<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:atom="http://www.w3.org/2005/Atom" version="2.0"><channel><title>Matasano Chargen - Latest Comments in Internationalization of Malware</title><link>http://matasanochargen.disqus.com/</link><description></description><atom:link href="https://matasanochargen.disqus.com/internationalization_of_malware/latest.rss" rel="self"></atom:link><language>en</language><lastBuildDate>Fri, 03 Jul 2009 14:27:18 -0000</lastBuildDate><item><title>Re: Internationalization of Malware</title><link>http://www.matasano.com/log/1080/internationalization-of-malware/#comment-12077370</link><description>&lt;p&gt;informative article but i don't understand "Pay close attention to the signers of samples" please elaborate it....&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Spy Phone</dc:creator><pubDate>Fri, 03 Jul 2009 14:27:18 -0000</pubDate></item>
<item><title>Re: Internationalization of Malware</title><link>http://www.matasano.com/log/1080/internationalization-of-malware/#comment-2324202</link><description>&lt;p&gt;It's not quite 100% correct; what's wrong is the claim that game producers don't know how to make their software secure. Many popular games currently aren't possible to make hack-proof. For example, say you want hardware-accelerated, real-time 3D graphics. If an enemy shows up on the screen, hiding behind a bush, just barely visible to skilled players due to his camouflage, the server has to send the enemy's position to the client. (Not necessarily send the information that it is in fact an enemy, but this doesn't matter here.) Now there's nothing to completely prevent one from patching the client so the enemy will glow bright red instead of being camouflaged. 
You can't tell players to get an Internet2 connection and pay for a supercomputer server so the graphics can be generated on the server and sent as a video stream. You can't tell players they should play NetHack instead. They want to play _their_ game on _their_ computer.&lt;/p&gt;&lt;p&gt;What you can do is let your players voluntarily use something like PunkBuster and choose to only play with others who do the same. This still can be hacked, but now that's more difficult and script kiddies who just want to fool around a bit are more likely to do so on servers with PunkBuster disabled, leaving the others alone.&lt;/p&gt;&lt;p&gt;I fully agree that such software shouldn't be forced on players, shouldn't be deployed covertly, shouldn't run with excessive permissions, shouldn't spy on you (reporting gathered data back over the net without your knowledge), and shouldn't take the form of a root kit. But the idea that games could even just in theory be made completely secure is completely wrong. Consider this: with an online banking app, say, you have to protect both the server and the client from attacks coming from outside. But with a game, you have to protect the client from an attacker who owns the machine on which the client runs. Major difference.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">nex</dc:creator><pubDate>Wed, 09 Jul 2008 05:49:05 -0000</pubDate></item><item><title>Re: Internationalization of Malware</title><link>http://www.matasano.com/log/1080/internationalization-of-malware/#comment-2324206</link><description>&lt;p&gt;@skeptikal: praise you, this is 100% correct. 
We all remember Sony planting rootkits on people's computers, what the game companies do is in no way different.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">kokanin</dc:creator><pubDate>Tue, 08 Jul 2008 13:45:09 -0000</pubDate></item><item><title>Re: Internationalization of Malware</title><link>http://www.matasano.com/log/1080/internationalization-of-malware/#comment-2324204</link><description>&lt;p&gt;Anti-cheat software IS malware. It installs itself at an improper privilege level, interferes with other processes, and often will 'phone home' to report user activity and other private information.&lt;/p&gt;&lt;p&gt;It has nothing to do with 'cultural' differences, that is simply using bigotry to shift blame.&lt;br&gt;The developers of the games are a bunch of idiots who can't figure out how to program secure code.&lt;/p&gt;&lt;p&gt;Since the majority of these games don't mention their anti-hack software, or if they do mention it gloss over the details (such as, 'this software will attempt to take over vital system processes and randomly terminate other applications') these programs ARE malware, by every definition of the term.&lt;br&gt;An AV software SHOULD be reporting this type of program, even if it flags the item simply as 'suspicious'.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Skeptikal</dc:creator><pubDate>Mon, 07 Jul 2008 16:32:26 -0000</pubDate></item><item><title>Re: Internationalization of Malware</title><link>http://www.matasano.com/log/1080/internationalization-of-malware/#comment-2324201</link><description>&lt;p&gt;@John Waters: Thank you for that quote.  It made me laugh.  Especially because when I was writing this post, I was thinking about how to explain entropy, but decided that it really didn't matter as long as it was a consistent factor.  
