oxff's Blog

Reflect Yourself

oxff — Thu, 01 May 2008 21:11:00 +0000

Mayday 2008 was a total blast, DJ Korsakoff made a hell of a performance. Eventhough I didn't sleep the last 30 hours or so, I'm still rather awake due to the coffinated water they sold. I'll update this blog post with some own trashy mobile phone video later.

We are still here!

Botnet Monitoring Frontend

oxff — Thu, 13 Mar 2008 14:33:00 +0000

Spam, please

oxff — Sat, 15 Dec 2007 11:20:00 +0000

Please send me your spam or malware!

REP(N)Z and the EFLAGS

oxff — Thu, 27 Sep 2007 17:00:00 +0000

Working on some debugger like automation code for EmsiSoft, I recently discovered a funny property when single stepping REPNZ prefixed SCAS and CMPS instructions using the TF bit set in EFLAGS. As expected, for each single byte / word / doubleword, a debug event occurs. However, the EFLAGS register's status bits (e.g. ZF) are not correct for each single iteration but the last.

I tested this in Windows XP in a VmWare, didn't have the time to reproduce on a physical machine yet. Let me know if you run over this quirk, too.

My ISP Blocks YouPorn

oxff — Tue, 11 Sep 2007 11:19:00 +0000

Arcor, my home ISP, yesterday started blocking YouPorn. Welcome to China!

Alliance Public Submissions

oxff — Thu, 30 Aug 2007 12:34:00 +0000

You can now upload your samples to the Alliance manually, without being a member of the mwcollect Alliance. Submissions are correlated with automatically collected samples:

Anubis Sandbox Becoming Useless

oxff — Tue, 28 Aug 2007 09:20:00 +0000

Doing mostly botnet research with the samples we obtain through the mwcollect Alliance, the most interesting thing in the Anubis sandbox reports for me were the network traces. Following the lame ``run the binary in a VM, hooking all interesting APIs'' the Anubis sandbox has to really connect to the C&C server in order to get to know channel names, keys, etc.

The big problem here is, that the public online submission interface analysis machine all run on static IPs, not utilizing proxies and even worse -- having a valid reverse DNS entry pointing to Anubis. In the end, this made most ``advanced'' herders block the Anubis sandbox, as can be seen from this exemplary report (search for ``ERROR :Closing'').

Time to finally finish my own sandboxing stuff... not relying on the remote connection but on statical behavioural analysis with some emulation (packers, self-modifying code, ...).

Speaking at DeepSec and Winning CIPHER-CTF

oxff — Fri, 13 Jul 2007 10:50:00 +0000

The mwcollect.org Team `teamSparta', in which I participated as well, made the first place in the CIPHER CTF Contest. Yay!

I'll be speaking on DeepSec 2007 in Nov in Vienna, Austria.

Wikipedia and Public Media explaining Botnets

oxff — Fri, 08 Jun 2007 16:14:00 +0000

(All German):

There is still so much wrong information about botnets out there. These people suck as reporters (as most reporters do).

Malware Paragraph in German Laws

oxff — Fri, 25 May 2007 15:24:00 +0000

They finally criminalized any serious IT security penetration tester and the people developing the tools for them in my home country, Germany! Hail Zypries and all the other Internet nazis! \o

mwcollect Alliance Webinterface

oxff — Mon, 21 May 2007 17:56:00 +0000

We're still working on the mwcollect Alliance Webinterface, but already got some really nice stuff. The people from the Anubis Sandbox were so kind to provide us with a closed submission interface, so we can automatically upload new samples and link to them.

oxff Inc. -- Bragging Redefined

oxff — Thu, 12 Apr 2007 17:00:00 +0000

I count at least five of nine papers from HotBots referencing at least one paper, I have had my hands involved in.

Jikto Hype

oxff — Sat, 07 Apr 2007 09:27:00 +0000

After not posting for quite some time, I've got something to say again.

Recently, the Jikto `Javascript Drone' was hyped a lot in different media; the usual ``OMG t3h Internet is l0st'' we see at least once each year. I just had a look at Jikto's code, which was leaked the day after Jikto was presented on ShmooCon. It's totally ridiculous, it's using XMLHttpRequests to spider web-pages and tries finding `.old' and `.bak' files on these servers bug bruteforcing every found file. Additionally, it features a very false positive prone XSS scanner.

This XSS scanner injects <script>alert('xss');</script> into every GET parameter and just parses for `script' in the response. If the brackets are properly escaped, we still get our false positive. How enterprise.

