Dailydave mailing list archives

Re: VPC


From: Halvar Flake <halvar () gmx de>
Date: Tue, 26 Feb 2008 11:46:03 +0100

Thorsten Holz wrote:
> On Thu, Feb 21, 2008 at 1:54 PM, Dave Aitel <dave () immunityinc com> wrote:
>
>> There's another one called CWSandbox that has a free web form you can
>> send exe's to.
>
> You can either send a sample to <https://cwsandbox.org/?page=submit>
> or <http://research.sunbelt-software.com/submit.aspx>
> More info about the tool is available in an article
> (<http://pi1.informatik.uni-mannheim.de/filepool/publications/j2holz.pdf>)
> and an example report is
> <https://cwsandbox.org/?page=details&id=156851&password=iokop>
>
>> (They hook a bunch of things but I think you can escape
>> the hooking by calling system calls directly?)
>
> But then you are not platform independent. CWSandbox was originally
> designed to automatically analyze the malware we capture with the help
> of honeypots (worms, bots, ...), but has evolved a lot since then.


OS-version independent API-hook bypassing is a very old hat (late 90's?).
Aside from checking for such hooks (which many common packers do
out-of-the-box, and have been doing since ... uhm ... almost a decade?),
the attacker has many choices to bypass the hook. I have seen many
variants of hook bypasses of various quality over the years -- some
samples include:
    (1) Checks for the exact OS version to then differentiate which exact
        syscalls to use, then using syscalls
    (2) Inlining the first few bytes of OS functions into the executable,
        then jumping to API+X
    (3) Packers that inline entire OS functions into the executable
None of these are entirely rocket science (although (3) is kinda cute),
and platform-independence can be achieved easily if one is willing to
sacrifice Win9x (and, perhaps, Win2k) compatibility.

Empirically, it is likely true that very little malware takes these
countermeasures. That just means that the authors have decided that the
cost of taking countermeasures (virtually zero) isn't worth incurring yet.

It constantly amazes me in how many guises API hooks will cross my path
in my life -- I have seen bad IPS based on it 7 years ago, then again
4 years ago etc. etc.

API hooking is great if you're dealing with a nonadversarial target. For
everything else, it's useful as long as nobody decides it's worth 3 hours
to deal with it.

Cheers,
Halvar
PS: "Nobody will break into my house -- I put paper in front of my door.
No burglar has ever been seen cutting paper in order to break in!" :-P
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
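The mechanics behind the hook check and bypasses (1) and (2) in the message above, as an added example that is not part of the original post or of CWSandbox. It works on a constructed x64 ntdll-style syscall stub for a hypothetical NtFoo with a made-up syscall number (0x55), first as the clean bytes one would read from the DLL on disk and then as the same bytes after a hooking engine has written a 5-byte jmp over the prologue. It shows three things: detecting the inline hook by diffing memory against the clean copy, recovering the syscall number from the clean stub so the call can be made with a direct syscall (which is exactly where the OS-version dependence in (1) comes from, since the number changes per build), and computing the X in "jump to API+X" as the first instruction boundary past the overwritten bytes so that a trampoline can inline the clean prologue and continue in the real function. The tiny length decoder covers only the opcodes in this stub; that, the addresses in main, and the stub itself are assumptions. Running the trampoline needs Windows and executable memory; this block only builds it.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed x64 ntdll-style stub for a hypothetical NtFoo, as read from
   the DLL on disk (the "clean" copy). SSN 0x55 is made up. */
static const uint8_t clean_stub[] = {
    0x4C, 0x8B, 0xD1,                               /* mov  r10, rcx            */
    0xB8, 0x55, 0x00, 0x00, 0x00,                   /* mov  eax, 0x55 (SSN)     */
    0xF6, 0x04, 0x25, 0x08, 0x03, 0xFE, 0x7F, 0x01, /* test byte [7FFE0308h], 1 */
    0x75, 0x03,                                     /* jne  +3                  */
    0x0F, 0x05,                                     /* syscall                  */
    0xC3,                                           /* ret                      */
    0xCD, 0x2E,                                     /* int  2Eh                 */
    0xC3                                            /* ret                      */
};

/* The same stub as seen in memory after a hooking engine wrote a 5-byte
   "jmp rel32" over its first bytes (constructed). Bytes 5..7 are the
   tail of the old "mov eax, imm32" and survive the patch unchanged. */
static const uint8_t hooked_stub[] = {
    0xE9, 0x00, 0x10, 0x00, 0x00,                   /* jmp  hook_handler        */
    0x00, 0x00, 0x00,
    0xF6, 0x04, 0x25, 0x08, 0x03, 0xFE, 0x7F, 0x01,
    0x75, 0x03, 0x0F, 0x05, 0xC3, 0xCD, 0x2E, 0xC3
};

#define STUB_LEN (sizeof clean_stub)

/* Minimal length decoder: only the opcodes that occur in this stub (assumption;
   a real tool would use a full x86-64 length disassembler). 0 = unknown. */
static size_t insn_len(const uint8_t *p, size_t n)
{
    if (n >= 3 && p[0] == 0x4C && p[1] == 0x8B && p[2] == 0xD1) return 3; /* mov r10,rcx */
    if (n >= 5 && p[0] == 0xB8) return 5;                                  /* mov eax,imm32 */
    if (n >= 8 && p[0] == 0xF6 && p[1] == 0x04 && p[2] == 0x25) return 8;  /* test byte [abs32],imm8 */
    if (n >= 2 && p[0] == 0x75) return 2;                                  /* jne rel8 */
    if (n >= 2 && p[0] == 0x0F && p[1] == 0x05) return 2;                  /* syscall */
    if (n >= 2 && p[0] == 0xCD) return 2;                                  /* int imm8 */
    if (n >= 1 && p[0] == 0xC3) return 1;                                  /* ret */
    if (n >= 5 && p[0] == 0xE9) return 5;                                  /* jmp rel32 */
    return 0;
}

/* Hook check: diff the in-memory bytes against the clean copy and return one
   past the last differing byte. 0 means identical, i.e. no inline hook. */
size_t hooked_span(const uint8_t *mem, const uint8_t *clean, size_t n)
{
    size_t last = 0;
    for (size_t i = 0; i < n; i++)
        if (mem[i] != clean[i]) last = i + 1;
    return last;
}

/* Bypass (1): read the syscall number out of "mov r10,rcx; mov eax,imm32".
   Returns -1 if the bytes don't look like that stub (hooked, or not x64). */
long extract_ssn(const uint8_t *p, size_t n)
{
    if (n < 8 || p[0] != 0x4C || p[1] != 0x8B || p[2] != 0xD1 || p[3] != 0xB8)
        return -1;
    return (long)(p[4] | (uint32_t)p[5] << 8 | (uint32_t)p[6] << 16 | (uint32_t)p[7] << 24);
}

/* Bypass (2): the X in "jump to API+X" is the first instruction boundary at or
   past the overwritten bytes; jumping mid-instruction would crash. 0 on failure. */
size_t trampoline_offset(const uint8_t *clean, size_t n, size_t overwritten)
{
    size_t off = 0;
    while (off < overwritten) {
        size_t len = insn_len(clean + off, n - off);
        if (len == 0) return 0;
        off += len;
    }
    return off;
}

/* Build the trampoline: the first X clean bytes inlined, then "jmp API+X".
   api_va/tramp_va are where the real stub and the trampoline will live.
   Returns the trampoline length, or 0 if X is unknown or rel32 overflows.
   The copied bytes here are position-independent; RIP-relative ones would
   need fixing up, which this example does not attempt. */
size_t build_trampoline(const uint8_t *clean, size_t n, size_t overwritten,
                        uint64_t api_va, uint64_t tramp_va,
                        uint8_t *out, size_t cap)
{
    size_t x = trampoline_offset(clean, n, overwritten);
    if (x == 0 || x + 5 > cap) return 0;
    int64_t disp = (int64_t)(api_va + x) - (int64_t)(tramp_va + x + 5);
    if (disp < INT32_MIN || disp > INT32_MAX) return 0;
    memcpy(out, clean, x);
    out[x] = 0xE9;
    uint32_t rel = (uint32_t)disp;
    for (int i = 0; i < 4; i++) out[x + 1 + i] = (uint8_t)(rel >> (8 * i));
    return x + 5;
}

int main(void)
{
    uint8_t tramp[32];
    size_t span = hooked_span(hooked_stub, clean_stub, STUB_LEN);
    size_t len = build_trampoline(clean_stub, STUB_LEN, span, 0x1000, 0x2000, tramp, sizeof tramp);
    printf("hooked bytes: %zu, SSN from clean copy: 0x%lx, jump to API+%zu, trampoline %zu bytes\n",
           span, extract_ssn(clean_stub, STUB_LEN), trampoline_offset(clean_stub, STUB_LEN, span), len);
    return 0;
}
```

With the 5-byte detour, the clean stub's boundaries fall at 0, 3 and 8, so the trampoline must copy eight bytes (both mov instructions) and land at API+8; copying only the five overwritten bytes would split the mov eax immediate.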

