook page has a game or other cure widget they want you to download.

The sheer volume of web apps of this type will provide numerous opportunities for people to find weakneses and use it to deliver something evil.

Re:Web 2.0 RIP

Great. Running code from someone else is a very large security exposure.

My bank expects me to run their code (javascript) but won't run my code on their system. Why not?

Re:Web 2.0 RIP

You just answered your own question at the start of your post.

Running code from someone else is a very large security exposure.

We can "trust" them because, well, we're told that we can trust them -- but who are you and why should I trust your code?

Re:Web 2.0 RIP

[Wildclaw]

It is perfectly possible to run programs that aren't trusted. You just can't allow them to do certain things. This is the main principle of sandboxing, and a good operating system should sandbox every single application completly, unless someone with administrator privileges requests otherwise. And even such requests should only be exceptions to the sandboxing.

I am running every program I don't trust sandboxed with sandboxie. It isn't a perfect solution as it isn't as well integrated into the system as it could be. There is also the problem that I don't have a 64 bit upgrade path because Microsoft is preventing low level security programs from working on their x64 operating systems.

When I install a game I want to be able to say:

"By default you'll have access to the same things as any program and that is read access to executables/libraries and settings registered as public. I'll also grant special rights to access the internet, but because of that you won't be able to access my documents folder (even in read mode) because that would constitute a security risk."

Finally, a whitelist to authorize installation of well known libraries (DirectX, Java, etc.) would further reduce the burden of making hard security decisions.

Re:Web 2.0 RIP

[PPH]

unless someone with administrator privileges requests otherwise.

Which, for most PCs, happens to be the user, Joe Sixpack. To whom, most UAC popups look like:

Blah, blah blah blah. Blah access blah blah blah. Blah.
[Cancel] or [Allow]

All Joe Sixpack cares about is which button will make the nasty box go away the fastest.

Re:Web 2.0 RIP

[Wildclaw]

True. But you can never protect idiots. It is doomed from the start.

However, modern operating systems fails to even protect people who aren't stupid. It is way too easy to get malware installed on machinem and far too difficult to remove it.

Re:Nothing can protect you

[Jessta]

Nothing can protect you?
how about not running code that is malicious?

I've always found the concept of 'computer security' fairly strange. It's your computer, you control what runs on it...
why are people running code that acts counter to their interests?
why are operating systems designed in such a way that a user can have no idea what a program is going to do?

Seems kind of insane to me.

Been around for 18 years

[Xenna]

We used to call it polymorphic code. A much prettier name if you ask me.

Been around since 1990:

http://en.wikipedia.org/wiki/1260_(computer_virus)

Re:Been around for 18 years

[Bounb]

Actually, polymorphic code is that which mutates whilst obfuscated code is that which is intentionally written as to mask the function of the code.

Re:Been around for 18 years

Indeed. Anyway the word used was polymorphic because the viruses had to modify themselves when spreading to different floppies, to try bypassing the AV checks of that time. I'd swear i heard about the concept before the 90s even.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Nothing can protect you

[Jessta]

In fact you are wrong.
Computer aren't as complicated as that.
It's easy enough to design a system to make obscuring the purpose of a piece of code impossible and then have all programs define a contract with the system as to what resources they need to use on the system, this information is conveyed to the user in a nice way and now the user will know straight away if a program is going to act maliciously before they run it.

0-day arbitrary code execution vulnerabilities are created due to a small set of things that overworked programmers forget sometimes, and can be easily abstracted away (it's just that C is such a shit programming language yet it's so widely used)

Where is specific information on Sinowal?

So I've read through the RSA article and the one linked to by the story and apart from some fancy graphs and "it works by doing this", there is *NO* specific information available about this trojan.

How do I know if my computer, or anyone else's computer, is infected?

Are there URLs that a firewall can block?

Are there IP#'s that a fireall can block?

Are there DLLs that should be searched for?

Registry entries that need to be fixed?

None of this is provided...or is it all in Finjin's report?

This is why not providing full disclosure sucks - nobody is able to do anything to determine if they're infected or if they need to do any mitigation until some "approved" vendor bundles detection into their anti-virus product.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Nothing can protect you

[jesterzog]

As always, the only thing you can do is keep your software updated, don't run programs or code you don't trust, don't let people on your system that you don't trust to keep the system clean, and hope for the best.

I'd add regular backups of important data to that list.

Matching Obfuscated Code

There are ongoing efforts to detect the similarity of a program even when the code is obfuscated.
http://www.furiachan.org

Re:Nothing can protect you

[danieltdp]

There should be a contest of obfuscated english! I would vote on your post! kudos

You mean a sandbox, right?

