Archive for January, 2008
JavaScript Packers
This article by SecureWorks, titled “The Packer 2.0 Threat”, is a good introduction to and overview of some of the most popular JavaScript packers. It discusses both the legitimate (although possibly misguided) uses of packers, as well as their role in obfuscating malware. The packers mentioned in the article include: Dojo ShrinkSafe, MOOtools, YUI Compressor, JSMin, and the Dean Edwards Packer.
Basically, the author argues that packing JavaScript leads to several unintended consequences that are bad for security. The most obvious problem is that it becomes much more difficult for network traffic inspection tools, including IDS, to tell the difference between friendly and malicious code. Other techniques, such as gzip compression, are probably good enough to improve bandwidth efficiency.
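The inspection problem described above can be made concrete. The following is an added example, not code from the SecureWorks article or from this blog: a few heuristics a defender can run over JavaScript pulled off the wire to flag code that looks packed. It recognises the `eval(function(p,a,c,k,e,d){...})` wrapper that the Dean Edwards Packer emits, eval() over a decoded string, and a couple of density measures. All sample inputs are constructed for the example; the thresholds (0.45 symbol ratio, 500-character line) are assumptions to tune on real traffic, not values from the article.

```javascript
// Added example, not from the SecureWorks article or the blog: simple
// heuristics a defender can run over JavaScript pulled off the wire to flag
// code that looks packed or obfuscated. All sample inputs are constructed.

// The Dean Edwards Packer wraps its payload in eval(function(p,a,c,k,e,d){...}).
// Some versions name the last parameter r instead of d; accept either.
const DEAN_EDWARDS_RE =
  /eval\s*\(\s*function\s*\(\s*p\s*,\s*a\s*,\s*c\s*,\s*k\s*,\s*e\s*,\s*[dr]\s*\)/;

// Returns the raw measurements plus the list of indicator names that fired.
function packedJsIndicators(src) {
  const lines = src.split(/\r?\n/);
  const longestLine = Math.max(...lines.map((l) => l.length));
  const nonSpace = src.replace(/\s/g, '');
  // Share of non-whitespace characters that are not letters, digits or '_'.
  // Readable code sits well below 0.45 (assumed threshold); packed payloads
  // made of punctuation and short tokens tend to sit above it.
  const symbolRatio = nonSpace.length === 0
    ? 0
    : (nonSpace.match(/[^A-Za-z0-9_]/g) || []).length / nonSpace.length;
  const evalCount = (src.match(/\beval\s*\(/g) || []).length;
  const decoderCount =
    (src.match(/\b(?:unescape|String\.fromCharCode|atob)\s*\(/g) || []).length;

  const indicators = [];
  if (DEAN_EDWARDS_RE.test(src)) indicators.push('dean-edwards-packer');
  if (evalCount > 0 && decoderCount > 0) indicators.push('eval-of-decoded-string');
  if (lines.length <= 3 && longestLine > 500) indicators.push('single-long-line');
  if (symbolRatio > 0.45) indicators.push('high-symbol-density');

  return {
    longestLine,
    symbolRatio,
    evalCount,
    decoderCount,
    indicators,
    likelyPacked: indicators.length > 0,
  };
}

// Constructed sample: ordinary readable code.
const PLAIN_SAMPLE = [
  'function greet(name) {',
  "  var message = 'Hello, ' + name;",
  '  return message;',
  '}',
].join('\n');

// Constructed to mimic the shape of Dean Edwards Packer output; the payload
// is the trivial greeting function above, not real malware.
const PACKED_SAMPLE =
  "eval(function(p,a,c,k,e,d){e=function(c){return c.toString(36)};" +
  "while(c--){if(k[c]){p=p.replace(new RegExp(e(c),'g'),k[c])}}return p}" +
  "('0 1(2){3 4=5+2;6 4}',7,7,'function|greet|name|var|message|Hello|return'" +
  ".split('|'),0,{}))";

// Constructed sample: eval() over a hex-escaped string ("hello" as %68%65%6c%6c%6f).
const DECODED_EVAL_SAMPLE = "eval(unescape('%68%65%6c%6c%6f'))";

// Scan all three samples and return the per-sample results.
function scanAll() {
  return {
    plain: packedJsIndicators(PLAIN_SAMPLE),
    packed: packedJsIndicators(PACKED_SAMPLE),
    decoded: packedJsIndicators(DECODED_EVAL_SAMPLE),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, result] of Object.entries(scanAll())) {
    console.log(name, result.likelyPacked ? 'LIKELY PACKED' : 'plain', result.indicators);
  }
}
```

Run it with `node packed-js-check.js` (any file name). Note the limit that the article points at: the same indicators fire on a legitimately packed library, so on their own they can only tell you "packed", not "malicious", which is exactly why packing makes IDS-style inspection harder.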
Taking advantage of UPnP to be evil
pdp posted an interesting little article. He describes how he can take over a home router (like the kind someone might use with a cable modem) using a malicious Flash application and UPnP (Universal Plug-n-Play). Basically, all the user/victim has to do is load up a website with this particular Flash application embedded in it. Then the attacker can make whatever changes to the router he likes, such as disabling the firewall, forwarding ports to the outside, or even changing the DNS server.
As pdp states, this isn’t necessarily a bug, but rather an unintended consequence of the fact that UPnP does not require any authentication. I guess they figured that since it only listens for multicast on the internal interface, it’s not a big deal. If you don’t actually need UPnP functionality, disabling it might be a good idea.
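If you do turn UPnP off, it is worth confirming that the router actually stopped advertising it. The following is an added audit helper, not code from pdp's post or this blog: it parses SSDP discovery replies (the HTTP-like messages UPnP devices send over UDP port 1900) and reports whether a device still advertises the Internet Gateway Device WAN connection services, which are the ones that accept port-mapping requests without authentication. The replies are constructed for the example, with a placeholder UUID and private addresses; no device is contacted.

```javascript
// Added example, not from pdp's post or this blog: an audit helper that reads
// SSDP discovery replies and reports whether a LAN device still advertises the
// Internet Gateway Device services that allow unauthenticated port forwarding.
// The replies below are constructed; no real device is contacted.

// Service types exposed by a UPnP IGD that accept AddPortMapping requests.
const IGD_WAN_SERVICES = [
  'urn:schemas-upnp-org:service:WANIPConnection:',
  'urn:schemas-upnp-org:service:WANPPPConnection:',
];

// Parse one SSDP reply into {status, headers}; header names are lower-cased
// because SSDP (like HTTP) treats them as case-insensitive.
function parseSsdpReply(text) {
  const [statusLine, ...rest] = text.split(/\r?\n/);
  const headers = {};
  for (const line of rest) {
    if (line.trim() === '') break; // blank line ends the header block
    const idx = line.indexOf(':');
    if (idx === -1) continue; // tolerate malformed lines
    headers[line.slice(0, idx).trim().toLowerCase()] = line.slice(idx + 1).trim();
  }
  return { status: statusLine.trim(), headers };
}

// Decide whether a parsed reply advertises a WAN connection service.
function assessIgdExposure(reply) {
  const { headers } = reply;
  const st = headers['st'] || headers['nt'] || ''; // NT is used in NOTIFY announcements
  const usn = headers['usn'] || '';
  const exposesWanService = IGD_WAN_SERVICES.some(
    (svc) => st.startsWith(svc) || usn.includes(svc)
  );
  return {
    exposesWanService,
    location: headers['location'] || null,
    server: headers['server'] || null,
  };
}

// Constructed reply from a router that still has UPnP IGD enabled
// (placeholder UUID, private address).
const ROUTER_REPLY =
  'HTTP/1.1 200 OK\r\n' +
  'CACHE-CONTROL: max-age=1800\r\n' +
  'ST: urn:schemas-upnp-org:service:WANIPConnection:1\r\n' +
  'USN: uuid:00000000-0000-0000-0000-000000000000::urn:schemas-upnp-org:service:WANIPConnection:1\r\n' +
  'LOCATION: http://192.168.1.1:1900/igd.xml\r\n' +
  'SERVER: ExampleOS/1.0 UPnP/1.0 ExampleRouter/1.0\r\n' +
  '\r\n';

// Constructed reply from a media device: UPnP present, but no WAN service.
const MEDIA_REPLY =
  'HTTP/1.1 200 OK\r\n' +
  'ST: urn:schemas-upnp-org:device:MediaRenderer:1\r\n' +
  'USN: uuid:11111111-1111-1111-1111-111111111111::urn:schemas-upnp-org:device:MediaRenderer:1\r\n' +
  'LOCATION: http://192.168.1.50:8080/desc.xml\r\n' +
  '\r\n';

// Assess every reply captured during a discovery pass.
function auditReplies(replies) {
  return replies.map((text) => assessIgdExposure(parseSsdpReply(text)));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of auditReplies([ROUTER_REPLY, MEDIA_REPLY])) {
    console.log(r.exposesWanService ? 'IGD WAN service advertised' : 'no WAN service', r.location);
  }
}
```

In practice you would feed `auditReplies` the replies collected from your own LAN after disabling UPnP in the router's admin interface; a router that still answers with a WANIPConnection or WANPPPConnection service has not really turned it off.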
MBR rootkit found in wild
This isn’t just any rootkit, but rather one that lives in the master boot record of your PC. That means it runs before Windows even fully boots up. It’s also at a lower level in the system than anti-virus software, which makes it quite difficult to remove. Security Fix has a good summary of what was found and where this malware probably came from.
Symantec has a technical discussion of the malware (which they call Trojan.Mebroot), now that they’ve analyzed it. Note the last line: “To help prevent similar attacks in the future, if your system BIOS includes the Master Boot Record write-protection feature, now is a good time to enable it!”
Insightful article on airport security
If only more people could understand this logical point of view:
No matter that a deadly sharp can be fashioned from virtually anything found on a plane, be it a broken wine bottle or a snapped-off length of plastic, we are content wasting billions of taxpayer dollars and untold hours of labor in a delusional attempt to thwart an attack that has already happened, asked to queue for absurd lengths of time, subject to embarrassing pat-downs and loss of our belongings.
source: The Airport Security Follies
Software Reverse Engineering Tool Library
This is pretty cool. It’s the new Collaborative RCE Tool Library, a nearly comprehensive directory of reverse engineering tools. Not only does it list the tools and provide links to download them, the directory also has pretty good descriptions and resources to learn more about each topic. The tools are conveniently sorted by target type (e.g., Java, Flash, Linux) as well as tool type (e.g., debuggers, PE editors, unpackers) and the whole thing is searchable, which makes it pretty easy to find what you need. (Although, right now the search seems to be broken.)

Perhaps the best feature of the RCE Tool Library is that it’s collaborative, meaning users can improve upon entries, add new ones as new tools are created, and generally keep everything up to date. That will definitely help keep the directory from becoming stale.
