Michał ‘GiM’ Spadliński, a Polish blogger, wrote in his article “Czy Redpill Joanny Rutkowskiej jest poprawny?”:
Oliver Schneider (a reverse engineer working for F-Prot) published […] an article, dated April 1st, which does not look like an April Fool’s joke at all.
This made me really laugh. No, I have to admit my Polish is not the best (and getting worse due to lack of practice), but I could clearly understand the quoted parts and quite a bit more.
Continue reading ‘No it wasn’t an April Fool’s joke’
No, this time it is not a binary file for download. It is a website. I hope you enjoy it as much as I did when a colleague pointed me to it.
This website allows you to look up DLL versions, when they were bundled with which product, and so on. Very nice idea.
// Oliver
… here Kaspersky claims:
An advisory has recently been published on rootkit.com regarding a vulnerability in KAV 7.0. Unfortunately, the authors of this material chose not to adhere to industry standard practice, and contact the vendor prior to disclosing vulnerability details. Although the authors claim that all attempts to inform Kaspersky Lab about this vulnerability were ignored, this is not the case: if we had been informed, this issue would have been addressed long ago.
I am really upset by this! I reported this vulnerability back in October 2005 in the Kaspersky subforum at malware-research.co.uk, a closed forum for security professionals, and one person from Kaspersky Labs Netherlands replied and said it would be taken care of. Back then (before the reply) I wrote that if they did not respond in due time I’d publish it (without details) through public channels, which was taken as a threat by the person who responded. Interestingly, I never checked again, and it was almost one year later (September 2006) that I joined FRISK Software International and thus the AV industry.
Also fascinating: I am not the one who published it on rootkit.com; instead I chose to contact them in a closed security-aware community, and the result was apparently the same. Kaspersky chose to ignore it in the end in both cases. I can well imagine that “the authors claim that all attempts to inform Kaspersky Lab about this vulnerability were ignored”.
Excuse me, but the claims in the above quote are ridiculous to say the least.
// Oliver
BTW: I met said person at the AV Workshop this year. A few weeks after the workshop, a bug that I reported more than 18 months ago surfaces again (in one of their latest products!). Amazing!
Today I set up an RSS feed for DDKWizard and DDKBUILD under this URL. If you are interested in either of these tools, please feel free to subscribe and get automatic notifications about updates within your favorite feed reader.
// Oliver
As some of you may know, FRISK Software had invited professionals from the AV industry and AV testers to attend the “International Antivirus Testing Workshop” this week in Reykjavik. The workshop was held on Tuesday and Wednesday, and I had the chance to attend the second session (in the afternoon) on Wednesday, which included a panel discussion. To me the presentation of Prof. Klaus Brunnstein was the most interesting, and in some respects it would be good if the AV industry used a “more academic” approach. Indeed, it would be highly useful for everyone if the AV industry and AV testers agreed on some guidelines for testing, so that the test results would be comparable and, especially, more comprehensive. At the moment it seems that competition has priority over the protection of users (yes, users, not only particular customers of particular vendors!). Of course a virus lab or the software engineers are not pleased if the test results suggest that their product is so much less effective than a competitor’s. However, the first and foremost priority for us should be the protection of users and society, an ideal that was well described by Prof. Brunnstein and to which I subscribe almost entirely.
Oh, and before the title of this blog article becomes completely pointless, here’s the link to the website with the presentations from the workshop. Enjoy!
// Oliver
PS: AFAIK pictures will follow later today (Friday, that is).
Ilfak posted a nice demo clip on his blog: “Decompilation gets real”. This is really a dream of many reversers and could greatly speed up the analysis of many samples.
// Oliver
Delphi is actually quite a pleasant programming language for the small and large tasks of a programmer. Unfortunately, Borland/Inprise/CodeGear have apparently been asleep for about 10 years.
First of all, I started out with Delphi on Windows after having gathered some experience on DOS with assembler and Turbo Pascal. That does not keep me from now using almost exclusively C/C++ for those tasks where a binary program is expected as output. How come? Well, to be fair, it has to be said up front that I have to use C/C++ at work anyway, and that Delphi is nonsense for driver programming anyway. However, Delphi itself (or rather its vendor) is responsible for this to a not insignificant extent.
