
Open Source malware McAfee Rant

  • 18-07-2006 2:42pm
    #1
    Closed Accounts Posts: 884 ✭✭✭


    http://www.vnunet.com/vnunet/news/2160379/security-feels-pain-open-source


    The quote of the day
    The Phalcon-Skism Mass Produced Code Generator, for instance, is a virus creation kit that has been used to author about 15,000 different viruses. It accounted for 46 per cent of all detected malware in 1999.

    This engine did not produce encrypted code and produced the most basic of viruses. Heuristics picked up most if not all of these. It's no different from googling for code and changing a few instructions.

    Virus code has been distributed since the days before dial-up, on BBSs and mail-order file libraries. (I used to use mail-order file libraries and remember seeing them in the catalogue.)


Comments

  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    If you haven't already read this book, I would highly suggest getting a copy.
    http://www.amazon.com/gp/product/0321304543/sr=8-4/qid=1153242398/ref=pd_bbs_4/102-3388621-0268162?ie=UTF8

    I've just skimmed through most of the chapters and found it really interesting.
    Although I've gone through source code from e-zines for quite a while, it was refreshing to read comments from the other side of the fence in this book, so to speak, in a more clear and concise way.

    It's written by Peter Szor, who originally wrote the AV software Pasteur (discontinued in 1995).
    He now works at Symantec.

    On your own comment, NutJob, I see the point you make: although there can be thousands of variants, the code is all very similar in structure.

    It's probably just a business tactic most of the companies use, like one claiming "our scanner can detect 15,000 viruses",
    trying to score points against another vendor because it can detect more and is therefore somehow better, etc.

    Zmist by Z0MBiE or MetaPHOR by Mental Driller were probably created when Win32 virus programming was at its height, 4-5 years ago. The code was and still is very impressive, and a challenge for AV vendors to detect.

    Even Peter admits that they cannot detect all infections of Zmist or MetaPHOR 100%.

    29A, the group of which both were/are members, hasn't really produced anything as good as their 6th release, and it doesn't look like they will either. I was expecting the 9th release last month.

    These days there just seems to be loads of spyware and malware rather than code that shows some new technique in virus programming.

    Perhaps rootkit programming will integrate some of the ideas used by virus writers years ago; it's yet to be seen, though.
    I mean polymorphism and metamorphism, that kind of thing, not so much hooking, which has been around for yonks.

    Check out the book anyway, it's excellent.


  • Closed Accounts Posts: 884 ✭✭✭NutJob


    Same old arms race.

    It'll happen: the old DOS stuff like tunneling interrupts will become tunneling kernel APIs.

    Rootkit stealth will move to the disk level as soon as McAfee starts using RootkitRevealer-type searching. It's all rehashes of old DOS stuff.

    Odds are the 29A group is working on Vista as a target, like many others, as the kernel now moves and the old kernel search routines won't work, plus LUA. All for the same bragging rights the Aussies got for starting the first Win95 virus, Bizatch.

    As for malware writers, most of them are aiming for terror weapons. Fraud and bots: they'll use any code they can get their hands on if there's, unfortunately, easy money in the equation.

    Hell, most bots are just an IRC client and an FTP server and the shellcode from the Metasploit Framework plus payload. Two days of easy work in straight C.

    Must grab that book, thanks, and I'll grab the rootkits one too as it will be a classic in a few years.


  • Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 90,852 Mod ✭✭✭✭Capt'n Midnight


    Looks like we could be heading back to whitelists; still, with centralised updates off the web this may actually be easier for executable files.
    Binary searches of checksums are fairly fast, and if each vendor released a standardised list that is updated when patches appear then that would be nice. It would be quicker to CRC a file than do a full scan of it against a malware database. (But many AV programs do a quick scan by testing parts of the files.)

    It could also stop end users installing unlicensed software and provide a more definitive way of checking patches were actually installed and not subsequently overwritten, like IIS used to do.

    You still have the problem of documents having payloads though.


    Trusted computing, where you have to trust the software companies?
    It's not like VeriSign and co. haven't handed out certs to the undeserving before.
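
The whitelist scheme in the post above, as an added example (editor's code, not anything from the thread, from McAfee or from any other vendor): a sorted list of CRC-32 checksums probed by binary search, beside the reason a practitioner would key such a list on a collision-resistant hash rather than a CRC. CRC-32 is linear over GF(2), so four bytes appended to any modified file make it collide with any whitelisted checksum; the block performs that forgery against a constructed stand-in "executable". The file contents, whitelist entries and function names are all made up for the example.

```c
/* Added example (editor's code, not from the thread or any vendor): a CRC-32 keyed
 * executable whitelist probed by binary search, as the post describes, and why a
 * CRC is the wrong key for it. All contents below are constructed for the example. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static uint32_t crc_table[256];

/* Standard reflected CRC-32 (polynomial 0xEDB88320, as in zip, PNG and Ethernet). */
static void crc32_init(void)
{
    for (uint32_t i = 0; i < 256; i++) {
        uint32_t c = i;
        for (int k = 0; k < 8; k++)
            c = (c & 1) ? (c >> 1) ^ 0xEDB88320u : c >> 1;
        crc_table[i] = c;
    }
}

static uint32_t crc32_update(uint32_t reg, const uint8_t *p, size_t n)
{
    if (crc_table[1] == 0) crc32_init();        /* lazy one-time table build */
    for (size_t i = 0; i < n; i++)
        reg = crc_table[(reg ^ p[i]) & 0xFF] ^ (reg >> 8);
    return reg;
}

uint32_t crc32(const uint8_t *p, size_t n)
{
    return crc32_update(0xFFFFFFFFu, p, n) ^ 0xFFFFFFFFu;
}

static int cmp_u32(const void *a, const void *b)
{
    uint32_t x = *(const uint32_t *)a, y = *(const uint32_t *)b;
    return (x > y) - (x < y);
}

/* The check the post proposes: sorted vendor-published checksums, probed by binary search. */
int whitelist_contains(const uint32_t *list, size_t n, uint32_t crc)
{
    return bsearch(&crc, list, n, sizeof *list, cmp_u32) != NULL;
}

/* Why it fails: CRC-32 is linear, so four appended bytes steer the checksum to any
 * chosen value. Walk the table backwards from the wanted register state to recover
 * the four table indices used, then pick the bytes that select those indices. */
void crc32_force(uint8_t *buf, size_t n, uint32_t target)   /* buf holds n + 4 bytes */
{
    uint32_t reg = crc32_update(0xFFFFFFFFu, buf, n);   /* state after the real data */
    uint32_t want = target ^ 0xFFFFFFFFu;                /* state before the final XOR */
    uint8_t idx[4];
    for (int i = 3; i >= 0; i--) {
        int j = 0;                  /* table entries have distinct top bytes */
        while ((crc_table[j] >> 24) != (want >> 24)) j++;
        idx[i] = (uint8_t)j;
        want = ((want ^ crc_table[j]) << 8) | (uint32_t)j;
    }
    for (int i = 0; i < 4; i++) {
        buf[n + i] = (uint8_t)((reg ^ idx[i]) & 0xFF);
        reg = crc_table[idx[i]] ^ (reg >> 8);
    }
}

int forge_roundtrip(uint32_t target)            /* 1 if "hello" + 4 bytes hits target */
{
    uint8_t buf[5 + 4] = "hello";
    crc32_force(buf, 5, target);
    return crc32(buf, 9) == target;
}

/* 1 if a tampered stand-in "executable" fails the whitelist check until it is
 * patched to collide with the genuine file's checksum, after which it passes
 * while its contents still differ. */
int demo_whitelist_bypass(void)
{
    static const uint8_t good[] = "MZ constructed stand-in for a whitelisted binary";
    static const uint8_t other[] = "MZ a second whitelisted vendor binary";
    uint32_t wl[2] = { crc32(good, sizeof good), crc32(other, sizeof other) };
    qsort(wl, 2, sizeof wl[0], cmp_u32);         /* bsearch needs sorted input */
    uint8_t evil[sizeof good + 4];
    memcpy(evil, good, sizeof good);
    evil[3] = 'X';                               /* the tamper: one byte changed */
    int before = whitelist_contains(wl, 2, crc32(evil, sizeof good));
    crc32_force(evil, sizeof good, crc32(good, sizeof good));
    int after = whitelist_contains(wl, 2, crc32(evil, sizeof evil));
    return !before && after && memcmp(evil, good, sizeof good) != 0;
}

int main(void)
{
    printf("forged CRC hits target: %d\n", forge_roundtrip(0xDEADBEEFu));
    printf("tampered file passes whitelist after patching: %d\n", demo_whitelist_bypass());
    return 0;
}
```

Compile with `cc -std=c99 -Wall whitelist_crc.c`. The lookup itself is sound and cheap; the key is the problem. A whitelist that gates execution needs a collision-resistant digest (SHA-256 today) and a signature over the published list, otherwise an attacker who can modify a file can also make it "match" with four extra bytes, and whoever can alter the list can whitelist anything.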


  • Registered Users Posts: 1,647 ✭✭✭rogue-entity


    @CM: End users will always find a way to install "unlicensed" software, as long as software like Dreamweaver, Photoshop, Office and Windows remains expensive and the de facto standard. Open source has come a long way, but it just doesn't provide the same features that are available in these commercial programmes.


  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    Capt'n Midnight wrote:
    Trusted computing, where you have to trust the software companies?
    It's not like VeriSign and co. haven't handed out certs to the undeserving before.

    I don't believe trusted computing will work.
    It will certainly stamp out a lot of piracy and give developers some breathing space to innovate without worrying about the issue.

    Pierre Vandevenne (from DataRescue, authors of IDA) made some interesting remarks recently about cracking protection mechanisms:
    The problem with hardware protection is that it really bothers legitimate customers. And that is really something I don't want to do.

    Another expert says in response to the above:
    There is really only one serious drawback to hardware protection: cost. The costs fall into two categories: costs to DataRescue for implementation and costs to customers for validation. The uber-secret gov/mil types often have to validate everything they run, including hardware.

    And from a cracker himself:
    As for the idea of hardware for copy protection, that is the best laugh I've had all day. I am certain that at absolute best it will be snake-oil. Sure implement it as a processor or co-processor. Don't you think that will be emulated? Don't be fooled that providing a solution via anything but USB dongle will make it more secure. It will either work the same way as a dongle (and we all know how well they have secured other popular software) or as an emulator which again, any determined and skilled cracker will in time bypass. The old adage applies - if it runs it CAN be cracked. It is a battle which is already lost. Ultimately additional security will only be to the detriment of legitimate customers whilst dedicated and highly skilled crackers will bypass this to the benefit of all of the pond-life out there.

    It is all well and good to occupy the moral high ground regarding crackers, but unfortunately in a global population of over 6 billion people, however second-rate most crackers may be, there will always be a minority with the sources and ability to crack anything, given time, if it is seen as being of worth. Realistically I believe IDA is probably number one in the chart of must have underworld tools so therefore will gain the focus of the finest crackers, for fame or fortune. Look at some of the examples of extreme protection, be they from Starforce or dongle implementations used in Cubase products etc. They may at best slow down a pirate release, but name one popular product that hasn't ultimately been cracked?

    The single best security solution is to keep it out of their [crackers] hands in the first place and to provide updates and support to make purchasing worth every penny (which as a company you definitely do). I believe that a name and shame policy, secure and obtuse fingerprinting, plus very careful vetting of potential customers (all of which you are very familiar with) over time can lead to the only truly secure distribution system.

    Think about the mentality of the cracking community - If you release IDA 5.1 tomorrow will they still be interested in IDA 5.0? Definitely not! In that respect if you can contain leaks you will always retain the competitive ground and business viability which comes with it. I can only guess that since following such a policy you are finally making a profit on IDA and it is my belief that if continued, you will in time break the back of this problem.

    If you consider in recent years how many cracked 'Russian' releases have made their way onto the pirate scene compared to how many 'leaked' releases, then it can only confirm your policies as successful. Knowing where to really close the holes (at this stage) to secure your software is easy.

    http://www.datarescue.com/ubb/ultimatebb.php?/topic/1/989.html


  • Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 90,852 Mod ✭✭✭✭Capt'n Midnight


    NutJob wrote:
    Same old arms race.

    It'll happen: the old DOS stuff like tunneling interrupts will become tunneling kernel APIs.

    Rootkit stealth will move to the disk level as soon as McAfee starts using RootkitRevealer-type searching. It's all rehashes of old DOS stuff.

    Odds are the 29A group is working on Vista as a target, like many others, as the kernel now moves and the old kernel search routines won't work, plus LUA. All for the same bragging rights the Aussies got for starting the first Win95 virus, Bizatch.
    10 years ago it was a case of sending random packets to Windows to crash it.
    Things have changed.
    Now sending random packets to Windows is a way of finding new buffer overflows to gain complete control of the system.

    Microsoft are rewriting the networking in Vista, so expect it to be flaky for a while. I'd love them to put proper bounds checking on buffers/input even at the expense of speed. Maybe it would be stable then. But I expect to see a repeat of stuff like NT4 needing SP3 to share files, and 2003 failing to copy large files on UNC names but working better on drive-letter shares. And 2003 also has problems with importing lmhosts via IP'd UNC shares. If you can't get TCP/IP right then internet security is not a certainty.
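
What "proper bounds checking on buffers/input" looks like, and how random packets find its absence, as an added example (editor's code, not the thread's, and the record layout is constructed for the example, not any real Windows or Microsoft protocol): a length-prefixed record, the unchecked logic reduced to a predicate that reports whether the trusting copy would have overrun (so the example runs without corrupting memory), the hardened parser beside it, and a deterministic random-packet driver that shows the unchecked version failing on nearly every packet while the checked one never accepts an unsafe one. Function names, constants and the seed are assumptions of the example.

```c
/* Added example (editor's code, not from the thread, and not any real Windows
 * protocol): the bounds checks the post asks for, on a constructed record layout
 *   [u16 big-endian payload length][payload bytes ...]
 * plus a deterministic "random packets" driver showing how their absence is found. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAYLOAD_MAX 64
#define PKT_MAX 512

/* The classic bug, kept as a predicate so the example can run safely: 1 if code
 * that trusted the length field and did  memcpy(out, pkt + 2, len)  into a
 * uint8_t out[PAYLOAD_MAX] would write past out[] or read past what arrived. */
int naive_would_overflow(const uint8_t *pkt, size_t pkt_len)
{
    if (pkt_len < 2) return 1;                  /* even the header read is out of bounds */
    size_t len = ((size_t)pkt[0] << 8) | pkt[1];
    return len > PAYLOAD_MAX || len > pkt_len - 2;
}

/* Hardened parser: reads bounded by bytes received, the write by the destination
 * size. Returns the payload length, or -1 without touching out[] on any mismatch. */
int parse_checked(const uint8_t *pkt, size_t pkt_len, uint8_t out[PAYLOAD_MAX])
{
    if (pkt_len < 2) return -1;                 /* header must be present */
    size_t len = ((size_t)pkt[0] << 8) | pkt[1];
    if (len > PAYLOAD_MAX) return -1;           /* would overflow out[] */
    if (len > pkt_len - 2) return -1;           /* claims more than was received */
    memcpy(out, pkt + 2, len);
    return (int)len;
}

/* Hand-built packets exercising each branch. Returns 1 if all behave as intended. */
int check_known_packets(void)
{
    uint8_t out[PAYLOAD_MAX];
    const uint8_t ok[] = { 0x00, 0x03, 'a', 'b', 'c' };          /* exact fit */
    const uint8_t truncated[] = { 0x00, 0x10, 'a' };             /* says 16, sends 1 */
    uint8_t oversize[2 + 256] = { 0x01, 0x00 };                  /* says 256 > 64 */
    const uint8_t header_only[] = { 0x00 };                      /* 1 byte in total */

    if (parse_checked(ok, sizeof ok, out) != 3 || memcmp(out, "abc", 3) != 0) return 0;
    if (naive_would_overflow(ok, sizeof ok)) return 0;
    if (parse_checked(truncated, sizeof truncated, out) != -1) return 0;
    if (!naive_would_overflow(truncated, sizeof truncated)) return 0;
    if (parse_checked(oversize, sizeof oversize, out) != -1) return 0;
    if (!naive_would_overflow(oversize, sizeof oversize)) return 0;
    if (parse_checked(header_only, 1, out) != -1) return 0;
    return naive_would_overflow(header_only, 1);
}

/* xorshift32 keeps the "random packets" reproducible. Seed must be non-zero. */
static uint32_t xs32(uint32_t *s)
{
    uint32_t x = *s;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return *s = x;
}

/* Feed n random packets to both versions. Returns how many the naive code would
 * have overflowed on; *unsafe_accepted counts those the checked parser let
 * through, which must stay at 0. */
int fuzz(unsigned n, uint32_t seed, int *unsafe_accepted)
{
    uint8_t pkt[PKT_MAX], out[PAYLOAD_MAX];
    int overflows = 0;
    *unsafe_accepted = 0;
    for (unsigned i = 0; i < n; i++) {
        size_t pkt_len = xs32(&seed) % (PKT_MAX + 1);            /* 0..512 bytes */
        for (size_t k = 0; k < pkt_len; k++) pkt[k] = (uint8_t)xs32(&seed);
        int bad = naive_would_overflow(pkt, pkt_len);
        overflows += bad;
        if (bad && parse_checked(pkt, pkt_len, out) >= 0) (*unsafe_accepted)++;
    }
    return overflows;
}

int fuzz_overflows(unsigned n, uint32_t seed)
{
    int unsafe; return fuzz(n, seed, &unsafe);
}

int fuzz_unsafe_accepted(unsigned n, uint32_t seed)
{
    int unsafe; fuzz(n, seed, &unsafe); return unsafe;
}

int main(void)
{
    int unsafe, bad = fuzz(1000, 0x9E3779B9u, &unsafe);
    printf("known packets behave: %d\n", check_known_packets());
    printf("random packets the unchecked code would overflow on: %d/1000\n", bad);
    printf("of those accepted by the checked parser: %d\n", unsafe);
    return 0;
}
```

The two checks that matter are the ones the unchecked version skips: the declared length against the destination size, and the declared length against what was actually received. With a 16-bit length field and a 64-byte destination almost every random packet trips at least one of them, which is why blind packet fuzzing of the kind the post describes finds this class of bug so quickly.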

