|
How is this interesting? You might think it's boring as gently caress. That's cool. I thought it was super interesting when I was younger, but I couldn't find any information on it. I didn't even know where to get started. I imagined people who worked on anti-virus stuff had mastered some deeply mysterious art and had turned their dark, esoteric skills against the tides of evil. Maybe other people feel the same way? For a profession that pays as well as it does, and considering how important computer security is becoming, it surprises me how hard it is to find good info on the subject. I never heard it mentioned in university. There are a few books on it, but many are boring, and the state of the art changes so fast they get outdated quickly. Who are you? I was a kid from a small town in Texas that reverse engineered for fun then I got recruited online to do it professionally in San Francisco. I researched mobile malware (android / iphone) for ~2.5 years before moving on to other types of security research. This profession and hobby has taken my life in some weird directions. I'll be giving a workshop at DEFCON this year, and I've talked to a bunch of kids (12-14 years old) in Thailand about hackers and some of the neckbeard culture here in the bay area. What's reverse engineering? It's taking other people's poo poo apart. It's related to cracking apps/games and making them free, but this is illegal and I won't be talking about it. Lots of people get their start in reversing by cracking, and I can talk about that or the scene in general, but no specifics about techniques or how to crack apps, etc. I have some passing experience with reversing in general, but my focus is Android. Most of the time, mobile devs have no loving clue how reversing works, or they don't care, so reversing the app is easy. But every now and then, you get a fighter. It's more common with malware. These are the fun ones. They'll protect their apps in various ways specifically to make my life harder. There's definitely an adversarial element to be appreciated in reversing. What they don't realize is just how much of a target it makes them. Malware for my phone? Is that even a thing? Yes and no. If you have an unjailbroken iPhone, not really, and not yet. If you're on Android, you're at more risk, and the risk jumps way way up if you don't (or can't!) use Play. iPhone is more locked down than Android. You can do lots of stuff in Android apps that iOS just won't let you do. This limits malware's potential. Also, the iPhone is heavily tied to the App Store, and the store is heavily moderated. Getting accepted is such a bitch that our iOS team used to pop bottles whenever the newest version of our app was accepted. They have a big list of things to check for, and I imagine they get some really persnickety fuckers to comb through and find any little thing they can to reject, usually without explanation. The "not yet" is because there's a huge incentive to get malware working on iPhones. Apple may loosen up restrictions to compete with Android in terms of app flexiblity, though I suspect they appreciate how it's a market differentiator and don't want to do that. We've seen a few thing slip by their grading process. One app had a little hidden virtual machine and looked benign, and it'd download a script after it'd been installed for a while and execute it in it's virtual machine and it would do bad stuff. Similar "wait and hide" tactics are promising, because they're hard to spot when being graded. Android is way more of a wild west. The most common threat is premium text messages. You could install an app that looks benign, or promises access to pr0n, but as soon as it starts, it secretly sends text messages that cost you money. OR it signs you up for a subscription to a premium service, like a lovely "joke a day" service, and it'll hide the confirmation you get from tmobile or verizon or whatever, and it'll hide the "jokes" you get every day. The insidious part is, for this "toll fraud" stuff, is the charges are pretty small, and you won't notice unless you're watching your bill carefully. Most of the malware is from Russia and friends, China, and Spain. Most of the time it's for money, but there's also some bots. Usually the bots will hide on your phone and wait for commands like "go search baidu or google for this term", "visit this web page", "send this text message", "send me your contacts", etc. If you control a lot of bots, you can sell services like "we can make sure your website gets a lot of traffic from these search terms" or "your lovely app that no one actually wants will get at least 1000 downloads from unique IPs". Here are some starter questions:
|
#
?
Jul 16, 2015 18:43
|
|
|
|
| # ? Apr 25, 2024 23:28 |
|
|
I come from the glorious world of system administration and can tell you a lot more about networking shenanigans then I can software ones, but I suspect this will be an interesting thread. I'd like to hear your interpretation of the current state of antivirus software and why it is just so, so bad 90% of the time.
|
|
#
?
Jul 16, 2015 19:03
|
|
|
tekproxy posted:Here are some starter questions: Definitely interested in this one. It seems like anything mobile related to antivirus and even simple ad/popup blocking web browsers suck. I use Ghostly and Eset on my Android, and both seem to be the best so far, but I know jack poo poo about phones.
|
|
#
?
Jul 16, 2015 19:22
|
|
|
What is the best way to detect malware? Other than common sense stuff (don't install shady apps, etc), what is the best way to prevent infection?
|
|
#
?
Jul 16, 2015 19:28
|
|
|
Is having Java installed really stupid?
|
|
#
?
Jul 16, 2015 19:37
|
|
|
tekproxy posted:Why are most anti-virus apps total lovely unmitigated disasters? Interested in this one as well. I read an article a long while back talking about people who create antivirus software and how it was nearly worthless when it comes to catching "new threats" since all a malware writer needs to do is make a few small changes to their code once their software has been detected and, poof, now it's undetectable again for a short while. Has that changed at all? Related question: do you ever feel like you're just piling sand bags against a flood of malware that you'll never really be able to stop?
|
|
#
?
Jul 16, 2015 21:56
|
|
|
Canine Blues Arooo posted:I'd like to hear your interpretation of the current state of antivirus software and why it is just so, so bad 90% of the time. Cuckoo posted:Definitely interested in this one. It seems like anything mobile related to antivirus and even simple ad/popup blocking web browsers suck. I use Ghostly and Eset on my Android, and both seem to be the best so far, but I know jack poo poo about phones. Knowledge is power (to kill lovely products) In general, products get lovely because of market forces, i.e. demand / competition. IMHO, the main problem is the market is not informed. An efficient market, where products must improve or die, must be well informed. This is "non-trivial", which is nerd euphemism for "really loving hard". Oh sure, there are companies like AV-TEST and AV-Comparatives that score AV products. Unfortunately, they're literally extorting AV companies and their tests are complete bullshit. Even worse, is it's inherently very difficult for any independent lab to implement a good testing methodology. Why is testing so hard? First, let's define what we actually want from an AV.
