Friday, May 2, 2008

Unintended Consequences

This past week I spoke at the Systems and Software Technology Conference on the topic of Understanding Web Application Security in a "Web 2.0" world, and hung around to hear a few other people speak on topics that I thought were interesting.

Of note is Paul Anderson's talk on his group's advances in the technology of binary code tracing and the code obfuscation tools his company, GrammaTech, sells. The first part, on disassembly and analysis of binary code for vulnerabilities, was fascinating - but I think the second portion of his talk was what piqued my attention. Essentially, his company has a suite of tools that will "transform" your code and make it nearly impossible to disassemble (he demonstrated this with IDA Pro screenshots). His example was cat.exe, a tool we are all familiar with; he showed two IDA Pro screenshots of the binary executable. The first was just the .exe file on its own, showing all the innards and components of the binary. The second was of the same file after Paul's tools had "obfuscated" the code. IDA Pro had no idea what to do with this new binary: it found one function (the main one) and mislabeled where it was stored (it "found" it in .data). This led me to an interesting concern, so I asked the question...

If you're now building a toolkit like this (or rather, perfecting it, since I'm fairly confident stuff like this already exists in large quantities) and it gets into the hands of the people writing the malware (and it will), are we looking at another major setback for signature-based malware detection?

You can see this two ways, or so I think. You can look at it and say, "Well, this technology will change how we detect viruses and such; when it gets into the 'wrong hands' it will set the good guys back pretty badly." The second way to look at this is two-pronged, though. We're already finding code that's polymorphic and self-changing to evade detection; these tools will only further that cause and give the process enterprise-level assistance. Next - signature-based malware detection is a dying and outdated method anyway... right?

So now I guess the ante has been raised in the perpetual arms race between the white hats and black hats. With more and more tools coming out to assist in DRM and PI security (through binary code obfuscation), are we really wasting our efforts? Naturally, you can guess I have my own opinion - but I'd like you to think about it for yourself.


DaveB said...

any chance of getting a copy of your presentation?

Without subscribing to IEEE I mean :-)

Anonymous said...

Just one URL that Google feeds out and is easy to find, some of those come with source, then you have Morphine (google "morphine 2.7 download" and you'll find a working download), now that is what is publicly available, let alone what is hidden around the darker alleys of forums and Russians. Get ahold of a good ASM programmer and pay them some $$$ and you can have a nice polymorphic metamorphic encrypting engine built in to your exe and hey, guess what? Signatures are useless, let's hope heuristics work... but guess what? They generally suck, especially for those suckers stupid enough to be running something like Symantec; to the lucky few running Kaspersky you might pick it up but you're probably only going to notice it when it receives its first botnet signal or when it tries to use your net connection for something if it can't already work out how to shut down the firewall in your AV app...

This is a serious arms race but if you come from the underground you will realize that AV apps are useless and have no hope in hell of catching up. COMPLETELY undetected exes that are malware/rootkits/whatever are popping up more and more around me and I'm not in as deep as a lot of people so there's even more available when I spend some more time on it.

When it comes to installing malware, making a few k per week for an hour or two's investment isn't all that hard, and the better you get the less time it takes and the more you get for your short amount of time invested each day.

There are also other fun things like MPack, IcePack, FirePack, NeoSploit; if you haven't even heard of these as you read, go google them and prepare to go white in fear: completely silent drive-by installs, all you need is a Windows computer that isn't fully up to date and you happen to run Internet Explorer and go to a site with this on (all it takes is a lowly iframe), guess what? You now have malware/rootkit/keyloggers/anything the person who set it up wanted you to have. Now combine the pack with a 0day exploit, let's see - how many Windows computers do you think have Works installed? Enough to be interesting to a hacker I would think... Microsoft has done well in painting a big bullseye on themselves, they need to be far more proactive about security and even Vista is not enough to compensate for their previous track record.

Sorry, but AV and security firms just aren't going to win at this rate; delve into the dark side more and you would understand.

Rafal Los said...

DaveB: Please email me directly and I'll see what I can do. My pseudonym (Rx8volution) is my GoogleMail email address.