Continue reading ‘Was ich an Delphi überhaupt nicht mag’
In my previous article from November last year I challenged the claims of Joanna Rutkowska concerning Redpill. A recent article in the German computer magazine iX (April 2007) mentioned Rutkowska’s findings again, so I decided to review the tool, the driver, the accompanying research paper and the results. You can download the new results below. The most interesting findings were made by observing the values on Virtual PC 2007. For every operating system and every VMM tested, the following configurations were considered: VMM tools installed or not installed, with acceleration enabled or disabled respectively. For Virtual PC 2007 the acceleration was hardware virtualization.
Continue reading ‘Redpill getting colorless? (continued)’
The fixes in DDKWizard are minor except for one. This one requires manual fixing in old existing projects that were created using DDKWizard. The problem is described in section 5.1, “Important change in version 1.1.1b”.
As for DDKBUILD, there was a bug that prevented users from calling it from inside a long path containing spaces. This has been fixed.
Please fetch your copy here.
// Oliver
Read the article for yourself on Heise: Kasperskys worry about malware and hit out at Microsoft.
I would therefore like to see a kind of internet Interpol. Even the best security software will, on its own, soon no longer be sufficient.
Eugene Kaspersky
// Oliver
So Delphi 2007 for Win32 has been released. Should I update now because the product is so cool and finally fast again, only to unfortunately lose the other BDS products that I currently have included? Somehow the logic escapes me there. Anyone who could help out? Or should one simply wait until the other products complete BDS and then update? …
// Oliver
I wonder whether this is an official statement on behalf of Lavasoft. Alright, there have been other statements from the PR spokesperson which are not much better, but this one is really frightening (emphasis mine):
That being said, we are very aware that you do not want a process that, seemingly without reason, hogs precious system resources — We do not want that either. Please bear in mind, however, that this is beta software, and the program has yet to find its final form, both in terms of features and in terms of what it requires of your system in order to run.
Source: Lavasoft Beta Community
Has anyone of those in charge there actually read this article yet?
// Oliver
… one usually takes the paths that have already led to success once. My search for WiX material (sounds worse than it is :mrgreen:) promptly led me to an old acquaintance.
Thanks Mathias!
// Olli
Since it is always exciting to find new features, I thought it would be good to put up a list of the changes introduced into the IDA SDK since version 5.0. This should allow all plugin writers to get a quick overview of the new functionality.
The relevant changes in the IDA SDK between version 5.0 and 5.1 beta 2 follow, sorted by filename …
Continue reading ‘Updates in the IDA SDK 5.1 …’
Finally, IDA 5.1 and Virtual PC 2007 have been released. I wrote about IDA during the beta phase and I promise to write some more about it (probably) next weekend.
Virtual PC 2007, just like its predecessor Virtual PC 2004, is freely downloadable and comes free of charge. Although it is inferior to VMware in several respects, there seems to be one point where Virtual PC 2007 is better than VMware … the support of VMX on 32-bit hosts. However, I’ll have to verify that and will get back to you with more information once I have it.
// Oliver
In this article back in November 2006 I complained about the way the security flaw was reported. This has apparently been fixed, so I think it is only fair to publish that fact here as well.
My apologies for the delay; some friends made me aware of the changes only recently.
// Oliver
The F-Prot 3.x uninstaller of the Windows version apparently has a glitch. Due to how Windows works, this may lead to a blue screen if the driver entry in the registry was not removed during an upgrade to version 6.x! To mitigate this issue until the next version is released, use the fix described here before you reboot the system after upgrading from F-Prot 3.x to 6.x!
// Oliver
PS: The next release of the 6.x installer will be aware of the issue and incorporate the fix.
Today, FRISK Software International (FSI) released, in a not so surprising move (there had been rumors before), F-PROT Antivirus for Windows, Corporate use, which carries the version number 6.0.5.1, just like the recently released home use version.
Please provide FSI with feedback at the FSI forum or via support.
// Oliver
Yesterday Ilfak released the second beta of IDA 5.1. Not only have several issues been fixed, but the IDC symbol and kernel function were also introduced, as described in the updated blog entry from a few days ago.
// Oliver