Thursday, October 9, 2008

Virus Bulletin Conference 2008, Ottawa, Canada

I had the opportunity to present at the Virus Bulletin Conference this year in Ottawa, Canada. This is one of the big security conferences and a lot of well known personnel from the AV-industry attend it. It was really good interacting with the attendees, developing relations, and learning about new cutting-edge technological developments in the area of anti-malware.

My presentation was about "Applying User-mode Memory Scanning on Windows NT based systems". A copy of this paper can be downloaded from here.

The keynote talk on the first day of the conference by Alex Eckelberry from Sunbelt Software was interesting and explained the expectations of a typical desktop consumer and enterprise customer from AV-vendors. He stressed the importance of customer support in gaining consumer confidence and keeping the business running. The presentation about MBR rootkit by Kimmo Kassilin from F-Secure was very technical and particularly gripping to me. This explained one of the most sophisticated piece of malware we have seen in recent times.

There were some thought provoking discussions and presentations surrounding AV-software testing and one of them was by Dr. Igor Muttik from McAfee. There was also the new proposal from Dr. Richard Ford from Florida Institute of Technology about malware sample sharing that seemed very practical. His new approach and concept is sure is help the AV-industry. Last but not the least, the one presentation I was really looking forward to was by Peter Szor from Symantec, along with Dimitris and Adami from Graduate Institue of Applied Life Science. The presentation was about the evolution of computer programs (such as malware) into new forms that are functionally different from their parent, much like mutation creating new species in biological life. The presentation was very interesting and clearly exceeded my expectations.

The gala dinner on the second day of the conference was simply fun. They had each table form a team and compete against other teams in a frenzy of intelligent questioners. Although our team did not win, we still had a good time. All in all, the conference was informative and fun.

I got to stay around Ottawa a day after the conference, rent a car, and drove up the mountains in Quebec to look at the beautiful fall foliage. The sights were really pretty.


Friday, May 23, 2008

EICAR 2008 Conference, Laval, France

It has been a while since I have posted anything on my blog. Life has been busy with work and family, but things have been good. I had the opportunity to present a paper at the EICAR 2008 conference, which was held in Laval, France. It was great to be able to know some of the well respected people from computer security academia and the industry. During this time, I was also able to do some traveling with my wife and see some amazing places and meet fascinating people. It has truly been a pleasurable experience.

The conference - merging academia and industry

The EICAR 2008 conference I attended was very interesting and informative. It provided for an atmosphere of personal interaction with the attendees. The good thing about the EICAR conference is that people who attend are from a diverse group of academic and and industry backgrounds. This allows technology and knowledge transfer between the two sectors, which in my opinion, is a key factor for the growth of both. While I represent the industry steam, some of the academic presentations helped me understand how theoretical ideas could or could not be applied for practical purposes. In turn, the people in academia get insight of whether their work is relevant (or useful) to real-world practical use. I must admit that some of the technologies being developed at Universities can very well find a place in the commercial market and be used for malware analysis and mitigation. One such technology is the VILO malware defense suite being developed at University of Louisiana at Lafayette (from where I had graduated in Dec 2004 with a Masters in Computer Science). This tool demonstrates how program-matching techniques can help in triage, in-depth malware analysis and signature generation.

Presentation


The paper I presented was about "User-mode memory scanning on 32-bit & 64-bit Windows". It details about the background and theory of implementing the memory scanner as well as its pros and cons of using it from user mode. You can find the paper and presentation here.

The fun part

We were treated to a nice gala dinner on the evening of first day in the old castle (Vieux Chateau). It was quite fun and I also had the privilege of bringing my wife to it as well. We definitely had a good time and the group at our table were a fun and lively bunch to interact with. The evening was well spent while listening to authentic French live band playing in the background.


Me and my beautiful wife, Amy Adams.

Click Here to see more pictures about our stay in Laval, France.

My wife likes to blog as well and she has a nice one about this trip to Europe. Click Here to visit her blog.

Sunday, January 6, 2008

Fun with Ubuntu

A distribution of Linux I recently tried is Ubuntu. "Ubuntu" is an ancient African word, meaning "humanity to others". The operating system is extremely slick, cool, and user-friendly. Actually I like it! It is based off of Debian GNU/Linux. You can download its latest version (7.10 Gutsy Gibbon released on 18 October 2007) from the official website here. You can also learn about its desktop and server editions. Like most Linux distributions, it is free and open source.

There are also a number of interesting derivatives of Ubuntu such as:
Ubuntu Studio - Designed for multimedia editing and creation.
Kubuntu - Ubuntu with the K Desktop Environment (KDE).
Edubuntu - Ubuntu for Education.
Xubuntu - Ubuntu with the XFCE desktop environment.
Gobuntu - A flavour of Ubuntu that strives to be completely devoid of software, drivers or firmware with restrictive licenses.

Dell also offers some of its consumer systems with Ubuntu pre-installed!

My adventure with Ubuntu began with trying to evaluate a certain piece of software that required installing QEmu on Linux. In this particular case, choosing Ubuntu as the Linux flavor meant "life is easier" (i.e. I would not have to deal with missing dependencies or packages).

