Wednesday, May 14, 2008

Peach Fuzz

Another open source fuzzing toolkit update was released today, the "Peach Fuzzing Platform v2.0".
Fuzz. As in Peach. Ha!




Anyway, how does fuzzing affect the security of one's computer? Directly, it does not. Indirectly, it does.

Fuzzing an application or service is the process of feeding malformed and unexpected input, often mixed with expected input, to software that consumes data. This process can identify bugs or flaws in that software and lead to the discovery of buffer overflows and format string errors. Once these bugs are uncovered, determined individuals may sometimes write code to exploit them. Not all bugs are exploitable.




The easier, more open and more popular fuzzing becomes, the more likely it is that vulnerabilities in applications are found. Some of the vulnerabilities behind the frequent hotfixes and updates that Microsoft releases for its OS and browser software are found by individuals performing fuzz testing (and, most likely, some amount of reversing). Rumor has it that the largest fuzzing project in the history of software development was performed by Microsoft's own developers and security teams over the past couple of years on their own compiled code.

The Peach platform can fuzz data consumers of many types, including file format parsers, network services, third-party plugins like those from QuickTime and Adobe, and almost any other software.

ImmunitySec and Dave Aitel have been releasing this sort of software for years, with SPIKE, SPIKE Proxy, and Sharefuzz.




What do our readers think of ethical hacking, exploit development and the spread of these sorts of tools? Please post a comment if you have an opinion on the subject. We'd love to hear from you.

Agent again, this time undetected

Several interesting surges in malware activity are showing up today. The most widely propagated one we are seeing is a large increase over the past 24 hours in an old friend labelled "Trojan.Agent". The filename we see most is "wingmmesc.exe", and it continues to run rampant without much in the way of AV detection, even from the new and improved engines meant to detect suspicious obfuscation:




We are investigating its spread and its packing techniques. While the outer layer was packed with UPX, another layer of protection needs to be peeled back, which may explain the low AV detection rates. In the past, this sort of thing was spread via emails with "enticing" (often pornographic) messages containing links to URLs like hxxp://aliodsf . com / video.exe. We'll get back with more detail.

Update... It appears to be related to the Sality family, because we're seeing lots of familiar Sality "WINEUJE.EXE" activity related to the downloader, a worm that has been running around for a long time now, especially in Asia. It attempts to download .gif files from "kukutrustnet888.info" and "microupdate14.info", both domains we've seen from this family before. We'll rename this one to a more appropriate Sality label, and more AV detections should begin to pick it up now that we've uploaded it to VirusTotal for sharing.
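The "outer layer packed with UPX" observation above is the kind of thing a triage script can flag before any unpacking starts. The following is an added example, not code from this blog or from any AV product: it walks a PE section table and reports UPX-style section names and sections whose byte entropy is near 8 bits, which is what a second, still-packed layer looks like. The PE it builds is a constructed skeleton (a placeholder optional header, random bytes in UPX1), not a real sample.

```python
import math
import random
import struct
from collections import Counter

def section_entropy(data):
    """Shannon entropy in bits per byte (0..8); packed or encrypted data sits near 8."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def pe_sections(pe):
    """Yield (name, raw_bytes) per section; minimal parser that assumes a well-formed PE."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]       # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]  # COFF SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size                           # section table follows the optional header
    for i in range(nsec):
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        yield name.rstrip(b"\0").decode("ascii", "replace"), pe[raw_ptr:raw_ptr + raw_size]

def packer_indicators(pe, threshold=7.0):
    """List packing indicators: UPX section names and sections whose entropy exceeds threshold."""
    hits = []
    for name, raw in pe_sections(pe):
        if name.upper().startswith("UPX"):
            hits.append(f"{name}: UPX section name")
        ent = section_entropy(raw)
        if ent > threshold:
            hits.append(f"{name}: high entropy {ent:.2f}")
    return hits

def build_sample_pe():
    """Constructed, non-runnable PE skeleton with UPX-style sections; UPX1 holds random bytes."""
    rng = random.Random(1)
    sections = [("UPX0", b""), ("UPX1", bytes(rng.getrandbits(8) for _ in range(2048))),
                (".rsrc", b"A" * 512)]
    opt = b"\0" * 16                                  # placeholder optional header
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)  # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0)
    ptr = len(dos) + 4 + len(coff) + len(opt) + 40 * len(sections)
    table, body = b"", b""
    for name, raw in sections:
        table += struct.pack("<8sIIII", name.encode(), len(raw), 0, len(raw), ptr) + b"\0" * 16
        body += raw
        ptr += len(raw)
    return dos + b"PE\0\0" + coff + opt + table + body
```

A high-entropy section that survives after UPX has been stripped off is the cue that another protection layer is present.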

Friday, May 9, 2008

Cnet headline needs clarification

I came across another headline that needs some clarification. The Firefox effort doesn't really deserve this one: "Firefox add-on infected with Trojan"



The language pack add-on in particular, vietnamese_language_pack-2.0-fx-win.xpi, was not infected with a trojan. We inspected some of the allegedly "trojanized" files ourselves. The ".xpi" package can simply be renamed to ".zip" and its contents extracted. Then we extracted vi-VN.jar. Buried deep within the directories is a help directory containing multiple ".xhtml" files. At the very bottom of these files, we find some script code:

< c = "h xx p : / / %6A %73 %2E %6B%30%31%30%32%2E%63%6F%6D/ %30%31%2E%61%73%70">

This statement can be decoded and, when viewed, redirects a browser to hxxp://js. k0102. com/ 01. asp
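The unpack-and-decode steps above (rename .xpi to .zip, pull out the .jar, read the .xhtml files, percent-decode the spaced-out string) can be scripted so a whole add-on is checked at once. This is an added example, not Mozilla's tooling or anything from the original post: it walks an .xpi in memory, descends into nested .jar members, and reports quoted strings that are built from runs of percent-escapes. The sample .xpi it builds is constructed here (the file names inside it are assumptions), and the encoded line it embeds is the one quoted in the post, kept defanged as "h xx p".

```python
import io
import re
import zipfile
from urllib.parse import unquote

# A quoted string with three or more percent-escapes (whitespace between them allowed)
ENCODED_STR = re.compile(r'"([^"]*?(?:%[0-9A-Fa-f]{2}\s*){3,}[^"]*?)"')

def decode_obfuscated(s):
    """Strip the spacing used to break up the string, then percent-decode it."""
    return unquote(re.sub(r"\s+", "", s))

def scan_markup(text):
    """Return decoded forms of percent-encoded quoted strings found in a page's markup."""
    hits = []
    for m in ENCODED_STR.finditer(text):
        decoded = decode_obfuscated(m.group(1))
        if decoded != re.sub(r"\s+", "", m.group(1)):   # something actually decoded
            hits.append(decoded)
    return hits

def scan_xpi(xpi_bytes):
    """Walk an .xpi (a zip), descend into nested .jar files, scan .xhtml/.html/.js members."""
    findings = {}
    def walk(data, prefix):
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            for name in z.namelist():
                content, path = z.read(name), prefix + name
                if name.lower().endswith((".jar", ".zip", ".xpi")):
                    walk(content, path + "!/")
                elif name.lower().endswith((".xhtml", ".html", ".js")):
                    hits = scan_markup(content.decode("utf-8", "replace"))
                    if hits:
                        findings[path] = hits
    walk(xpi_bytes, "")
    return findings

ENCODED_LINE = '< c = "h xx p : / / %6A %73 %2E %6B%30%31%30%32%2E%63%6F%6D/ %30%31%2E%61%73%70">'

def build_sample_xpi():
    """Constructed sample: an xpi wrapping a jar whose help page ends with the encoded line."""
    page = "<html><body><p>help text</p>\n" + ENCODED_LINE + "\n</body></html>"
    jar, xpi = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(jar, "w") as z:
        z.writestr("locale/vi-VN/help/index.xhtml", page)
        z.writestr("locale/vi-VN/help/clean.xhtml", "<html><body>nothing here</body></html>")
    with zipfile.ZipFile(xpi, "w") as z:
        z.writestr("install.rdf", "<RDF/>")
        z.writestr("chrome/vi-VN.jar", jar.getvalue())
    return xpi.getvalue()
```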

At this point, nothing of a highly damaging nature has occurred. Web pages redirect browsers to ads all the time, for example. This particular web page redirected browsers to some advertisements.
How often might the redirection have occurred? I am not really sure. In my browser, I installed the language pack, but couldn't find a way to display the related help pages with the script code. It seems the distributed files would not have readily affected Firefox users. But it appears to not be virulent.

So how come this script code wasn't detected before it was released? Well, the AV scanners the Mozilla team was using didn't detect this line of code. It's somewhat surprising that the scanners didn't catch it, considering that the viral family that most likely left this line of code, and was running on the developer's machine, has been in the wild in the Asian region since at least 2006.

Nonetheless, it is never good when developers are working on infected systems. Release quality comes into question when things like this happen, but this one doesn't seem terribly alarming. The group appropriately froze access to the package, removed the dozen or so xhtml files, and re-released the package. All in plain view.

Ongoing targeted attacks during Tibet, Burma controversy and Olympic torch protests

Unfortunately, targeted computer attacks commonly occur. This morning's NPR show exposed such problems regarding activists and journalists in China. Sadly, not much data is public about these sorts of attacks, and it would be easy to speculate that they are on the rise. Sometimes the groups being attacked do not want members exposed or further put into the public light, and sometimes they do not fully understand that they are being attacked. The NPR audio mentioned groups like the Falun Gong, Students for a Free Tibet, Human Rights in China and some China-based foreign journalists. Often, the attackers' identities are more difficult to uncover than in the more entertaining examples we've given in the past. While spoofed sources may seem to be friends or friendly members of organizations, the true source remains in the shadows, hiding behind university or seemingly public IP addresses.

The various code used in the targeted attacks we have evaluated to date is not terribly impressive malware. The trojans and spyware are often delivered over email as data embedded within files of all formats, with enticing names the recipient would most likely be interested in. For example, the NPR interview mentioned a "resume.doc" file that was delivered to current board members and staff of the targeted Students for a Free Tibet from the spoofed email address of an ex-board member. These Microsoft Word docs, Excel spreadsheets, malicious .chm help files, and PowerPoint slideshows are usually malformed in one way or another to attack vulnerabilities in flawed software on the receiver's side. When opened by outdated software, these maliciously crafted files and the code they include drop and run the trojans and spyware embedded in them on the victim's system.
Most can be prevented by keeping software updated and patched and by running security solutions; as always, security in layers is recommended.

The audio mentions that most AV scanners are often evaded by the software components of these targeted attacks (an unusual admission from a member of the AV industry!), and that trojan builders create nastier rodents in response to the AV companies' better mousetraps.
ThreatFire is different -- our behavior-based cat is bigger and faster than that little piece of cheese sitting on the wire-and-wood thing in the attic. Purrs like a kitten too.

Thursday, May 8, 2008

Risk from p2p networks?

Some media attention has been given to the circulation of a number of malicious files found on gnutella networks accessed by LimeWire users. As always, please use caution when participating in these sorts of networks. Anytime files are shared amongst a community of users, there is an increased risk of malware.

Some files were distributed on those networks with a .mp3 or .mpg extension and, instead of video or audio content, contain ASF files carrying script commands that direct the default handler (your web browser) to a specified URL or web site.
Luckily, most users find it suspicious when they expect to play a sound or video file in their media player and instead get a web browser prompting them to download and install more software. So they don't run it -- that's probably why McAfee saw half a million .mpg/.mp3 files that contained a link to malicious software, but saw not even 10% of that number resulting in actual downloaded adware on users' desktops.




While it's great that AV scanner detection has caught up with the file extension trickery on the P2P networks, it's unfortunate that the individuals peddling this adware simply skip that step and distribute binaries. Setup.exe files archived in "american pie full dvd movie.zip" and many other misleadingly named archives are floating around the P2P networks with exactly the same payload as the downloaders described in the news.




It wouldn't make much sense for an entire "full dvd movie" to fit in a 94 KB zip file, but some users don't make that connection. Instead of a full DVD, the user gets multiple pieces of adware installed on their system, like Adware.Agent!sd5 and Adware.PlayMP3z.
The old adage applies: "If it seems too good to be true, it probably is."
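Both tricks in this post, an ASF container renamed to .mp3/.mpg and a "full dvd movie" that is a 94 KB zip, can be caught by looking at the leading bytes and the size instead of trusting the filename. The following is an added example, not code from this blog or from any AV vendor: it sniffs the real container from a short list of well-known signatures (the ASF header GUID in its on-disk byte order, MPEG program stream, zip, PE) and flags extension/content mismatches and implausibly small "movie" archives. The sample files and the size threshold are constructed assumptions.

```python
# Well-known file signatures; the ASF entry is the on-disk byte order of GUID 75B22630-668E-11CF-A6D9-00AA0062CE6C
SIGNATURES = [
    ("asf", bytes.fromhex("3026B2758E66CF11A6D900AA0062CE6C")),
    ("mpg", b"\x00\x00\x01\xba"),
    ("zip", b"PK\x03\x04"),
    ("exe", b"MZ"),
]
MEDIA_EXTENSIONS = {"mp3", "mpg", "mpeg", "avi", "wmv"}

def sniff(data):
    """Guess the real container from leading bytes, ignoring the filename entirely."""
    for kind, magic in SIGNATURES:
        if data.startswith(magic):
            return kind
    if data.startswith(b"ID3") or (len(data) > 1 and data[0] == 0xFF and (data[1] & 0xE0) == 0xE0):
        return "mp3"   # ID3 tag or raw MPEG audio frame sync
    return "unknown"

def assess(filename, data, min_movie_bytes=100 * 1024 * 1024):
    """Return human-readable warnings for a shared file, or an empty list if nothing stands out."""
    warnings = []
    name = filename.lower()
    ext = name.rsplit(".", 1)[-1] if "." in name else ""
    kind = sniff(data)
    if ext in MEDIA_EXTENSIONS and kind == "asf":
        warnings.append(f"{filename}: .{ext} extension but ASF container (can carry script commands that open a URL)")
    elif ext in MEDIA_EXTENSIONS and kind in ("zip", "exe"):
        warnings.append(f"{filename}: .{ext} extension but {kind} content")
    looks_like_movie = any(w in name for w in ("dvd", "movie", "full"))
    if ext == "zip" and looks_like_movie and len(data) < min_movie_bytes:
        warnings.append(f"{filename}: claims a full movie but is only {len(data)} bytes")
    return warnings

def build_samples():
    """Constructed sample files mirroring the cases in the post (sizes kept tiny)."""
    asf_body = bytes.fromhex("3026B2758E66CF11A6D900AA0062CE6C") + b"\0" * 64
    return {
        "hot_single.mp3": asf_body,                                             # ASF dressed up as audio
        "american pie full dvd movie.zip": b"PK\x03\x04" + b"\0" * 94 * 1024,   # 94 KB "movie"
        "real_song.mp3": b"ID3" + b"\0" * 200,                                  # plausible audio, no warning
    }
```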

Antivirus Fraud 2008

2008 continues to live up to the title "The Year of Rogueware". So far this year, bots, worms and viruses all seem to live in the shadow of this type of activity. Users are actually trying to run this constantly changing stuff on their systems, with AV scanners missing it altogether during its effective window in the wild (ITW). Rogueware themes change, the binaries change, and the websites change somewhat according to the thematic content. You can see the lack of scanner detection here.

Accelerated numbers of "AntiVirus2008" software installs are popping up, created by our familiar developer friends in the Ukraine (yes, that is sarcasm), and found at "hxxp://www.antivirus-scanner.com". We're seeing installs from a file named "atnvrsinstall.exe", which drops "antvrs.exe". Here's another fraudulent screenful from its distributors. There are no dangerous files or viruses detected on the system, as they claim, because the web site isn't really scanning my system:




Quarantine it if you see a popup from ThreatFire warning you of "PuA.Rogueware".

Tuesday, May 6, 2008

AMTSO and CARO Workshop

The AV industry was busy this past week amongst the blooming tulips in Hoofddorp, the Netherlands. Both an AMTSO conference and a CARO workshop were held during the last three days of the week.

A large group of attendees arrived for the Wednesday all-day testing standards meeting, with more journalists in attendance than before. It was encouraging to see, because one of AMTSO's formative goals has been to invite and include representatives from all parts of the computer security industry. Progress is being made toward a set of testing standards for anti-malware products for everyone involved.

The CARO workshop followed on Thursday and Friday, with presentations focusing on malware obfuscation from the AV industry's perspective (googling "datasecurity event caro" provides a link to the home page). The opening talk by Paul Ducklin of Sophos set the tone for most of the event -- legitimate compressors/packers are acceptable and good (according to a number of individuals in the AV scanner business), while software protection solutions like Themida and SVKP are unacceptable and evil (to a number of individuals in the AV scanner business).
It was interesting that while AV vendors and Ilfak Guilfanov of IDA Pro/Hex-Rays spoke and gave presentations over the two days, none of the developers or vendors from Themida or ASProtect (a couple of the software protection systems referred to in the presentations) were invited or presented their thoughts.

Even at the workshop, it seems that disagreement remains on how the industry should handle software obfuscation, and there remains a sense that software obfuscation is a major source of problems for the AV industry. Whether it's due to difficulties in emulation, performance issues when unpacking, the complexities of virtualization packers (where Sophos' Boris Lau showed that a single NOP instruction can easily and inexpensively be translated into over 50 virtual instructions) or simply disagreement over how to identify what is behind software protection, it continues to be a weakness for traditional AV scanners.
Just to give an idea of the volume of difficulties and tricks that researchers have to develop methods to deal with, Peter Ferrie's paper was presented by Mady Marinescu of Microsoft, and in it he enumerated over 50 anti-unpacking tricks commonly seen in packers and often seen in malware.
Presenters also included evaluations of the proportions of malware seen packed by specific packers and various approaches to dealing with them, including blacklisting. It seems that it is easier to include this approach in a scanner than to actually implement an unpacker in a scanner for all the different varieties of packers. Blacklisting is cheap and easy, but it is more prone to causing false positives (FPs), and decisions to blacklist may often be debatable.
We will see what this turn away from extremely low false positive rates will do to the major advantage that scanners had over behavior-based solutions.

From the perspective of someone pushing a behavioral solution that addresses the difficulties scanners have with obfuscation, it is somewhat easy to be critical of AV scanner products' inability to keep performing with such a low level of false positives and exact matches in the face of the ongoing obfuscation and "server-side polymorphism"/"rapid release" techniques currently used by malware distributors to evade AV solutions. The complexity and difficulties are high for the guys trying to develop elegant and effective AV solutions to these problems.
We'll see more of this obfuscation topic, but from the "hackers'" perspective, when Defcon's "Race To Zero" contest is held this fall.