oxff's Blog
Random notes and opinions from Georg 'oxff' Wicherski, covering my travels around the world due to my job(s) as Software Engineer to various conferences and other stuff on my mind.
2007-09-11
2007-04-07
Jikto Hype
After not posting for quite some time, I've got something to say again.
Recently, the Jikto `Javascript Drone' was hyped a lot in different media; the usual ``OMG t3h Internet is l0st'' we see at least once each year. I just had a look at Jikto's code, which was leaked the day after Jikto was presented at ShmooCon. It's totally ridiculous: it uses XMLHttpRequests to spider web pages and tries to find `.old' and `.bak' files on these servers by bruteforcing every found file. Additionally, it features a very false-positive-prone XSS scanner.
This XSS scanner injects <script>alert('xss');</script> into every GET parameter and just parses for `script' in the response. If the brackets are properly escaped, we still get our false positive. How enterprise.
Another wrong rumor is that this code turns your computer or your browser into a drone. It's just yet another non-resident script. Additionally, because XMLHttpRequest is bound by the browser's same-origin policy, you're limited to scanning the site the script was loaded from (unless you find a cool vulnerability in your browser or already know an XSS in the target site to inject Jikto).
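Two of the points above, written out as an added Python example (not Jikto's code, which was JavaScript, and not part of the original post): the first half contrasts the `script'-substring heuristic described above with a check that only fires when the probe is reflected with its angle brackets intact; the second half shows the same-origin constraint as a partitioning of discovered links. The three server responses and the link list are constructed for the example.

```python
import html
from urllib.parse import urlsplit

# The probe the post says Jikto injects into every GET parameter.
PROBE = "<script>alert('xss');</script>"


def jikto_style_check(body: str) -> bool:
    """The heuristic described above: flag any response containing 'script'."""
    return "script" in body


def reflected_unescaped_check(body: str, probe: str = PROBE) -> bool:
    """Stricter heuristic: flag only when the probe comes back verbatim,
    i.e. its angle brackets were not HTML-escaped. Still a heuristic: a
    reflection inside an attribute or a JavaScript string needs
    context-aware analysis, which this does not attempt."""
    return probe in body


# Constructed sample responses standing in for three kinds of server.
def render_escaped(param: str) -> str:
    # Correct handling: the parameter is HTML-escaped before output.
    return f"<html><body>You searched for: {html.escape(param, quote=True)}</body></html>"


def render_raw(param: str) -> str:
    # Reflects the parameter verbatim (the case a scanner should flag).
    return f"<html><body>You searched for: {param}</body></html>"


def render_unrelated() -> str:
    # Does not reflect the parameter at all, but ships its own <script> tag.
    return '<html><head><script src="/app.js"></script></head><body>Hello</body></html>'


def compare_checks(probe: str = PROBE) -> dict:
    """Run both heuristics over the three responses; returns
    {name: (jikto_style_result, stricter_result)}."""
    cases = {
        "escaped": render_escaped(probe),
        "raw": render_raw(probe),
        "unrelated": render_unrelated(),
    }
    return {name: (jikto_style_check(b), reflected_unescaped_check(b, probe))
            for name, b in cases.items()}


# --- Same-origin partitioning -------------------------------------------

_DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url: str) -> tuple:
    """(scheme, host, port) with default ports normalised, which is how a
    browser's same-origin policy compares two URLs."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port if parts.port is not None else _DEFAULT_PORTS.get(scheme)
    return (scheme, (parts.hostname or "").lower(), port)


def partition_by_origin(page_url: str, links: list) -> dict:
    """Split discovered links into those an XMLHttpRequest issued from
    page_url may read (same origin) and those it may not (cross origin)."""
    own = origin(page_url)
    result = {"same_origin": [], "cross_origin": []}
    for link in links:
        key = "same_origin" if origin(link) == own else "cross_origin"
        result[key].append(link)
    return result


if __name__ == "__main__":
    print(compare_checks())
    print(partition_by_origin("http://example.com/index.html",
                              ["http://example.com:80/a.bak", "https://example.com/c"]))
```

Running it shows the substring heuristic flagging all three responses, including the one that escapes correctly and the one that never reflects the parameter, while the stricter check flags only the raw reflection; the origin partition shows that a differing scheme or host is enough to put a link out of the script's reach.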
All in all, this is just some hyped, lame, proof of concept script, if you ask me. :/
Update:
One of my favourite hypes regarding Jikto says ``the hacker tool Jikto is spreading uncontrolled'' and ``the script captures computers of clueless Internet users to perform a portscan''; ``security experts are afraid that blackhats could misuse the extremely dangerous potential of this software''.
Botnets? No real threat, not interesting to the media... Hey, there is already a cool botnet monitoring tool from Microsoft, featuring a laggy GUI and dying if more than 2k nets are monitored. Hey, subfolders for each botnet are cool.
Seriously, let's just all commit suicide in such an IT security world. :/
2007-03-06
New Sandbox Application on the Horizon
A new sandbox application has popped up on the net: JoeBox. Of course it uses its own ``unique special concept''; the same unique special concept we were seeing in CWSandbox and some other private tools before.
It uses the same old userland API hooking tricks everybody else seems to be using, but this one runs on a physical machine and not in a virtual machine. Let's hope there is at least one bigger difference: this one could be free. But in the age of every company registering .org's like crazy, this will probably stay a dream.
2007-02-13
2006-12-24
23c3 Congress in Berlin
Just a short note: I will be at this year's Chaos Congress 23c3 holding a short presentation on «Automated Botnet Detection and Mitigation». Besides visiting Berlin with my girlfriend, I'll also be visiting the Blue Man Group.
Give me a shout if you're also going to 23c3 and want to meet up there!
2006-11-29
VirusTotal.com
VirusTotal.com is a well-known multi-scanner interface, available for free via web upload. In order to be better comparable to other anti-virus scanners, EmsiSoft recently decided to ask them to add their A-Squared engine (for free as well, of course). At first, nobody at Hispasec had any problems with this and they put them in the queue to be added (due to backend redesign, this lasted for weeks).
Then suddenly, Oliver Auerbach from Avira started to complain, just because he had some unsettled issues with one of the developers at EmsiSoft and therefore declared EmsiSoft as an untrustworthy corporation. Hispasec immediately reacted and rejected EmsiSoft.
Seems like VirusTotal.com is not as independent as they always try to look. This also fits into my image of them, distributing samples, even if you ask them not to do so. The little ``don't distribute'' button at the upload interface really seems useless, at least it was in 2005.
Back then, I was developing some proof of concept samples for the c't Magazine and tested them with VirusTotal.com. Since they were obfuscated and 0day, nobody of course detected them. A few weeks later, when the magazine wrote their article, Symantec and a couple of other scanners were detecting them (funnily enough as RBot variants, just because it was IRC proof of concept malware). The samples never left my harddrive, except for going to VT or to the magazine...
So be careful with VirusTotal.com (there is also an alternative, Jotti's Online Scanner).
Update: jcanto@hispasec.com informed me in a closed forum:
"This also fits into my image of them, distributing samples, even if you ask them not to do so."
Anybody in the sample distribution system knows this is simply a lie. Simply ask any person dealing with VT in those labs and you'll know it. We don't distribute samples that are not detected by any engine. Besides that, Symantec is curiously the only company participating in VirusTotal that has never received a sample from us, as they've never wanted it. We contacted people at the company repeatedly but they never gave us an email address to send those samples to. I suppose they are not interested in them because they've enough with their sources.
I never said that Symantec was the only to detect it, though.
2006-11-07
Microsoft Powerpoint, please.
I will soon stand in at a security conference for someone else from the Honeynet project and today received this amusing email from the `Marketing and Events Manager':
Thanks for your presentation which we received this morning. However I'm having trouble inserting it as it's a PDF file. Could you please send this on again as a PowerPoint Presentation.
Of course I did the presentation with LaTeX and latex-beamer (yes, no funny animations). Ouch.
Update: Just to clarify, I certainly did not want to blame the organizers for anything, I just wanted to point out that it's sometimes useful to stay `compliant'.
Labels: it-biz
2006-10-07
Reviewing Blachat Japan 06 / Tokyo
This trip was a blast! I already arrived on Wednesday -- one day before the conference -- and went out with Laurie from ShadowServer to do some shopping in Asakusa, as he has been a Tokyo local for two years now. Bought some nice stuff for my girlfriend and family there and also took the compulsory tourist photos in front of one of the temples.
Later on that day, I went to Roppongi visiting the Gas Panic club, which really deserves the description ``foreigner meat market'' as it is called by some locals. I was later told by some other locals that it's not the most beautiful you'd get there, but nevertheless it would have been really easy as far as I can judge.
Thursday started with a huge hangover, a nearly missed press meeting and a hard time staying awake during the day, followed by going to bed right after the Blackhat social event. I talked to some people and attended some talks; as usual the topics at Blackhat were rather interesting, but conferences are more for socializing...
Our talk on Friday morning went pretty well, apart from the fact that we totally messed up our botsnoopd demo, as no botnets were showing activity and even #gentoo on FreeNode was silent during our presentation (we should have pre-recorded a video). So we could only show some simple management commands... Apart from that, it was said to be the second most popular presentation (right behind Joanna's talk on the virtualization rootkit), probably thanks to Thorsten's CWSandbox part of it.
The speakers party did not convince too much (especially not for 4500 Yen entrance fee), but we went to the Air club later on, where a Chicago DJ had an insane set; we were there from 1:00 to 6:15, powered by Redbull and Orange Juice (and the others by Vodka Redbull, too). It was simply great.
So see you next year at some Blackhat conference! ;)
2006-09-30
Blackhat Asia 2006 / Tokyo
As some of you may already know, I will be at Blackhat Asia 2006 in Tokyo, giving a talk on botnet detection and mitigation.
I will arrive on the 4th of October and leave on the 7th. Feel free to drink a beer with me, just drop me a line as some already did. I'll probably also go clubbing in Roppongi some evening (maybe the 4th?) -- looking for someone to join me.
Labels: it-biz
2006-09-28
Prohibition of `Hacker Tools' in Germany
As heise writes, the German government plans to criminalize what they call `hacker tools' (if they already use such a misleading term, why not `haxor toolz'?). This is yet another example that impressively shows that politicians know nothing about the Internet world; we all have already learned that the Internet is a set of tubes.
This would be like suing Heckler & Koch for manufacturing a weapon that was used to shoot a police officer. The CCC has a good writeup on why this criminalization is bad.
As they say, they just want to implement a new EU directive; but this one is going way too far. Since I am working in the Computer Security industry and already had to develop proof of concept malware in the past for heise, so they could test some AV, I am directly affected by this.
I will try to actively fight this law and already dropped an eMail to my local MdB (however I doubt, this will change anything -- my belief in democracy was lost long ago).