Another wrong rumor is, that this code turns your computer or your browser into a drone. It's just yet another non-resident script. Additionally, because of the XMLHttpRequests, you're limited to your own domain to scan (unless you find a cool vulnerability in your browser or already know a XSS in the target site to inject Jikto).

All in all, this is just some hyped, lame, proof of concept script, if you ask me. :/

Update:
One of my favourite hypes regarding Jikto says ``the hacker tool Jikto is spreading uncontrolled'' and ``the script captures computers of clueless Internet users to perform a portscan''; ``security experts are afraid that blackhats could misuse the extremely dangerous potential of this software''.

Botnets? No real threat, not interesting to the media... Hey, there is already a cool botnet monitoring tool from Microsoft, featuring a laggy GUI and dieing if more than 2k nets are monitored. Hey, subfolders for each botnet are cool.
Seriously, let's just all commit suicide in such an IT security world. :/

New Sandbox Application on the Horizon

oxff — Tue, 06 Mar 2007 09:19:00 +0000

A new sandbox application has poppep up on the net: JoeBox. Of course it uses its own ``unique special concept''; the same unique special concept we were seeing in CWSandbox and some other private tools before.

It uses the same old userland API hooking tricks, everybody else seems to be using but this one runs on a physical machine and not in a virtual machine. Let's hope there is at least one bigger difference: this one could be free. But in the age of every company registering .org's like crazy, this will probably stay a dream.

Dinner for Five

oxff — Tue, 27 Feb 2007 01:45:00 +0000

Last Saturday, my mother and me (visiting at her during the weekend) got guests: Janine's parents and herself were coming over for some nice dinner. Some photos are available.

Entry: `Stremel Lachs'
Make some simple Guacamole based of Avocado: Mix the squashed Avocado with lemon juice and salt, that's it. Serve the raw salmon filet with the Guacamole and some baguette, offer a twist of lemon optionally to the salmon.

Main Course: `Rindersteak an Haricot-Verde, Rosmarienkartoffeln'
Fry the steak in a very hot pan in olive oil, but not too long, so it's medium. Cook string beans and roll them into bacon, fry these little packs in a pan. Cook potatoes in the skin, remove the skin and bake them with rosemary and olive oil in the oven. Serve all together with a sauce based on the steak's brew, cream and a little bit of smokey BBQ sauce (thanks Ryan!).

Dessert: `Tiramisu'
The nice Italian desert, don't ask me for a recipe -- I didn't do it and I don't know how to!

Get EIP with SEH

oxff — Fri, 23 Feb 2007 18:08:00 +0000

While talking about shellcode detection with Paul and Markus, I remembered some SEH based code I've written some time ago for some code to be position independent (and obfuscated). Unfortunately, I couldn't find the original source anymore but wrote up, what I remembered (and didn't test it):

Snippet 1: Custom Handler

mov eax, [esp+0x10]
mov eax, [eax+0x0c]
push eax
jmp eax

Snippet 2: SEH Overwrite

mov edi, [fs:0]
mov edi, [edi+4]
mov [edi+0], 0x448b6766
mov [edi+4], 0x67661024
mov [edi+8], 0x660c408b
mov [edi+12], 0xe0ff6650
 
xor eax, eax
xor [eax], eax
 
pop eax

Basically, the second snippet fetches the address of the current top-most SEH, overwrites it with the binary version of the first snippet and triggers a general protection fault. The address is then popped. Of course, this only works on Win32.

At the time I `invented' that code, I didn't have any reference for such code ITW. But I'm pretty sure, I'm not the first one to have that idea (although a quick Google run didn't reveal anything to me).

Der Sinn des Lebens

oxff — Wed, 14 Feb 2007 13:48:00 +0000

I've got a terrible hangover, but it seems I'm not the only one, who drunk too much last night. Seems, they've lost a letter at Google:

But #nepenthes has the answer: < olsson-> stop worrying about worms! do some disco dancing instead! ;-)

Carnival

oxff — Tue, 13 Feb 2007 20:20:00 +0000

Like all good Rheinland folks, I'll be unresponsible for any business-related requests the next seven days. It's carnival! \o/

Crazy0r

oxff — Mon, 05 Feb 2007 23:14:00 +0000

Work is driving me crazy. And all that annoying University Math on top of it.

The only thing keeping me up is the di.fm Hardcore stream; and that one is surely not keeping me away from insanity.

