Tuesday, June 14, 2005

I've been thinking...

Having seen some botnets in action, and how long it takes for AV companies to update their signature data to pick up new variants, surely... it makes sense for them to have a tool with which you can analyse a suspect binary and generate a sig from the suspect binary (NOTE this sig does not necessarily need to be an all singing all dancing version) and then load THAT sig file into the enterprise AV engine. This way the botnet can be blocked as soon as it is detected... instead of waiting a week or in some cases 2 weeks for the AV companies to roll out a generic sig file? Or are there AV companies doing this?
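To make the "quick and dirty local sig" idea concrete, here is an added example (my own sketch, not the post's code and not any vendor's tool) of the minimal thing such a tool would do: pull a distinctive printable string out of a suspect sample, pair it with the sample's SHA-256, and scan other files against both. The sample bytes, the variant and the benign file are all constructed here for the demo (no real malware), and the small benign-string allowlist is an assumption that stands in for the much larger one a real engine would carry; without it the generator would happily pick the DOS stub message that every PE file contains and flag the whole estate.

```python
import hashlib

# --- Constructed sample inputs (fake PE-like blobs, built here for the demo) ---
DOS_STUB = b"This program cannot be run in DOS mode."
PE_HEAD = b"MZ" + b"\x90" * 62 + DOS_STUB + b"\r\n"
BOT_STRING = b"irc.example-botnet.invalid:6667 NICK bot"   # hypothetical C2 marker

SUSPECT_SAMPLE = PE_HEAD + b"\x00" * 16 + BOT_STRING + b"\x00" * 40
VARIANT_SAMPLE = PE_HEAD + b"\x00" * 24 + BOT_STRING + b"\x00" * 100   # repacked, same marker
BENIGN_SAMPLE = PE_HEAD + b"\x00" * 16 + b"Hello from a harmless utility program" + b"\x00" * 8

# Strings that appear in nearly every binary and must never become a signature.
# Assumption: a real engine would ship a far larger allowlist than this one.
BENIGN_STRINGS = {DOS_STUB}


def printable_runs(data: bytes, min_len: int = 16) -> list[bytes]:
    """Return every run of printable ASCII bytes at least min_len long."""
    runs, start = [], None
    for i, b in enumerate(data):
        if 0x20 <= b < 0x7F:
            if start is None:
                start = i
        else:
            if start is not None and i - start >= min_len:
                runs.append(data[start:i])
            start = None
    if start is not None and len(data) - start >= min_len:
        runs.append(data[start:])
    return runs


def generate_signature(sample: bytes, name: str, min_len: int = 16) -> dict:
    """Derive a local signature: exact hash plus the longest distinctive string."""
    candidates = [r for r in printable_runs(sample, min_len) if r not in BENIGN_STRINGS]
    if not candidates:
        # Nothing usable; an analyst would have to supply a byte pattern by hand.
        raise ValueError("no distinctive printable run found in sample")
    return {
        "name": name,
        "sha256": hashlib.sha256(sample).hexdigest(),
        "pattern": max(candidates, key=len),
    }


def scan(data: bytes, signatures: list[dict]) -> list[tuple[str, str]]:
    """Match a file against signatures; exact hash wins, else the string pattern."""
    hits = []
    digest = hashlib.sha256(data).hexdigest()
    for sig in signatures:
        if digest == sig["sha256"]:
            hits.append((sig["name"], "exact-hash"))
        elif sig["pattern"] in data:
            hits.append((sig["name"], "pattern"))
    return hits


def demo() -> dict:
    """Generate a sig from the suspect sample and scan the three constructed files."""
    sig = generate_signature(SUSPECT_SAMPLE, "bot-variant-a")
    return {
        "pattern": sig["pattern"],
        "suspect": scan(SUSPECT_SAMPLE, [sig]),
        "variant": scan(VARIANT_SAMPLE, [sig]),
        "benign": scan(BENIGN_SAMPLE, [sig]),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The hash catches the exact sample, the string catches the repacked variant that a pure hash would miss, and the benign file stays clean only because the DOS stub was excluded; that exclusion step is where the real work of a "not all singing, all dancing" sig lives.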

Anyway, it looks like a new attack vector has been found, and that is VM software used to host different OSes. The gist of the technique seems to be that these VMs need to communicate in some form with the "host" or main OS. Now... if your VM is hosting a vulnerable OS, a malicious bit of code can infect the VM-hosted software and "jump" across to what could be a secure OS...

http://www.codeproject.com/system/VmDetect.asp?print=true

http://chitchat.at.infoseek.co.jp/vmware/vmtools.html

Tuesday, June 07, 2005

Long time no blog...

I've been on hols and just lax really... in the meantime:

1) the AES timing crack was published, simple and cool... proving Occam's razor STILL rules!
http://cr.yp.to/antiforgery/cachetiming-20050414.pdf

2) the Bluetooth pairing crack was published, again simple and cool...
http://www.newscientist.com/article.ns?id=dn7461

3) NT rootkit techniques go mainstream in the Mytob virus.
4) Oh, and Apple stunned the world...
http://www.theregister.co.uk/2005/06/06/apple_intel_migration/

I worked on some VCL.NET perf issues, more on that later...