I know that I didn't think too hard about the mechanics of entropy, I just found it very useful for measuring binaries.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Wes Brown</dc:creator><pubDate>Sun, 06 Jul 2008 15:04:28 -0000</pubDate></item><item><title>Re: Internationalization of Malware</title><link>http://www.matasano.com/log/1080/internationalization-of-malware/#comment-2324205</link><description>&lt;p&gt;One last thing..&lt;/p&gt;&lt;p&gt;"You should call it entropy, for two reasons. In the first place your uncertainty function has been used in statistical mechanics under that name, so it already has a name. In the second place, and more important, no one really knows what entropy really is, so in a debate you will always have the advantage."&lt;/p&gt;&lt;p&gt;-John von Neumann to Claude Shannon&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">John Waters</dc:creator><pubDate>Sun, 06 Jul 2008 04:35:23 -0000</pubDate></item><item><title>Re: Internationalization of Malware</title><link>http://www.matasano.com/log/1080/internationalization-of-malware/#comment-2324200</link><description>&lt;p&gt;Wes, &lt;br&gt;I am an expatriate working at a large financial institution in Riyadh, Saudi Arabia. The lack of awareness and concern about Infosec at both the individual and corporate levels is tremendously worrisome to me, especially when you consider the amount of cash that consumers and businesses throw around here.&lt;/p&gt;&lt;p&gt;tayyib&lt;/p&gt;&lt;p&gt;It might be worthwhile to maybe build a small cabal of security types that are native speakers of relevant languages, or are at least familiar with them. It's only a matter of time that "an ra beh enghlisi che migooid?" starts getting uttered in the rooms that house certain western organizations' pen-teams.... 
Not just for malware related issues, but Infosec or even general IT related consulting.&lt;/p&gt;&lt;p&gt;I guess I need to step up my Arabic lessons.&lt;br&gt;As always, your entries are a pleasure to read,&lt;br&gt;ma salaama, khoda hafiz, mahalo, slap mah fro, etc.&lt;br&gt;jcw&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">John Waters</dc:creator><pubDate>Sun, 06 Jul 2008 03:21:24 -0000</pubDate></item><item><title>Re: Internationalization of Malware</title><link>http://www.matasano.com/log/1080/internationalization-of-malware/#comment-2324198</link><description>&lt;p&gt;@Gabe: I used PEAT's segment entropy score algorithm.  The approach used is documented in detail by Robert Lyda and James Hamrock's 'Using Entropy Analysis to Find Encrypted and Packed Malware'.    You can find the article and abstract here: &lt;a href="http://ieeexplore.ieee.org/Xplore/login.jsp?url=/iel5/8013/4140976/04140989.pdf?temp=x" rel="nofollow noopener" target="_blank" title="http://ieeexplore.ieee.org/Xplore/login.jsp?url=/iel5/8013/4140976/04140989.pdf?temp=x"&gt;http://ieeexplore.ieee.org/...&lt;/a&gt;&lt;/p&gt;&lt;p&gt;@Mark Curphey: Yep, that's me.  We last met in Kuala Lumpur.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Wes Brown</dc:creator><pubDate>Thu, 03 Jul 2008 10:04:37 -0000</pubDate></item><item><title>Re: Internationalization of Malware</title><link>http://www.matasano.com/log/1080/internationalization-of-malware/#comment-2324199</link><description>&lt;p&gt;Wes Brown from ISS back in the days?&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Mark Curphey</dc:creator><pubDate>Thu, 03 Jul 2008 06:16:45 -0000</pubDate></item><item><title>Re: Internationalization of Malware</title><link>http://www.matasano.com/log/1080/internationalization-of-malware/#comment-2324203</link><description>&lt;p&gt;Wes,&lt;/p&gt;&lt;p&gt;Thanks for the interesting post.  
For entropy measurements, do you do them yourself or do you use a pre-packaged tool?  If so, which tool?&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Gabe</dc:creator><pubDate>Wed, 02 Jul 2008 16:04:02 -0000</pubDate></item></channel></rss>