Similarity of android applications or "rip-off indicator"

The original article is here.

Additional information about the libperseus challenge

Hi guys

(French version below)

I have received (strange) questions about the Perseus lib chalenge asking to provide the binaries/source code that has been used to produce the two files for the challenge. Well,

the source code is for months available here. And the binaries have been produced from it directly.

It is important to stress on the fact that the problem is algorithmic by nature (mathematical problem) and that you will have to do more than simply trying to base your attack on flaws or anything like that. It is here useless. It would be simple. Just consider that you have wiretapped the files (this is the operational reality) and you have the source code (Kerckhoffs conditions).

Indeed security is a little bit more difficult to overcome when there is no flaw.

(French version)

J'ai eu des questions récemment (étranges) concernant le challenge Perseus me demandant de fournir le code source et les binaires ayant servi à produire les deux fichiers du challenge. Le code source est disponible depuis des mois sur le site de la librairie et le binaire a été produit directement à partir de ce code source.

Il est important de rappeler que le problème est par nature algorithmique et que vous devrez faire une peu plus que de chercher à fonder une attaque sur une vulnérabilité (qui en l'espèce n'existe pas). Cela n'a ici pas de sens. Considérez que vous avez intercepté les fichiers (cas des conditions opérationnelles) et que vous connaissez le procédé (règle de Kerckhoffs). C'est suffisant.

Contourner la sécurité quand il n'y a pas de faille d'implémentation est certes plus dur mais c'est plus excitant.

Bon courage à tous et à samedi aux RSSIL

E.F.

iAWACS/RSSIL 2011 LibPerseus challenge

Hi to all

(French version below)

The LibPerseus challenge purpose is to evaluate the Perseus technology and to prove/show that it is indeed unbreakable unless having tremendous time/computing resources at one's disposal. Hence the aim is to test Perseus technology strength and security in a real context (and not with respect to academic conditions).

Technical scheme: three files have been protected by means of the Perseus library. They have been eavesdrop. No information about the computer from which they have been produced is available.

• File 1 protected by an random punctured convolutional encoder E1. SHA-1 Digest 5628084D6EF360406B19C6E57F5F4BD0CF019910. Size 190,986 bytes.
• File 2 protected by an random punctured convolutional encoder E2. SHA-1 Digest 7C5F5BE3F8C3143D428402C8B6B01C04033DEA0B. Size 263,996 bytes
• File 3 protected by an random punctured convolutional encoder E3. SHA-1 Digest CAE5BF0CD032EBC9652CE3B3318ACD500BEE84D6. Size 26,482,752 bytes
• Binary file (windows) of the program (warning: this is a beta version which is non optimized and that may contain residual bugs to be reported. As soon as frozen, source code and documentation will be published). SHA-1 Digest value 20CEF319E3D209D6EC288998F90C0E737720ED17. Size 5,022,669 bytes. A Linux version of the binaries can be provided upon request.
  
• The solution E1, E2 and E3 are UNIQUE and the files (before protection by Perseus) to recover are plaintext (not encrypted). So anyone finding a solution is able to determine whether it is the correct one or not. Since E1, E2 and E3 are unique, the files to recover are also unique (no encoder collision).
• Solution (plaintext file) 1 has the SHA-1 Digest value AAE42E6E0F80B1803A218CB1BE7A1ED12AD29B06
• Solution (plaintext file) 2 has the SHA-1 Digest value F35BBE9B4754DE431FA1C45C96C2561282679D84
• Solution (plaintext file) 3 has the SHA-1 Digest value 0F03FF24CC007A37DE82BB567674CEBCDF9FE4DE
  

Here are the condition for the challenge:

• Opening date: May 25th, 2011. Reset on June 17th, 2011.
  
• End of the challenge: March 31^st, 2012.
• The solution (plaintext file) must sent to iawacs@esiea.fr.
• There is only one prize (award) of 4,000 euros which cannot be divided. One prize, one winner only.
  

Rules of the challenge:

• The prize (4,000 euros) will be awarded to the first people (internet time will be taken as reference in case of multiple answers) only who is able to recover at least one of the t hree documents protected with Perseus.
  
• The method used will have to be described on a technical basis and the source of the attack algroithm provided to the organizers of the challenge.
  
• Any partial solution, hint or valuable information will be considered for a honor award.
• Results and solutions will be published on this blog.

Have a nice challenge and good luck guys!

E.F.

