Detecting Viruses

How do you go about writing a virus scanner? Well, I guess there are two obvious ways. You could study existing computer viruses, or you could try to write some yourself. The outcome should be similar: you will understand how a virus operates. With that knowledge, you can detect and remove viruses. It sounds simple. But I bet it is involved.

Let's try to think about the second technique. How can we write a virus? Essentially we want to run our own malicious code. What better way to do that than to latch onto a trusted existing program that users run? The key here is how to latch on. The program you want to act as your host is an executable. That means it has a section which consists of the code it runs. We want to have that program run our code instead.

Therefore we have two tasks to accomplish: put our code somewhere in the file, and make sure our code gets executed. How about we just tack our code on to the end of the file? There is an existing entry point for the original executable. Let's just substitute the original entry point with the location of our rogue code, which is now at the end. Sure, that's a good plan. Now let's get back to our original objective. How can we produce a virus detector that can find instances where a legit program has been jacked? Easy. Just check whether the entry point for the program points to the code at the end of the file. If so, you are probably looking at an infected application.

Of course all of this is very simple. Existing virus scanners probably do all this as part of their most simple virus detection techniques. However, we are on the right track. We could think up more complicated ways to achieve takeover of a program. Thinking of those methods, and of the means to detect and remove them, is the very topic I am interested in. Perhaps I shall spend some time furthering this idea. Come with me as I venture into the world of computer viruses.
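As an added example (not code from the original post), here is the entry-point check described above, written in Python against a minimal PE32 header set that the script constructs itself. The parser reads only the DOS header, COFF header, optional header and section table, which is all the check needs. It goes slightly beyond the post: besides flagging an entry point that lands in the last section of the file, it also flags one that lands outside every section or in a section not marked as code or executable. The `build_pe` helper, the section layouts and the sample images are constructed for the demonstration and are not loadable programs.

```python
import struct

# Section characteristic flags from the PE specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe(data):
    """Return (AddressOfEntryPoint, section list) from the headers of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                       # COFF file header follows the signature
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                           # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):           # PE32 or PE32+
        raise ValueError("unexpected optional header magic 0x%X" % magic)
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    sections = []
    table = opt + size_of_opt                 # section table follows the optional header
    for i in range(num_sections):
        off = table + 40 * i                  # each IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "vaddr": vaddr, "vsize": vsize, "rawptr": rawptr, "rawsize": rawsize,
            "chars": chars,
        })
    return entry_rva, sections


def entry_point_findings(data):
    """Heuristic from the post: does the entry point lead to code tacked onto the end?"""
    entry_rva, sections = parse_pe(data)
    home = None
    for s in sections:
        if s["vaddr"] <= entry_rva < s["vaddr"] + max(s["vsize"], s["rawsize"]):
            home = s
            break
    if home is None:
        return ["entry point 0x%X lies outside every section" % entry_rva]
    findings = []
    if not home["chars"] & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE):
        findings.append("entry point is in %s, which is not marked as code" % home["name"])
    last_in_file = max(sections, key=lambda s: s["rawptr"])
    if home is last_in_file and len(sections) > 1:
        findings.append("entry point is in %s, the last section in the file" % home["name"])
    return findings


def build_pe(entry_rva, layout):
    """Constructed PE32 header set (headers only, not a loadable program).

    layout: list of (name, vaddr, vsize, rawptr, rawsize, characteristics)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)   # e_lfanew: PE signature sits at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(layout), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)                      # PE32 optional header size
    struct.pack_into("<H", opt, 0, 0x10B)     # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode(), vsize, vaddr, rawsize, rawptr, 0, 0, 0, 0, chars)
        for name, vaddr, vsize, rawptr, rawsize, chars in layout)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


CODE = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
DATA = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE

# Constructed samples: a normal layout, and the same layout with a section appended
# at the end of the file and the entry point redirected into it.
CLEAN_IMAGE = build_pe(0x1000, [
    (".text", 0x1000, 0x200, 0x200, 0x200, CODE),
    (".data", 0x2000, 0x100, 0x400, 0x100, DATA),
])
INFECTED_IMAGE = build_pe(0x3000, [
    (".text", 0x1000, 0x200, 0x200, 0x200, CODE),
    (".data", 0x2000, 0x100, 0x400, 0x100, DATA),
    (".extra", 0x3000, 0x100, 0x500, 0x100, CODE),
])

if __name__ == "__main__":
    for label, image in (("clean", CLEAN_IMAGE), ("infected", INFECTED_IMAGE)):
        print(label, entry_point_findings(image) or ["no findings"])
```

The check is a heuristic, not proof of infection: legitimate packers and some linkers also place the entry point in a late section, so a scanner would treat a hit as a reason to look closer rather than as a verdict.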

Laptop Theft Protection

There are some software products you can put on your laptop that may assist if it gets stolen. One such product is Prey. It will phone home and tell you which programs are running on the stolen laptop. It also takes screenshots and sends them to you. Network information is collected and transmitted. Finally, Prey can take some webcam shots of the thief and send them to you.

An open source alternative for this type of software is Adeona. The main benefit of this software is that it does not rely on a central server. The owner can track the thief from their own computer. The Mac version of this software also snaps pictures of the perpetrator using the webcam.

These software solutions are not foolproof. However, they can give you some details of the person who ripped off your laptop. There are other techniques to combat laptop theft. An example is Foo Zoo Lockdown, which is a Mac anti-theft software package.

My company and our client both have software on their laptops to combat theft. However the main goal in the corporate setting is to prevent the loss of the crucial data on the laptop. It is not as high a priority to locate the thief to retrieve the hardware. I have both my laptops set up with such software. They essentially encrypt the entire contents of the hard disk.

Prevent Decompiling

I read up on some basic tips for decompiling an executable. That is, I learned how you can take an executable and reconstruct the source code used to build the software. The article listed a number of things that make decompiled output hard to understand. I thought I would use these difficulties to make my most secretive applications hard to reverse engineer.

One thing that trips up the hacker is compiler optimization. Yes, this will slow down your application build. But you can turn it on at the end, when you are doing the final release of your software. The compiler will work harder to make your code fast and/or small. The result is that it is more difficult for somebody looking at the binary to figure out what is going on.

Another thing that trips up decompilation is the use of user-defined types. In the C programming language, that means using structures. Somehow the way such constructs access memory makes them hard to reverse engineer. This is good news. Using structures is good programming practice anyway. We use them for our production code at work. I might as well use them on home programming projects where I want to keep the source code secret.

To truly combat the decompilation process, you probably need to spend some time trying to crack binary executables. Then you will have first-hand knowledge of how to make it harder. However, I figure I could take one expert's advice and use it to my advantage. That is a way to work smarter, not harder.

Inflating Page Views

My profile on the Blogger platform shows how many times somebody has viewed the profile. This is something of a bragging point if you have a lot of views. Being a programmer, I figured I would just write a program to "visit" the profile many times.

At first I had some success. My program spawned Internet Explorer and navigated to the URL for my profile. It waited, killed Internet Explorer, and started again. However Google must have figured out what was going on. The view count capped out around 1000.

I thought perhaps the blocking had something to do with how frequently my program visited the profile. So I tried delaying the visit to be about 5 minutes apart. That did not help. Now my view counts are getting capped around 100 to 300. Do you think Google has logged my IP address as a script generator or something? I can only try some more tests to figure this out. The logical next step might be to use web proxies to hide my IP from Google.

Crypto API Encoding

Finally I am getting to the point where I am following the Microsoft Crypto API documentation in order to actually encode some data. But first, let's talk about what you need to get your software to compile and link. You must link in the crypt32.lib library. You may also need advapi32.dll. Your C or C++ code must include the wincrypt.h header file. And last, you must define MY_ENCODING_TYPE in your code.

Now let's get down to business. Here is the pattern you will follow to encode data. You start by calling the CryptMsgOpenToEncode function. Then you call CryptMsgUpdate as many times as you have data to add. On the last data addition, you call CryptMsgUpdate with the fFinal parameter set to TRUE. To end the encoding, you call the CryptMsgClose function. These are the basics in a nutshell.

The algorithm to decode data mimics the one to encode. There is one extra step at the beginning, where you call the CryptMsgCalculateEncodedLength function. Then you call the CryptMsgOpenToDecode function. Does that sound familiar? You call the CryptMsgUpdate function. And you end by calling the CryptMsgClose function.

Since we are down to the details of actual coding here, I also have the algorithms to encrypt and decrypt data. Perhaps I will share that with you in my next post. For now I will leave you with the concept of enveloping data. This is where you would like to encrypt a message for a whole set of recipients. You encrypt the message with a key. Then you in turn encrypt that key for each of the recipients on your distribution list for the message. The encryption is done in PKCS #7 format. Each recipient can then decrypt their copy of the key, and subsequently decrypt the message.
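The enveloping structure just described (one content-encryption key for the message, that key wrapped once per recipient) is shown below as an added example; it is not code from the original post and it does not call the Crypto API. To keep it runnable anywhere with only the Python standard library, the content cipher and the per-recipient key wrap are a constructed toy stream cipher (SHA-256 in counter mode) with a MAC, standing in for the AES/RC2 content encryption and RSA key transport a real PKCS #7 EnvelopedData message would use; the recipient keys are symmetric key-encryption keys, which is an assumption of this example. Only the structure carries over to the real thing.

```python
import hashlib
import hmac
import os


def keystream_xor(key, nonce, data):
    """Toy stream cipher: SHA-256 in counter mode, XORed over the data.

    Constructed stand-in for the content cipher and key-transport algorithm of a
    PKCS #7 EnvelopedData message; it shows the structure only and must not be
    used to protect real data."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def envelope(plaintext, recipient_keks):
    """Encrypt once with a fresh content-encryption key, then wrap that key per recipient.

    recipient_keks maps a recipient name to that recipient's key-encryption key
    (an assumption of this example; PKCS #7 would use each recipient's public key)."""
    cek = os.urandom(32)                      # content-encryption key, one per message
    nonce = os.urandom(16)
    body = keystream_xor(cek, nonce, plaintext)
    # A MAC over the body lets a recipient notice a wrong key or a tampered
    # message instead of silently producing garbage.
    tag = hmac.new(cek, nonce + body, "sha256").digest()
    recipients = {}
    for name, kek in recipient_keks.items():
        wrap_nonce = os.urandom(16)
        recipients[name] = (wrap_nonce, keystream_xor(kek, wrap_nonce, cek))
    return {"nonce": nonce, "body": body, "tag": tag, "recipients": recipients}


def open_envelope(env, name, kek):
    """Recover the content-encryption key with the recipient's KEK, then decrypt the body."""
    if name not in env["recipients"]:
        raise KeyError("%s is not a recipient of this message" % name)
    wrap_nonce, wrapped_cek = env["recipients"][name]
    cek = keystream_xor(kek, wrap_nonce, wrapped_cek)
    expected = hmac.new(cek, env["nonce"] + env["body"], "sha256").digest()
    if not hmac.compare_digest(expected, env["tag"]):
        raise ValueError("wrong key-encryption key or message tampered with")
    return keystream_xor(cek, env["nonce"], env["body"])


# Constructed sample keys and message.
ALICE_KEK = hashlib.sha256(b"alice-constructed-kek").digest()
BOB_KEK = hashlib.sha256(b"bob-constructed-kek").digest()
MESSAGE = b"Quarterly numbers attached; do not forward."


def demo():
    """Alice and Bob both open the same envelope; a wrong key is rejected."""
    env = envelope(MESSAGE, {"alice": ALICE_KEK, "bob": BOB_KEK})
    assert len(env["recipients"]) == 2        # one wrapped key per recipient
    got_alice = open_envelope(env, "alice", ALICE_KEK)
    got_bob = open_envelope(env, "bob", BOB_KEK)
    try:
        open_envelope(env, "bob", ALICE_KEK)  # Alice's key cannot unwrap Bob's copy
        rejected = False
    except ValueError:
        rejected = True
    return got_alice == MESSAGE and got_bob == MESSAGE and rejected


if __name__ == "__main__":
    print("envelope round trip ok:", demo())
```

The point of the layout is that the message body is encrypted exactly once, however many recipients there are; adding a recipient costs one more wrapped copy of the key, and removing a recipient's entry does not let the others read anything they could not read before.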

The Return of Click

I needed to bump up the page view count of some new pages I put up. It did not matter whether these were legitimate page views. All I wanted was for it to appear that the pages had been viewed many times. To do this I pulled out an old program I had written called Click.

So what happened? Things were going fine for the first 250 visits to my web site. Then Google redirected me to another page, preventing my page view count from increasing. It seems Google had blocked me. They said that my query looked similar to automated requests. Duh. They were automated.

Google did not always block automated visits. This must be some new defense against the Black Arts. I tried to delete my cookies. Still blocked. Then I deleted all cached info in my browser. No luck. I even tried switching to another browser. Google still would not let me view the pages I had automatically visited.

As a last resort, I went to a web proxy site. From there I was able to view my web pages. What's a programmer to do? I need to code web proxy use into my program. That's what. When I am done, I will release my program here. Perhaps we shall call this The Return of Click. See you soon.
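The blocking that the "Inflating Page Views" and "Return of Click" posts ran into ("your query looks similar to automated requests") is a server-side judgement about request patterns. As an added example, not code from the original posts and not Google's own logic, here is a small Python detector run over a few constructed access-log lines. It flags a client either for sheer volume or for the clockwork-regular timing that a scripted visit every five minutes produces, a pattern that a fixed delay between visits does nothing to disguise. The log format, addresses and thresholds are all constructed for the sample.

```python
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev

# Constructed access-log lines: "<ISO timestamp> <client IP> <method> <path>".
# 198.51.100.9 visits exactly every five minutes, 203.0.113.7 hammers the page
# within half a minute, and 192.0.2.44 browses at irregular, human-looking intervals.
LOG_LINES = """
2009-03-01T10:00:00 198.51.100.9 GET /profile
2009-03-01T10:05:00 198.51.100.9 GET /profile
2009-03-01T10:10:00 198.51.100.9 GET /profile
2009-03-01T10:15:00 198.51.100.9 GET /profile
2009-03-01T10:20:00 198.51.100.9 GET /profile
2009-03-01T10:25:00 198.51.100.9 GET /profile
2009-03-01T10:00:00 203.0.113.7 GET /profile
2009-03-01T10:00:05 203.0.113.7 GET /profile
2009-03-01T10:00:11 203.0.113.7 GET /profile
2009-03-01T10:00:18 203.0.113.7 GET /profile
2009-03-01T10:00:26 203.0.113.7 GET /profile
2009-03-01T10:00:35 203.0.113.7 GET /profile
2009-03-01T09:58:12 192.0.2.44 GET /profile
2009-03-01T10:03:47 192.0.2.44 GET /posts/1
2009-03-01T10:21:05 192.0.2.44 GET /profile
2009-03-01T10:22:30 192.0.2.44 GET /posts/2
2009-03-01T11:04:09 192.0.2.44 GET /profile
2009-03-01T10:40:00 192.0.2.99 GET /profile
""".strip().splitlines()


def hits_by_client(lines):
    """Group request timestamps (seconds since the epoch, UTC) by client address."""
    hits = defaultdict(list)
    for line in lines:
        stamp, client, _method, _path = line.split()
        when = datetime.fromisoformat(stamp).replace(tzinfo=timezone.utc)
        hits[client].append(when.timestamp())
    return hits


def classify(hits, min_hits=5, max_per_hour=60, max_gap_cv=0.05):
    """Return {client: verdict}.

    'automated: volume' when the sustained request rate exceeds max_per_hour,
    'automated: timing' when the gaps between requests are near-constant
    (coefficient of variation below max_gap_cv), otherwise 'ok'.
    The thresholds are assumptions chosen for the sample."""
    verdicts = {}
    for client, times in hits.items():
        times = sorted(times)
        if len(times) < min_hits:             # too few requests to judge
            verdicts[client] = "ok"
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        span = times[-1] - times[0]
        per_hour = len(gaps) * 3600 / span if span > 0 else float("inf")
        avg_gap = mean(gaps)
        gap_cv = pstdev(gaps) / avg_gap if avg_gap > 0 else 0.0
        if per_hour > max_per_hour:
            verdicts[client] = "automated: volume (%.0f req/h)" % per_hour
        elif gap_cv < max_gap_cv:
            verdicts[client] = "automated: timing (every %.0fs)" % avg_gap
        else:
            verdicts[client] = "ok"
    return verdicts


VERDICTS = classify(hits_by_client(LOG_LINES))

if __name__ == "__main__":
    for client, verdict in sorted(VERDICTS.items()):
        print("%-14s %s" % (client, verdict))
```

Two things are worth noticing for anyone operating such a check: the volume rule alone misses the slow, regular visitor, and the timing rule alone misses a burst with jittered delays, so real systems combine several signals (and per-client state that survives cookie and browser changes), which matches the behaviour the posts describe.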

Freehackers Union

Some time back I read a rant on the web from Zed Shaw. He was planning to start up the Freehackers Union. This would be a meeting of like-minded hackers in big cities around the world. You had to present some hacker project of interest to be able to attend the meetings. He was fed up with the business people getting in the way of true hacking.

Zed is an outspoken guy who lives in New York. Not surprisingly, the first Freehackers Union meeting was held in New York. Zed is known for previously working in the financial markets. I think he was an employee at Bear Stearns. He was previously associated with Ruby (and maybe Ruby on Rails). I think he got into too many arguments with the powers that be in the RoR world. Zed talks like a tough guy. This may be due to his surroundings (New York), or perhaps because he knows some martial arts, or maybe even because he thinks he is a tough guy.

Enough about Zed. I listened to the first Freehackers Union audio broadcast from Zed’s web site. It seemed like a big rant about ideas. I guess that was the whole point of the meetings. Most people in the crowd did not present anything that day. There seemed to be a rule that you could not present using PowerPoint (remember that this was about rallying against the business guys).

One presenter had written an Objective-C program for the iPhone. He got a lot of applause. There were a bunch of other technical presentations. I heard that there were plans to have such a meeting near my house. Initially it sounded exciting. Doesn't everyone want to be part of some cool underground and elite group? Unfortunately it appears that the Freehackers Union did not really materialize past the initial New York meeting. Oh well. Maybe it is time to look around for a local 2600 Magazine meetup.