#1 and #2 are easily evaluated. The rest require throwing malware at a product and seeing what it detects. This means you have to have a set of malware and know what the malware is. This is nearly impossible for any lab, and here's why: Collecting and identifying malware is the hard part. That's what AV companies do. So, AV tests get samples from the public domain, which are outdated, or, and this is the best part, from the companies they're testing.  Think about that for a second. The only samples they have are old, and are less likely to affect you, or they're from a source with a vested interest in gaming the test. And you can bet they do. Here's some of the problems that come up:
Companies spend a lot of resources, millions of dollars, hundreds of people at larger companies, to win these tests, and improving relevant detections is but a tiny, tiny, tiny part of winning. Oh yeah, I mentioned these tests extort. If you weren't doing well in their tests, you could pay them to not publish your results. They'd still test you and you'd get to see what you missed, which had some value. We did it for a while, mainly because they rejected a new family I found on the grounds that "no one else was detecting it so it's prolly not malware". This made us think, well what's the loving point of trying so hard to find new stuff? As soon as we started paying them, and maybe this was just coincidence, our scores went way up. Then, one day they told us they were publishing our results anyway.  We threw around words like "illegal" and "contract" and they decided they wouldn't publish our results.. unless someone asked for them. And of course people will ask.  Because good testing is so hard, people pick what AV product they use based on reading tea leaves, chicken bones, PCMagazine articles, word of mouth, etc. Until quality can be better measured, companies can focus on marketing and winning these bullshit tests, or pretty much anything except for making their stuff better. Good testing would probably require companies collaborate and share what's called "prevalence", or what maljuarez they see in the wild. Combine all that together and build a sample set of relevant malware, with families as evenly represented as possible. Probably not ever going to happen, though. All that aside, there are some really good security researchers at these companies. And none of the shittyness of their companies has anything to do with them.
|
|
#
?
Jul 16, 2015 22:37
|
|
|
Not a Children posted:What is the best way to detect malware? Other than common sense stuff (don't install shady apps, etc), what is the best way to prevent infection? Best way to detect Right now, everyone uses "signatures". Think of a big list of rules like: "if it has these 12 bytes and (these 6 bytes or these 18 bytes), then it's MalwareA" This is weak because, as a malware author, you can figure out what those rules are yourself, then change your app so it can't be detected. What's more is you can "pack" your app so that the binary (think EXE) looks different every single time it's created, even if you don't change anything. Then AV companies come up with ways of dynamically unpacking, and it's an arms race. This is a big area of research, and I could go on at length. There are ways of using predictive analysis and statistical models to determine if something looks bad without it being analyzed by a human. Some companies call this "advanced heuristics" or "suspicious behavior", etc. Another huge topic I can go into if you're interested. Basically, AV companies collect thousands and thousands of applications. From each application they do some analysis to tell them what the application looks like and what it does. Some of these applications are labeled as malware, perhaps after review by an analyst. Then, when they get a new app, they can ask questions like "does this app look like all the other malware I've seen?" And if it does, they can prioritize that to be reviewed by an analyst. This was a big deal where I was working. Because Android is written in Java (mostly), and because Java was designed with static analysis in mind, it's easier to tell what an Android app does. PC apps can hide in all kinds of ways, and Android is going there, but that takes effort and most malware authors don't like to spend effort. Best way to prevent infection I don't think I can add much to this question. There's a lot of info online and it's pretty good. I can say that for single users, the common sense stuff goes a long way. You could use linux (lolol). Honestly, I think most infections are from people doing stupid stuff. Most malware authors make really low-effort garbage and just pump it out everywhere they can. If only 0.001% of people are dumb enough to run it, that's enough to make it profitable for them. Now, if you're a business or government, or you're otherwise a high value target, you've got to worry about advanced persistent threats (APT). That's a whole new ballgame. Basically, you get rid of the mentality of: "make sure we never get pwned" and replace with: "when we get pwned, they can't burn everything to the ground" Because you will get pwned. Sooner or later. It just takes one employee to do something stupid. If it's China, they'll eventually find a service somewhere that you didn't update, or they'll use a 0day that no one knows about. Or if it's a local threat, they could do physical penetration (  ), like drop a bunch of "free" USB keys (stuffed with malware) around the parking lot. Hell, you can even make Mac laptop and iPhone chargers that infect your device's firmware. You've got to assume they'll get in eventually, so you wall everything off even inside the network. Don't assume that if it's coming from one of your own machines that you can trust it.
tekproxy fucked around with this message at 23:16 on Jul 16, 2015 |
|
#
?
Jul 16, 2015 23:06
|
|
|
Obdicut posted:Is having Java installed really stupid? I think a lot of people use it for legitimate purposes (minecraft), so for anyone who actually wants to use java, it's not really stupid. Even if you never have a need to use java ever, which is unlikely, I don't think it'll reduce your risk surface much. Why? Do you disagree?
|
|
#
?
Jul 16, 2015 23:19
|
|
|
tekproxy posted:I think a lot of people use it for legitimate purposes (minecraft), so for anyone who actually wants to use java, it's not really stupid. It's just what some random IT guy told me, that anyone running JAVA was asking for trouble, which seemed over the top.
|
|
#
?