Hahahahahahahahahahahaha! O_o

New GPG Key

oxff — Thu, 11 Jan 2007 17:22:00 +0000

Due to the recent theft of my laptop and the HDD crash on my desktop, I have a new GPG key (and embarrasingly no revocation certificate for the old one):

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.3 (GNU/Linux)

mQGiBEWmRn0RBADwlG2LczheYy60A6DDxe8QRkdiB/u6qvRkDjxwRNwNYiyGI+/v
pod6QC4Y3mKtKsyKrMjCT9PvD9HNgRHU7h4i7BC4XKEAIWvV9hpT/Dc5GtTwg7eY
z8ip/1XtT60WlFEMlhNsiNrV4evcF5C0pCuniNVYRa7ceWK9SI79fa40VwCg96iq
Cj8I6SRP1Rb2KGt408Q2iHUEAOFerhLDCbAK6PEEyE6hl7AESCFRWY4Ot+8ppMM1
znUEs8AzwRg8OgEIO6hEml3fHVdnDRnk0yhXMhxr3EPDjHrJRSZ8h/BukDz0PPMj
8kb4eAaIOxiL5H8S7SkSvoiEKTqVgpd3gGKLyHA4A+E1A3qGYD/wsmdDM8rCrDyn
3D3oA/0QQcTJ6MLWEgeSJMLC0GaljelyDvMpD7KluXNLmasF3/GgMKM4xBQrf5BG
dsKKP8O0yy1gI08tiPe2/fBGZTYWdYLKbXQDB72MoIHLiPLzD0iAygmYR9DmAXST
NVj3hxXt+k02i6WY7DdsYh4dQT9F1PEDcAQmRgw0gEiRf4l8vbQhR2VvcmcgV2lj
aGVyc2tpIDxnd0BlbXNpc29mdC5jb20+iGYEExECACYFAkWmca4CGyMFCQlmAYAG
CwkIBwMCBBUCCAMEFgIDAQIeAQIXgAAKCRAqWE42za9SspmBAKDuBWns68fSbUM3
HoRBv7x4MD8X7wCgrwIqYeZ7u3waK9RyPXfPo9ZH7XC0JEdlb3JnIFdpY2hlcnNr
aSA8Z3dAcGl4ZWwtaG91c2UubmV0PohmBBMRAgAmBQJFpkZ9AhsjBQkJZgGABgsJ
CAcDAgQVAggDBBYCAwECHgECF4AACgkQKlhONs2vUrJXoQCbBx+VUUmUETTpOjdz
Nks66lOc2iMAn1uCCEynkKys6IA8VGNCX4f22kKDtCJHZW9yZyBXaWNoZXJza2kg
PGd3QG13Y29sbGVjdC5vcmc+iGYEExECACYFAkWmcbkCGyMFCQlmAYAGCwkIBwMC
BBUCCAMEFgIDAQIeAQIXgAAKCRAqWE42za9SskBhAKCgQ+bDQIemK2E2Vn1xdST3
/DvnnACeJI+vxwMcpfGo12LIgePLuuCfJH25Ag0ERaZGlRAIAOyuWt2MLTompq1e
lUZ4iArEoPjGPBaP8bfj+yETa0UMXVDNFaK9fqzqXpukEOFecWGHpWxhXe6i5DHs
x0HCs0/Ay9txWMsSKPbgwXrBcW8fju1lTbRolJtQ6JFgfO+hkuX+b6UeTcoOmofs
ET7+G2Bu9hdQ9zy626GRjjCwNGnNVtIwkRftM18nnks617U40lZR/gpLv0Yp+SkJ
t+MdID3kn5VUraRLGpLMpMADlAYi8nIFy/xODklfL4wU2ZxZuo+HBomVtx4VPuNQ
I/TnbH+YNaKRzF4ibN4qLZ0NE7bFuYJ5q+wfOyY4nidxs/Erm3dC8IeyYwNNCjBL
sxM0N+sAAwYH/A4jpBNBwAjiOSOBjm5yTvV+6O+msq0+nR2dKIwZzkpiOLTmSR2B
SkfdAZmIR7iuqk14qx4Cp8hy5OuLY5L1z1dGBtiKdoVy0qin+/J5Qt0+bCRd/nay
f9eqo0RlqMx8dXtaGRPtIW0D3EE4it6QKN4xH8J4a+5TdGaoCaMkYWRlsDNc+2vw
DtNEE3YnWxXY2aXxtXbKWjXyOARX9sFJxQozDbUEZA0w49Iq1XVcX73kafHQf4oh
0rW+5sqVzSJuNXelugodlW5h+KkU02Oo0FAfevY175MRJoEMcyCVGHEW2iGIOFVb
Vbs0WO/CFIuMziI6JDG4yyovMdJoRo8VPnmITwQYEQIADwUCRaZGlQIbDAUJCWYB
gAAKCRAqWE42za9SsvGiAJoC9+Ppv+SRZ0+dYJYl9G816OVMlwCfWHbjBoDySAgl
nHARGOmqJJ+5XOM=
=rYgd
-----END PGP PUBLIC KEY BLOCK-----

