2008-06-17 10:36:14 | Hacker Japan Interview | Paul Sebastian Ziegler
The local Japanese magazine Hacker Japan contacted me a couple of weeks ago asking for an interview. Since we could agree on the general conditions, we ended up having a nice conversation about life, international relations, hacking, laws and work.
This conversation can now be found in the current edition of the magazine, covering about 4 pages. However, it is in Japanese only.
2008-06-13 18:20:56 | RE for crazy people | Paul Sebastian Ziegler
Some of you may know that I work as a research engineer and get to deal with fresh malware on a regular basis. Those of you who either work in the security sector or take part in the good old AV vs. VX vs. Blackhats challenge will also know that stepping through a piece of malcode isn't really the same as disassembling winmine.exe. Apart from the fact that most people who actually release malware into the wilderness just can't be convinced to include debugging information (come on guys, be "1337"), today we face a lot of techniques that were specially designed to make an analyst's life harder.
Most notably we face Anti-Debugging and Anti-Reversing. (And of course anti-anti-anti-foo... the list goes on.)
Then there are some other techniques that aren't directly geared towards researchers but try to accomplish something else, like for example escalating privileges or circumventing the firewall. I'm not going into detail here either, but everyone who has a shortcut for "launch notepad.exe in OllyDBG, break on new thread and dump the process id to a file" should know what I mean.
And then there are those moments where you just want to shout, because someone invented something completely new. Some days ago I was facing some good malware. The name may not be mentioned, so let's just call it "XY" for clarity's sake. XY pulled about every trick in the book, including - among others - indirect calls, process injection, debugger detection and encryption. Those could be defeated using some careful engineering and lots of coffee. Somewhere in the code I ran into this statement (obfuscated):
-=ASM=-
push ebp
call loc_XYZ
pop ebp
-=/ASM=-
This is something we see almost every day. A regular internal function call. By quickly checking over XYZ, I could see that it contained a lot of crypto-foo. Thus I tried to see what it changed before going into more detail and decided to step over the function.
Interestingly enough, the malware crashed with a memory violation. Now that is not very unusual either, since anti-debugging techniques tend to lead to this result, but just to make sure, I loaded a snapshot and hit F9 from the same spot. But while it should have crashed again right then, it just exited gracefully. I decided to set a breakpoint on pop ebp manually, to check if this was a bug in the debugger. The results were the same as when stepping over. The malware crashed. This began to confuse me. But it still had to get a little worse. I removed the software breakpoint on pop ebp and replaced it with a hardware breakpoint. Now the program didn't crash, but it didn't stop either. It just ran through.
Confused enough yet? Bear with me for another minute.
I couldn't figure this one out. And luckily lunch break came up quickly. While returning to the office, two of my coworkers were arguing over which way to walk. "This way is more direct." "This one is faster." "But I need to go to that store." Suddenly something in my brain shifted. When we arrived at the office, I was soon bent over laughing.
What happened?
Their conversation was the missing piece. It made me realize one essential fact: loc_XYZ never returned the flow of execution to the calling function at all. Whoever wrote this used the function call like a jmp instruction. It was a one-way path. Later during the analysis I was able to discover a piece of code that then checked if "pop ebp" had been modified. By setting a software breakpoint and stepping over, "pop ebp" had become "CC CC". The malware noticed this and faked a crash to hinder the analysis. This also explained why running the malware and setting a hardware breakpoint didn't do anything. push ebp remained unchanged.
Sometimes we need to keep our eyes open for new possibilities. To my friends from the AV: Good luck on generating a working fingerprint for this one.
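The mechanism described above, modelled as an added analyst-side example (not code from the post or from the malware): it locates push ebp / call rel32 / pop ebp sites in a constructed code image and shows why a software breakpoint (an INT3 byte written into the image) trips a self-check over the code region while a hardware breakpoint does not. The sample bytes, the load address and the hash-based check are assumptions.

```python
import hashlib

# Constructed sample code image (not bytes from the malware in the post):
#   55              push ebp
#   E8 10 00 00 00  call +0x10 (displacement relative to the next instruction)
#   5D              pop ebp   (never reached when the callee is used as a jmp)
# followed by NOP padding.
CLEAN_CODE = bytes([0x55, 0xE8, 0x10, 0x00, 0x00, 0x00, 0x5D]) + b"\x90" * 9
BASE = 0x401000   # assumed load address of the sample
INT3 = 0xCC       # opcode a debugger writes to place a software breakpoint


def find_call_pop_sites(code, base=BASE):
    """Return (site_addr, call_target) for each push ebp / call rel32 / pop ebp site."""
    sites = []
    for i in range(len(code) - 6):
        if code[i] == 0x55 and code[i + 1] == 0xE8 and code[i + 6] == 0x5D:
            disp = int.from_bytes(code[i + 2:i + 6], "little", signed=True)
            sites.append((base + i, base + i + 6 + disp))
    return sites


def software_breakpoint(code, offset):
    """Model of what the debugger does: the opcode byte is replaced by INT3."""
    patched = bytearray(code)
    patched[offset] = INT3
    return bytes(patched)


def hardware_breakpoint(code, offset):
    """A hardware breakpoint lives in the debug registers; the image is untouched."""
    return code


def code_region_intact(reference, runtime):
    """The self-check the post describes: the code region must still hash the same."""
    return hashlib.sha256(reference).digest() == hashlib.sha256(runtime).digest()


def int3_patches(reference, runtime):
    """Offsets where the runtime image differs from the reference by an INT3 byte."""
    return [i for i, (a, b) in enumerate(zip(reference, runtime)) if a != b and b == INT3]
```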
2008-04-10 12:38:41 | Never knew Google was so clever... | Paul Sebastian Ziegler
Props for Google. No really!
Today I was looking for some papers about OS hardening and did a search for "minimum rights policy". Everyone who knows computer security should realize by now that this is about an approach to running software.
However Google, well... they did it the right way.

Let me break that down for you.
The first thing you get with this search is
[The] American Civil Rights Policy
I'd like to emphasize at this point that the views expressed by Google in this screenshot do not necessarily have to match the author's opinion.
But let's keep on looking. I personally like entry number 4 as well, since it clearly states
Intellectual Property Rights
Google, please be careful. As soon as the RIAA finds out about this you'll get sued over and over again.
And since things are fair in this world, the
EU Human Rights
are mentioned twice. Someone should tell Wolfgang.
2008-04-01 10:03:59 | My reason(s) for being silent | Paul Sebastian Ziegler
Yes, it has been a very long time since I last posted any entries for your amusement. I apologize for that. It was not my intention to bore my more frequent readers, but my interests and responsibilities greatly shifted during the past few weeks.
I got in contact with several good Japanese hackers and finally got the industry connections I wanted. Starting from today I am an employee of FFR(1440) - a small but extremely professional Japanese company consisting exclusively of well-known hackers.
I never thought I'd ever become a regular employee, but this was simply too perfect.
So my work keeps me rather busy. Apart from that, I will have to pass a federal examination in informatics soon. It has a rather high level and is written in Japanese only. So I have approximately 4 years of content and 10 years' worth of language to learn within 7 months. Wish me luck. Otherwise it will be impossible for me to keep my visa status. But hey, I've done strange things before. This should be just fine. I will keep you posted on new developments. Let's see how things go.
2008-02-11 03:54:30 | Moving, Writing, Stuff | Paul Sebastian Ziegler
In case you may have wondered why there are so few posts lately:
Apart from trying to get my life on track here in Tokyo, I just moved house. And - guess what - it takes a while to get an internet connection around here. Don't ask me why. The apartment is already wired and everything, but apparently it takes at least two weeks.
Also the moving itself has been pretty busy and my deadlines at O'Reilly are drawing closer. So overall I am just terribly busy.
But the CFPs for the major conferences are about to open and that will force me to research some new stuff again. I have a couple of really nice subjects planned, so stick around. I will decide on one and put it out in the open soon.
2008-01-14 15:40:58 | Some Thoughts on Viral Statistics | Paul Sebastian Ziegler
Recently the people over at AV-Test released their annual statistics on viruses.
Various online media have picked up the subject and are now eagerly reporting. Among those is the German newscaster Heise.
However there is one important sentence to consider.
Laut Andreas Marx von AV-Test haben die Spezialisten sämtliche unterschiedliche Dateien gezählt, bei denen sich der Fingerabdruck (MD5-Hash) von den anderen Funden unterscheidet.
This is translated to:
According to Andreas Marx of AV-Test the specialists counted all infected files with a fingerprint (md5-hash) that was unique among other findings.
They go on to say:
Ab 2004 scheint das Wachstum zu explodieren
Starting from 2004 the growth [of the number of viruses] seems to explode.
At first glance this appears to be correct.
However, we need to consider the following. 2004 marks the first large-scale appearance of polymorphic malware. That is, malware that is able to alter its own code in order to stay unrecognized when scanned by fingerprint-based AV scanners.
This means that a single virus is now able to produce massive amounts of different unique md5 hashes when analyzed.
Since then the degree of polymorphism and metamorphism has steadily increased.
Of course the real number of malware in the wild is increasing. Last year we saw the Storm-Worm break free which maxed out old edges a lot. There were some new techniques and apparently huge activities. The next years will be interesting as well. OSX-malware has made it to the wild and we'll probably see it spread during 08.
But the vast part of that growth is based on malware altering its form and thus altering its fingerprint, and not actually on a vastly growing amount of unique malware. The approach to compiling those statistics will have to be changed. Until then, please keep these thoughts in mind when thinking or reading about malware growth.
Update:
And if you don't believe me, please listen to SkyOut's blog. He is among the people who know viruses best.
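The counting problem argued above, as an added example that is not part of the original post: a constructed, benign byte string stands in for one piece of malware, a single-byte XOR wrapper with the key in the first byte stands in for a polymorphic layer, and the two counting functions show how many "unique viruses" an MD5-based count reports versus a count over the unwrapped body. The wrapper scheme and the normalizer for it are assumptions chosen for the demonstration.

```python
import hashlib
import random

# Constructed stand-in for one virus body; deliberately harmless text.
PAYLOAD = b"CONSTRUCTED SAMPLE BODY - stands in for a single piece of malware"


def make_variants(body, count, seed=1):
    """Constructed polymorphic-style variants: the same body, each wrapped with a
    different single-byte XOR key stored in the first byte. Every variant is a
    different file (different MD5) although it is the same program."""
    rng = random.Random(seed)
    keys = rng.sample(range(1, 256), count)
    return [bytes([k]) + bytes(b ^ k for b in body) for k in keys]


def normalize(sample):
    """Analyst-side unwrapping of this constructed scheme: strip the key byte and
    undo the XOR so that all variants of one body collapse onto one hash."""
    key = sample[0]
    return bytes(b ^ key for b in sample[1:])


def count_by_md5(samples):
    """The metric quoted by Heise: one entry per distinct MD5 fingerprint."""
    return len({hashlib.md5(s).hexdigest() for s in samples})


def count_by_body(samples):
    """Count distinct unwrapped bodies instead of distinct file fingerprints."""
    return len({hashlib.sha256(normalize(s)).hexdigest() for s in samples})
```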
2008-01-09 11:16:44 | Back from the ashes - again | Paul Sebastian Ziegler
Some of you will know my concept of Phoenix computing from other entries some months ago.
I did not plan to do so today, but the changes I made to the server would have required days of carefully readjusting configuration files and scripts.
So instead I wiped the server clean and started over from a data-backup.
Most of the systems and mechanisms should be back and running. If you encounter any problems, please let me know. The webinterface should mostly be working again.
Also please be aware that for about an hour today, mails that were sent to legitimate @observed.de addresses bounced.
So if you sent me a mail during that time, please check for error messages.
2008-01-09 03:11:35 | Major Server Changes Up Ahead | Paul Sebastian Ziegler
I know this is rather short notice, but I'll introduce some major changes to the server today. Everything should be alright, but in case something breaks, I will have backups to get everything up and running again.
However there will be some downtimes today - and some of them may get long and/or nasty.
So if the site should run unstably for a few days and all you see at the top of my blog is this message, then you know I'm still fighting with some major or minor problem.
As soon as all the changes are made, I'll post back to you.
2008-01-06 03:32:09 | New SSL Certificate | Paul Sebastian Ziegler
Well, since this page has just had its first birthday, the old SSL certificate, which was signed for 365 days, has also ended its duty.
If you connect to this site through SSL, you will find that a new one is in place.
Maybe someday I'll get myself to either apply for a major certificate or set up my own CA.
Until then please just bear with me and the new certs from time to time.
2008-01-02 05:37:34 | Introducing... | Paul Sebastian Ziegler
I already announced something like this would come up soon during my last entry. But here it is. I just set pix.observed.de free. It is a subproject where I'll publish images, photographies and more visual material.
Right now it only contains a single gallery called Berlin Lights I. It is full of photos I took during my brief visit to Berlin. They all play with very slow shutter speeds to create some really nice effects.
pix.observed.de is not exactly google-friendly since I don't care how many people visit it.
However check out the license!
Being (among other things) a writer myself I know how much it sucks to find works on the internet that are not clearly licensed.
All the images, photos and other visual things on pix.observed.de are licensed under a Creative Commons Attribution-Noncommercial-Share Alike 2.0 License. This makes it pretty liberal and free to use for about anything you want as long as some rules are followed.
But this is where the twist comes in. Even those few rules are breakable.
How?
It's easy. One Euro each.
Allow me to explain. For each rule you break you have to pay one Euro per picture you break it for. It's that easy. I won't even control it. The license is really liberal, so the only people who really need to break any rules here are the ones using the images commercially. And it will be hard for them to keep it secret anyhow.
So you can literally do anything you want with those images. Either you follow the license or you pay a minimal fee for breaking it.
Feel free to check it out and/or spread the word. Link to it, if you like it. But please remember that when you include the images in your page directly, you are violating the license unless you give proper credits.