Jul 17, 2015 00:16
|
|
|
kedo posted:Interested in this one as well. I read an article a long while back talking about people who create antivirus software and how it was nearly worthless when it comes to catching "new threats" since all a malware writer needs to do is make a few small changes to their code once their software has been detected and, poof, now it's undetectable again for a short while. Has that changed at all? The piling sand bags against a flood is apt. Yeah, we felt like that. We called it "boiling the ocean" because there was a never-ending stream of poo poo. I'd sometimes work on weekends because I couldn't stand the thought of there being stuff we -knew- was bad, but hadn't written detections for. This stress slowly subsided as I learned to focus my energy on more long-term solutions like automation. Catching new threats is hard. Totally true. But there's a lot you can do that a lot of older AV companies have been slow to adopt. Where I was working, because we focused on mobile, and because Android apps are easier to analyze, we were bringing a fresh approach. First, there are two types of new threats. 1.) new families, 2.) new variants of known families. For detecting both types of new threats, you want to improve your "acquisitions". This means collect more apps. For us, that meant finding and crawling more Android markets, and crawling Play better, which was always a bitch because it's complicated as gently caress and they'll ban you. You've got to be really sneaky to not get banned, or just make it easy to create new accounts.  Ideally, there's a whole team for this. We went from getting hundreds to tends of thousands of apps a day while I was there. I wrote a crawler that could queue up hundreds of thousands of apps to download. When I left, the download queue was at several million. Eventually, wasn't how good our crawlers were, it was how good our infrastructure was at "ingesting" at scale. webscale. 3.0.Detecting new families A new family is something totally new or undiscovered. To find this, your behavior analysis game has to be tight. To do this, you need an amazing data set, kickass statistical models, and have some good signals defined for escalating to analyst review. Amazing data set comes from having good acquisitions and good feature extraction. When you get an app, pull out what the looks like it could do (static analysis), and what the app actually does when you run it (dynamic analysis) and simulate some user behavior, e.g. send it a text message, click randomly all over the screen, etc. While you're doing this, you're also manually which apps are malware and what type of malware they are. Then, you can build up a model of what each type of malware looks like, e.g. trojans behave one way, toll fraud behaves another way, etc. For each new app, evaluate its features against the model of malware you've built. For apps that score high, get an analyst to look at them. If your acquisitions are timely, and your models aren't too noisy, you can find new families quickly. And yes, this means if we didn't acquire it, we wouldn't detect it. And even if we did acquire it, we wouldn't detect it until it'd been processed by an analyst. Detecting new variants New variants are like "new versions" of apps. The updates are usually incremental, like normal software. Plus, malware authors are lazy, so usually not a lot changed. For this, you've got to have an established and good taxonomy of malware, and really good searching of your own "corpus" or collection of apps. You can't group malware into a few generic families, which a lot of companies do. We saw a lot of stuff like Android.Gen.1, FakeReg. SmsReg, etc, from other companies. Even for apps that were totally different and we knew were being made by different groups. We tracked malware families by looking at code, and some other proprietary stuff. Any time we had an app that came in where the code looked similar, or they named things in the same style, etc. we'd be able to put that app in the correct family. There was one guy that always used animal names for classes, and another that would put cute messages for us like a string like "gently caress AV companies". We'd note all the interesting stuff about a family into "teardowns" and slowly accrete "intelligence profiles" on groups creating malware. For important families, we'd do a lot of digging into who the gently caress was actually making it, like specifics. There was more than one occasion where I found myself doing something creepy like browsing the youtube favorites of someone we knew to be releasing malware. Like some kind of cyber stalker. We keep a close eye on them and make sure to acquire anything new they make. Because of this type of intelligence, we found some pretty serious malware in the Play store and had it taken down before it affected too many people. Long story short, malware people bought a developer's account with an established user base, and added code to one of his apps that would download and execute code when it was started. At first, there wasn't any code to download, so it wouldn't do anything bad. This is how it got past bouncer. They released the "updated" app and waited for it to soak into the user base. After a few weeks, they flipped a switch and made the malware available from their servers. Any time the app ran after the malware was available, it would download and execute it, sending premium text messages. Malware people would get the money, and the users may never notice the charges on their account. We caught the fucker wayyyyy early and had it taken down. We could have scared the poo poo out of everyone about it while it was up, but we told Google first and let them deal with it before releasing the news. When we found a sample that looked like it was part of a family, but didn't fit any established variant, we created a new variant. Then, because our searching was pretty good, we could find all the related apps and quickly fill up the new variant with samples. The more samples we had, the more confident we could be that our heuristics were good. Also, we found that certain things are more likely to change than others between variants. We'd focus our heuristics on that, so between hitting everything we knew of so far, or at least maximizing it, and hitting on stuff we knew was less likely to change, we could be reasonably sure we'd hit on things we haven't seen yet either. This happened on many occasions. We got better at it. Creating heuristics, even with automation, is very much an art. Maybe eventually with "big data" and "leveraging cloud synergies" and other buzzwords, we'll get to a point where it can be totally automated. I'll miss it, but I'll enjoy spending my time working on other problems. tekproxy fucked around with this message at 00:33 on Jul 17, 2015 |
|
#
?
Jul 17, 2015 00:20
|
|
|
While working in tech support, the biggest issue was the cryptolocker variants. What do you think can be done to prevent the next massive extortion and bank fraud virus against people who not entirely computer literate? It seems that there is a lot of hackers putting out low effort dreck and the chance of professional outfits putting out high quality stuff. Is there a risk of hackers moving towards being more monetarily damaging as a whole?
ShadowMoo fucked around with this message at 05:17 on Jul 17, 2015 |
|
#
?
Jul 17, 2015 04:52
|
|
|
tekproxy posted:Amazing data set comes from having good acquisitions and good feature extraction. When you get an app, pull out what the looks like it could do (static analysis), and what the app actually does when you run it (dynamic analysis) and simulate some user behavior, e.g. send it a text message, click randomly all over the screen, etc. Do you use machine learning methods at all to do this? If so, how effective are they and what sort of features can be extracted from those data sets?
|
|
#
?