23c3 Congress in Berlin

oxff — Sat, 23 Dec 2006 23:39:00 +0000

Just a short note: I will be at this year's Chaos Congress 23c3 holding a short presentation on «Automated Botnet Detection and Mitigation». Besides visiting Berlin with my girlfriend, I'll also be visiting the Blue Men Group.

Give me a shout if you're also going to 23c3 and want to meet up there!

HoneyBow v0.1.0 Release

oxff — Fri, 15 Dec 2006 21:02:00 +0000

The Chinese Honeynet Project just released their HoneyBow software at mwcollect.org. HoneyBow is an utility suite, built around a VMWare Windows honeypot to automatically detect infections by malware and extract the malware to submit it to a central G.O.T.E.K. server for aggregation.

VirusTotal.com

oxff — Wed, 29 Nov 2006 11:13:00 +0000

VirusTotal.com is a well-known multi-scanner interface, available for free via web upload. In order to be better comparable to other anti-virus scanners, EmsiSoft recently decided to ask them, to add their A-Squared engine (for free as well, of course). At first, nobody at Hispasec had any problems with this and they put them in the queue to be added (due to backend redesign, this lasted for weeks).

Then suddenly, Oliver Auerbach from Avira started to complain, just because he had some unsettled issues with one of the developers at EmsiSoft and therefore declared EmsiSoft as an untrustworthy corporation. Hispasec immediately reacted and rejected EmsiSoft.

Seems like VirusTotal.com is not that independent, as they always try to look like. This also fits into my image of them, distributing samples, even if you ask them not to do so. The little ``don't distribute'' button at the upload interface really seems useless, at least it was in 2005.

Back then, I was developing some proof of concept samples for the c't Magazine and tested them with VirusTotal.com. Since they were obfuscated and 0day, nobody of course detected them. A few weeks later, when the magazine wrote their article, Symantec and a couple of other scanners were detecting them (funnily enoguh as RBot variants, just because it was IRC proof of concept malware). The samples never left my harddrive, except for going to VT or to the magazine...

So be careful with VirusTotal.com (there is also an alternative, Jotti's Online Scanner).

Update: jcanto@hispasec.com informed me in a closed forum:

"This also fits into my image of them, distributing samples, even if you ask them not to do so."
Anybody in the sample distribution system knows this is simply a lie. Simply ask any person dealing with VT in that labs and you'll know it.

We don't distribute samples that are not detected by any engine. Besides that, Symantec is curiouslly the only company participating in VirusTotal that has never received a sample from us as they've never wanted it. We contacted repeated times with people at the company but never gave us an email to send that samples. I suppose they are not interested in them because they've enough with their sources.

I never said that Symantec was the only to detect it, though.

Microsoft Powerpoint, please.

oxff — Tue, 07 Nov 2006 12:02:00 +0000

I will soon stay in at a security conforence for someone else from the Honeynet project and today received this amusing email from the `Marketing and Events Manager':

Thanks for your presentation which we received this morning. However I'm having trouble inserting it as it's a PDF file. Could you please send this on again as a PowerPoint Presentation.

Of course I did the presentation with LaTeX and latex-beamer (yes, no funny animations). Ouch.

Update: Just to clarify, I certainly did not want to blame the organizators for anything, I just wanted to point out that it's sometimes useful to stay `compliant'.

Computer Science Studies in Aachen

oxff — Sat, 28 Oct 2006 14:04:00 +0000

Studying is mostly fun, got a lot of new people to know in my first two weeks in Aachen. Lectures aren't too complicated yet and doing some math is fun so far. The `Programming' lecture is annoying for anybody, who touched a sourcecode before, though. Anyway, attendance is not enforced -- it's up to you and in fact, I haven't attended a single `Programming' lecture yet.

But studying is also time intensive. Working as Anti-Virus developer is also a time intensive job (that becomes very difficult, if you don't have Internet in your flat because your ISP bitches). But the dream of the perfect behavioural detection engine is just to great, to give it up just because of university!

The backside of all this is that my OpenSource development projects have to step back a bit. But the mwcollect Alliance will survive! ;)