*************************************************************************************

Version française

Le challenge Perseus vise à évaluer la technologie Perseus en la soumettant à l'analyse de tous. Il s'agit de démontrer qu'à moins de disposer de ressources temps/mémoire exorbitantes, il est effectivement impossible de casser en pratique cette technologie. Le but au travers de ce challenge est de tester la force et la sécurité de Perseus en conditions opérationnelles (et non académique).

Thème technique : trois fichiers ont été protégés avec la librairie Perseus. Ils doivent être considérés comme le produit d'une interception et par conséquent aucune information relative à l'ordinateur les ayant produit n'est disponible.

• File 1 protégé par un codeur convolutif poinçonné bruité E1. SHA-1 Digest 5628084D6EF360406B19C6E57F5F4BD0CF019910. Taille 190,986 octets.
• File 2 protégé par un codeur convolutif poinçonné bruité E2. SHA-1 Digest 7C5F5BE3F8C3143D428402C8B6B01C04033DEA0B. Taille 263,996 octets.
  
• File 3 protégé par un codeur convolutif poinçonné bruité E3. SHA-1 Digest CAE5BF0CD032EBC9652CE3B3318ACD500BEE84D6. Taille 26,482,752 octets
  
• Binaires Windows du programme ayant généré ces fichiers (attention il s'agit d'une version bêta, non optimisée, susceptible de faire l'objet d'une remontée de bugs ; cette application, son code source et sa documentation seront publiés prochainement une fois le code stabilisé). Empreinte SHA-1 20CEF319E3D209D6EC288998F90C0E737720ED17. Taille 5 022 669 octets. Une version Linux peut être fournie sur demande.
  
• Les solutions E1, E2 et E3 sont UNIQUES et les fichiers (avant protection par Perseus) à retrouver sont des fichiers en clair (non chiffrés). Ainsi, toute personne pensant avoir une solution peut elle-même déterminer si cette solution est la bonne ou non. Comme E1, E2 et E3 sont uniques, les fichiers à retrouver le sont aussi. (aucune collision de codeur possible dans l'espace des paramètres imposés).
• Solution (fichier clair) 1 a pour valeur d'empreinte SHA-1 AAE42E6E0F80B1803A218CB1BE7A1ED12AD29B06
  
• Solution (fichier clair) 2 a pour valeur d'empreinte SHA-1 F35BBE9B4754DE431FA1C45C96C2561282679D84
• Solution (fichier clair) 3 a pour valeur d'empreinte SHA-1 0F03FF24CC007A37DE82BB567674CEBCDF9FE4DE

Conditions du challenge:

• Ouverture : 25 mai 2011. Réinitialisé le 17 juin 2011.
  
• Fin du challenge : 31 mars 2012.
• La solution (un des trois fichiers en clair définis ci-dessus au moins) doit être envoyée à iawacs@esiea.fr
• Un seul prix de 4000 euros, indivisible (un seul prix, un seul gagnant possible) sera attribué.
  

Règles du challenge :

• Le prix (4000 euros) sera attribué à la première personne qui enverra au moins l'un des trois documents protégés par Perseus (document original AVANT codage tel que définis supra). Le temps Internet (date du mail) sera utilisé pour départager les éventuels concurrents ayant fourni une solution correcte.
  
• Le procédé utilisé devra faire l'objet d'une description technique et le code source devra être communiqué aux organisateurs.
  
• Toute information technique partielle sera étudiée et pourra faire l'objet d'un prix d'honneur.
• Les résultats seront publiés sur ce blog.
  

Bonne chance à tous

E.F.

iAWACS 2011 Forensics challenge

Hi to all

(French version below)

The Forensics challenge for iAWACS 2011 is now open. It is inspired from a real case on which a new information hiding techniques has been created. The aim is to test its strength and its security on a almost real implementation (and not with respect to academic conditions).

Tactical scheme: a terrorist attack against the RSSIL 2011 event has been prepared according to some intelligence reports. A terrorist has been caught by the French police forces while he was about to recuperate a cell phone hidden in a geocache. Despite the efforts of the Police forensics and technical teams, the analysis of the cell phone has not been successful yet. However, the analysis proved that the Dcim directory is containing a secret message hidden.

The terrorist confessed that he was waiting for a call to him on this cell phone to receive instructions about another geocache. This second one contains a SD card with the application to access the secret message. Unfortunately, this call will never happen (newspapers have leaked on this arrest).