Jul 17, 2015 11:18
|
|
|
ShadowMoo posted:While working in tech support, the biggest issue was the cryptolocker variants. What do you think can be done to prevent the next massive extortion and bank fraud virus against people who not entirely computer literate? It seems that there is a lot of hackers putting out low effort dreck and the chance of professional outfits putting out high quality stuff. Is there a risk of hackers moving towards being more monetarily damaging as a whole? I don't think you can prevent. You can only harden security and improve isolation to mitigate the inevitable pwn. The reason is simple: It's an arms race. The incentive to create ever increasingly complex malware attacks only increases as 1.) more of our valuable databits move to "the cloud" and 2.) countries exist that are both technically developed and possess weak economies (looking at you Russia and China). I don't see #1 or #2 going away anytime soon. So yeah, since there's more incentive, hackers will continue to move away from the clever or destructive viruses / hacks of my youth, to the money-grabbing dreck you see now. If I were to prescribe something to aid with prevention, it wouldn't be technical. Let me explain. Many companies hire penetration testers to simulate attacks on their network. If you ever want to get as close to possible as being a hacker from the movies or playing shadowrun IRL, without going to pound-me-in-the-rear end-prison, be a penetration tester. I've heard some of the coolest stories, like forging a note from the CEO to smooth talk past some security guards, or plugging in a tiny, stealthy computer into some networking hardware and using it to stage attacks into the rest of the network. Since NDAs are always required, they can't talk about specifics, but I'll ask about poo poo they've seen and general state of security. They almost always give me this look:  Then, they usually either start shaking their head in a wide-eyed daze, start laughing, or simply stand still and stare off into the void as their eyes grow dark with memory. They assure me everyone is getting pwned, hard, all the time. Companies I'd "really really really expect to be secure" have some of the worst holes in their security. I don't doubt them. I've seen how apathy sets in if you don't have a few highly paranoid security people beating everyone else with sticks. Bigger companies are probably even worse. It's easy to let things fall through the cracks. Security is complex, sometimes onerous for devs and users, and the benefits are not immediate. In fact, if you have good security, you don't notice it at all. It's easy to understand why companies don't give a poo poo. So my recommendation is to give a poo poo. I think this is starting to happen. You can't go a month now without hearing about some new high-profile hack. Sony, iCloud, and now HackTeam come to mind. Popcorn tastes good. It seems people are becoming more sensitive to how secure all their poo poo is. As this demand increases, companies must oblige or risk going out of business. This won't stop the hacks, but it should diminish their scope and frequency. You brought up cryptolocker, which I find interesting. It's pretty big. I talked to a few non-tech people who'd been hit by it. It was well written, well executed (distribution), and they actually decrypted the data if you paid them. You're probably talking about the PC version, but there was an Android version that did the same thing too. There were actually a few different Android families that we classified as "ransomeware". My favorite was a Japanese app that promised "mom porn". When you ran it, it locked your phone, called you a pervert, and demanded payment within 24 hours lest it alert all of your contacts what a loving perv you are. We reversed all of them well enough to understand how to decrypt the data ourselves. Decryption keys were almost always hard coded. We actually had a customer send us their phone and we decrypted everything manually for them. Some people floated the idea of publishing a decryptor app to the market, but it was judged to be a little too risky and too much work.
|
|
#
?
Jul 17, 2015 19:35
|
|
|
Is there an antivirus that's not garbage? If you would prefer to not endorse any specific company or product that's fine.
|
|
#
?
Jul 18, 2015 06:03
|
|
|
Zsa Zsa Gabor posted:Do you use machine learning methods at all to do this? If so, how effective are they and what sort of features can be extracted from those data sets? Yes, we used machine learning. I've somehow avoided that phrase, but when I say we built up statistical models of what malware looked like, that's the machine learning I mean. As to how effective it was, it ranged. We were always prototyping new things and a lot of them looked promising. The most well developed would give us a similarity score of any app for each category (trojan, toll fraud, spyware, non-malicious, etc.). In theory it should have worked great, and sometimes it did, especially in the beginning. For some reason probably relating to how it was implemented, a 1.0 score, which indicated it was very similar to malware, usually meant it wasn't malware. But if the score was, say, 0.6-0.85, it was doing some heavy poo poo, and we might want to look at it. If the score was less than 0.4, it usually didn't have enough "capabilities" to do anything bad. As for what we extracted, that's part of the secret sauce and I can't give everything away. There's some really obvious and easy to change stuff that malware authors don't seem to know about, so they never change it, and it's the best way we have for detecting them. I can say we extracted stuff like:
The way we extracted these features was really neat. Instead of just looking through the code to see if there was an API call to sendTextMessage, we'd actually run the code through symbolic execution in a virtual machine. This means we'd "kind of execute" the code, and could tell you if some code was reachable or not. If you had "if (false) doBad()", we could see that doBad() would never get called. This gave us more certainty in our extracted feature set. What's more, is for any capability / feature, we had the call stack to each API call. This means that if sendTextMessage is called somewhere, we knew what method called it, and what method called that method. One of the things I researched was asking "what programs send text messages without any human interaction", which is what toll fraud does and possibly not much else. To do that, I could take all the call stacks that ended with sendTextMessage, and exclude the ones like onClick, onTouch, etc. This actually worked fairly well. Maybe 10-20% of the results were malicious, or looked really malicious, which is a good signal to noise ratio. The problem was it was obvious to my team some of the techniques were amazingly powerful, but they were never refined and fixed up, and the R&D team didn't have good intuition about the data. I think we could have done much much better with the data set we had. There's a lot of untapped potential to really automate a lot of what the analyst does by hand there. Maybe they will in the future? I didn't leave because they were dysfunctional or broken. It's probably normal for companies to have these problems as they scale from 50 to 300 people.
|
|
#
?
Jul 18, 2015 17:38
|
|
|
tekproxy posted:Many companies hire penetration testers to simulate attacks on their network. If you ever want to get as close to possible as being a hacker from the movies or playing shadowrun IRL, without going to pound-me-in-the-rear end-prison, be a penetration tester. I've heard some of the coolest stories, like forging a note from the CEO to smooth talk past some security guards, or plugging in a tiny, stealthy computer into some networking hardware and using it to stage attacks into the rest of the network. Since NDAs are always required, they can't talk about specifics, but I'll ask about poo poo they've seen and general state of security. They almost always give me this look: I know you're not a pen-tester, but are there any in here? I'm curious if that leads down the road of keeping your phone's battery out until you need to make a call, refusing to buy a car with OnStar / other wireless connection, and keeping all of your money hidden in your mattress. Because if not, that does actually sound like a really cool section of IT.
|
|
#
?
Jul 18, 2015 19:40
|
|
|
How do you break into this field?
|
|
#
?
Jul 20, 2015 00:33
|
|
|
What kind of vectors do mobile malware use, besides the app store?
|
|
#
?
Jul 20, 2015 01:18
|
|
|
How sophisticated is mobile device malware compared to desktop computer malware? What behavior does malware exhibit that is the most difficult to distinguish from legitimate software?
|
|
#
?
Jul 20, 2015 02:06
|
|
|
Is it just me, or did malware go from really annoying obvious things with very obvious program names to something that became more subtle and harder to detect? Not from an antivirus software, but just from a user's point of view.
|
|
#
?
