dannyquist's blog
Spam and Abuse
Submitted by dannyquist on Sat, 2010-01-30 14:21. Administrivia
One of the day-to-day tasks of running this site involves monitoring for spam. Usually it's no problem: I just delete the junk posts and comments, and disable the accounts. I've made some tools to make this pretty easy. The problem is that the spammers and malcontents seem to have ratcheted up their spamming and it's getting to be too much work. I've made a drastic change requiring people to send me an email asking to register their account.
There is a general pattern to the spam. All of the accounts are new and created within 1-10 hours of the spam. They all tend to have Gmail accounts. Others such as Yahoo, Hotmail, etc. have really dropped off. It would be nice if Google could do something to prevent people from taking advantage of their server. If I just banned any accounts from Gmail I could probably get rid of about 90% of the spam. That would affect other people using Gmail legitimately though, so I didn't want to take that step.
I realize there are people out there doing legitimate work [1] that can't answer the questions truthfully. That's ok, just make something up. I will accept "I work for the Post Office" as an answer [2], or pretty much anything else. So far it seems to be working too; there haven't been nearly as many spam messages as before.
There also have been some efforts to download our entire collection of malware. While I can understand why someone would want to do this, it does end up using a lot of our resources, bandwidth being one of them. As always I'm happy to work with people, but please contact me about it. I'm happy to make trades with people for new samples I can add. If you have nothing to trade, drop me a note and we can work something out.
[1] For some definition of legitimate. :)
[2] Stolen without shame from Halvar's class
One Million Samples
Submitted by dannyquist on Sun, 2010-01-17 22:59.
Watching the sample counter, I noticed that we have ticked over the 1 million mark. Ordinarily I'm not one for making a big deal about big round numbers, but I think this one has some special merit. There has been a lot of work to make this happen from a lot of people. Offensive Computing has been running for a little over 4 years now. It started out as a small website with big dreams. That turned into one with more of a focus on large numbers of samples. I can remember conversations with friends about how amazing it was when we had a thousand, ten thousand, and forty thousand samples. Each increment of size added more complexity to the system. There is no better way to learn about scaling issues than to run a public site like this.
It has always been our hope that this site has been a resource to the reverse engineering and malware analysis community. As always we enjoy interacting with everyone whether it be at conferences, training we've taught, twitter, or just email.
Thank you for all your support in creating this resource. Happy 1 million samples!
Danny Quist
Ether Mailing List
Submitted by dannyquist on Tue, 2009-11-24 13:22.
Artem has created a mailing list for all Ether development related activities. You can find it here in the Google Groups.
Ether Automation Utility: Ether Bunny
Submitted by dannyquist on Fri, 2009-11-13 14:27. tools
Ether Bunny is a script that I use to automatically start up and run Xen domains, copy files, and then execute them with Ether. It is a quick hack I put together. Most of the variables at the top of the file will need to be changed to match your configuration. This script is made available as-is. If it doesn't work you'll need to debug it on your own. That being said, if you find it useful and modify it, let me know and I'll be happy to update the public version.
You'll need to get a copy of Winexe as well to remotely run the files. There are some setup instructions at the Winexe page that will help you to configure your host machine.
Here's how I use it:
snoosnoo:/xen# ./eb.py 192.168.0.2 malware.exe
Ether Bunny v0.1 by Danny Quist
Analyzing malware.exe to on VM 192.168.0.50
Destroying old vm image /xen/winxp-sp2-malware-instance/
Restoring vm image...
Starting vm from /etc/xen/ramdisk-winxp-sp2.cfg
Copying malware.exe to VM 1166 at 192.168.0.50
Attempt: 1
Running malware.exe on VM winxp-sp2-ramdisk (1166) 192.168.0.50
Letting program run...
dos charset 'CP850' unavailable - using ASCII
EPOLL_CTL_ADD failed (Operation not permitted) - falling back to select()
Killing ether.
Destroying VM ID: 1166
Aborting...
Download Ether Bunny here.
Danny
My Ether Installation Method
Submitted by dannyquist on Sun, 2009-09-20 18:04.
I've gotten a few emails from people asking questions about how to install Ether. I thought I would put some very rough notes together for my general method to install it. Artem Dinaburg and crew have some good notes at the official Ether website but there are a few more things I do to get things rolling.
Here goes:
- Download the Debian AMD64 5.x net installation ISO and install it. Get your network card and configuration working.
- Install ONLY the linux-image-2.6.26-*-xen-amd64 package. You just want the kernel for this one. This is where I've gotten myself into trouble by installing the kernel source that comes with the patched Xen system.
- Download the Xen and the ether_ctl source and patch as described on the Ether installation instructions page.
- Install the Debian packages necessary to get the system up and running. I recently installed a system and this is the output of the dpkg --get-selections command: ether_install_packages.log
  Hint: grep '[[:space:]]install$' ether_install_packages.log | awk '{print $1}' | xargs aptitude install
- Start compilation of Ether in the following directories, not the main xen-3.1.0-src directory:
- cd xen ; make && make install
- cd ../tools ; make && make install
- cd firmware ; make && make install
- Edit the /boot/grub/menu.lst to have an entry that looks something like this (be sure to substitute your information):
title Debian GNU/Linux, kernel 2.6.26-2-xen-amd64
root (hd0,0)
kernel /boot/xen-3.1.0.gz dom0_mem=1G
module /boot/vmlinuz-2.6.26-2-xen-amd64 root=/dev/sda1 ro quiet
module /boot/initrd.img-2.6.26-2-xen-amd64
- Reboot. You should see a Xen logo then your system will start up and look like normal.
- Make a Windows VM and follow the modification instructions on the Ether website.
That should be all it takes to get a working system up and running. While you're playing with Ether be sure to check out Vera as well.
Updates
- 10/9/2009 - I've heard from a number of people that you may have to disable NX protection in your motherboard's BIOS to get this to work correctly.
- 10/27/2009 - Updated to not need compilation of libdisasm, updated installed modules list
Vizsec 2009: Visualizing Compiled Executables for Malware Analysis
Submitted by dannyquist on Mon, 2009-08-31 15:04.
The Vizsec 2009 program looks to be pretty exciting this year. Please join us in Atlantic City, New Jersey; I will be presenting more visualization techniques for malware. I'm presenting a paper titled "Visualizing Compiled Executables for Malware Analysis." I hope to see you there.
Visualizing Compiled Executables for Malware Analysis PDF - This won best paper at the workshop.
Abstract
Reverse engineering compiled executables is a task with a steep learning curve. It is complicated by the task of translating assembly into a series of abstractions that represent the overall flow of a program. Most of the steps involve finding interesting areas of an executable and determining their overall functionality. This paper presents a method using dynamic analysis of program execution to visually represent the overall flow of a program. We use the Ether hypervisor framework to covertly monitor a program. The data is processed and presented for the reverse engineer. Using this method the amount of time needed to extract key features of an executable is greatly reduced, improving productivity. A preliminary user study indicates that the tool is useful for both new and experienced users.
Offensive Computing Twitter OComputing
Submitted by dannyquist on Fri, 2009-08-07 18:43. Administrivia
Offensive Computing is now on Twitter! Follow OComputing for all the malware and reverse engineering 140 characters can handle.
Blackhat USA 2009: Reverse Engineering by Crayon
Submitted by dannyquist on Thu, 2009-07-30 17:51. Research
My Blackhat talk is over and I think things went really well. As promised here is the latest information on the slides. To be able to use VERA you will need to follow the installation instructions from the Ether project. Thanks again to everyone who attended and thank you for all the great questions.
Vera Executables 0.002a - Binaries to run VERA and generate graphs. (updated 9/2/2009)
Reverse Engineering by Crayon Slides from the Blackhat talk.
VERA Source Code (coming soon!)
If you're going to try and use Ether (which you definitely should) make sure you run Debian Sarge (or Etch or Lenny) with a 64-bit installation. From there the installation instructions from the Ether site should be all you need.
Malware Patent Application
Submitted by dannyquist on Thu, 2009-07-16 05:28. Research
I recently came across this patent from Network Associates by Igor Muttik. Here's the abstract:
"One embodiment of the present invention provides a system for determining whether software is likely to exhibit malicious behavior by analyzing patterns of system calls made during emulation of the software. The system operates by emulating the software within an insulated environment in a computer system so that the computer system is insulated from malicious actions of the software. During the emulation process, the system records a pattern of system calls directed to an operating system of the computer system. The system compares the pattern of system calls against a database containing suspect patterns of system calls. Based upon this comparison, the system determines whether the software is likely to exhibit malicious behavior. In one embodiment of the present invention, if the software is determined to be likely to exhibit malicious behavior, the system reports this fact to a user of the computer system. In one embodiment of the present invention, the process of comparing the pattern of system calls is performed on-the-fly as the emulation generates system calls."
Reading through the claims it appears that they have patented much of what was the state of the art of academic research in the early 2000s. I'm shocked at how loosely the patent is written. Comparing system calls might have been novel at the time, but the real magic is finding a matching algorithm for them. That algorithm, I would think, would be the real patentable material. Then again, that's why I'm not a patent lawyer.
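The on-the-fly comparison the abstract describes, reduced to code as an added example (it is not the patent's implementation nor any product's): a streaming matcher that is fed one system call at a time and reports a suspect pattern at the moment its last call lands. Everything specific here is my own construction: the two suspect patterns, the trace, the WINDOW size, and the matching rule (an ordered subsequence with gaps allowed, confined to the last WINDOW calls). Exact contiguous matching is included beside it because the difference between the two rules is exactly the "matching algorithm" point made above: the same database of patterns catches or misses a sample depending on it.

```python
"""Added example: streaming system-call pattern matching (constructed data).

Patterns, trace and matching rule are all choices made for this example, not
taken from the patent or from any real detection database.
"""
from collections import deque

# Constructed suspect patterns: ordered call names that must all occur, in
# order, within the last WINDOW system calls.
SUSPECT_PATTERNS = {
    "self_copy_and_persist": ("GetModuleFileName", "CopyFile", "RegSetValue"),
    "process_injection": ("OpenProcess", "VirtualAllocEx",
                          "WriteProcessMemory", "CreateRemoteThread"),
}
WINDOW = 8

# Constructed trace of an emulated run. The unrelated calls interleaved with
# the first pattern are what make contiguous matching miss it.
SAMPLE_TRACE = [
    "GetModuleFileName", "GetTickCount", "CopyFile", "Sleep", "RegOpenKey",
    "RegSetValue", "RegCloseKey",
    "OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread",
]


def is_gapped_subsequence(pattern, window):
    """True if pattern occurs in order within window, gaps allowed, and its
    final call is the call that just arrived (window[-1]); scanning backwards
    from the newest call means each completion is reported once, when it happens."""
    if not window or window[-1] != pattern[-1]:
        return False
    i = len(pattern) - 1
    for call in reversed(window):
        if call == pattern[i]:
            i -= 1
            if i < 0:
                return True
    return False


def is_contiguous(pattern, window):
    """Exact-adjacency rule for comparison: pattern must be the window's tail."""
    n = len(pattern)
    return len(window) >= n and tuple(list(window)[-n:]) == tuple(pattern)


class SyscallMatcher:
    """Consumes system calls one at a time ('on-the-fly as the emulation
    generates system calls') and records (call_index, pattern_name) hits."""

    def __init__(self, patterns=SUSPECT_PATTERNS, window=WINDOW, rule=is_gapped_subsequence):
        self.patterns = patterns
        self.rule = rule
        self.window = deque(maxlen=window)   # only the last `window` calls are kept
        self.hits = []
        self.count = 0

    def feed(self, call):
        self.count += 1
        self.window.append(call)
        found = [name for name, pat in self.patterns.items() if self.rule(pat, self.window)]
        self.hits.extend((self.count, name) for name in found)
        return found                         # what a reporting hook would act on


def scan(trace, patterns=SUSPECT_PATTERNS, window=WINDOW, rule=is_gapped_subsequence):
    """Run a whole trace through the matcher and return its hits."""
    m = SyscallMatcher(patterns, window, rule)
    for call in trace:
        m.feed(call)
    return m.hits


def scan_contiguous(trace, patterns=SUSPECT_PATTERNS, window=WINDOW):
    """Same trace, exact-adjacency rule, for side-by-side comparison."""
    return scan(trace, patterns, window, rule=is_contiguous)


if __name__ == "__main__":
    print("gapped    :", scan(SAMPLE_TRACE))
    print("contiguous:", scan_contiguous(SAMPLE_TRACE))
```

On the constructed trace the gapped rule reports both patterns while the contiguous rule reports only the injection sequence; widening WINDOW trades more false positives for tolerance of padding calls, which is the tuning decision any such matcher forces on its author.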
New Reversing and Visualization Tools Released this Summer
Submitted by dannyquist on Wed, 2009-06-24 02:16.
A few conference acceptances are in so I can now lift the cone of silence and share some of the research I've been doing.
Lately I've been using Artem Dinaburg and Paul Royal's excellent Ether Malware Analysis system they presented at ACM CCS last year. This is some very good work that allows you to instrument a running binary extremely well. The paper they have written is very good. I've submitted some patches to the project and overall it's in good shape. I'll write up a more detailed post about using the Ether framework later. Those of you that have been using Saffron should check out this system. Even though it requires dedicated hardware it's a much more robust system.
Using Ether I've been working on my visualization tool for better dynamic and static analysis integration. I call it VERA: Visualizing Execution for Reversing and Analysis. Using the dynamic trace data and unpacking capabilities of Ether, VERA helps you to better unpack unknown binaries, reduce the reversing time, and generally make the whole process easier. I've shown it to a pretty limited set of people, mainly the students in my Reverse Engineering courses, and it seems to be reasonably well received.
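The step both this paragraph and the VizSec abstract above describe, turning Ether's dynamic trace into a picture of the program's overall flow, as an added example. This is not VERA's code or the paper's method in detail; it is a minimal version of the idea: collapse an instruction trace into dynamic basic blocks, weight the edges by how often each transfer ran (so loops stand out), and colour each block by which PE section its address falls in, with execution outside every section flagged as unpacked code. The "eip length" per-line trace format, the section table and the trace itself are constructed for the example; a real Ether trace would be converted into that shape first.

```python
"""Added example: instruction trace -> dynamic basic-block graph in DOT.

Not VERA's implementation. Trace format, section table and trace contents
are constructed for illustration.
"""
from collections import Counter

# Constructed section table (in practice taken from the sample's PE headers):
# name -> (start, end), end exclusive.
SECTIONS = {".text": (0x401000, 0x402000), ".data": (0x402000, 0x403000)}

# Constructed trace, one executed instruction per line as "eip length".
# A four-iteration loop in .text, then a jump to 0x403000, which lies outside
# every section: the shape a self-decrypting packer stub leaves behind.
SAMPLE_TRACE = """\
0x401000 5
0x401005 2
0x401007 3
0x40100a 2
0x40100c 2
0x401007 3
0x40100a 2
0x40100c 2
0x401007 3
0x40100a 2
0x40100c 2
0x401007 3
0x40100a 2
0x40100c 2
0x40100e 5
0x403000 1
0x403001 3
"""

COLOURS = {".text": "lightblue", ".data": "khaki", "unpacked": "salmon"}


def parse_trace(text):
    """Parse 'eip length' lines into (eip, length) tuples; blank and '#' lines are skipped."""
    out = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        eip, length = line.split()
        out.append((int(eip, 16), int(length)))
    return out


def build_graph(trace):
    """Collapse a trace into block leaders and weighted edges.

    A new block starts whenever the next executed address is not the
    fall-through of the previous instruction (a taken branch, call or return).
    The edge count is how many times that transfer happened.
    """
    if not trace:
        return [], Counter()
    leaders = [trace[0][0]]
    edges = Counter()
    current = trace[0][0]
    for (eip, length), (nxt, _) in zip(trace, trace[1:]):
        if nxt != eip + length:
            edges[(current, nxt)] += 1
            if nxt not in leaders:
                leaders.append(nxt)
            current = nxt
    return leaders, edges


def classify(addr, sections):
    """Section containing addr, or 'unpacked' when it lies outside all of them:
    code running there was written at run time, which is what unpacking looks like."""
    for name, (start, end) in sections.items():
        if start <= addr < end:
            return name
    return "unpacked"


def to_dot(leaders, edges, sections):
    """Render the block graph as Graphviz DOT, colouring blocks by section."""
    lines = ["digraph trace {", "  node [style=filled];"]
    for addr in leaders:
        kind = classify(addr, sections)
        colour = COLOURS.get(kind, "white")
        lines.append(f'  "{addr:#x}" [label="{addr:#x}\\n{kind}", fillcolor="{colour}"];')
    for (src, dst), n in sorted(edges.items()):
        lines.append(f'  "{src:#x}" -> "{dst:#x}" [label="{n}"];')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    leaders, edges = build_graph(parse_trace(SAMPLE_TRACE))
    print(to_dot(leaders, edges, SECTIONS))   # pipe into: dot -Tpng -o trace.png
```

The salmon node is the one a reverser wants to look at first: it is reached only after the loop has run, and it executes where no section of the file on disk says code should be.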
I will be talking about VERA at some conferences and workshops this summer and fall. The first is the Blackhat USA Briefings 2009 and Defcon 17. This talk will show how to integrate Ether into the reversing process and will also demonstrate VERA. I'll be giving a live demo and releasing the tool here.
A more formal treatment will be at the Workshop on Visualization and Security 2009 (VizSec). This paper will outline the nitty-gritty details of the Reverse Engineering process and how VERA fits into it.
I hope to see you this summer. Several former OC members will be giving talks too so it should be a worthwhile experience.