So will you be clever and imaginative enough to recover the secret message and prevent the attack against RSSIL 2011?

Here are the condition for the challenge:

• Opening date: May 22^nd, 2011. The file dcim.tgz contains the Camera directory (the phone is a Samsung Galaxy S).
• Award ceremony (if any winner) or technical hints at the RSSIL 2011 event to go on with the challenge.
• End of the challenge: December 31^st, 2011.
• The solution must sent to iawacs@esiea.fr.

Rules of the challenge:

• The prize (5000 euros) will be awarded to anyone able to recover the message and the hiding mechanism only.
• The technical mechanism will not be disclosed (unless by a potential winner who is free to publish any information with respect to it) by the organizers of the challenge. Only the secret message will be published once the challenge is closed.
• Any partial solution, hint or valuable information will be considered for a honor award.

Have a nice challenge and good luck guys!

E.F.

*************************************************************************************

Version française

Le challenge forensics d'iAWACS 2011 est maintenant ouvert. Ce challenge est inspiré d'un cas réel à partir duquel une nouvelle technique de dissimulation d'information a été conçue. Le but au travers de ce challenge est de tester la force et la sécurité de ce procédé sur une implémentation en conditions opérationnelles (et non académique).

Thème tactique : une attaque terroriste contre RSSIL 2011 est en préparation selon des rapports des services de renseignement. Un terroriste a été arrêté par les forces de police au moment où il récupérait un téléphone mobile dans une géocache. Malgré les efforts de la police scientifique, l'analyse du téléphone a échoué. Toutefois, certaines pistes ayant été pu être écartées avec raison, les experts sont convaincus que le répertoire Dcim contient un message secret.

Le terroriste a avoué qu'il attendait un appel sur ce portable qui devait lui indiquer l'emplacement d'une seconde géocache. Cette dernière devait lui permettre via une application sur une SD card d'accéder au message secret et donc à ses instructions. Malheureusement ce appel n'arrivera maintenant plus, les journalistes ayant révélé la capture du terroriste.

Serez vous assez malin et imaginatif pour trouver ce message secret et ainsi empêcher l'attentat contre les RSSIL 2011 ?

Conditions du challenge:

• Ouverture : 22 mai 2011. Le fichier dcim.tgz contient le répertoire "Camera" (le téléphone est un Samsung Galaxy S).
• Remise du prix (s'il y a un gagnant) ou indices techniques pour prolonger le challenge durant les RSSIL 2011.
• Fin du challenge : 31 décembre 2011.
• La solution doit être envoyée à iawacs@esiea.fr

Règles du challenge :

• Le prix (5000 euros) sera attribué à la première personne qui enverra le message secret avec une description du mécanisme de dissimulation des données.
• Ce procédé ne sera pas rendu public par les organisateurs (en revanche le gagnant est libre de publier toute information technique à ce sujet). Seule la solution (le message secret) sera publique.
• Toute information technique partielle sera étudiée et pourra faire l'objet d'un prix d'honneur.

Bonne chance à tous

E.F.

Diffing Android Applications

The original article is here.

Specialized master in Cyberwarfare

Hi
You are interested in pentesting or want to become a cyber warrior. Our N&IS (Network and Information Security) specialized master is for you. Visit this link, read and enlist.
The scientific support is ensured by our lab.

E. F.

Post-doc or junior researchers positions

Hi,

Well sometimes Christmas comes sooner than expected. I have three potential positions for post-doc or junior researchers for a period ranging from 12 to 24 months.
The conditions are the following:

• Non-French nationality
• Having a PhD
  
• Being less than 38 years old

We are looking for researchers having the following profile:

• Computer science with a good level in discrete mathematics
• Skills in programming (C, python)
• Hacker approach and mind strongly appreciated
  
• Strong sense of contact and friendship
  

The research can be either in operational cryptology, computer virology or cyberwarfare.

If you are interested, please send an email with CV at drdi@esiea.fr

Have a nice day

E. F.

EICAR 2011 Paper on Mobile Botnets

Hi
Many people ask us why the EICAR 2011 paper on "Mobile Botnet" was announced but not presented. Well the two Chinese authors cancelled at the very last minute. "Visa problem" was the official reason.
Read the paper and make your own advice

Have a nice reading
E.F. (EICAR 2011 Program Chair)

McAfee Quarantine file and sequels from our EICAR 2011 paper

Hi
Following our talk at EICAR 2011 (first day), we have announced the release of some technical data. Of course, for fairness Peter Szor at McAFee has been contacted about our paper and the present post and his feedback and comments have been very constructive. In this respect, McAfee decision to recruit Peter is likely to be a wise and strategic decision which could result in a significantly better AV. Wait and see...