Jul 20, 2015 02:35
|
|
|
I'm not a highly technical person, though i've tried some simple programming, but this topic is super loving interesting to me because it's the most 'human' part of development, with all the gaps and opportunities being due to human error or fresh ideas, and using the same tools against that problem. It reminds me a bit of the back and forth between cheaters and anti-cheat software that i encountered from playing FPS games a good few years ago. I'd be interested in the kind of personalities you meet in that industry, it'd be easy to imagine everyone involved being linux sysadmin stereotypes or normal but hardworking folk, were there any exceptions or unexpected people that come to mind? You mentioned it being a hobby, and as with many CS subtopics any depth probably requires it being a hobby as well as an interest. Also, to get a better background, how did you get your reverse engineering chops? Unless the cracking side of things excludes most public discussion of that. Did you get into it through communities, online resources, one or two key tools/methods that got you going? Wallrod fucked around with this message at 02:53 on Jul 20, 2015 |
|
#
?
Jul 20, 2015 02:51
|
|
|
Cool, I was thinking about going into the field, but then I tried to get into x86 assembly and boy, was that not fun.
|
|
#
?
Jul 20, 2015 04:06
|
|
|
Forgall posted:Is there an antivirus that's not garbage? If you would prefer to not endorse any specific company or product that's fine. In the past, I got a lot out of Malwarebytes and GMER. I wish I had something more scientific for you  For funsies, I read the AV test site to learn their testing methodology. They claim to test with "zero day malware". I don't know what this means. I'm guessing it means malware other vendors haven't discovered yet. If so,
|
|
#
?
Jul 20, 2015 17:49
|
|
|
Curious as to what tools/programs you use. Is there a difference since you're reversing stuff on phones vs windows exes?
|
|
#
?
Jul 21, 2015 05:31
|
|
|
22 Eargesplitten posted:I know you're not a pen-tester, but are there any in here? I'm curious if that leads down the road of keeping your phone's battery out until you need to make a call, refusing to buy a car with OnStar / other wireless connection, and keeping all of your money hidden in your mattress. Because if not, that does actually sound like a really cool section of IT. I don't hear a lot of people call themselves pentesters these days but its a big chunk of what I do as a security engineer. Its a fantastic job where I get to follow my curiosity across the codebase to find both subtle and obvious security issues. I've loved it since I started, jesus, a decade ago. "Pentesting" as most people categorize it stops there. As a consultant I would fly in, blow some lovely software up for as many days as someone was paying me and then drop a report on their desk before flying off to do it somewhere else. Being a security engineer is a superset of that work, its finding fixing and preventing security vulnerabilities through manual analysis, attention to detail, tooling, experiments and sometimes a good old fashion meeting with another engineer about why their design is fundamentally insecure. Security in general is pretty cool because it has all these specialized pockets, network/infra/application/malware-security. To your question - I know acutely how terrible all software is, its not your cell phone or onstar but your pacemaker, the way companies settle payments to the bank (sftp a big .csv file to a server), BGP, how every website outside the alexa1000 was cobbled together with bubblegum and stack overflow answers. It doesn't worry me a ton, if something bad happens (http://gizmodo.com/hackers-threaten-to-expose-40-million-cheating-ashleyma-1718965334/1719170821) thats just life. Of all the things I worry about I try to align it with what will actually kill me, driving, heart disease cancer etc. Driving is really scary when you think about it, there is nothing stopping from just crossing the median except the other schmuck doesn't want to die either. notlibber fucked around with this message at 07:31 on Jul 21, 2015 |
|
#
?
Jul 21, 2015 07:27
|
|
|
Thanks. That does sound like a great job, but I don't think I could stand the constant travel. How consistent was the work? I guess if you took a couple days at the nice places after the job, it could be like mini-vacations.
|
|
#
?
Jul 21, 2015 17:25
|
|
|
That was when I was a consultant, I left that behind after a few years as the travel, even at 50% and eventually 30% was too much and it stopped being fun. Now I do that type of work but the other side as well, working at one company where I try to make everything secure. Its a pretty normal 9-5
|
|
#
?
Jul 21, 2015 18:58
|
|
|
Wallrod posted:I'm not a highly technical person, though i've tried some simple programming, but this topic is super loving interesting to me because it's the most 'human' part of development, with all the gaps and opportunities being due to human error or fresh ideas, and using the same tools against that problem. It reminds me a bit of the back and forth between cheaters and anti-cheat software that i encountered from playing FPS games a good few years ago. You're right. It's a lot like cheats vs anti-cheat. And in the same way that you gotta be good at writing cheats to design a good anti-cheat system, you need to know how to be sneaky to find sneaky malware. This is why I tend to lump people into "hacker" or "engineer". Hackers tend to be really passionate about what they're doing. Computers are their hobby and now they're getting paid to do it. They usually spent some time on the dark side. Maybe they hung out with "anonymous" on IRC and did random acts of badness, wrote hacks, wrote malware, or cracked software. If you ask how they got into reversing / security, they might say something clever like "Software licensing" or "The westboro baptist church's website" (actual answers). Engineers tend to be in the industry because it's a well-paying college job, and not because of passion or love. This probably makes work / life separation easier (I wouldn't know). Really good engineers are stone cold problem assassins. If you give them a clearly definable engineering task, like building a spec, adding a feature, or writing a new tool or service, they can do it. In my experience, you run into trouble when you give engineers tasks that aren't clearly definable, like crawling the Play store. The problem is you'll get banned, and it's not clearly definable how to avoid getting banned. It requires research or previous experience evading or building that type of system. Are the accounts registered from the same IP address? Do they have the same IMEI? Are there patterns in the account name? Do they share IP addresses? Do they operate at inhuman intervals, like a request every 5.0 seconds? And so on forever. This is the sort of problem you let a hacker build a prototype of, and then hand it off to engineering to clean it up, add tests, productionize it, etc. Of course, there are people that "dual class", and there are lots of different personality types in each group. Honestly, if you want to see common personality types, just watch Silicon Valley. I laughed non-stop when they introduced Jared, since he is exactly like a product manager I know. And I know someone who looks, sounds, and acts just like Gilfoyle, right down to wearing flannel and being a satanist. Wallrod posted:[...] oRenj9 posted:How do you break into this field? The way I got into the scene was through reversing android apps. It started with wanting to know how an app I bought worked. I wanted to know how it validated my serial. I found out it was doing everything in a method that returned true or false depending on of the serial was valid. I figured