Ptacek, Lawson and Ferrie - well-known security specialists - joined up to challenge Rutkowska and prove that her virtualization rootkit BluePill (up to now AMD-specific) is detectable regardless of her claims. The above link leads to her official reply to them.
Rutkowska likes to speak in absolutes, it seems. In one instance I could even falsify one of her claims concerning VMM detection from within a VM using the interrupt descriptor table address as an indicator. This shows she is human like everyone else, but having her own company now and being busy all the time (who is not?), she never found the time to respond to my articles.
Anyway, this gets me really excited to see who will win the challenge, but Peter Ferrie, being a former FRISK employee, has all my sympathies.
// Oliver
… here Kaspersky claims:
An advisory has recently been published on rootkit.com regarding a vulnerability in KAV 7.0. Unfortunately, the authors of this material chose not to adhere to industry standard practice, and contact the vendor prior to disclosing vulnerability details. Although the authors claim that all attempts to inform Kaspersky Lab about this vulnerability were ignored, this is not the case: if we had been informed, this issue would have been addressed long ago.
I am really upset by this! I reported this vulnerability back in October 2005 in the Kaspersky subforum at malware-research.co.uk, a closed forum for security professionals, and one person from Kaspersky Labs Netherlands replied and said it would be taken care of. Back then (before the reply) I wrote that if they did not respond in due time I’d publish it (without details) through public channels, which was taken as a threat by the person who responded. Interestingly, I never checked again, and it was almost one year later (September 2006) that I joined FRISK Software International and thus the AV industry.
Also fascinating: I am not the one who published it on rootkit.com; instead I chose to contact them in a closed, security-aware community, and the result was apparently the same: Kaspersky chose to ignore it in the end in both cases. I can well imagine that “the authors claim that all attempts to inform Kaspersky Lab about this vulnerability were ignored”.
Excuse me, but the claims in the above quote are ridiculous to say the least.
// Oliver
BTW: I met said person at the AV Workshop this year. A few weeks after the workshop a bug that I reported more than 18 months ago surfaced again (in one of their latest products!). Amazing!
The term “Realtime protection” has been overused in recent years and used in a completely wrong sense ever since it was invented.
To make sure I am not misunderstood: yes, even the company I work for has used the term while the phrase was being hyped, and recently we published a patch to the “Realtime Protector” (included in a legacy product). However, this still doesn’t make the “protector” any more realtime. Now, why is that?
None of the Windows systems is a realtime operating system (one that guarantees a response within a fixed deadline). So how could any software running on these OSs be “realtime” in any way? Easy answer: it can’t. Since most malware is found on the two Windows platforms (Win9x and WinNT), it is fair to say that no anti-malware application running there is “realtime” either.
Now what does it mean? It means that “realtime protection” is, formally and technically, a wrong term invented and misused by the marketing departments of the companies offering it. The proper term would be “on-access scan” (OAS), as that is exactly what these components do: whenever you touch (or execute) a file the OAS scans it and either offers you the choice of cancelling your action or denies it right away (depending on the settings). The same goes for registry operations and whatever else can be “realtime-protected”.
// Oliver
As some of you may know, FRISK Software had invited professionals from the AV industry and AV testers to attend the “International Antivirus Testing Workshop” this week in Reykjavik. The workshop was held on Tuesday and Wednesday and I had the chance to attend the second session (in the afternoon) on Wednesday, which included a panel discussion. To me the presentation of Prof. Klaus Brunnstein was the most interesting, and in some respects it would be good if the AV industry used a “more academic” approach. Indeed it would be highly useful for everyone if the AV industry and AV testers agreed on some guidelines for testing, so that the test results would be comparable and, above all, more comprehensive. At the moment it seems that competition has priority over the protection of users (yes, users, not only particular customers of particular vendors!). Of course a virus lab or the software engineers are not pleased if the test results suggest that their product is so much less effective than a competitor’s. However, the first and foremost priority for us should be the protection of the users and of society - an ideal that was well described by Prof. Brunnstein and to which I subscribe almost entirely.
Oh, and before the title of this blog article is completely pointless, here’s the link to the website with the presentations from the workshop. Enjoy!
// Oliver
PS: AFAIK pictures will follow later today (Friday, that is).
Ilfak posted a nice demo clip on his blog: “Decompilation gets real”. This is a dream of many reversers and could really speed up the analysis of many samples.
// Oliver
In my previous article from November last year I challenged the claims of Joanna Rutkowska concerning Redpill. A recent article in the German computer magazine iX (April 2007) mentioned Rutkowska’s findings again, so I decided to review the tool, the driver, the accompanying research paper and the results. You can download the new results below. The most interesting findings were made by observing the values on Virtual PC 2007. For every operating system and every VMM tested, every combination of the following was considered: VMM tools installed or not installed, and acceleration enabled or disabled. For Virtual PC 2007, “acceleration” means hardware-assisted virtualization.
Continue reading ‘Redpill getting colorless? (continued)’
To create a public/private key pair for use in PuTTY (i.e. OpenSSH and so on) use the following method.
Continue reading ‘PuTTY Key Generator’
Read the article for yourself on Heise: Kasperskys worry about malware and hit out at Microsoft.
I would therefore like to see a kind of internet Interpol. Even the best security software will, on its own, soon no longer be sufficient
Eugene Kaspersky
// Oliver
I wonder whether this is an official statement on behalf of Lavasoft. Alright, there have been other statements from the PR spokesperson which are not much better, but this one is really frightening (emphasis mine):
That being said, we are very aware that you do not want a process that, seemingly without reason, hogs precious system resources — We do not want that either. Please bear in mind, however, that this is beta software, and the program has yet to find its final form, both in terms of features and in terms of what it requires of your system in order to run.
Source: Lavasoft Beta Community
Has anyone of those in charge there actually read this article yet?
// Oliver
In this article back in November 2006 I complained about the way the security flaw was reported. This was apparently fixed. So I think it is only fair to publish that fact here as well.
My apologies for the delay, some friends made me aware of the changes only recently.
// Oliver
Unbelievable. Even though the company is aware of their violation of the GPL, they don’t give a shit about it, as it seems. They have been aware of it for at least one month now, yet their newest release, which bears the version number 1.61, still contains the binary-identical file which has been in violation of the GPL since version 1.55 (inclusive!).
Continue reading ‘Violating GPL to make the big money #2 …’
A great new opportunity for IT security companies which sell products to detect bugs in software automatically (static analysis): report some vulnerabilities after running your program on a bunch of software applications and feature your own product in the “Provided and/or discovered by” field without ever giving details of the error! The last one is important, never give details! That’s sleek, that’s modern, that’s seemingly a new initiative by Secunia to support third-party security companies. One of the first to take advantage of this new initiative is GLEG Ltd. from Russia.
Continue reading ‘Marketing for security companies now via Secunia!’
Although I had posted this already at the malware research forum and received little feedback, I decided to prepare a brief research paper about this topic and post it here.
The topic is that the Redpill approach by Joanna Rutkowska does not seem to work reliably: the values retrieved in kernel mode inside a virtual machine (VMware) differ substantially from the ones retrieved in user mode. While calling SIDT from user mode was the whole point of the approach, one would not normally expect the user-mode and kernel-mode results to differ. The difference also means that the approach is not generally applicable. Last but not least, the Redpill approach failed for me on Virtual PC (see the paper).
Continue reading ‘Redpill getting colorless?’
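To make the SIDT check discussed in this post (and in the follow-up and the BluePill post above) concrete, here is an added example in C. It is not Rutkowska’s Redpill nor the tool reviewed in these posts; it only reproduces the published heuristic (Redpill compares the most significant byte of the 32-bit IDT base against 0xd0) on top of a plain SIDT read, and decodes both the 6-byte (32-bit) and 10-byte (64-bit) IDTR images. The sample IDTR images below are constructed for illustration and are not measurements from any VMM. Two caveats a practitioner should keep in mind, beyond what the posts found (user-mode and kernel-mode values differ on VMware, and the check fails on Virtual PC): the byte-5 heuristic only makes sense for a 32-bit guest, and on hosts with UMIP enabled a user-mode SIDT returns a kernel-supplied dummy value rather than the real IDTR.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* SIDT stores a 16-bit limit followed by the IDT base: 4 base bytes in
 * 32-bit mode (6 bytes total), 8 base bytes in 64-bit mode (10 bytes). */
#define IDTR32_LEN 6
#define IDTR64_LEN 10

/* Constructed sample IDTR images (little-endian), not real measurements. */
const uint8_t SAMPLE_VMWARE_IDTR[IDTR32_LEN]   = {0xff, 0x07, 0x00, 0x00, 0x80, 0xff}; /* base 0xff800000 */
const uint8_t SAMPLE_NATIVE_IDTR[IDTR32_LEN]   = {0xff, 0x07, 0x00, 0x00, 0x00, 0x80}; /* base 0x80000000 */
const uint8_t SAMPLE_LONGMODE_IDTR[IDTR64_LEN] = {0xff, 0x0f, 0x00, 0x00, 0x00, 0x00,
                                                  0x80, 0xff, 0xff, 0xff};             /* base 0xffffff8000000000 */

/* Decode the IDT base from a raw IDTR image; len selects 4- or 8-byte base. */
uint64_t idtr_base(const uint8_t *buf, size_t len)
{
    size_t n = (len >= IDTR64_LEN) ? 8 : 4;
    uint64_t base = 0;
    for (size_t i = 0; i < n; i++)
        base |= (uint64_t)buf[2 + i] << (8 * i);
    return base;
}

uint16_t idtr_limit(const uint8_t *buf)
{
    return (uint16_t)(buf[0] | (buf[1] << 8));
}

/* Redpill's published test: MSB of the 32-bit IDT base above 0xd0 => "Inside Matrix".
 * Only meaningful for a 32-bit guest, and only as reliable as the posts describe. */
int redpill_says_vm(const uint8_t *buf)
{
    return buf[5] > 0xd0;
}

/* Read the current CPU's IDTR with SIDT (unprivileged on x86 unless UMIP is on).
 * Returns 0 on success, -1 where the instruction does not exist. */
int read_idtr(uint8_t *buf, size_t len)
{
#if defined(__i386__) || defined(__x86_64__)
    struct __attribute__((packed)) idtr { uint16_t limit; uint64_t base; } r = {0, 0};
    if (len < IDTR64_LEN)
        return -1;
    __asm__ volatile("sidt %0" : "=m"(r));   /* writes 6 or 10 bytes depending on mode */
    memset(buf, 0, len);
    memcpy(buf, &r, sizeof r);
    return 0;
#else
    (void)buf; (void)len;
    return -1;
#endif
}

int main(void)
{
    uint8_t buf[IDTR64_LEN];
    if (read_idtr(buf, sizeof buf) != 0) {
        puts("SIDT is not available on this architecture");
        return 1;
    }
    printf("IDTR limit=0x%04x base=0x%016llx\n",
           idtr_limit(buf), (unsigned long long)idtr_base(buf, sizeof buf));
    printf("Redpill heuristic (32-bit guests only): %s\n",
           redpill_says_vm(buf) ? "VMM suspected" : "no VMM suspected");
    return 0;
}
```

Run it once in user mode and once from a kernel driver (not shown) on the same VM to reproduce the discrepancy the post describes; a single user-mode reading is not enough to draw a conclusion.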
IE7 is coming. But who cares? This company has not given a sh*t about standards for the last 10 years, and now all of us are supposed to fix our websites again just because they finally found out that there is a certain sense in standards compliance? I don’t think so. On my website there is one single piece of special treatment for the old IE because it had a screwed-up box model - and frankly, I am excited to see how screwed up it will look now that IE is going to be standards compliant.
Continue reading ‘So IE7 is coming. Who cares anyway?’
… many people are blaming the judge in the US for Spamhaus’s problems. However, here is a different view on the case.
If you are not familiar with the case: a US-based company has sued UK-based Spamhaus - the well-known anti-spam fighters - because Spamhaus blacklisted the company’s domain as a spam source.
// Oliver
Obviously spammers try to get the biggest effect without checking for success. This is why greylisting works so well, I think.
I still get daily requests to the sendmail CGI script, which is no longer vulnerable and turns down all exploit requests in the first check. I rarely see a message which gets to the second check and is illegitimate. Funny, huh? Looks like the spammers are not smart enough to see that there is no success anymore. If I were a spammer, I’d always include one mail address of my own as a recipient to check my success rate and “assess” the different paths of spitting out my garbage to the world.
It has been over a week now that I patched the security hole …
// Oliver
Today the Software Engineering Institute of Carnegie Mellon University (CMU) announced a new tool named LiveView on the forensics mailing list at SecurityFocus.
This tool looks really promising in that it claims to provide a way to create a VMware image from a physical disk or a raw disk image (e.g. one created with dd). Such a tool will allow security researchers to inspect an infected machine without having to be at the site of the incident. Although CMU introduced the tool to forensics specialists, it can be used in various ways apart from its main objective. Such a tool should have been published long ago by the VM vendors. Thanks to CERT and CMU we now have this tool to aid in different ways during an investigation of malware targets.
Check it out!
// Oliver
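The core of what the post describes, booting a raw dd image inside VMware without converting it, comes down to writing a small VMDK descriptor that maps the raw file one-to-one as a flat extent. Here is an added Python example of that step; it is not LiveView’s code and the paths and sizes are constructed for illustration. It assumes a whole-disk image (MBR and all), since a bare partition image would not boot this way.

```python
import os
import uuid
from typing import Optional

SECTOR = 512
HEADS, SECTORS_PER_TRACK = 16, 63   # VMware's IDE geometry (C/H/S with 16 heads, 63 sectors)
MAX_IDE_CYLINDERS = 16383           # cylinder count VMware accepts for an IDE disk


def raw_to_vmdk_descriptor(raw_path: str, size_bytes: int, cid: Optional[str] = None) -> str:
    """Build a monolithicFlat VMDK descriptor whose single extent is the raw image itself.

    The raw file is referenced by basename, so the descriptor must live next to it.
    Nothing is written into the evidence file; VMware reads the extent in place.
    """
    if size_bytes % SECTOR:
        raise ValueError("raw image size is not a whole number of 512-byte sectors")
    sectors = size_bytes // SECTOR
    cylinders = min(sectors // (HEADS * SECTORS_PER_TRACK), MAX_IDE_CYLINDERS)
    cid = cid or f"{uuid.uuid4().int & 0xFFFFFFFF:08x}"   # content id; any 32-bit hex value
    lines = [
        "# Disk DescriptorFile",
        "version=1",
        f"CID={cid}",
        "parentCID=ffffffff",
        'createType="monolithicFlat"',
        "",
        "# Extent description",
        f'RW {sectors} FLAT "{os.path.basename(raw_path)}" 0',
        "",
        "# The Disk Data Base",
        "#DDB",
        'ddb.adapterType = "ide"',
        f'ddb.geometry.cylinders = "{cylinders}"',
        f'ddb.geometry.heads = "{HEADS}"',
        f'ddb.geometry.sectors = "{SECTORS_PER_TRACK}"',
        'ddb.virtualHWVersion = "4"',
    ]
    return "\n".join(lines) + "\n"


def wrap_raw_image(raw_path: str, out_path: Optional[str] = None) -> str:
    """Write <image>.vmdk beside a dd image and return the descriptor path."""
    size = os.path.getsize(raw_path)
    out_path = out_path or os.path.splitext(raw_path)[0] + ".vmdk"
    with open(out_path, "w", encoding="ascii") as fh:
        fh.write(raw_to_vmdk_descriptor(raw_path, size))
    return out_path


if __name__ == "__main__":
    # Constructed demo: a 1 MiB all-zero "disk" image in the current directory.
    demo = "evidence-demo.dd"
    with open(demo, "wb") as fh:
        fh.truncate(2048 * SECTOR)
    print(open(wrap_raw_image(demo), encoding="ascii").read())
```

Point a .vmx at the descriptor and set the disk to `ide0:0.mode = "independent-nonpersistent"` so that every write from the booted guest goes to a redo log and the dd image stays pristine; that, plus a hash of the image before and after the session, is what keeps the exercise forensically defensible.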
Today my logs showed exactly how the spammers exploited the old script. I do not log the mail body, only sender, recipient and subject, but that’s enough to show the pattern used. In fact the subject variable was used, but differently from what I expected. Continue reading ‘Spammers not welcome (2nd part)’
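The two posts above describe a form-mail CGI script with a cheap first check that turns away the exploit attempts, a second check that only legitimate-looking requests reach, and a log of sender, recipient and subject only; they also note that the subject field was the injection vector. The page does not show the script, so the following is an added Python example of that two-stage design (not the author’s script) together with a minimal greylisting triplet check, since the post credits greylisting with the same effect of spammers never retrying. Field names, the recipient allowlist and the sample requests are all constructed for illustration.

```python
import re
from typing import Dict, Optional, Tuple

# Form fields that end up in SMTP headers. A line break in any of them lets the
# sender append headers of their own (extra To:/Bcc: lines, a second body).
HEADER_FIELDS = ("sender", "recipient", "subject")
# Hypothetical site-local allowlist: a contact form should only mail its owner.
ALLOWED_RECIPIENTS = {"webmaster@example.org"}
MAX_SUBJECT_LEN = 200

CRLF_RE = re.compile(r"[\r\n]|%0[aAdD]")   # raw CR/LF, or a still-URL-encoded one
ADDR_RE = re.compile(r"^[A-Za-z0-9._+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def first_check(form: Dict[str, str]) -> Optional[str]:
    """Stage 1, cheap and absolute: no header-bound field may carry a line break."""
    for name in HEADER_FIELDS:
        if CRLF_RE.search(form.get(name, "")):
            return f"stage1: line break in {name}"
    return None


def second_check(form: Dict[str, str]) -> Optional[str]:
    """Stage 2, semantic: the request must still look like one a human sent."""
    if form.get("recipient") not in ALLOWED_RECIPIENTS:
        return "stage2: recipient not on allowlist"
    if not ADDR_RE.match(form.get("sender", "")):
        return "stage2: malformed sender address"
    if len(form.get("subject", "")) > MAX_SUBJECT_LEN:
        return "stage2: subject too long"
    return None


def handle(form: Dict[str, str]) -> Tuple[str, Optional[str]]:
    """Run both stages; only requests that pass stage 1 ever reach stage 2."""
    reason = first_check(form) or second_check(form)
    return ("rejected", reason) if reason else ("accepted", None)


def log_line(form: Dict[str, str], verdict: Tuple[str, Optional[str]]) -> str:
    """Log sender, recipient and subject only (never the body), with CR/LF made visible."""
    status, reason = verdict
    subject = form.get("subject", "").replace("\r", "\\r").replace("\n", "\\n")
    return (f'{status} sender={form.get("sender", "")} rcpt={form.get("recipient", "")} '
            f'subject="{subject}" reason={reason or "-"}')


# Greylisting: a (client IP, envelope sender, envelope recipient) triplet is deferred
# with a temporary SMTP error until it comes back after GREYLIST_DELAY seconds.
# Real MTAs retry; the post observes that the spam scripts never do.
GREYLIST_DELAY = 300.0


def greylist(seen: Dict[Tuple[str, str, str], float],
             triplet: Tuple[str, str, str], now: float) -> str:
    first_seen = seen.setdefault(triplet, now)
    return "accept" if now - first_seen >= GREYLIST_DELAY else "defer"


# Constructed sample requests, not lines from the author's logs.
SAMPLE_REQUESTS = [
    {"sender": "alice@example.com", "recipient": "webmaster@example.org",
     "subject": "Question about your article"},
    {"sender": "alice@example.com", "recipient": "webmaster@example.org",
     "subject": "Hi\nBcc: victim1@example.net, victim2@example.net\n\nBuy now"},
    {"sender": "alice@example.com", "recipient": "webmaster@example.org",
     "subject": "Hi%0d%0aTo: victim3@example.net"},
    {"sender": "alice@example.com", "recipient": "victim4@example.net",
     "subject": "Forwarded through your form"},
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(log_line(req, handle(req)))
```

Keeping stage 1 independent of any parsing (a plain scan for CR/LF) is what makes it a reliable first line: header injection needs a line break, so nothing that reaches stage 2 can have smuggled extra headers, whatever the mail library does with the fields afterwards.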