Summary of “Making Strategic Sense of Cyber Power: Why the Sky is Not Falling”

The United States Army War College Strategic Studies Institute (SSI) published on April 4, 2013 an interesting paper titled “Making Strategic Sense of Cyber Power: Why the Sky is Not Falling” by Colin S. Gray. At 83 pages it is a long read, but it is a refreshing contrarian view against the FUD that fuels our industry’s sales of products and services. Also, I’ve been really enjoying War Nerd lately, so I feel I should take an interest in armchair military strategy in a domain I know about. Below are some of my favorite quotes (categorized and re-arranged by me).

Anything can be made scary if you assume the worst of the unknowns.

“Cyber attack may be so stealthy that it escapes notice for a long while, or it might wreak digital havoc by complete surprise. And need one emphasize, that at least for a while, hostile cyber action is likely to be hard (though not quite impossible) to attribute with a cyberized equivalent to a “smoking gun.” Once one is in the realm of the catastrophic “What if . . . ,” the world is indeed a frightening place.”

“David J. Betz and Tim Stevens strike the right note when they conclude that “[i]f cyberspace is not quite the hoped-for Garden of Eden, it is also not quite the pestilential swamp of the imagination of the cyber-alarmists.””

Cyber, in terms of strategy, is not unprecedented.

“Assuredly, cyber is technically extraordinary, but so too was the electric telegraph in the 1840s. The telephone, radio, and television were each on the frontier of technological achievement for a short while.”

“Once we shed our inappropriate awe of the scientific and technological novelty and wonder of it all, we ought to have little trouble realizing that, as a strategic challenge, we have met and succeeded against the like of networked computers and their electrons before. The whole record of strategic history says: Be respectful of, and adapt for, technical change, but do not panic.”

“Cyber warfare is not, however, entirely unprecedented in its potential to do harm to people without applying force directly. For example, economic warfare in the two World Wars was confined not only to the infliction of harm kinetically, but also by the manipulation of commodity and other markets in neutral countries, in order to starve belligerent populations and deprive their industries of necessary raw materials”

Cyber doesn’t kill people. It will be most effective when used in conjunction with physical force.

“cyber power will prove most useful (or dangerous [...]) as an enabler of joint military operations.”

“cyber is only one among many ways in which we collect, store, and transmit information … From the beginning of time, armies have clashed in relative ignorance. This is not to demean the value of information, but to remind ourselves that information, even knowledge (or its absence), is not a wholly reliable key to strategic success or failure” – My understanding of this is that even if all our computers and networks are destroyed, we can still fight.

Unlike land, sea, air, and space, we built cyber space and it is governed by the rules we made for it.

“Although it continues to be orthodox to assert that cyberspace is by its scientific nature an environment friendly to offense, rather than defense, this fashionable belief almost certainly either is wrong, or, to be generous, is seriously misleading. On November 10, 1932, Stanley Baldwin was not correct when he claimed that “the bomber will always get through,” at least it would not get through well prepared defenses in strategically lethal numbers able to attack critical targets.”

“The cyberspace we use is that which we have chosen. If that cyberspace is found vulnerable to attack, or unexpectedly prone to technical failure, the fault will be ours. This cannot be said in these terms of the land, sea, air, and Earth-orbital military domains. [...] If we are lethally vulnerable to harm in our use of cyberspace, it will largely, if not wholly, be our own fault.”

Paper review – May 2013

I’m going to start publishing summaries here of papers I read that are interesting, pointing out the highlights. I have a lot of catching up to do, and sometimes I don’t find out about a paper until later, so I will be reviewing some older papers here as well, but I’ll make sure to include dates. Let me know if these summaries are interesting to you by contacting me at 0xdabbad00 on gmail and twitter!

Mitigating Software Vulnerabilities

Microsoft paper, July 2011, Authors: Matt Miller, Tim Burrell, Michael Howard

  • Great tables showing mitigations (DEP, ASLR, SEHOP and others) available for different versions of Windows, Visual Studio compilers, and versions of IE and Office. Shows when different technologies were introduced.
  • Describes the economics of exploitation and how these mitigations drive up costs for an attacker. Using 3 tactics:
    • Enforce invariants: “Invalidate an attacker‘s implicit assumptions” – DEP, SEHOP
    • Create artificial diversity: ASLR
    • Leverage knowledge deficits: /GS (stack cookies)
  • “There are no known exploits for stack-based vulnerabilities that have been capable of bypassing the combination of /GS, SEHOP, DEP, and ASLR.”
  • “No exploits have been observed in the wild that rely on corrupting heap metadata and target Windows Vista and beyond.” Note this statement covers only corruption of “heap metadata”; it says nothing about exploits that corrupt application data stored on the heap.
  • Links to this great presentation (video and audio, but no slides, 45min) from Matt Miller BlueHat v8: Mitigations Unplugged

Low-level Software Security: Attacks and Defenses

Microsoft paper, November 2007, Author: Ulfar Erlingsson

Describes memory corruption attacks, but more importantly to me, describes defenses (and their performance impacts) which are:

  1. “Checking Stack Canaries on Return Address” – This is /GS. Discusses how the protection is applied only to functions the compiler’s heuristics consider at risk (to keep the overhead down), which is how the 2007 ANI cursor vulnerability ended up in a function the heuristics had left unprotected.

  2. “Moving function-local variables below stack buffers” – Compiler can rearrange variables on the stack so a buffer overflow will not over-write other variables.
  3. “Make data not be executable as machine code” – DEP
  4. “Enforcing control-flow integrity on code exe” – The concept here is that for things like C-structs that contain function pointers, to avoid having these over-written with arbitrary function addresses and subsequently executed, you can check these if you happen to know that they can only be one of some set of possible values.
  5. “Encrypting addresses in code and data pointers” – Even though a function pointer might be over-written, encrypt it so that the attacker doesn’t know what value to over-write it with. This concept is used on Vista’s heap metadata.
  6. “Randomizing the layout of code and data in memory” – ASLR

TASK FORCE REPORT: Resilient Military Systems and the Advanced Cyber Threat

Defense Science Board, January 2013, dozens of authors, approx 90 pages.

  • Categorizes adversaries into:
    1. Those that can take advantage of known threats.
    2. Those that can find 0-days
    3. Those that can create vulnerabilities in systems (Tier V-VI threats)
  • The only countries capable of creating vulnerabilities, according to the report, are the Russians, Chinese, and US. Those that create vulnerabilities are basically those that can modify the supply chain or leverage insiders. Willing to spend billions of dollars and years to do so. Provides the example of The Gunman Project. According to the report, these advanced threats require the US to spy on adversaries in order to know about them at all.
  • Section 8 is the most interesting part to read, as it discusses “Enhancing Defenses to Thwart Low- and Mid-Tier Threats”, and provides a success story of how this has been accomplished in the Dept of State. See pages 59-62, which describe:
    • “8.2.1.3 Automate Patch and Threat Management Functions” states “Over time, fewer staff should be needed to maintain software patches and network configurations, allowing a shift in effort toward hunting adversaries who have penetrated our networks. Most of the COTS technologies available today have user interfaces that allow high levels of flexibility for determining what is deemed unusual network behavior, allowing system administrators to adjust and adapt the monitoring systems as threats evolve.”

    • “8.2.1.4 Audit to the Enterprise Standard” – Discusses improvement of security posture not only in terms of technical solutions but also through “peer pressure” by grading personnel and holding managers responsible.
    • “8.2.1.5 Build Network Recovery Capability” – Advocates having a back-up network and systems to use while kicking an adversary out of one network.
    • “8.2.1.6 Recover to a Known (Trusted) State” – Have the ability to rapidly revert to back-ups.
  • Like much of the thought leadership occurring in cyber, it advocates better defined career paths for “cyber warriors”. You can tell this doc is gov focused, as it mentions “cyber” repeatedly (911 times!).
  • Strong focus in the report on nuclear forces. Discusses how the US nuclear enterprise should be a guide for how cyber could be similarly organized and implemented (isolated and very different from other capabilities).

Top Hacker Conferences

There are probably enough infosec conferences for every day of the year now. All (good) conferences post their slides now, so based on the archives of the past year’s conferences, here are my favorites (most recent to oldest, with links going to the slide downloads):

Exploit Mitigation Kill Chain

tl;dr: Click on the diagram below to see the defenses involved in a content exploit.

The Lockheed Martin Cyber Kill Chain paper (“Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains”) is often referenced in the cyber (i.e. US gov infosec) community. Its main purpose is to advocate sharing IOCs (Indicators of Compromise) via a continuous feedback loop, making life harder for attackers by outing their TTPs (Tactics, Techniques, and Procedures). The concept is that it is very costly to recreate every aspect of an operation, so some parts will always be re-used in new attacks: the IPs, exploits, malware, or some aspect of the malware (packer, mutexes, etc.). If you record the indicators from each phase of an attack you have seen, then detecting any one of them in a future intrusion lets you deny that new attack in its entirety. This moves the asymmetry in cyber away from the attacker (usually viewed as only needing to win once) and toward the defender, who only needs to detect one phase of an attack to win.

Although I will not be discussing IOCs here, I would like to discuss the “kill chain” of content exploits, which are those exploits contained within pdf files, web pages, and Office documents. There are many defenses that exist to deny and disrupt various phases of an attack, and I’ve tried to diagram these, but this is a lot to try to cover, with some exceptions depending on the type of software used in the defense, the exploit, and other variables. I also sacrificed some clarity for brevity. Sorry.

My attack scenario involves convincing a Windows user to open a content file (.pdf, .doc) or browse to a site (Java, Flash, or browser exploit) such that Adobe Reader, Microsoft Office, Google Chrome, Mozilla Firefox, or Microsoft Internet Explorer is exploited. All of these (with the exception of Firefox) now run within a sandbox that is implemented using Windows integrity levels (the renderer or document process runs at low integrity, so even after code execution it cannot write to most of the file system or registry).

Trying to understand where in the kill chain a security product sits can be confusing. Although defense in-depth is important, you probably don’t need two products that protect at the same level. Most security vendors should be able to point to a place near the top or bottom where their product sits to either deny the malicious content from getting to the user to begin with (the top), or to deny what the attack is able to accomplish once it obtains code execution (the bottom). This is only one attack scenario, and so some security products are more focused on other types of attacks.

Red circles are actions the attacker can make, blue are “accomplishments” he has achieved, and green are the defenses that may exist. The attack moves from the top to bottom.

PDF version: exploit_mitigation_kill_chain.pdf

For a copy of the Visio file or for corrections, enhancements, etc. contact me at 0xdabbad00 on gmail and twitter.

Prevalence of memory corruption exploits

When security folks think of hacking and malware attacks they tend to think of memory corruption exploits as being the common attack vector. This is a misconception, and I believe will become more of a misconception as defenses improve.

What are memory corruption exploits? Broadly, anything that corrupts a program’s memory (stack, heap, or a pointer) to hijack control flow and end up running attacker-supplied code (shellcode or a ROP chain). If you see a discussion that involves any of the following terms, it is probably about a memory corruption exploit:

  • Buffer overflows
  • Format string vulnerabilities
  • Use after free, double-free, heap feng shui
  • Fuzzing (the usual way such bugs are found)

The defenses on Windows for these can be best seen in the BlackHat USA 2012 presentation by Ken Johnson and Matt Miller titled Exploit Mitigation Improvements in Windows 8. There are two great diagrams there showing the protections against stack and heap vulnerabilities to mitigate the ability to get control of the instruction pointer, and then a slide to show the mitigations in place to get arbitrary code execution even if an attack can control the instruction pointer.

Let’s look at some popular worms and exploits and the infection vectors they used. I tried to choose some of the more famous and notable malware samples (with help from the Timeline of notable computer viruses and worms from wikipedia), with the assumption that these are more popular and have been more successful. I probably missed some of your favorites (like a lot of Chinese exploits). Let me know if I missed any infection vectors used by the malware listed or miscategorized them. Dates represent when the infection first became public. “Email attachment” means it was simply a .exe (possibly with a different extension) sent in an email.

For each sample: the memory corruption exploit it used (if any), and its other infection vectors.

Morris worm: November 2, 1988
First Internet worm. Infected Unix systems.
Memory corruption exploit: buffer overflow in the finger daemon (fingerd)
Other infection vectors: rsh and rexec against trusted machines and accounts whose passwords it could guess; the DEBUG mode command of sendmail to run commands on remote hosts

ILOVEYOU: May 5, 2000
.vbs (Visual Basic Script) file sent via email
Memory corruption exploit: none
Other infection vectors: email attachment

Sadmind: May 8, 2001
Infected both Solaris systems and Windows IIS web servers
Memory corruption exploit: VU#28934, buffer overflow in the Solaris sadmind RPC service
Other infection vectors: MS00-078, directory traversal in Windows IIS, which lets a request such as “GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir” run commands (the “..” is Unicode-encoded to get past the path check)

CodeRed: July 13, 2001
Followed by CodeRed II on August 4, 2001, which used the same infection vector but a different payload.
Memory corruption exploit: MS01-033, buffer overflow in the IIS Index Server ISAPI extension (.ida)
Other infection vectors: none

Nimda: September 18, 2001
Used the IIS directory traversal vector from Sadmind and the backdoors left behind by CodeRed II, plus the additional vectors below.
Memory corruption exploit: none
Other infection vectors: email attachment; infected every .exe it found with itself, so copying those files to other systems infected them too; searched network shares for directories containing .DOC and .EML files and dropped a hidden “RICHED20.DLL” there, which was loaded via DLL search path hijacking when a document in that directory was opened

SQL Slammer: January 25, 2003
Only 376 bytes; entirely memory resident (never written to disk).
Memory corruption exploit: MS02-039, buffer overflow in the SQL Server Resolution Service
Other infection vectors: none

Blaster: August 11, 2003
Only infected Windows 2000 and 32-bit Windows XP: the affected code was compiled with /GS on Windows Server 2003, so the exploit only crashed the service there instead of running code.
Memory corruption exploit: MS03-026, DCOM RPC buffer overflow
Other infection vectors: none

Sobig: January 2003
Memory corruption exploit: none
Other infection vectors: email attachment

Bagle: January 18, 2004
Memory corruption exploit: none
Other infection vectors: email attachment

Mydoom: January 26, 2004
Memory corruption exploit: none
Other infection vectors: email attachment; copied itself into the Kazaa (a file-sharing app, for you kids reading this) shared directory under the name of an enticing executable

Netsky: February 2004
Memory corruption exploit: none
Other infection vectors: email attachment

Sasser: April 30, 2004
Memory corruption exploit: CVE-2003-0533, buffer overflow in LSASS
Other infection vectors: none

Storm: January 17, 2007
Memory corruption exploit: none
Other infection vectors: email attachment; links to downloads

Conficker: November 2008
Memory corruption exploit: MS08-067, buffer overflow in the Server service RPC handling
Other infection vectors: autorun.inf for execution from plugged-in USB drives and from network shares (reached by guessing weak administrator passwords)

Operation Aurora: January 12, 2010
Memory corruption exploit: MS10-002, IE memory corruption (see the Metasploit post)
Other infection vectors: none

Stuxnet: June 2010
Memory corruption exploit: MS08-067, same as used by Conficker; CVE-2010-2743, privilege escalation via a malformed keyboard layout file
Other infection vectors: MS10-046, LNK file execution from USB drives; MS10-061, arbitrary file write via the print spooler; MS10-092, privilege escalation via Task Scheduler due to a CRC32 hash collision of a job file; CVE-2010-2772 / SSA-027884, hard-coded default password for the Siemens WinCC SQL Server database; SSA-110665, DLL hijacking of Step7 software when loading .s7p files

Duqu: September 1, 2011
Delivered in a .doc file
Memory corruption exploit: MS11-087, TrueType font parsing integer overflow (in the kernel-mode font engine, so exploitation gives kernel privileges)
Other infection vectors: none

Flashback: April 2, 2012
Mac malware; infection vectors as identified by Kaspersky
Memory corruption exploit: none
Other infection vectors: fake Flash Player download; CVE-2008-5353, Java deserialization issue; CVE-2011-3544, custom toString in the Rhino script engine allowing privileged execution of Java (see the Metasploit code); CVE-2012-0507, logic flaw in handling AtomicReferenceArray (not memory corruption, according to the TechNet post)

Flame: May 28, 2012
See the CrySyS report
Memory corruption exploit: none
Other infection vectors: KB 2718704, Windows Update flaw (a forged Microsoft certificate chained through the Terminal Services licensing CA, more info here); MS10-046, LNK file execution from USB drives; MS10-061, arbitrary file write via the print spooler

Miniduke: February 13, 2013
Delivered in a .pdf file
Memory corruption exploit: CVE-2013-0640, Adobe Reader exploit
Other infection vectors: none

I compiled this list so people can see the types of attacks EMET protects against (the “memory corruption exploit” entries) and all the threats it does nothing against (the “other infection vector” entries). I think EMET and the rest of the protections Microsoft has implemented in the OS and in Visual Studio to thwart memory corruption exploits are amazing and important, but never lose sight of the forest for the trees. There are other threats that are not memory corruption exploits, and as these protections become prevalent (the default, without needing EMET), memory corruption exploits will become less prevalent. Almost all of the other infection vectors can be thwarted by proper white-listing (the exception is the default SQL Server password vulnerability used by Stuxnet).

Watch any youtube videos with HTML5 instead of Flash

Some youtube videos allow you to watch them with HTML5; some give you the message “The Adobe Flash Player is required for video playback. Get the latest Flash Player”. I just discovered how to watch any video with HTML5:
https://www.youtube.com/watch?v=kzgBcSHQDAs
change the “watch?v=” to “/embed/”
https://www.youtube.com/embed/kzgBcSHQDAs

Extracting MiniDuke files from gifs using IceBuddha parse scripts

This post is a tutorial on how to use IceBuddha and its parse scripts to perform some malware analysis on MiniDuke.

On February 27, 2013, Kaspersky Labs released a paper, The MiniDuke Mystery: PDF 0-day Government Spy Assembler 0x29A Micro Backdoor. The paper states that the MiniDuke PDF exploit connects to artas[dot]org/engine/index.php (and some other domains), where it downloads a gif file that contains an encrypted backdoor.

I grabbed a copy of one of the files (bg_afvd.gif: md5sum 92a2c993b7a1849f11e8a95defacd2f7). I put the file in a password protected zip, using the same password scheme as http://contagiodump.blogspot.com, and you can download it here: bg_afvd.gif.zip (md5sum: 39664ffaf93d8961d1498de8a7c49807). It’s just a normal .gif file with some data appended to the end, so it can’t infect you, but it’s always good to take precautions.

IceBuddha has the ability to parse .gif files. You can take a look at one by going to http://icebuddha.com/index.htm?test=sample_1.gif

This sample file is the same one used by http://www.matthewflickinger.com/lab/whatsinagif/bits_and_bytes.asp which is an excellent explanation of the GIF file format.

When I look at bg_afvd.gif in IceBuddha though, I see there is a lot of data after the trailer.

At this point I want to extract out the data after the trailer. I could do this manually, but given that there are a number of MiniDuke gif files, it would be best to do this programmatically. IceBuddha’s parse scripts are python code that runs in the browser (using skulpt), but you can just as easily run them locally by cloning the github project https://github.com/0xdabbad00/icebuddha

Once you have that, go to the parse_scripts directory, and from here you can run:

python fileparser.py -t gif ~/Downloads/bg_afvd.gif

This will generate the following output:

[
  {
    "label": "GIF",
    "size": 1696,
    "data": "",
    "offset": 0,
    "interpretation": "",
    "children": [
      {
        "label": "GIFHEADER",
        "size": 6,
        "data": "",
        "offset": 0,
        "interpretation": "",
        "children": [
          {
            "label": "Signature[3]",
            "size": 3,
            "data": "",
            "offset": 0,
            "interpretation": "GIF",
            "children": []
          },
<snip>

You can get the same data by right-clicking on the parse data in IceBuddha and selecting “Download parsed data”.

You could then run this on all the MiniDuke gif files to identify the location of the trailer. I’ve written a script to find the trailer, extract the key, decrypt the pe file and write it to disk, which you can run as follows:

python example_extractMiniDukeFile.py ~/Downloads/bg_afvd.gif
22790 bytes found at end of file
Extracted file written to: /home/user/Downloads/bg_afvd.gif.infected

This script (part of the github repo) finds the trailer offset:

import fileparser  # IceBuddha's parse_scripts/fileparser.py; filename and filetype ("gif") are the script's arguments

# Check if GIFTrailer is at the end of the file
parsedData = fileparser.parseFile(filename, filetype)

trailer = fileparser.findElement(parsedData, "GIFTrailer")
trailerOffset = trailer['offset']

It then reads in the file, extracts the key, and decrypts the remainder of the file, which it writes to bg_afvd.gif.infected. This file has the md5sum 297ef5bf99b5e4fd413f3755ba6aad79, which you can search for in VirusTotal; the search results confirm this is indeed the correctly extracted MiniDuke file.
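For readers who want to do the same carving without IceBuddha’s fileparser, here is an added example (my own code, not part of IceBuddha or of the MiniDuke analysis above) that walks the GIF block structure itself to find the real trailer and returns whatever has been appended after it. It deliberately does not search for the first 0x3B byte, since that value can legitimately occur inside a color table or the LZW image data; the constructed sample below has exactly that property. The decryption step is left out because the key scheme is not described in this post; the script only writes the appended bytes to a file named <input>.appended, a naming choice of this example.

```python
import struct
import sys

GIF_TRAILER = 0x3B
GIF_EXTENSION = 0x21
GIF_IMAGE_DESCRIPTOR = 0x2C


def _color_table_size(packed: int) -> int:
    """Byte length of the color table a packed flags byte announces (3 bytes per entry)."""
    return 3 * (2 ** ((packed & 0x07) + 1)) if packed & 0x80 else 0


def _skip_sub_blocks(data: bytes, pos: int) -> int:
    """Advance past a chain of length-prefixed sub-blocks terminated by a 0x00 block."""
    while True:
        if pos >= len(data):
            raise ValueError("sub-block chain runs past the end of the data")
        n = data[pos]
        pos += 1
        if n == 0:
            return pos
        pos += n


def find_gif_trailer(data: bytes) -> int:
    """Walk the GIF block structure and return the offset of the real 0x3B trailer.

    Searching for the first 0x3B byte is not enough: the value can legitimately
    occur inside color tables and LZW data, so the blocks are parsed instead.
    """
    if len(data) < 13 or data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF header")
    # Logical screen descriptor: width, height, packed flags, background, aspect.
    _, _, packed, _, _ = struct.unpack_from("<HHBBB", data, 6)
    pos = 13 + _color_table_size(packed)            # skip the global color table, if any
    while pos < len(data):
        block = data[pos]
        if block == GIF_TRAILER:
            return pos
        if block == GIF_EXTENSION:                   # 0x21, label byte, then sub-blocks
            pos = _skip_sub_blocks(data, pos + 2)
        elif block == GIF_IMAGE_DESCRIPTOR:          # 0x2C followed by a 9-byte descriptor
            *_, img_packed = struct.unpack_from("<HHHHB", data, pos + 1)
            pos += 10 + _color_table_size(img_packed)  # local color table, if any
            pos += 1                                 # LZW minimum code size byte
            pos = _skip_sub_blocks(data, pos)        # compressed image sub-blocks
        else:
            raise ValueError("unexpected block 0x%02x at offset %d" % (block, pos))
    raise ValueError("no trailer found")


def extract_appended(data: bytes) -> bytes:
    """Return whatever follows the trailer; empty for a well-formed GIF."""
    return data[find_gif_trailer(data) + 1:]


# Constructed sample, not a MiniDuke file: a 1x1 GIF89a whose global color table
# deliberately contains 0x3B bytes, followed by a fake appended blob.
CLEAN_GIF = (
    b"GIF89a"
    + struct.pack("<HHBBB", 1, 1, 0x80, 0, 0)         # global color table flag set, 2 entries
    + b"\x3b\x3b\x3b\xff\xff\xff"                     # color table; first entry is 3B 3B 3B
    + b"\x21\xf9\x04\x00\x00\x00\x00\x00"             # graphic control extension
    + b"\x2c" + struct.pack("<HHHHB", 0, 0, 1, 1, 0)  # image descriptor, no local table
    + b"\x02\x02\x44\x01\x00"                         # LZW code size, one data sub-block, terminator
    + b"\x3b"                                         # trailer
)
FAKE_PAYLOAD = b"constructed-appended-blob-with-a-stray-\x3b-byte"
SAMPLE = CLEAN_GIF + FAKE_PAYLOAD

if __name__ == "__main__":
    # Usage: python extract_appended.py bg_afvd.gif  -> writes bg_afvd.gif.appended
    path = sys.argv[1]
    with open(path, "rb") as fh:
        blob = extract_appended(fh.read())
    with open(path + ".appended", "wb") as fh:
        fh.write(blob)
    print("%d bytes found at end of file" % len(blob))
```

A clean GIF yields zero appended bytes, which is a useful sanity check when running this over a whole batch of files; a ValueError means the file is not a structurally valid GIF at all, which is itself worth a look.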

Windows Hardening Guide

Collaborative post by @0xdabbad00 (0xdabbad00.com) and @insanitybit (insanitybit.com)

Audience

This guide is focused on Windows Vista, 7 and 8 systems for personal use. This guide is not concerned with the following:

  • Not Windows XP or earlier, because they simply do not have the security features needed to use them securely. A lack of ASLR and SEHOP, no integrity levels, a kernel with exposed attack surface, and a general lack of privilege separation make securing XP a task best left to science fiction.
  • Not enterprise environments, though some of this information can certainly translate over
  • No IDS, DNS log monitoring, or other network related activities that are usually only reasonable to spend time on in enterprise environments.

Strategy

Disrupt, deny, and degrade attacks through reduction of attack surface area and implementation of modern mitigation techniques. Finally, prepare for the worst: assume APT.

Reduce Attack Surface

Vulnerabilities require one thing – code; if the code exists, so will vulnerabilities. The best way to avoid being exploited is to ensure there are as few vulnerabilities as possible for the attacker to exploit. The simplest and most effective way to do that is to minimize the amount of software on the system – less running code means fewer places for your attacker to poke at.

There are some key areas that are commonly attacked:

  1. PDF Reader: If possible uninstall Adobe Reader and use Chrome or Firefox’s built-in PDF reader. If you must use Adobe Reader, ensure that JavaScript is disabled and that Protected Mode is enabled in the security settings. There will be other steps in the guide for hardening your PDF reader further.
  2. Java: Java is one of the most highly exploited programs on Windows systems. It’s a very easy target for attackers, and this is unlikely to change for a long time. If you can’t remove Java altogether I highly suggest changing your browser settings to “Click To Play Plugins”.
  3. Windows Services: Windows, like any other mainstream OS, comes with a ‘default compatible’ attitude – it has to work for everyone. That means it comes with a large number of services running by default. These services are exploitable, and have been used for local privilege escalation in the past. Disable any Windows services that you don’t need. Deciding which services you do or don’t need requires a bit of research, as different users require different things.

For other software you’ve installed, such as an instant messaging client or torrenting client, always ensure that you have the latest version and keep track of security releases. Many software applications have their own auto-update mechanisms, make sure you enable it if you don’t think you’ll stay on top of patching yourself. You can also use software like Secunia’s PSI which will scan the software you have installed to ensure it is up-to-date. Secunia PSI can be useful to install once and check for out-of-date software, but it’s somewhat awkward to use and have running regularly, so I uninstall it after running it once. Alternatively you can use the FileHippo updater, which is portable and will check for any out of date software in its repository.

Disrupt Exploits

Given the possibility that your software may be vulnerable to 0-day threats or known threats that have not yet been patched, the next line of defense is to use techniques that disrupt exploits from being successful. This is what EMET does. It takes a bit of configuration, so use insanitybit’s write-up as a guide: http://www.insanitybit.com/2012/07/26/setting-up-emet-3-5-tech-preview-9-2/

If an exploit does manage to get execution, the next line of defense is to break its ability to work correctly by denying it access to different APIs. The best solution for this is AmbushIPS by @scriptjunkie1. This protects best against ROP-based exploits (which usually disable DEP as one of their steps, something AmbushIPS checks for), but also against exploits which have obtained full arbitrary execution. If the attacker knows you are using AmbushIPS, he could likely modify his exploit to work around it, so to some degree this is security through obscurity, but setting up an IDS/IPS can prove very beneficial to those willing to manage them. You can also write your own signatures for AmbushIPS to check for, which adds further unknowns for attackers.

AmbushIPS can not only block exploits, but also log chosen Windows API calls to a remote server. This could be helpful in identifying when an attack occurred and how, post-mortem.

Block Payloads

Although the stage in which an attacker launches their payload is both optional and late in the game, those looking to improve their security may look into AppLocker, an Anti-Executable security solution available for the more enterprise oriented Windows editions (Windows Server 2008 R2, Windows 7 Ultimate and Enterprise, Windows Server 2012, and Windows 8 Enterprise). Anti-Executable software works by preventing processes from launching based on a whitelist and blacklist. If Firefox.exe is running, and it tries to run evil.exe, and evil.exe is not whitelisted, then it will not run. This is most helpful for preventing malware that uses legacy techniques, and making it more difficult for an attacker to gain persistence.

AppLocker rules come in three types: path, hash, and my favorite, publisher.

A path rule is really quite weak. It basically says ‘only files from this path can execute’, which means that if any location under that path is writable by the user (or by the exploited process), all an attacker has to do to bypass the rule is write there and execute.

Hash rules are much more difficult to get around, but they’re also horribly difficult to maintain. Every time your program updates you need a new hash.

Publisher rules are based on the certificate information in a signed binary. This is much easier to deal with: a rule allows anything signed by that publisher (optionally narrowed to a product, file name and minimum version), so it only lets the programs you chose run, but it does not have to be updated for every program update.

While AppLocker is not enough for any attack that accounts for it, it can be useful when layered on top of other techniques. Just be sure that you realize its shortcomings.

Prepare For The Worst

Given the possibility that your laptop could just simply be stolen, encrypt your data with TrueCrypt (free) or Windows BitLocker (if you have Windows Enterprise or Ultimate editions). Any and all sensitive information (e.g. proprietary code for your company if you are a software developer) should generally be stored in some type of encrypted container. Be aware that if you only encrypt specific data, Windows will still write a hibernation file (a copy of RAM) and a pagefile to the system partition, and these may contain your sensitive information.

Here are guides for TrueCrypt and BitLocker.

Security advice not specific to Windows

Your browser is your main attack surface on a personal system, so take efforts to secure that by using various extensions (NoScript and HTTPS-Everywhere). You can find guides for securing Firefox and Chrome here and here. As a user if you secure your browser you’re securing the area that most attackers will attempt to exploit.

Many websites now offer two-factor authentication, such as GMail and Facebook. Take advantage of it, so you don’t end up getting locked out of your own email and social network sites if you ever get owned.

Do your banking from a different computer that you use infrequently, but still keep up-to-date on patches! Have your various website accounts send password resets to an email account that you only access from this banking computer. Make sure you’re connecting to these websites through a secure and trusted network.

Conclusion

There is a lot of security software for Windows out there: Some legitimately adds protection, and some unfortunately exposes you to more attacks than it protects you from. It’s impossible to cover it all in a single post, so we tried to stick to the built-in and free tools that are most important.

If you follow this guide you’ll be making an attackers job much more difficult. Though there is no silver bullet, and Windows security software is somewhat limited, you can use this guide to significantly improve your chances when facing the latest 0-day exploit in your browser.

As always, if you have suggestions for the guide, corrections, or general comments, please feel free to leave that all in the comments section and we’ll have a look. (Comment on insanitybit.com)

Thoughts on signed executables

In thinking about making an application to do white-listing on Windows, one of the first questions you have is how do you identify what to trust? I played around with Faronics’ Anti-Executable software a little, and although they do a lot of what I want, and their personal tool is well-priced at $35, the trust issue is a problem. When you install the tool, it just trusts everything on your system. To some degree, you have to do this, because for the type of tool this is, the assumption is that you are running on a clean system. However, it doesn’t allow you to do anything with the signers of signed binaries, so when I updated Google Chrome, it asked me if I wanted to trust the new binaries, which is the purpose of the tool, but it would be nice if it told me “You’ve trusted binaries from this signer before”. You do have the ability to look at the list of binaries it trusts, but it’s mostly just the filenames and paths. When it comes across a new file you just get some info parsed from the PE file.

You can then try to find out more about the files from Faronics’ site, but most files I tried were unknown, and for known files, it doesn’t show much.

I have assumed that in this day and age, most binaries from major corporations are signed. A white-listing product should thus let you take advantage of this and trust that signer, so that any new binaries on your system that come from that signer can be pre-trusted. This is one of the features of AppLocker (publisher rules).

You should also have more information about files. Instead of asking me whether I want to trust a file and giving me only the company name stored in the binary's version resource (easy to fake) plus the file path and name, it should use the Internet to find out some info for me.

CrowdStrike recently released a tool called CrowdInspect that checks the files behind currently running processes against VirusTotal and Team Cymru's Malware Hash Registry. That's a tool for 2013. Use the Internet hivemind to help me make decisions.

So what I want the tool to do, to help me make decisions, is check the file against VirusTotal, help me identify where it might have come from, and, for anything unknown, let me upload the file somewhere its trust can be evaluated further, or at least recorded so I can later identify points of infection/intrusion (more of an enterprise purpose).

But before I start coding, I need to check my other assumptions: can I make trust decisions based on the signers of binaries? Stuxnet was well known for having been signed with the legitimate certificates of JMicron and Realtek, so I don't want to 100% trust something based on its signer, but can I use this concept at all? How many binaries are signed? How many signers are there? For determining which signers I trust (and possibly all trust issues for binaries), I think I can use something like what Convergence does for SSL certificates. But first, let's see what is on my system.

I used Didier Stevens’ AnalyzePESig tool to look at the binaries. I used this tool because it’s open-source so I could modify what it output to my liking.

I scanned my Windows 7 system (a VM with some development tools) for all files that begin with an "MZ" header, and then checked whether they were signed and by whom. I found there were 36 signers, which seems fairly reasonable to keep track of. There were 23992 executables (these end up being .exe, .dll, .sys, and some other files), of which only 1962 (8.2%) were not signed. It is important to note that not all of these are unique, because Windows caches and copies files in various places. These numbers could be completely different from system to system as well, but you have to start with some data. For the unsigned binaries, a lot of files came from "C:\Windows\assembly" (915 files), "C:\Windows\sxs" (117 files), "C:\Program Files\Git" (310 files, basically a minimal cygwin install), and other various locations.

For the signers, the breakdown looks like this (I got tired, as I was doing some manual work to correlate these, and honestly a lot more analysis needs to go into this for it to be very meaningful; but the main point is that a lot of stuff is already signed by Microsoft):

  Count, Thumbprint (SHA-1),                      Subject name
  11820, 02eceea9d5e0a9f3e39b6f4ec3f7131ed4e352c4, C=US, S=Washington, L=Redmond, O=Microsoft Corporation, OU=MOPR, CN=Microsoft Windows
   4925, 018b222e21fbb2952304d04d1d87f736ed46dea4, C=US, S=Washington, L=Redmond, O=Microsoft Corporation, OU=MOPR, CN=Microsoft Windows
   2520, 9617094a1cfb59ae7c1f7dfdb6739e4e7c40508f, C=US, S=Washington, L=Redmond, O=Microsoft Corporation, OU=MOPR, CN=Microsoft Corporation
    951, d57fac60f1a8d34877aeb350e83f46f6efc9e5f1, C=US, S=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation
    831, 9e95c625d81b2ba9c72fd70275c3699613af61e3, C=US, S=Washington, L=Redmond, O=Microsoft Corporation, OU=MOPR, CN=Microsoft Corporation
    296, 564e01066387f26c912010d06bd78d3cf1e845ab, C=US, S=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation
    141, 06c92bec3bbf32068cb9208563d004169448ee21, C=US, S=California, L=Mountain View, O=Google Inc, OU=Digital ID Class 3 - Java Object Signing, CN=Google Inc
    135, d468faeb5190bf9decd9827af470f799c41a769c, C=US, S=Washington, L=Redmond, O=Microsoft Corporation, OU=MOPR, CN=Microsoft Corporation
     73, 8aed552a1387870a53f5f8aee17a3761232a4609, C=US, S=California, L=Mountain View, O=Google Inc, OU=Digital ID Class 3 - Netscape Object Signing, CN=Google Inc
     66, 57e82e9da631a768d8890e0a0b85381e3cb06d2e, C=US, S=California, L=Palo Alto, O="VMware, Inc.", OU=Digital ID Class 3 - Microsoft Software Validation v2, OU=Marketing, CN="VMware, Inc."
     64, 10622c76f18897e95222a888556843f4ce7e6aca, C=DE, S=Berlin, L=Berlin, O=ThinPrint GmbH, OU=Digital ID Class 3 - Microsoft Software Validation v2, CN=ThinPrint GmbH
     57, a25800bb7577f5854b3823b82228d94140d0244e, C=US, S=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation
     18, 0bc8249c29e2c5ee53abf5c233c0e7ff90f582f5, C=DE, O=Open Source Developer, CN=Sven Strickroth - Open Source Developer, E=mail@cs-ware.de
     16, 93859ebf98afdeb488ccfa263899640e81bc49f1,
     15, 665f9ee40c024625ffec8d0102a3946270a98dd8,
     13, 597f04600b965bbf8a011df89dd0403ed50c44e0,
     12, 3bf0735c54918aec95062d61dc387c36b2643bb8,
     10, bca0a72fbf7c3a6666cbb15eeb450a3ae6f14a48,
      9, 98483cc3cf08e666f188383a30aa00c49521617b,
      7, 54e57dc08f1298601a22d6ac5278d472d3bacb56,
      6, 6ebdfb3cf5d0a9691f8700f96bb16d62d344f229,
      5, b0ddf7c3098a9d2261e6fa25a36fa50dccf63c36,
      5, 8e1354ff462a548bafe42c3214472dd18e5cd931,
      5, 2d39f75fa6f6c06a3cb23c7bc2bf874cfe6ba0af,
      4, 617c3b8c0c6d7808ad7b116ded7a271ef2ded82b,
      4, 282d9806c3df7345929f64f5895ef2ea4ac29302,
      4, 0b96f3350e96268136c9118e36c91232e2511222,
      3, c464d7b441a7e78ec9e5e0a1d4602e1e95fda0f3,
      3, a8a4f672d2a011189d2989e137be4a89080dc757,
      3, 5c616dc011e309dfcd15c0ea32494186654a2cdc,
      3, 190352e3ab6dc702e6ab1e5296753efda57c4480,
      2, ca45aba93f7d68104ae730bf99d0f1f0aebdaf3b,
      1, 90c22db300f44ec79beab4662bb77ed1e81843bc,
      1, 8849d1c0f147a3c8327b4038783aec3e06c76f5b,
      1, 1e039f8c2bcb0d13fc5459957ecc5b9b7a271041,
      1, 1017a37c5edfd1da9d3a435ea7767d5e3a5a8daa,

Project backlog

I have a lot of ideas for things I want to work on, but I’m hoping I can get some feedback from the readers of this blog to prioritize these ideas and where I should focus my efforts. Here are the things I have been meaning to do:

Work on IceBuddha

I really want to get IceBuddha to a point where I can convince Didier Stevens to use IceBuddha as part of his PDF training at HITB Amsterdam. Continuing on IceBuddha means getting it to parse PDF files, and eventually other file types, lots of GUI features, hex editing capabilities, the ability to run IceBuddha parse scripts from the command line without the browser, and many other things.

Software to whitelist Windows

It really bothers me that there are no good white-listing options for Windows. This is a big task and involves the following:

  • Step 1: Produce a tool to hash all executables, incorporating AnalyzePESig. This hash list will then be fed into Windows Software Restriction Policies (SRP). At this stage you can lock down a system, but doing updates will be problematic.
  • Step 2: Write a driver that is notified any time a process starts or loads a DLL and checks it against the hash list, so we no longer have to use SRP. This would also allow an "audit" mode to see what files would be executed instead of enforcing the policy all at once. I could also provide nicer pop-ups to the user when a new, unknown file wants to execute, make it easier to turn the service off during updates, or automatically add files to the white-list when their certs are good. I will also likely use BLAKE2 for the hashing algorithm because for this use case it is ideal.
  • Step 3 (optional): Depending on how fast step 2 runs, and how much I want to cheat (e.g. not re-hashing a file if its modification timestamp has not changed), I may want to write a filter driver to watch file writes and invalidate entries in my list of known-good files. This would also let me tell the user "File X was updated by process Y".
  • Step 4: Once I have a list of known-good files, I can write a server component, so that an agent on these clients could call in and provide the list of files the system has and has white-listed. If you have enough systems calling in, and they additionally provide information like the version number of the file and what updated/created it, you can do something like Secunia PSI to inform the user they have out-dated software. The basic concept is that if you have 100 clients calling in, and 10 clients say they are using Adobe X, and the other 90 are using an earlier version of Adobe, then assume Adobe X is the latest and inform those other 90. You can also check adobe.com for updates periodically. Additionally, businesses could use this client/server setup to identify all the software running in a network, which is what a lot of white-listing products tend to focus on as one of their selling points (such as Bit9).
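The signer survey above and steps 1 to 3 share one core: walk the filesystem, pick out MZ files, decide whether each carries an embedded Authenticode signature, and hash it into an allowlist without re-hashing files whose size and timestamp have not changed. The Python below is an added example of that core; it is not the tool described here and not AnalyzePESig. It reads the PE optional header's security data directory (which holds a raw file offset, not an RVA) to tell signed from unsigned, hashes with BLAKE2b-256 from hashlib, and keeps a (size, mtime) cache so a rescan after an update only hashes what changed. It only detects that a certificate table is present: who signed the file and whether the signature verifies is left to AnalyzePESig or PowerShell's Get-AuthenticodeSignature, whose SignerCertificate.Thumbprint is the same thumbprint column as in the table above. The function names, the make_test_pe() builder and the constructed sample files are assumptions for the example.

```python
"""Hypothetical inventory tool (added example): find MZ files, flag embedded certificate tables, BLAKE2b-hash them."""
import hashlib, os, shutil, struct, tempfile

IMAGE_DIRECTORY_ENTRY_SECURITY = 4   # data-directory index of the Authenticode certificate table

def certificate_table(data):
    """(file_offset, size) of the embedded certificate table, or None if `data` is not a PE
    or has no embedded signature. Presence is not validity; verification is a separate step."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 26 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    opt = e_lfanew + 24                            # IMAGE_OPTIONAL_HEADER after the 20-byte file header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):                # PE32 / PE32+
        return None
    dd = opt + (96 if magic == 0x10B else 112)     # first data directory; NumberOfRvaAndSizes sits just before it
    entry = dd + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    if entry + 8 > len(data) or struct.unpack_from("<I", data, dd - 4)[0] <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return None
    # Unlike every other directory, the security entry is a raw file offset, not an RVA.
    offset, size = struct.unpack_from("<II", data, entry)
    if offset == 0 or size == 0 or offset + size > len(data):
        return None
    return offset, size

def scan_tree(root, cache=None):
    """One record per MZ file under `root`. `cache` (path -> record) is reused while
    (size, mtime) is unchanged, so a rescan after an update only hashes what changed."""
    cache = {} if cache is None else cache
    records = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
                key = (st.st_size, st.st_mtime_ns)
                rec = cache.get(path)
                if rec is None or rec["key"] != key:
                    with open(path, "rb") as f:
                        data = f.read()
                    rec = {"path": path, "key": key, "mz": data[:2] == b"MZ"}
                    if rec["mz"]:
                        rec["blake2b"] = hashlib.blake2b(data, digest_size=32).hexdigest()
                        rec["signed"] = certificate_table(data) is not None
                    cache[path] = rec
            except OSError:                        # locked or unreadable: skip it
                continue
            if rec["mz"]:
                records.append(rec)
    return records

def summarize(records):
    """Counts in the shape of the survey above, plus unsigned files per directory."""
    by_dir = {}
    for r in records:
        if not r["signed"]:
            d = os.path.dirname(r["path"])
            by_dir[d] = by_dir.get(d, 0) + 1
    signed = sum(r["signed"] for r in records)
    return {"executables": len(records), "signed": signed, "unsigned": len(records) - signed, "unsigned_by_dir": by_dir}

def allowlist(records, require_signature=False):
    """Hash set for the enforcement layer; the baseline trusts everything on the (assumed clean) system."""
    return {r["blake2b"] for r in records if r["signed"] or not require_signature}

def make_test_pe(signed, pe32plus=False):
    """Constructed sample input, not a loadable image: DOS stub, PE signature, file header,
    optional header with 16 data directories and, if `signed`, a WIN_CERTIFICATE with a stub body."""
    opt_size = 240 if pe32plus else 224
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                                       # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)                  # Magic
    nrva = 108 if pe32plus else 92
    struct.pack_into("<I", opt, nrva, 16)                                         # NumberOfRvaAndSizes
    cert = b""
    if signed:   # WIN_CERTIFICATE: dwLength, wRevision, WIN_CERT_TYPE_PKCS_SIGNED_DATA, then a placeholder DER body
        cert = struct.pack("<IHH", 10, 0x0200, 0x0002) + b"\x30\x00"
        struct.pack_into("<II", opt, nrva + 4 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, 0x40 + 24 + opt_size, len(cert))
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + cert

def demo():
    """Scan a temp tree of constructed files twice; the second pass is served from the cache."""
    root = tempfile.mkdtemp(prefix="inventory-")
    os.makedirs(os.path.join(root, "unsigned_tools"))
    for name, content in (("signed.exe", make_test_pe(True)), ("signed64.dll", make_test_pe(True, True)),
                          (os.path.join("unsigned_tools", "tool.exe"), make_test_pe(False)), ("readme.txt", b"not a PE")):
        with open(os.path.join(root, name), "wb") as f:
            f.write(content)
    cache = {}
    first, second = scan_tree(root, cache), scan_tree(root, cache)
    out = summarize(first)
    out["cache_reused"] = len(first) == len(second) and all(a is b for a, b in zip(first, second))
    out["allowlist_all"] = len(allowlist(first))
    out["allowlist_signed_only"] = len(allowlist(first, require_signature=True))
    shutil.rmtree(root)
    return out
```

Calling demo() runs it on the constructed files; for a real breakdown, call summarize(scan_tree(r"C:\Windows\System32")) and compare the signed/unsigned counts with the survey above. Keep the caveat in mind when turning this into enforcement: a present certificate table is not a verified one, and even a verified one only tells you the signer, which is exactly the Stuxnet point above, since those signatures verified fine.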

This concept could actually make me money (hurray!) because I would release the client side stuff as GPL, and the server side would be a service I could charge for or software to sell to businesses. The open-source client side stuff would be very useful for the home-user (and free), but if you want to integrate this with domain controllers and make me do boring coding, then I would want to charge money. This would also be the starting point for my Security as a Service company that one day I dream of eventually doing, and I should probably write a post on what the company would be doing.

Post on securing Windows

The main component of this will be how to use AmbushIPS, with a check-list of other steps to take (browser plug-ins, EMET, encryption, etc.), which could ultimately become an application that locks it all down for you. Also, I should probably do something for locking down other OSes (Ubuntu and OS X). For example, most people probably aren't aware that Chrome on Ubuntu is a couple of versions behind.

Post about online advertisers

I have a strong knowledge of how online advertising works and the dangers involved (generic problems, in case my old employer just freaked out). This post would expose that. It would be in the spirit of the work done by Mozilla's Collusion project and Vicente Diaz's (Kaspersky Lab) VB2012 talk "I'm not a number, I'm a free man".

Asymmetric defenses on Windows

This would be a combination of my posts Hurdles for a beginner to exploit a simple vulnerability on modern Windows and DEP (Data Execution Prevention) explanation by example applied to every protection offered by EMET and other protections possible (such as sandboxing). The goal would be to take a simple application and show an exploit for it, then show how various defenses could have mitigated it, and provide real-world references to where this same vulnerability was used to exploit a real application and again how those defenses would have stopped it. This post is motivated both by my desire to understand these better (I learned a lot in that DEP post), and also by the post on pagetable.com Leave security to security code. Or: Stop fixing bugs to make your software secure!. It also draws inspiration from A Bug Hunter’s Diary.

Misc

I spent some time without Internet for a while, and it was horrible. However, in my boredom, I started writing short stories to keep busy. I'm a horrible fiction writer, but my plots are awesome, because I think about current technology and capabilities and just let my mind run with it, and sometimes how "If this one thing was different, what would the effect of that be?" which is really how I look at computer security in general because I think "If this thing was no longer a problem, what would the other problems be?" Or "If this thing didn't work like it should, what effect would that have? What can detect that breaking and what other protections could back it up?" One of my plots involved a guy that finds flaws in financial software, such as the tools that let people do automated trading. This software identifies certain conditions (prices of a stock, volume of trades, or maybe twitter references to a company) and then makes stock trades. This software really exists, but in my story the character discovered that when certain conditions occurred in the world, the software would react in a way that he could predict, control, and profit from, and it was the perfect crime. I then thought "Why am I writing fiction, I should make this reality!" So that's another idea, or I could just write the story instead of hiding from the SEC, but I also think the story would be more fun if I actually found some of these flaws so I could reference them, and some flaws in some other software out there, like forensics software (actual arbitrary execution exploits, not boring stego tricks).

Let me know your opinion!

I don’t have commenting ability on this blog, but I do read and respond to emails. My email is 0xdabbad00 .at. gmail.com or I’m @0xdabbad00 on twitter.