out how to change it to always return true and discovered Android apps are very easy to reverse and modify. It seemed like the whole mobile scene was in its infancy compared to PC, so I could get in early. This was several years ago and there was hardly any information on how to do any of this stuff, so I decided to share what I was learning. To do that, I created a secret identity. I invented some background info, common phrases I'd use, etc. I'd intentionally make typos or grammatical / english mistakes. I'd always use tor or a tor proxy to connect to anything. Eventually, I published what I learned about the first app to a forum. To my surprise, a lot of people suddenly became very interested in me. Turns out, if you display any kind of skill, people will start sending you apps asking you to crack them. Once you start cracking apps for a few people, it means an unlimited supply of all the premium paid apps you can eat. I'd always wanted to know how the cracking scene was organized. In case you're curious, there are three roles someone might play in a cracking group: cracker, supplier, releaser. Most suppliers are also releasers, but a lot of crackers don't give a poo poo about anything except cracking. Releasers are the people that "release" the cracked app. There's actually a lot of work in doing this right. You gotta make sure no one else has released it yet, or there isn't a correctly cracked release, and write the release / forum post / piratebay post, whatever. This means making or finding screen shots for the app, getting some affiliate download links to get paid, hunting down the changelog, etc. It's also pretty tense because you're competing with other releasers to be the first to release. There was one guy that we swore had to be a room full of chinese kids. He'd release seconds or minutes after an app was updated, at all times of day, 24/7. No idea how he did it. Suppliers procure the apps and supply them to the crackers. I found suppliers to be the most shady. Some of them were carding or did carding in the past. A lot of them made enough money through affiliate links in releases to buy more apps. Once a guy hopped into our channel and dropped 400$ worth of apps on us. I think he had access to some funds that weren't his own, and wanted some credit for supplying the apps. So much of what people do is for e-peen. Another guy worked for a company and could get access to apps before they were released. He did that for about a year before he stopped coming online. Someone that knew him IRL said people in suits came by his desk at work to ask him some questions and scared the poo poo out of him. Another supplier got "really involved with anonymous" and disappeared. Crackers crack the apps. These people tend to care the least about e-peen, and they may not even want their names mentioned on the release. These people tend to be a little older and more mature. The ones I've talked to tend to reverse as a hobby, and have other jobs. For the next few years, I reversed 4-10 hours a day, almost every day. I was going to school at the time, and my job was with computers and I could get all my work done without much mental strain. I think this period of insane obsession and hard work is key. I'd spend weeks writing tools and researching new techniques. Many times I wanted to quit. Many times I didn't think I could reverse something. I'd just force myself to keep going, and eventually I'd figure it out. I think most people never get to this level of obsession, or work this hard at anything. In fact, even after getting into a field full of highly motivated people, few of them work this obsessively. The ones that do are the most successful. Eventually, I was contacted by someone on IRC who said he worked at a company that did reverse engineering and I should send in my resume. I laughed and politely told him no, and that I had no interest in telling anyone who I was. I didn't delude myself into thinking I was some kind of loving internet kingpin and the feds were hot on my tail. But I made up my paranoid rules and was sticking to them. It was fun. He idled in our IRC channel for a few weeks and eventually contact me again. This time he explained how he'd reversed some of my stuff. Now, this got my attention. I went way, way out of my way to make reversing anything I created a total shitshow. I invented techniques to break disassembly tools, and my code was written in a way that I knew would be hard for -me- to reverse. I thought: "This guy is loving good. He can't possibly be the government." In a manic burst of "gently caress it", I sent in my resume. The next day, I got a phone call to schedule an interview. A few weeks later, I was interviewing.
|
|
#
?
Jul 21, 2015 19:20
|
|
|
So I'm like super dumb and way far from modern tech, but what exactly is the revenue stream here? Guy says I want app cracked, it gets cracked (and malware gets added), and then they redistribute but now its loaded with poo poo that either ends with direct pay for blackmail or skimming a ton of info they then sell? I feel really dumb and also Holy poo poo technology has BLOWN by me
|
|
#
?
Jul 22, 2015 02:17
|
|
|
While holding your devices for ransom is certainly a thing (and probably the most prominent idea of malware that springs to mind), a lot (the majority?) of the time, it's just harvesting peoples' computing power/IP. Say you sneak a program onto 1000 computers that lets you issue commands to a terminal invisible to its user. Then you start up a website that offers to sell "Likes," in bulk, for someone to make their facebook page look popular. You get paid, then issue a command to each of those 1000 (or however many paid for) computers, telling them to open a browser, create a fake facebook account (or hell, use the one that's likely already logged in), add a couple of the other fake accounts as friends, and like the paid-for page. Boom, 1000 Likes from 1000 different IPs, relatively hard to identify as fraudulent unless someone does some digging, and the users of those devices might be none the wiser, the only hint being a 20 second slowdown of their computer. DDoSing also comes to mind as a possible application, just have everyone in your botnet ping someone and stifle all their web traffic. If they decide to get really nefarious (and bold), they might attempt to use your device as a proxy, taking advantage of your connection to make transactions that they wouldn't want associate with their own computer. I'm definitely no expert, so take those ideas with a handful of salt. tekproxy probably has a much better answer.
|
|
#
?
Jul 22, 2015 14:10
|
|
|
Not a Children posted:While holding your devices for ransom is certainly a thing (and probably the most prominent idea of malware that springs to mind), a lot (the majority?) of the time, it's just harvesting peoples' computing power/IP. Say you sneak a program onto 1000 computers that lets you issue commands to a terminal invisible to its user. Then you start up a website that offers to sell "Likes," in bulk, for someone to make their facebook page look popular. You get paid, then issue a command to each of those 1000 (or however many paid for) computers, telling them to open a browser, create a fake facebook account (or hell, use the one that's likely already logged in), add a couple of the other fake accounts as friends, and like the paid-for page. Boom, 1000 Likes from 1000 different IPs, relatively hard to identify as fraudulent unless someone does some digging, and the users of those devices might be none the wiser, the only hint being a 20 second slowdown of their computer. DDoSing also comes to mind as a possible application, just have everyone in your botnet ping someone and stifle all their web traffic. Don't forget turning host PCs into bitcoin mining slaves!
|
|
#
?
