As reported a few days ago, Debian, Ubuntu, Knoppix and indeed all Debian-based distros ship a bug in the OpenSSL library which is said to make guessing keys considerably easier. For that reason you should at the very least run
apt-get update && apt-get dist-upgrade
and afterwards check, as superuser, with ssh-vulnkey -a whether compromised keys exist on the system.
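To make the check concrete, here is an added example, not from the original post and not ssh-vulnkey's own code, of what such a check does under the hood: a broken generator that derives keys from a tiny seed space (on Debian the only remaining entropy was effectively the process ID, so the space was at most 32767 values per key type and size) is enumerated, the MD5 fingerprint of each resulting public-key blob goes into a blacklist, and the keys in an authorized_keys file are then fingerprinted and looked up. Assumptions: the key generator is a stand-in (the "modulus" is a hash stream, not a real RSA modulus), the sample authorized_keys file is constructed here, and the blacklist stores only the last 20 hex digits of the fingerprint, which is my understanding of the openssh-blacklist format, not something the post states.

```python
import base64
import hashlib
import struct


def _ssh_string(b):
    return struct.pack(">I", len(b)) + b


def _mpint(n):
    # SSH mpint: big-endian, with a leading 0x00 byte when the top bit is set
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def keygen_from_seed(seed, bits=2048):
    """Stand-in for a broken key generator (constructed for this example): the 'modulus' is a
    hash stream of `seed`, not a real RSA modulus. What matters is that equal seeds give equal
    keys, which is what happened on Debian when the PRNG was effectively seeded only by the PID."""
    stream = b"".join(hashlib.sha256(seed + bytes([i])).digest() for i in range(bits // 256))
    n = int.from_bytes(stream, "big") | (1 << (bits - 1)) | 1   # exact bit length, odd
    return _ssh_string(b"ssh-rsa") + _mpint(65537) + _mpint(n)


def parse_blob(blob):
    """Split an SSH public-key blob into its length-prefixed fields."""
    fields, off = [], 0
    while off < len(blob):
        (ln,) = struct.unpack(">I", blob[off:off + 4])
        off += 4
        fields.append(blob[off:off + ln])
        off += ln
    return fields


def key_type_and_bits(blob):
    fields = parse_blob(blob)
    ktype = fields[0].decode()
    if ktype == "ssh-rsa":          # fields: type, e, n
        return ktype, int.from_bytes(fields[2], "big").bit_length()
    if ktype == "ssh-dss":          # fields: type, p, q, g, y
        return ktype, int.from_bytes(fields[1], "big").bit_length()
    return ktype, None


def fingerprint(blob):
    """Hex MD5 fingerprint of the raw blob (what ssh-keygen -l showed in 2008)."""
    return hashlib.md5(blob).hexdigest()


def build_blacklist(seed_space, bits=2048):
    """Enumerate every key the broken generator can emit and keep a fingerprint suffix per key.
    Assumption: like openssh-blacklist, only the last 20 hex digits are stored."""
    return {fingerprint(keygen_from_seed(s, bits))[-20:] for s in seed_space}


def authorized_keys_entries(text):
    """Yield (blob, comment) per key line; tolerates leading options and comment lines.
    Limitation: options containing a quoted space are not parsed."""
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        for i, tok in enumerate(parts[:-1]):
            if tok in ("ssh-rsa", "ssh-dss"):
                yield base64.b64decode(parts[i + 1]), " ".join(parts[i + 2:])
                break


def check_authorized_keys(text, blacklists):
    """Return [(fingerprint, type, bits, verdict, comment)]. 'not blacklisted' means only
    that the key is not a known weak one, not that it is safe."""
    out = []
    for blob, comment in authorized_keys_entries(text):
        ktype, bits = key_type_and_bits(blob)
        fp = fingerprint(blob)
        bad = fp[-20:] in blacklists.get((ktype, bits), set())
        out.append((fp, ktype, bits, "COMPROMISED" if bad else "not blacklisted", comment))
    return out


# Constructed data: PIDs 1..4095 stand in for the real 1..32767 space, one blacklist per size.
WEAK_SEEDS = [b"pid:%d" % pid for pid in range(1, 4096)]
BLACKLISTS = {("ssh-rsa", 2048): build_blacklist(WEAK_SEEDS, 2048)}

SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed authorized_keys for the example",
    'from="10.0.0.0/8" ssh-rsa ' + base64.b64encode(keygen_from_seed(b"pid:1337")).decode() + " weak@debian-host",
    "ssh-rsa " + base64.b64encode(keygen_from_seed(b"entropy:not-a-pid")).decode() + " ok@elsewhere",
])

if __name__ == "__main__":
    for fp, ktype, bits, verdict, comment in check_authorized_keys(SAMPLE_AUTHORIZED_KEYS, BLACKLISTS):
        print(f"{verdict:16} {ktype} {bits} {fp} {comment}")
```

The point of the blacklist approach is that a weak key space this small can be enumerated once and shipped as a lookup table; the flip side is that the tool can only ever flag keys from generators somebody has enumerated, so a "not blacklisted" verdict says nothing about keys produced by a different broken build.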
Heise has published a nice article on this in German. Apart from that, Debian's “Key Rollover” page and the links there are worth a look.
// Oliver
Have a look at RunEl and don't miss out when Chris presents the implementation of his newest idea: a UAC implementation which works on XP and Vista but is more user-friendly.
// Oliver
PS: I understand it’s still April, but as far as I can tell this is not a joke 
… and no more excuses for those pirating IDA. Datarescue has made a freeware version 4.9 of IDA available for download. As part of IDA Palace, I have mirrored the files on two more servers. One of the servers is likely to disappear in the long run, but I'll make sure the links keep working regardless.
Feel free to link.
// Oliver
Researchers have shown that the attack method devised against MD5 in 2004 is practical and can even trick code-signing tools into “believing” that two different binaries are the same.
We announce two different Win32 executable files with different functionality but identical MD5 hash values. This shows that trust in MD5 as a tool for verifying software integrity, and as a hash function used in code signing, has become questionable.
(Quote from the linked page)
What are the implications? Well, the worst and foremost is that an attacker can put malicious code under the disguise of a valid and trusted signature. As an example: an elaborate attack could combine a driver that gets signed by Microsoft with the attacker's own rootkit, both prepared so that they are indistinguishable by their MD5 hash, thus tricking the victim into believing that the rootkit was signed by Microsoft - which is ultimately trusted on most Windows systems by default. Note the precondition: what has been demonstrated is a collision, so the attacker has to craft both files before the benign one is submitted for signing; matching the hash of an existing, already signed binary would be a second-preimage attack, which this result does not give.
// Oliver
… and the F-PROT 4 engine keeps catching up. Luckily we also managed to release a product which uses the 4.4 series of our engine instead of the 4.3 series. It includes, among other things, a new heuristics engine with the (thoroughly serious) name “Eldorado”, which is for the most part the brainchild of Friðrik, the founder of the company and my direct superior - but the contribution of the other engine developers, in particular Mario's, should not go unmentioned here either. Good work!
Meanwhile our virus lab slash engine department has gained a new member: a promising young lady from Denmark who shows great potential, from which we naturally hope to gain quite a bit as well. I'll just say: “keyword cryptography”!
Things are moving on the Windows product front as well; yesterday (Friday) we started a public beta of the 64-bit version of our Windows product.
// Oliver
This is the first release of the new JEDI Windows API (JWA) and JEDI Windows Security Code Library (JWSCL).
JWA is known as the JEDI Windows API header conversions. JWA can be compiled into a single jwaWindows unit, so there is no longer any need to add dozens of different units to the uses clause; Delphi's smart-linking mechanism does the rest for you. Single units can still be used, though!
JWSCL is a collection of classes that make programming Windows security a whole lot easier. It uses JWA extensively.
Continue reading ‘Good job, Chris!’
As Hitzi writes in his blog (thanks for the pointer, by the way), it is formally possible for the authorities in Great Britain to force someone to hand over his data in decrypted form, or at least to hand over the passphrase so that the authorities can decrypt it themselves. When I read it for the first time, I immediately thought of TrueCrypt.
This example from Great Britain gives a bitter taste of what is on the agenda of Western governments now that all these anti-terror laws have been passed. It hasn't reached Germany so far, but the fact that there is a precedent allows others, such as our beloved secretary for propaganda, interior and sports, Dr. Schäuble, to cite the precedent and thereby “justify” their own demands for similar measures.
// Oliver
Some of you will already know from private conversations, the rest will know now … I am in Vienna at the Virus Bulletin Conference 2007 as one of seven representatives of FRISK Software. You meet nice people here and, at least when no manager is standing next to you, can talk openly with colleagues from other companies. Example: yesterday I got to know several people, but the two most pleasant acquaintances for me were Nicolas Brulez and Boris Sharov. The former is surely a familiar name to many reversers and has also made a name for himself as the author of Armadillo (a commercial EXE packer). The latter is the CEO (in short: the boss) of Dr.Web Antivirus, one of the two antivirus vendors from Russia. Apart from that you meet many people who are well known “in the scene”, some who otherwise only work behind the scenes, and so on. All in all I am positively surprised on my first visit. On top of that there are of course plenty of Austrians here with their likeable accent (and dialect).
… would the gentleman care for some more orange juice?
// Oliver
PS: Last night we also had a proper “Austrian” dinner. There was döner and dürüm
… although LS is not quite in the AV business (yet?), they promise - i.e. their CEO, Jason King, promises - that LS will show up at the Virus Bulletin Conference in Vienna in September. What a lucky occasion. So I can probably expect them to bring the money they owe me. Really too nice of them. Looking forward to it.
Oh, and FRISK will be there as well, with 7 people (including me) and the original and only Frisk (i.e. Friðrik Skúlason) among us.
// Oliver
She and a partner, Alexander Tereshkin, have published the source to BluePill, or rather a rewrite called New BluePill (NBP), since Rutkowska’s previous employer owns the rights to the original one:
http://www.bluepillproject.org
The source is a little flawed, at least the version I got. It requires three minor corrections, but I am not sure whether this is an intentional hurdle for script kiddies or a difference between the in-lab source and the one being published. Anyway, it's not hard at all to figure out. The source won't compile with the WNET DDK, though - and presumably won't compile with even older DDKs either. This means you have to get the Vista WDK or the beta of the Server 2008 WDK. The problem with the WNET DDK seems to be the assembly parts in the source, so it may be possible to fix; however, I didn't try. The executable is around 50 KiB. Obviously it compiles only for AMD64
Continue reading ‘Joanna Rutkowska gets serious ;)’
Heise reports, under the title “GData's antivirus solutions for businesses without Kaspersky scanner” … “[…] Instead, the current versions of the products for businesses rely on the F-Prot engine from Frisk […]”.
I had known it for a little while, but now that it's official
// Oliver
Michał ‘GiM’ Spadliński, a Polish blogger, wrote in his article “Czy Redpill Joanny Rutkowskiej jest poprawny?” (“Is Joanna Rutkowska's Redpill correct?”):
Oliver Schneider (a reverse engineer working for F-Prot) published […] an article, dated the first of April, which does not look like an April Fools' joke at all.
This really made me laugh. No, I have to admit my Polish is not the best (and getting worse for lack of practice), but I could clearly understand the quoted parts and quite a bit more.
Continue reading ‘No it wasn’t an April Fool’s joke’
Ptacek, Lawson and Ferrie - well-known security specialists - have teamed up to challenge Rutkowska and to prove that her virtualization rootkit BluePill (AMD-specific so far) is detectable regardless of her claims. The above link leads to her official reply to them.
Rutkowska likes to speak in absolutes, it seems. In one instance I was even able to falsify one of her claims concerning VMM detection from within a VM using the interrupt descriptor table address as an indicator. This shows she is as human as everyone else, but having her own company now and being busy all the time (who isn't?) she never found the time to respond to my articles
Anyway, this makes me really curious about who will win the challenge, but Peter Ferrie, being a former FRISK employee, has all my sympathies
// Oliver
… here Kaspersky claims:
An advisory has recently been published on rootkit.com regarding a vulnerability in KAV 7.0. Unfortunately, the authors of this material chose not to adhere to industry standard practice, and contact the vendor prior to disclosing vulnerability details. Although the authors claim that all attempts to inform Kaspersky Lab about this vulnerability were ignored, this is not the case: if we had been informed, this issue would have been addressed long ago.
I am really upset by this! I reported this vulnerability back in October 2005 in the Kaspersky subforum at malware-research.co.uk, a closed forum for security professionals, and one person from Kaspersky Labs Netherlands replied and said it would be taken care of. Back then (before the reply) I had written that if they did not respond in due time I'd publish it (without details) through public channels, which the person who responded took as a threat. Interestingly, I never did check again, and it was almost a year later (September 2006) that I joined FRISK Software International and thus the AV industry.
Also fascinating: I am not the one who published it on rootkit.com; instead I chose to contact them in a closed security-aware community, and the result was apparently the same. Kaspersky chose to ignore it in the end in both cases. I can well imagine that “the authors claim that all attempts to inform Kaspersky Lab about this vulnerability were ignored”.
Excuse me, but the claims in the above quote are ridiculous to say the least.
// Oliver
BTW: I met said person at the AV Workshop this year. A few weeks after the workshop, a bug I reported more than 18 months ago surfaces again (in one of their latest products!). Amazing!
The term “realtime protection” has been overused in recent years, and it has been used in a completely wrong sense ever since it was coined.
To make sure I am not misunderstood: yes, even the company I work for has used the term during the hype around the phrase, and recently we published a patch to the “Realtime Protector” (included in a legacy product). That still doesn't make the “protector” any more realtime, however. Now, why is that?
None of the Windows systems is a realtime operating system, i.e. none of them guarantees an upper bound on how long it takes to react to an event. So how would any software running under these OSs be “realtime” in any way? Easy answer: it won't. Since most malware targets the two Windows platforms (Win9x and WinNT), it is fair to say that this also means that any anti-malware application isn't “realtime” either.
So what does it mean? It means that “realtime protection” is formally and technically a wrong term, invented and misused by the marketing departments of the companies offering it. The proper term would be “on-access scan”, as this is exactly what these components do: whenever you touch (or execute) a file, the OAS scans it and either offers you the choice of cancelling your action or denies it right away (depending on the settings). The same goes for registry operations and whatever else can be “realtime-protected”.
// Oliver
As some of you may know, FRISK Software had invited professionals from the AV industry and AV testers to attend the “International Antivirus Testing Workshop” this week in Reykjavik. The workshop was held on Tuesday and Wednesday, and I had the chance to attend the second session (in the afternoon) on Wednesday, which included a panel discussion. To me the presentation by Prof. Klaus Brunnstein was the most interesting, and in some respects it would be good if the AV industry adopted a “more academic” approach. Indeed it would be highly useful for everyone if the AV industry and AV testers agreed on some guidelines for testing, so that the test results would be comparable and, above all, more comprehensive. At the moment it seems that competition has priority over the protection of users (yes, users, not only particular customers of particular vendors!). Of course a virus lab or the software engineers are not pleased if the test results suggest that their product is so much less effective than a competitor's. However, the first and foremost priority for us should be the protection of the users and of society - an ideal that was well described by Prof. Brunnstein and to which I subscribe almost entirely.
Oh, and before the title of this blog article is completely pointless, here’s the link to the website with the presentations from the workshop. Enjoy!
// Oliver
PS: AFAIK pictures will follow later today (Friday, that is).
Ilfak posted a nice demo clip on his blog: “Decompilation gets real”. This is a dream of many reversers and could really speed up the analysis of many samples.
// Oliver
In my previous article from November last year I challenged Joanna Rutkowska's claims concerning Redpill. A recent article in the German computer magazine iX (April 2007) mentioned Rutkowska's findings again, so I decided to review the tool, the driver, the accompanying research paper and the results. You can download the new results below. The most interesting findings were made by observing the values on Virtual PC 2007. For every operating system and every VMM tested, the following combinations were considered: VMM tools installed or not installed, with acceleration enabled or disabled respectively. For Virtual PC 2007 the acceleration was hardware virtualization.
Continue reading ‘Redpill getting colorless? (continued)’
To create a public/private key pair for use with PuTTY (or OpenSSH and the like), use the following method.
Continue reading ‘PuTTY Key Generator’