Showing posts with label Blackhat. Show all posts

Wednesday, May 14, 2008

Peach Fuzz

Another open source fuzzing toolkit update was released today, the "Peach Fuzzing Platform v2.0".
Fuzz. As in Peach. Ha!

Anyway, how does fuzzing affect the security of one's computer? Directly, it does not. Indirectly, it does.

Fuzzing an application or service is the process of feeding malformed and unexpected input, often mixed with expected input, to a program that consumes data. This process can identify bugs or flaws in software and lead to the discovery of buffer overflows and format string errors. Once these bugs are uncovered, determined individuals may sometimes write code to exploit them. Not all bugs are exploitable.

The easier, more open and more popular fuzzing becomes, the more likely it is that vulnerabilities are found in applications. The vulnerabilities behind the frequent hotfixes and updates that Microsoft releases for its OS and browser software are sometimes found by individuals performing fuzz testing (and, most likely, some amount of reversing). Rumor has it that the largest fuzzing project in the history of software development was performed by Microsoft's own developers and security teams over the past couple of years, on their own compiled code.

The Peach platform can fuzz data consumers of many types, including file format parsers, network services, third-party plugins like those from QuickTime and Adobe, and almost any other software.

ImmunitySec and Dave Aitel have been releasing this sort of software for years, with SPIKE, SPIKE Proxy, and Sharefuzz.
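To make the description above concrete, here is a small mutation fuzzer written for this post (it is an added example, not Peach or SPIKE code). It takes a hypothetical record parser that trusts its length fields, mutates a constructed seed input with bit flips, byte replacement, truncation and insertion, and reports every input that makes the parser raise anything other than its own deliberate `ValueError`. The same loop run against a bounds-checked version of the parser reports nothing, which is the comparison a developer fuzzing their own code wants to see. All names, the record format and the sample input are assumptions made for the example.

```python
import random

MAGIC = b"RC"
# Constructed sample record: magic, name length, name, payload length, payload.
SEED_INPUT = MAGIC + bytes([5]) + b"hello" + bytes([3]) + b"abc"


def parse_record(data: bytes) -> dict:
    """Hypothetical parser that trusts its length fields (the kind of flaw
    fuzzing surfaces). Only ValueError is a deliberate rejection; any other
    exception means the parser lost control of its input."""
    if data[:2] != MAGIC:
        raise ValueError("bad magic")
    name_len = data[2]                    # IndexError on a 2-byte input
    name = data[3:3 + name_len]
    payload_len = data[3 + name_len]      # IndexError when name_len overruns the buffer
    payload = data[4 + name_len:4 + name_len + payload_len]
    if len(payload) != payload_len:
        raise ValueError("truncated payload")
    return {"name": name, "payload": payload}


def parse_record_safe(data: bytes) -> dict:
    """Same format, with every length checked against the input before use."""
    if len(data) < 4 or data[:2] != MAGIC:
        raise ValueError("too short or bad magic")
    name_len = data[2]
    if 3 + name_len >= len(data):
        raise ValueError("name length exceeds input")
    name = data[3:3 + name_len]
    payload_len = data[3 + name_len]
    start = 4 + name_len
    if start + payload_len != len(data):
        raise ValueError("payload length mismatch")
    return {"name": name, "payload": data[start:]}


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Apply one random mutation to a fresh copy of the seed input."""
    buf = bytearray(seed)
    strategy = rng.choice(("bitflip", "byte", "truncate", "insert"))
    if strategy == "bitflip":
        buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
    elif strategy == "byte":
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif strategy == "truncate":
        del buf[rng.randrange(1, len(buf)):]
    else:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    return bytes(buf)


def classify(parser, data: bytes) -> str:
    """'ok' if parsed, 'rejected' on a deliberate ValueError, else 'crash'."""
    try:
        parser(data)
    except ValueError:
        return "rejected"
    except Exception:
        return "crash"
    return "ok"


def fuzz(parser, seed_input: bytes, iterations: int = 500, seed: int = 1) -> list:
    """Run the mutation loop; return (input, exception) pairs that crashed the parser."""
    rng = random.Random(seed)
    findings = []
    for _ in range(iterations):
        case = mutate(seed_input, rng)
        try:
            parser(case)
        except ValueError:
            continue                      # expected rejection, not a bug
        except Exception as exc:
            findings.append((case, repr(exc)))
    return findings


if __name__ == "__main__":
    naive = fuzz(parse_record, SEED_INPUT)
    print(f"naive parser: {len(naive)} crashing inputs, first: {naive[0] if naive else None}")
    print(f"checked parser: {len(fuzz(parse_record_safe, SEED_INPUT))} crashing inputs")
```

The harness classifies by exception type rather than by "did it throw": a parser is supposed to reject bad input, so only an exception it never meant to raise counts as a finding. Each crashing input is kept so it can be replayed against the parser in a debugger, which is the step that turns a fuzzer hit into a fixed bug.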

What do our readers think of ethical hacking, exploit development and the spread of these sorts of tools? Please post a comment if you have an opinion on the subject. We'd love to hear from you.

Tuesday, January 8, 2008

Bootkit binaries in the wild

Yesterday, we were further analyzing an executable that we haven't been seeing all that much of recently, tmpms45.exe. The filename is familiar, as various executables with that name are sometimes delivered by malicious emails or malicious web pages. Most often, we see it as part of a commodity exploit kit (e.g. MPack), where the malicious web site operators simply forgot to change the filename in the scripts of the kit they had just purchased.
This time, however, a file delivered under that filename is receiving a lot of attention as the newest piece of malware that writes directly to the raw disk and the master boot record on Windows XP systems. It may also go by several other names, like mat16.exe, mat17.exe, mat18.exe and so on. The code of the malicious dropper itself is getting attention partly because it is the first in-the-wild malware found to contain a slightly modified version of the "BootRoot" code presented at Blackhat 2005 by eEye researchers.

This malicious dropper executable is being distributed from web sites via a set of exploits targeting a vulnerability patched in 2003, the common Microsoft MDAC (MS06-014) vulnerability that we see targeted on a daily basis, along with the somewhat more recent VML and XML Core Services BoF.
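Because this dropper writes to the master boot record, the defensive check a practitioner wants is a way to parse the first sector and compare it against a known-good baseline. The following is an added example written for this post, not eEye's BootRoot code and not the dropper: it parses the standard MBR layout (446 bytes of boot code, four 16-byte partition entries, the 0x55AA signature), hashes the boot code region, and reports whether the boot code or the partition table differ from a baseline copy. The two sample sectors are constructed stand-ins built by the example itself; the boot code bytes in them are arbitrary and do not come from any real bootkit.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446        # bytes 0..445: boot code the BIOS jumps into
PART_TABLE_OFF = 446       # four 16-byte partition entries follow the code
BOOT_SIG = b"\x55\xaa"     # bytes 510..511


def parse_mbr(sector: bytes) -> dict:
    """Parse one 512-byte MBR into a boot-code hash and its partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected one 512-byte sector")
    if sector[510:512] != BOOT_SIG:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack_from(
            "<B3xB3xII", sector, PART_TABLE_OFF + 16 * i)
        if ptype == 0:
            continue                                 # empty slot
        partitions.append({"index": i, "bootable": status == 0x80,
                           "type": ptype, "lba_start": lba_start,
                           "sectors": sectors})
    return {"boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": partitions}


def compare_mbr(baseline_sector: bytes, current_sector: bytes) -> list:
    """Return a list of human-readable findings; empty means no change."""
    base, cur = parse_mbr(baseline_sector), parse_mbr(current_sector)
    findings = []
    if base["boot_code_sha256"] != cur["boot_code_sha256"]:
        findings.append("boot code differs from baseline")
    if base["partitions"] != cur["partitions"]:
        findings.append("partition table differs from baseline")
    return findings


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample sector: the given boot code padded to 446 bytes and
    one bootable NTFS-type (0x07) partition starting at LBA 63."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07,
                        b"\xfe\xff\xff", 63, 2_000_000)
    return code + entry + b"\x00" * 48 + BOOT_SIG


# Constructed stand-ins: a "clean" sector and one whose boot code was replaced.
CLEAN_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0")
TAMPERED_MBR = build_sample_mbr(b"\xeb\x10\x90\x90\x90")


if __name__ == "__main__":
    print(parse_mbr(CLEAN_MBR))
    print("clean vs clean:", compare_mbr(CLEAN_MBR, CLEAN_MBR))
    print("clean vs tampered:", compare_mbr(CLEAN_MBR, TAMPERED_MBR))
```

On a live Windows system the current sector would come from the raw device (`\\.\PhysicalDrive0`, readable only with administrative rights) and the baseline from a copy taken when the machine was known to be clean, or from a backup of the sector; a legitimate OS installation or partitioning tool also rewrites this sector, so a difference is a reason to look, not proof of infection on its own.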