Jul 22, 2015 17:47
|
|
|
Hydrogen Oxide posted:Curious as to what tools/programs you use. Is there a difference since you're reversing stuff on phones vs windows exes? https://www.hex-rays.com/products/ida/ IDA pro is basically the only real quality option out there, regardless of platform. edit: actually with android there are probably java decompilers that work too, but I can't comment on that from experience. For general software disassembly though, it's all about IDA astr0man fucked around with this message at 18:29 on Jul 22, 2015 |
|
#
?
Jul 22, 2015 18:27
|
|
|
Jasper Tin Neck posted:What kind of vectors do mobile malware use, besides the app store? I'm going to talk about Android malware, since most mobile malware is Android and I know it the best. There are a few ways, briefly:
Dynamic loading An android app may be benign and even have legitimate functionality, but could at some time download and load an executable (dex file) which provides malicious functionality. This "dynamic loading" of executables isn't always bad. It lets devs provide out-of-market updates to their apps, and keeps them from needing to include all of the code in an app. Google doesn't allow this, but they don't always enforce the restriction. A malicious example is an SDK provided by a certain company. The SDK had legit functionality. It let devs integrate their apps with the home screen, facebook, etc. When you first launched the app, the SDK would "update" from its servers and download most of the functionality. At some point, they started including a bitcoin mining, without ever telling the devs or the users. This kind of poo poo is -very- hard to catch, and most companies are not geared for looking for this kind of thing. You have to be closely and intelligently monitoring what executables get loaded on the client (devices), and you have to have people who are smart enough to reverse engineer the SDK's updating mechanics. Since this type of attach is technically sophisticated, you don't see it used on the dumb & obvious malware that just steals your money. It tends to be more subtle, like mining bitcoins, aggressive adware, etc. It's what I'd use if I were hitting up some high-value targets, because it effectively side steps static and dynamic analysis, and allows you to control what and when gets updated. Third party markets / forums Welcome to the unregulated free market of apps. Usually, the releaser dropping an app has his reputation on the line and won't knowingly include malware. And any larger site will ban someone distributing malware, but it's less policed than the play store, so your risks are increased. Spam campaigns The sad reality is that if I send a badly-worded text message and a download link to 1,000 people, 10 will probably download it, and 5 will install it. The cost of getting 1000 live phone numbers and reward of getting 5 people to install my malware is probably worth it. There's not just text messages, but also e-mail, drive by downloads, fake websites / markets, twitter messages. You just need to lure enough people into visiting them and some will be stupid enough to download and install. We kept track of the number of detections for different families, and we knew that our work was preventing a lot of people from installing this type of malware. Normally, for any particular family, it was 1-10 detections a day, with about 100 *active* families. Every now and then we'd see detections spike massively, and we'd know they were "running a campaign". We didn't have good sensors out there for knowing how their campaigns were running, but larger and more established AV companies probably have honeypots setup that'll get the different kinds of spam. Pre-loading Aka. "I bought this cheap Chinese knock off phone and it's constantly installing apps without asking, halp pls!!" Every now and then we'd find a family of malware that we know was installed as a system app on devices. This means it was "baked into" the rom and came with the phone. It was impossible to know where in the supply chain it was added, but the phones were always Chinese. And those phones traveled. We got a report from some guy in Greece that bought a tablet from a little mom and pop stall on the side of the road that had some pre-loaded malware on it. Usually this type of malware will install applications (because someone paid them), collect personal info, and push text messages to your device (they don't have to actually send one, they can just add it to your sms inbox directly because they have root).
|
|
#
?
Jul 22, 2015 18:33
|
|
|
AdorableStar posted:Is it just me, or did malware go from really annoying obvious things with very obvious program names to something that became more subtle and harder to detect? Not from an antivirus software, but just from a user's point of view. As long as you can make money from malware, it'll be made, and long as AV companies improve detections, the malware will be improved. GWBBQ posted:How sophisticated is mobile device malware compared to desktop computer malware? For behavior, the incentive to make malware only increases as people use their phones more and more as a primary computing device. For many people, their phone is more important than their computer, if they even have a computer. And for many people in developing countries, they might only have a phone. Malware groups are shifting their attention to figuring out how to make better malware and take advantage of the unique properties of phones. One example is text messaging. The most common way apps steal from you is toll fraud, or secretly sending premium text messages or subscribing to premium sms services. About 1.5 years ago, I found a new money making scheme. It was added to an already complex Chinese bot. When the phone screen was off and the lock screen was up, it would start making calls to numbers it got from their server. They were probably making a kick back for every connection. As soon as the screen unlocked, it cancelled the call. Later versions even hid the calls from the call history. This type of dialer malware existed on PC back when modems were popular, and now it's making a come back on phones. As for technical sophistication, I'd watch malware start out simple, maybe just secretly sending texts. A few months later they add auto-responding to text messages based on server supplied regex rules. This allows auto-responding to premium sms service confirmations. Then a few weeks later, they add collecting contacts, text messages and hardware info. Then, they add encryption between server and client. Then, they start running all their apps through a packer or obfuscator. Tracking what they do gets harder. It takes a few weeks to write a tool to unpack it. Then, it looks like they're recording audio and taking screen shots. And so on. It was fun watching them improve. You got to know how they thought how they worked by looking at their code. Some of them were pretty clever, just didn't care that much about quality. Sometimes we'd find seemingly unrelated malware apps, but one of us would be so familiar with a family, we'd be able to make a connection. Like, this guy uses the word "plugserv" for the wakelock reason, and I've seen that before in this other family. Let me compare the two.. The number of packers and obfuscators has exploded in the past few years, mostly from China. Legit apps and malware both use them. They all started out fairly simple, but as we figured out how to unpack them and published our research, they'd quickly improve. I