We would like address the problem of the quarantine file (referring to Section Wake up! in the paper)

Why the McAfee Quarantine Wake-up Proof of Concept happened? Our PoC relies on two factors:

• The McAfee Quarantine Directory is accessible to ALL users. It can be read and by the fact extracted to other directories.
• The McAfee Quarantined files are protected by a weak key encryption
  

Our Proof of Concept is based on the EICAR test file (to avoid working with real malware):

1. As soon as the EICAR is detected by the McAfee Antivirus protection software, it is moved to the Quarantine directory and deleted.
2. All McAfee Quarantine files are under the BUP extension which in fact “extractable” from the 7zip open source software.
3. As soon as you can extract it with 7zip file, you still not able to restore the original file.
4. Details gives you all the information to restore the file (name and extension of the original virus).
5. You need to XOR all the files previously extracted by the key “0x6A”
   

Our PoC consists in reading the content of BUP file and recovering the virus under the File_0. We have demonstrated that it was clearly possible to activate all quarantined files and thus performed a lot of different attack scenarii (from DoS to covering a new viral attack).

McAfee has been informed, through its Indian development team at Tata, India, during the EICAR 2011 conference and will fix as soon as possible this critical issue (probably in the next McAfee Roadmap). It is worth mentionning that weak management in quarantine directories and weak encryption has been identified for a few other AV vendors and products. To be continues then...

Source code (PERL):

#!/usr/bin/perl

#

# Date: EICAR 2011 (Austria)

# Description: It is a Proof Of Concept of decoding the McAfee VirusScan Quarantine BUP files (All McAfee versions)

# Requirements: It uses open-source 7zip compression tool

# Todo: Implement the 7zip decompression algorithm to avoid using 7zip program

# This program should parse the Details file to be able to name File_x with their original names

my $BUPFILE = $ARGV[0] or die "BUP File is required\n";

my $cmd = `7z e $BUPFILE -oBUP/`;

opendir(DBUP, "./BUP/");

while (my $ditem = readdir(DBUP)) {

# Extract the information of infected file (Details file stores product version, detected virus, DAT signature us

ed...

if ((-f "./BUP/$ditem") && ($ditem =~ m/details/i)) {

open(fd, "<./BUP/$ditem") or die "File error $!\n";

open(fout, ">./BUP/$ditem.details") or die "File error $!\n";

while() {

print fout map { pack("c", 0x6A ^ ord($_)) } split (//, $_);

}

close(fd);

seek(fout, 0, 0);

while() {

print;

}

close(fout);

exit;

}

# Decoding the infected files if they are present.

if ((-f "./BUP/$ditem") && ($ditem =~ /File/i)) {

my $vir = rand(10) . ".vir";

open(fd, "<./BUP/$ditem") or die "File error $!\n";

open(fout, ">./BUP/$vir") or die "Error file vir";

while() {

print fout map { pack("c", 0x6A ^ ord($_)) } split(//, $_);

}

close(fout);

close(fd);

}

}

closedir(DBUP);

Regarding the ZouAV detection issues and concerns. Since our talk, this code has now two additional names. More to come in a forthcoming post.

E.F.

Android zsone malware

The original article is here.

EICAR 2011 Conference in Krems

Hi to all

We are leaving to tomorrow to Krems in Austria where the 20^th edition of the EICAR conference will take place. This conference is the oldest one in Computer Virology and this year many critical topics will be addressed, especially about Cyberwarfare, the role of AV software with respect to the use of malware techniques by Police/Intelligence/Defense organizations and many other technical topics. The main theme for this jubilee edition is “New trends in Malware and Antimalware techniques: myths, reality and context - What will be the AV role in a Cyber War scenario?” A really hot issue indeed!

The technical program is here. Slides and papers will be available on the conference website by mid May.

E.F.

Our research guest from Thailand

Hi to all

We have the great pleasure and honour to welcome Dr Bhume Bhumiratana from the Department of Computer Engineering, King Monkut's University of Technology, Thonburi, Thailand. He will stay in our lab for three months to discover the formal aspects of computer virology and especially the use of formal grammars in metamorphic techniques with application to the Android bytecode.

His webpage is here.

Welcome to Dr Bhume Bhumiratana