[tepples]

It's easy enough to design a system to make obscuring the purpose of a piece of code impossible

Given: The purpose of a piece of code is either to halt or to loop. Deciding even this has been proven impossible.

and then have all programs define a contract with the system as to what resources they need to use on the system

In other words, you're recommending sandboxing. That is a solved problem on OLPC and on FreeBSD, but as far as I can see, no such software for creating and managing sandboxes comes with home editions of the Windows operating system.

Re:You mean a sandbox, right?

[Jessta]

Given: The purpose of a piece of code is either to halt or to loop. Deciding even this has been proven impossible.

This is only an issue for a complete Turing machine, by limiting what a program can do you can avoid this problem.

The relevant parts of a possibly malicious program to a user or admin is how it interacts with the rest of the system. Because what ever it's doing is mostly irrelevant until it's outputting it to somewhere. This is very easy to notice and impossible to obscure. As all of this interaction goes through calls to system libraries

and then have all programs define a contract with the system as to what resources they need to use on the system

In other words, you're recommending sandboxing....I can see, no such software for creating and managing sandboxes comes with home editions of the Windows operating system.

I wasn't actually recommending sandboxing, I was recommending language based system security(singularity, inferno etc). Why even run untrustworthy code? Thanks for the link to Bitfrost haven't seen that project yet, has some similar ideas.

Re:You mean a sandbox, right?

[tepples]

The relevant parts of a possibly malicious program to a user or admin is how it interacts with the rest of the system. Because what ever it's doing is mostly irrelevant until it's outputting it to somewhere.

And sandboxes are designed to control how a program interacts with the rest of the system.

I was recommending language based system security(singularity, inferno etc).

Most languages still can't parse string arguments deeply enough to distinguish open() in the user's home directory from open() elsewhere. That's the responsibility of runtime security such as ACLs or capabilities, and sandboxing is just a finer-grained way to assign capabilities than the traditional user/group model.

Why even run untrustworthy code?

Because the major vendors of computer hardware for use in a home environment have declined to provide a convenient way to mark code developed by an amateur programmer as trustworthy. This is already the case for computers designed to display on an SDTV[1]: these devices require all software to either 1. have been digitally signed by the console maker under a negotiated contract with a sufficiently large publisher, or 2. run in an interpreter in a sandbox under a soft-mod that costs $495 per machine[2]. Some are speculating that Windows 7 Home Edition will require programs to carry an Authenticode signature in order to access new features of Windows 7.

[1] These devices are commonly called video game consoles. Not all home PCs include TV output, and those that do typically include TV output only as an afterthought.

[2] This soft-mod is called XNA Creators Club, and I quoted the price for a certificate that covers the five-year life of a console at $99 per year. The iPhone SDK has a similar pricing structure, as I had predicted when Apple announced it. Wii doesn't have even this; the WiiWare SDK is thought to cost $2,000 for a Wii developer unit plus $10,000 per year or more for office space.

Re:You mean a sandbox, right?

[Jessta]

And sandboxes are designed to control how a program interacts with the rest of the system.

Sandboxing is usually about controlling an untrusted program and denying it access to requested resources it's not authorised to access. I'd prefer a program was trusted and didn't make requests for access to unauthorised resources.

Most languages still can't parse string arguments deeply enough to distinguish open() in the user's home directory from open() elsewhere...

Yeah, so you don't even include open() in the standard lib of the language, so the programmer can't even make the request. Then you create a different syscall that's more restricted. Similar to how the Bitfrost #P_DOCUMENT section handles it.

Why even run untrustworthy code?

Because the major vendors of computer hardware for use in a home environment have declined to provide a convenient way to mark code developed by an amateur programmer as trustworthy.

This doesn't require hardware support(it would be nice, but not required), it just means that you have a small piece of code for a launcher that you must hand review that checks if a piece of code is correctly signed

Antivirus isn't exactly "security"...

it's more like "insecurity mitigation". You're right, though, whether caused by malware or just a patch gone awry, you keep having to rebuild system images.

<rant>
With tons of software that requires activation, patching, and so forth, even imaging backup is nearly a waste of time. Volume licensing is nice but just try talking small business owners into paying $oftware A$$urance to get bulk-installable volume versions. Half the machines own specialized hardware so terminal services and virtualization are right out. About the only workable answer is script-based installation, and that just takes ages to finish.
</rant>

Anything similar for home edition?