don't see it slowing down yet. Now is still a good time to get in compared to PC reversing, because it's not so complex that you'll have to spend years getting caught up with the state of the art. GWBBQ posted:What behavior does malware exhibit that is the most difficult to distinguish from legitimate software? We would normally tell if an app was malicious way before looking at behavior. We could usually look at simple stuff like package names, app icons, how the code looked, etc. I personally found a lot of stuff looking for package names with "android" or "google" in the name, but weren't actually released by google, e.g. "com.android.core" or "com.goog1e.backup". Legit apps have lots of code. The code is decently well written. Class responsibilities are well organized and named sensibly and consistently. There's proper use of Android and Java idioms, and generally it doesn't look like a high school CS student wrote it. If there's English, legit apps tended to have good English. Malware is the opposite. Really lovely structure, terrible english, and code that was so bad we sometimes mailed it out to engineering as a counter example of good code. Because of this, tiny and crappy Chinese and Russian utilities looked malicious, at first blush. It got more tricky if they were root enablers or did something similarly low level. The more subtle malicious behavior, like mining bitcoins, exfiltrating PII (collecting personally identifiable information), aggressive ads, installing apps without permission, etc. were usually much harder to notice because they'd usually be included in larger, better written bodies of code. We didn't consider commercial spyware as malicious unless it hid itself. This was usually meant downloading and running the app on a phone to see what it did, because there were different ways and in different places that an app might hide itself. It might look like another icon, or it might hide itself from the launcher completely. Also, these types of apps look a lot like actual spyware. Luckily for me, I didn't work on a lot of the spyware.  One thing I like to keep in mind is confirmation bias. We found stuff based only on what we looked for. I'm sure there were more interesting and insidious types of malware we missed because we weren't looking for it. Particularly, we never looked for really advanced and targeted threats. I could go into detail, but let's just say I'd research new ways of doing this and it was never prioritized. I'd spend my own time doing it and we'd find cool poo poo and everyone would be happy. But then they'd have us spend all our time doing tedious poo poo only to ask later why we haven't found anything cool in a while. Uh, because we spend all of our time on av test and it's literally killing us? I don't blame anyone personally. I think I could have communicated better. There was a distinct lack of research vision and leadership that's needed to up level our searching capabilities, which you need to find the cool poo poo.
|
|
#
?
Jul 22, 2015 19:58
|
|
|
tekproxy posted:Pre-loading
|
|
#
?
Jul 23, 2015 08:25
|
|
|
Do I need to learn x86 while I'm still in school or do I really, really need to learn x86 while I'm still in school?
|
|
#
?
Jul 23, 2015 14:29
|
|
|
I teach a malware analysis and reverse engineering course at a local university... it's hard to go too in-depth because the students are in the IT track there and most don't have more than cursory programming experience. I'd love to talk to you about my syllabus/class material sometime or check out your course at Defcon (I'll be there). Which day are you hosting it, and is registration still open?
|
|
#
?
Jul 23, 2015 18:07
|
|
|
ashgromnies posted:I teach a malware analysis and reverse engineering course at a local university... it's hard to go too in-depth because the students are in the IT track there and most don't have more than cursory programming experience. That's super cool. Your university is automatically awesome. Yeah, let's talk. I'll PM you the deets.
|
|
#
?
Jul 24, 2015 00:28
|
|
|
|
| # ? Apr 25, 2024 23:28 |
|
|
Hydrogen Oxide posted:Curious as to what tools/programs you use. Is there a difference since you're reversing stuff on phones vs windows exes? astr0man mentioned IDA and he's right, it's -the- reversing tool. I don't personally use it because I think how it lays out the code is all hosed up and wrong. I hate how it organizes by method names and the first letter of each parameter. It's just not designed to show nested packages that Java / Android use. I also hate how it displays Smali. There's a lot of visual noise there. But, I know a very good reverser that uses it, and it's a great option if you want to do debugging, and about the only option if you want to reverse native disassemblies (the .so files in lib/) Yeah there's a difference between phones and windows. The two main differences are the tools and the APIs. The disassembly tool kinda depends on what language the binary was written in. IDA understands most languages, but for some types of binaries you can get away with using a free tool that's specially built for it, like C#. That language was designed to be decompiled. For that, you can use .NET Reflector. The APIs available depend on the operating system. Windows has built in methods that are totally different from Android, and a big part of knowing what an app does is learning the ins-and-outs of the API. Android apps start out as Java, then get compiled to Java bytecode, then get transformed into dalvik bytecode. Some tools can take dalvik bytecode and turn it back into java bytecode, like enjarify and dex2jar. Once you have java bytecode, you can use a java decompiler like jd-gui or luyten. These tools are free, and you'll get Java at the end. It's usually really lovely java since you lose variable names most of the time, and decompiling is lossy in general. The code may be severely hosed up, and this process is only good for surface level analysis. If you wanna go hard, and get yourself a high-fidelity disassembly, go with baksmali. I used baksmali + ultraedit for a few years. I think it's good to start with Smali because it forces you to take your time and learn about some low level stuff. It's also essential if you plan to modify apps, and there are many legit reasons for doing this, like adding instrumentation. One common example of instrumentation, is adding a bit of code to the beginning of each method to print out its parameter values. This way, when you run the app, you can see what's getting called, with what, and in what order. If you have money, or you're professional, I highly recommend JEB. It's THE poo poo. It's specifically designed to take dalvik bytecode and convert straight to Java. Because of this, the output is very high fidelity. It's also maintained very well. If you have bugs or problems, you tell them, they fix it lickety split. There's also a plugin system. AND, you can refactor, which is huuuuuuge. This is one of the main benefits of IDA, imo. Imagine a giant mess of code with method and class names like a, b, c, d, etc. It gets impossible to read, e.g. a lot of "a(b.a(c, a.b, d))". But refactoring allows you to rename methods (globally) so as you pick apart which each method does, you can rename them progressively until the code starts to make sense. E.g.:
After a few hours of renaming everything so it makes sense again, you can save all of your progress, go home for the day, and start over where you left off when you get back.
|
|
#
?
Jul 24, 2015 00:58
|
|