Vera 0.20 - Now Available
Submitted by dannyquist on Thu, 2010-08-12 21:55.
After a lot of work, I'm happy to announce that Vera 0.20 is available for download. This release is a rewrite of the entire code base into wxWidgets. Based on some excellent feedback from my talk at REcon (an excellent con by the way) I've made some substantial changes to the backend code.
If you're not familiar with VERA, it's a visualization tool to help understand the dynamic execution of a program. It's made to take the instruction traces from Ether and generate directed graphs showing the overall flow and composition of a program. Identifying the OEP is easy, as well as looking for main loops and initialization sections of the program. You can read about VERA in my Vizsec 2009 paper for more information.
Here's the complete changelog:
- Rewrite of entire codebase to wxWidgets (should allow for future ports to other platforms)
- Added configuration file (~/.wxVera/wxvera.ini)
- Read/save previous window position and size from/to config file
- Fixed a graph centering problem
- Added update checking code
- Reloading of graphs more efficient
- Added welcome message
- Introduced notebook style for GUI
Please feel free to contact me (dquist at this domain) if you have any problems or suggestions for VERA. Thanks!
AV Testing Standards: Don't Like the Results of the Tests? Change the Rules
Submitted by dannyquist on Sun, 2010-07-18 21:44. Malware
There were good responses, mostly from people in the AV industry, to my blog post about the malware testing standards. Overlooking my error linking to their original paper (sorry) there were some points I would like to address.
At the heart of this whole process is exactly how dangerous a collection of malware is. For the consumers, I would argue, it's not dangerous at all. The malware industry is the only one who has to fear from it. Notice I didn't say just the AV vendors, but also the producers of the malicious software. In large part the authors depend on a closed, inside group of people unwilling to collaborate openly on the problem. If you look at the major sources of malware in academic research prior to the creation of large open collections, you'll see that there were some big problems. First, the samples were old and not representative of current threats. Second, those samples either did not work or were not malicious in nature. Finally, the samples are traded as something of value.
I'm no different, of course. I derive value both from the collection and from consulting. I do, however, go out of my way to support those doing open research as much as I can. If someone in academia needs access to samples, just contact me and I'll work something out. Likewise we have helped innumerable small businesses get their start in the malware world before they could enter the "circle of trust" mentioned by David Harley.
The "circle of trust" is often cited when discussing who can and cannot gain access to these samples. Over the course of the years I've joined four of these groups. While the vetting is done as best as possible, there's very little outside of an email address and a recommendation keeping someone from joining. Antivirus vendors exchange malware among themselves at a much higher volume, but there is still a perceived difficulty of entering this area. Malware exists on the Internet in a freely available manner as a function of its being. Limiting sample access to a certain set of privileged people fundamentally hurts innovation and response by everyone.
There was also some allusion that I did not support malware testing at all. That is not the case. Malware defense systems should be heavily tested against a range of threats. The basis for my problems with the AMTSO is that it should *not* be composed of anyone in the AV industry. Consumer Reports did an excellent job exposing the ineffectiveness of AV vendors by producing new samples. Due to the very nature of the threat, there are going to be new samples that are discovered for the first time. If an AV software can't respond to this threat, it should not be given a favorable review.
The current set of players in the malware testing arena are profit driven. In and of itself that's ok, I'm all for capitalism, but in fairness there needs to be an independent authority. AV testing companies that publish open information on the effectiveness of scanning results are not independent. Without naming names, there is a prominent one claiming to provide results for the public, but it is instead backed by every AV vendor in the industry. This testing company takes in new samples, scans them with all the products, then tells the vendors how their performance rates. What is not acceptable, in my view, are the shoddily written reports intended for consumers that report unethically high detection rates.
Finally I would like to address the ethics of the malware tester. One thing I agree with David Harley on is the need to represent the full scope of the testing process to the consumer. One of the things that the academic world does well is to produce research which can be recreated by other researchers. That's the intent, at least. AV testing standards advocated by the vendors cannot and will not provide the latest samples to malware authors. What this ends up doing is providing all the methods of testing, but not the actual data to test on. For those of us able to use new samples, it's not a problem. Others who have older data and are unable to acquire new malware (due to cost, time involved, etc.) are left with only one viable option: Synthesize new samples using the exact same methods available to the authors.
Vera 0.11 - Bug Fix Release
Submitted by dannyquist on Sun, 2010-06-13 06:51. tools
First of all, thanks for all the great feedback from everyone about Vera. Keep the feedback coming!
Vera 0.11 is out on the main Vera page. This release fixes a major memory leak for those of you who aren't running video cards with a gig of RAM. This should also alleviate problems that were related to running under Windows XP. A future port to a wxWidgets version is underway. This will eventually allow for cross-platform versions, hopefully timed with the IDA QT release.
As always, please report bugs to dquist at this domain.
URLVOID: Suspicious URL scanner
Submitted by devnull on Tue, 2010-06-08 03:20. Malware
Urlvoid (beta version at the moment) is a free service that scans suspicious websites with multiple engines to check if the site is safe to browse.
It's a VirusTotal-like, but for websites ;)
http://www.urlvoid.com/
Scanner list used by Urlvoid:
McAfee SiteAdvisor, McAfee Trusted Source, PcTools Browser Defender, Norton SafeWeb, MyWOT, Threat Log, MalwareDomainList, hpHosts, ZeuS Tracker, Google Diagnostic, PhishTank, Project Honey Pot, ParetoLogic, Spamhaus, URIBL, Malware Patrol, SURBL, SpamCop, TrendMicro Web Reputation, Web Security Guard.
Released Buster Sandbox Analyzer 1.23
Submitted by VirusBuster on Sat, 2010-05-29 18:07. tools
Buster Sandbox Analyzer 1.23 has been released.
The tool is currently being hosted here: http://bsa.isoftware.nl
Version 1.23 introduces the automatic malware analysis mode. This mode allows the analysis of multiple files without any user intervention.
The new version also adds other features, like digital signature verification.
The tool can be downloaded directly from: http://bsa.isoftware.nl/bsa.rar
Buster Sandbox Analyzer makes malware analysis accessible to everybody in a simple and safe manner.
Intelligence and operational level by Siberia Exploit Pack
Submitted by jamieres on Sat, 2010-05-29 07:22. Exploits | Malware | Research
Siberia Exploit Pack is a crimeware, an evolution of Napoleon Exploit Pack, of which we've given a brief description on another occasion. However, from the time of that description to this day, its developer has expanded the landscape.
In this regard, and while it ends up being one of the bunch, the interesting thing about this crimeware is the information provided by its statistics panel (intelligence for the attacker), which is by the way very similar to that provided by Eleonore Exploit Pack. It provides data regarding the success of the exploit pack's business of recruiting zombies, broken down on the basis of these data:
- Countries affected
- Most exploited Operating Systems
- Reference domains with the highest percentage by which vulnerabilities are exploited
- Browsers exploited
- Pre-compiled exploits in this version of the package
Let me stress (because it's a minor detail) that this collection of information is nothing more than intelligence, which allows the attacker to know, in the first instance:
In the former case, the population of which country is more vulnerable, perhaps because of their level of piracy, which draws attention to the lack of security updates for operating systems and applications, because, as we will see when we reach the exploits, all of these are known and have long had a patch that fixes the vulnerability.
In this case, the first five countries where this crimeware has higher infection rate include the United States, Britain, Canada, Russia and Germany.
The same approach is pursued with the data we obtained on "vulnerable" operating systems, in quotes because, as I said above, the degree of vulnerability of the OS depends directly on a number of aspects that should be covered by hardening, in which an important factor is the installation of security patches.
For example, the vulnerability in MDAC (Microsoft Data Access Components) from the year 2006 (four years ago), described in Microsoft Official Bulletin MS06-014. The impact on operating systems of this version of the crimeware can be seen in the picture below.
The list of attacked operating systems is large, and the three with the highest vulnerability gap belong to the Microsoft family (which is obviously due to the massiveness of use), as do other MS systems.
However, the crimeware covers other non-Windows operating systems, including PlayStation consoles (GNU/Linux or Black Rhino) and Nintendo Wii (ironically a modified version of GNU/Linux), as well as operating systems used on workstations and high-end mobile phones, including:
- Mac OS
- GNU/Linux
- FreeBSD
- iPhone
- Windows Mobile
- Windows CE
- Pocket PC
- Symbian OS
Here we begin to recognize that criminals have broadened the scope of coverage, incorporating into their portfolio of options the exploitation of vulnerabilities (through the browser) and the recruitment of zombies on other operating systems used in other computing technologies.
Ether 0.1 Debian Package - BETA
Submitted by dannyquist on Fri, 2010-05-28 14:57.
To make Ether a bit easier to install, we've put together a Debian package with precompiled Ether binaries. This is considered a highly beta install package, so you will want to take care about where you install it. Everything should install into /opt/ and work very closely to how Ether does when you compile via source.
Please note that this package contains the Ether patched Xen package. Other than satisfying the package's dependencies, you shouldn't install anything beyond that. This has been tested with a fresh installation of Debian Lenny. Please note that uninstall is currently not implemented.
Thanks to Chris Collord and Daniel Cox for their work on this.
Download the Ether 0.1 Debian Package here
Generating Ether-like Trace Files for VERA
Submitted by dannyquist on Mon, 2010-05-24 14:50.
I've had a few people email me about how to use non-Ether generated trace files in VERA. To help with this, I ran a trace with Ether of the Notepad.exe included with Windows XP.
If you want to generate instruction traces externally from Ether, you just need to make sure they follow the same format. First, you should start with the standard instruction trace boilerplate. It looks like this:
After init:
shared_page_ptr: 0xffff830000fd9000
shared_page_mfn: 0xfd9
domid_source: 0
event_channel_port: 34
Shared Page va: 0x7fde19b77000
Shared Page test:
Page-Sharing is A-OK!
Trying to bind to local port...
Success, bound to local port: 35
Trying to get first pending notification...
Taking off suprious pending notification...
Setting filter by name to: notepad.exe
Execution of Target detected:
Image Base: 0x1000000
Image Size: 0x14000
Entry Point: 0x100739d
After this, all you need to do is have a listing of instructions. Right now the only thing I'm parsing is the instruction address, so there's no need to include the actual instruction. Later versions of VERA will use the disassembly.
100739d: push 0x70
100739d: push 0x70
100739f: push 0x01001898
10073a4: call 0x01007568
1007568: push 0x010075BA
100756d: mov eax, fs:[0x00000000]
1007573: push eax
At the end of the file, after all the instructions, make sure you include two "Handling sigint" messages:
1007519: jnz 0x01007522
100751b: push esi
100751c: call [0x1001318]
Handling sigint
Handling sigint
That should be all you need to use VERA for your own uses. As always, let me know if there are any bugs you observe.
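A small writer and parser for the trace format described in the post above, as an added example that is not part of the post or of the VERA/Ether code. The fixed header lines are copied from the notepad.exe boilerplate shown in the post; the per-target values (filter name, image base, image size, entry point) are parameters, and the instruction list in SAMPLE_INSNS is constructed for illustration (it includes a short loop so that the back edge shows up). The parser follows the post's rule of reading only the address on each instruction line and rejecting a file that does not end with the two "Handling sigint" lines; flow_edges() turns the address sequence into the directed transitions VERA would draw.

```python
"""Write and parse Ether-style instruction traces for VERA (added example)."""
import re

# Header copied from the notepad.exe trace in the post; only the last four
# fields vary per target.
HEADER_TEMPLATE = (
    "After init:\n"
    "shared_page_ptr: 0xffff830000fd9000\n"
    "shared_page_mfn: 0xfd9\n"
    "domid_source: 0\n"
    "event_channel_port: 34\n"
    "Shared Page va: 0x7fde19b77000\n"
    "Shared Page test:\n"
    "Page-Sharing is A-OK!\n"
    "Trying to bind to local port...\n"
    "Success, bound to local port: 35\n"
    "Trying to get first pending notification...\n"
    "Taking off suprious pending notification...\n"
    "Setting filter by name to: {target}\n"
    "Execution of Target detected:\n"
    "Image Base: {base:#x}\n"
    "Image Size: {size:#x}\n"
    "Entry Point: {entry:#x}\n"
)
TRAILER = "Handling sigint\nHandling sigint\n"

# Instruction lines carry a bare hex address (no 0x), a colon, then text VERA ignores.
INSN_RE = re.compile(r"^([0-9a-fA-F]+):\s*(.*)$")
HDR_RE = re.compile(r"^(Image Base|Image Size|Entry Point):\s*(0x[0-9a-fA-F]+)$")


def write_trace(target, base, size, entry, insns):
    """Build a complete trace file from (address, mnemonic) pairs."""
    body = "".join(f"{addr:x}: {text}\n" for addr, text in insns)
    header = HEADER_TEMPLATE.format(target=target, base=base, size=size, entry=entry)
    return header + body + TRAILER


def parse_trace(text):
    """Return the image header fields plus the executed address list.

    Only the address of each instruction line is kept, as the post says VERA
    does; the two trailing "Handling sigint" lines are mandatory.
    """
    lines = text.splitlines()
    if lines[-2:] != ["Handling sigint", "Handling sigint"]:
        raise ValueError("trace must end with two 'Handling sigint' lines")
    info, addrs, in_body = {}, [], False
    for line in lines[:-2]:
        if not in_body:
            m = HDR_RE.match(line)
            if m:
                info[m.group(1)] = int(m.group(2), 16)
                in_body = "Entry Point" in info  # instructions start after the header
            continue
        m = INSN_RE.match(line)
        if m:
            addrs.append(int(m.group(1), 16))
    if "Entry Point" not in info:
        raise ValueError("header is missing the Entry Point line")
    info["addresses"] = addrs
    return info


def flow_edges(addrs):
    """Count directed transitions between consecutive executed addresses.

    Repeated edges and back edges are what make loops visible in the graph.
    """
    counts = {}
    for src, dst in zip(addrs, addrs[1:]):
        counts[(src, dst)] = counts.get((src, dst), 0) + 1
    return counts


# Constructed sample: the post's first instructions followed by a made-up
# two-iteration loop and a return.
SAMPLE_INSNS = [
    (0x100739d, "push 0x70"),
    (0x100739f, "push 0x01001898"),
    (0x10073a4, "call 0x01007568"),
    (0x1007568, "push 0x010075BA"),
    (0x100756d, "mov eax, fs:[0x00000000]"),
    (0x1007573, "push eax"),
    (0x1007574, "dec ecx"),
    (0x1007575, "jnz 0x01007574"),
    (0x1007574, "dec ecx"),
    (0x1007575, "jnz 0x01007574"),
    (0x1007577, "ret"),
]
SAMPLE_TRACE = write_trace("notepad.exe", 0x1000000, 0x14000, 0x100739d, SAMPLE_INSNS)

if __name__ == "__main__":
    info = parse_trace(SAMPLE_TRACE)
    print(f"entry {info['Entry Point']:#x}, {len(info['addresses'])} instructions")
    for (src, dst), n in sorted(flow_edges(info["addresses"]).items()):
        print(f"{src:x} -> {dst:x} x{n}")
```

Any tracer that can emit one address per line (a debugger script, an emulator hook) can feed write_trace() and get a file VERA will load; parse_trace() is the check to run on such a file before loading it, since a missing trailer is the most common way a hand-made trace goes wrong.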
VERA 0.1 Released
Submitted by dannyquist on Sun, 2010-05-23 15:08.
I would like to announce the latest version of VERA, the reverse engineering visualization program. Lots of bugs have been fixed, which I have detailed below. Be sure to read the original VERA release documentation for instructions on how to use it.
Here is the change log:
- View panning has now been fixed so that it follows the mouse.
- Cleaned up display code and made it more portable
- Fixed right-click selection code. Currently a stub function but more will come later
- Center graph on first load. Now the graph isn't out in the middle of nowhere when you first load it.
- The start of execution is highlighted with a big blue box
- Added arrows to show directionality of execution
- Implemented frustum culling for rendering font text. This makes things *much* faster.
If you have any problems, please let me know via dquist SHIFT-2 offensivecomputingDOTnet
State of the art in CRiMEPACK Exploit Pack
Submitted by jamieres on Sat, 2010-05-22 19:58. Exploits | Malware | Research
CRiMEPACK exploit pack is widespread and accepted in the crime scene; in this area it came under the slogan "Highest Lowest rates for the price".
The version currently In-the-Wild is 3.0, which is being developed as an alpha (the first of this version). That is, it is in the middle stage of evaluation; perhaps in the next few days it will go on sale in underground forums, at which time its actual cost will be known.
Like any exploit pack, it also consists of a set of pre-compiled exploits to take advantage of a number of vulnerabilities in systems with weaknesses in some of their applications, then download and run (Drive-by-Download & Execute) malicious code and convert that system into a zombie, and therefore into part of the criminal apparatus.
And I mean ... "criminal" because those behind the development of this type of crimeware do it for this purpose. And judging by the pictures (a washcloth, a handgun, a wallet, money and what appears to be cocaine, the typical scenario of every mafia) observed in the authentication interface of its control panel, this definition is very evident.
The first time I found this package was in 2009, when the In-the-Wild version was 2.1; it later made its "great leap" to one of the most popular, version 2.8 (still active), which in early 2010 had incorporated CVE-2010-0188 and CVE-2010-0806 into its portfolio of exploits, in addition to adding an iframe generator and a "Kaspersky Anti-emulation" function, at a cost of USD 400.