[tepples]

The "mark" would need to be made using something like a public-key signature system. [...] In addition, since you're talking about someone's within-company ID

The system you describe is very similar to the existing Authenticode system, with the company as the root CA. It would work within a sufficiently large company, which applies something like Windows group policy across a domain. But do you know any way this system could be extended to a home or home office environment? Adware and surveillanceware published by large companies routinely gets signed, and legitimate free software maintained by amateurs remains unsigned because the extra $200 per year to keep the certificate current isn't worth it.

Re:Anything similar for home edition?

[RockDoctor]

The system you describe is very similar to the existing Authenticode system, with the company as the root CA.

I'll take your word for it. "Authenticode" rings a (faint) bell.

It would work within a sufficiently large company, which applies something like Windows group policy across a domain.

I'll take your word for it. I remember trying to get my head around the difference between a domain and a subnetwork yonks ago, and failing. It seems to be an incoherent mess - every company implementing different things differently, with zero or negative documentation.

But do you know any way this system could be extended to a home or home office environment? Adware and surveillanceware published by large companies routinely gets signed, and legitimate free software maintained by amateurs remains unsigned because the extra $200 per year to keep the certificate current isn't worth it.

I don't know what you mean by "home" or "home office" environment - at least in some way that differentiates it from any other office environment. You have costs (heating, tax, hardware, etc), which you pay as a part of doing your business. I've been considering whether or not to pay such a cost for myself, but not having any pressing reason to do so, I've got better uses for the money. But then, I don't make my living by writing software. Obviously, if you do make your living writing software, then you'll take a different opinion on what are necessary costs for your business.
Such costs would, I assume, be tax deductible. So they come off your gross income before you start calculating tax. (If I understand the tax laws, which is something that I don't intend to put to the test, ever, if at all possible.)

What's $200?
A pretty high end graphics card (which, if you're doing graphic-intense work, should itself be tax-deductable. But you'll have to keep it around for the auditors for IIRC 5 years.)? Well, far higher end than anything that I've ever wasted money on.
Or a night out at a decent restaurant for several piglets? (Two nights if it's Malta - I was quite impressed by the food, and the prices.)

Is $200 more than you're willing to pay as part of the cost of being in that business? You'll love doing it for a living then - we spend something like that much on the execution-control device for every installation of our software.

There may well be lower-priced signing authorities - I thought that was part of the purpose of things like the PGP "network of trust"? I've never had reason to find out.

Re:Anything similar for home edition?

[tepples]

I don't know what you mean by "home" or "home office" environment - at least in some way that differentiates it from any other office environment.

A home environment has no dedicated IT personnel to try new programs in a sandbox to determine that they're not likely to misbehave in production. That's why some Slashdot users have proposed installing every application into a separate sandbox, but then that would involve work on Microsoft's part to add support in the system libraries and the Windows user interface for managing sandboxes.

I've got better uses for the money. But then, I don't make my living by writing software. [...] Is $200 more than you're willing to pay as part of the cost of being in that business?

As you started to recognize, not everybody who develops software does it as a business. Some are employed in other fields; some are developing a portfolio for prospective employers; some are still in school. If you get your pet free software project picked up by a company or a software foundation, signing software for public use is well worth it. Otherwise, $100 to $200 per supported platform per year can make it a really expensive hobby. And even then, signing just tells the user who published a program, not that it is in fact safe. In the era of ABSOLUTELY NO WARRANTY, there's a big difference.

Re:Anything similar for home edition?

[RockDoctor]

If you get your pet free software project picked up by a company or a software foundation, signing software for public use is well worth it. Otherwise, $100 to $200 per supported platform per year can make it a really expensive hobby.

You need a different signature key for each platform?? Weird. And probably unhealthy.

Re:Anything similar for home edition?

[tepples]

You need a different signature key for each platform??

Yes. Authenticode certificates work only on Windows. iPhone SDK certificates work only on iPhone. XNA Creators Club certificates work only on Xbox 360.

Re:Anything similar for home edition?

[RockDoctor]

This bloody "new" discussion system seems to have lost my previous reply. What I want to know is, what did I do to get it turned on, so I can avoid doing that in future?

Do you know of a cross-platform code authentication system? You seem to have some sort of professional stake in code development.

I would guess that the only way such could work would be to distribute a package of pre-compiled binaries, separated into chunks (libraries) which are processor-specific versus processor-agnostic, together with linking information to put together the "libraries" at run time into a "authenticated" whole.

Authenticating the author of code would provide a worthwhile level of protection against malicious code, but no protection at all against incompetent programming, or the use of inappropriate algorithms.