Installing Ubuntu

So I downloaded the ISO for the latest version (Ubuntu 7.10), for a 32-bit machine (i386 or x86), from the official website and burnt it to a CD. Note that sometimes when you burn the CD at 40x speed, the final disk acts funny or gets corrupt! A burn speed of 10x seems to give no problems. In my case, I got the server edition of Ubuntu which unfortunately does not come with the nice GUI like the desktop edition. I learned the hard way, and below I will describe how to install the GUI for the server edition.

Simply follow the installation instructions and soon you will have Ubuntu installed on your system. Note that Ubuntu does not have a "root" user nor does it prompt for a "root password" during installation. This is because, for security reasons, it does not want anyone to login as "root". In order to perform any tasks or actions via command line that require administrator privileges, simply use "sudo ". This prompts for a password for the currently logged-on user. In case of GUI programs, a pop-up box asks to enter the password for the currently logged-on user (much like UAC on Window's Vista).

Note that "sudo" will only escalate privileges of the current command and won't work in case of re-directions. Example: Say you want to write to a system file that requires administrator privileges and you type the following command:

sudo echo 1 > /proc/sys/net/ipv4/tcp_sack

You would still get "Permission denied". This is because "sudo" only performed on "echo 1" but not on "writing to file". There are two ways of tackling this:

(1) Escalate privileges of entire shell, execute your command withing the escalated shell, and then exit escalated shell. This is done as shown:

sudo bash
echo 1 > /proc/sys/net/ipv4/tcp_sack
exit

(2) A second method is by using the following command:

sudo bash 'echo 1 > /proc/sys/net/ipv4/tcp_sack'

Good ole GUI, where are you?

Well, after installing the server version of Ubuntu, I noticed that I wasn't presented with a nice GUI to play around, instead was faced with the command prompt. Nothing against command lines, but I like my GUIs :)

So I learned that typing the command "startx" will start the X server and associated GUI environment. But on executing the command, I am confronted with the following errors:

xauth: creating new authority file /root/.serverauth.38.66
xauth: creating new authority file /root/Xauthority
xauth: creating new authority file /root/Xauthority

X: cannot stat /etc/X11/X (no such file or directory), aborting
giving up
xinit: Connection refused (errno111): unable to connect the x server
xinit: No such process (errno 3): Server Error.

Aah! so I am missing X server and a GUI environment. I needed to install them first. For that, I used the following commands:

sudo apt-get install kde
sudo apt-get install xorg

This installs the KDE GUI environment and X server.

Now type "startx" and you will be presented with the KDE desktop. Do not type "sudo startx" which will cause all your applications to run with administrator privileges, and hence reducing security. On logging out, you will once again be presented with the command shell.

To rather be presented with the GUI (all the way), without having to encounter the command shell each time and typing "startx", simply install one of the GUI desktops all together, instead of the above two packages (kde and xorg). For installing one of the GUI desktops, type any one of the following commands:

To install the default GNOME desktop:
sudo apt-get install ubuntu-desktop

To install the KDE desktop:
sudo apt-get install kubuntu-desktop

After install, reboot your machine and you will be presented with a nice GUI based desktop :)

Some things I learned

In the process of trying to figure out these things, I learned some new things, which I would like to share here. Most Linux distributions have the file "/etc/inittab" that defines the "runlevel" into which the kernel boots up. Typically a runlevel of 2 means you will be presented with a command prompt, and a runlevel of 5 means you will be presented with a GUI. Example: for runlevel 5, the entry in "/etc/inittab" would be as such:

id:5:initdefault:

The following command gives the current runlevel you are in:

who -r

The following command will change your runlevel to 2 by shutting down unnecessary process's and starting up all runlevel 2 processes:

telinit 2

Each defined runlevel will have an "/etc/rcX.d/" directory where "X" is the runlevel number.
The contents of the "rcX.d" directory determines what happens at that runlevel. For Ubuntu, the default runlevel is 2. Also, the runlevels 2 through 5 on Ubuntu are all the same. There is no distinction between them, i.e. the contents of /etc/rc2.d/, /etc/rc3.d/, /etc/rc4.d/, /etc/rc5.d/ directories are all the same. This presents you with the default command line shell when you boot up, if you hadn't installed any of the GUI desktops.

Note that in Ubuntu, "init" has been replaced by "upstart". So, if you wish to change you runlevel, "upstart" still looks for the "inittab" file for a user set runlevel. Just create the "/etc/inittab" file and put the following line in it to boot to runlevel 5:

id:5:initdefault:

And then you have to add some new content to the directory "
/etc/rc5.d/" in order to start the X server and GUI environment by default on boot up (instead of the command line shell). This I am not sure how to do yet!

Accessing a Window's share from Ubuntu

In order to access a Window's shared folder in Ubuntu, over the network, you need to install "smbfs". Select System > Administration > Synaptic Package Manager and search for "samba server". Then select "smbfs" for install. This will install the and insert the "smbfs" kernel module (.ko - kernel object file) into the running kernel. This facilitates mounting of remote SMB share (such as the Window's share) on Linux. You can find if the kernel module has been properly inserted by executing the following command:

lsmod | grep smbfs

If you do not see it inserted, then you can manually insert the associated kernel object (.ko file) by issuing the following command:

modprobe smbfs

Also make sure that the "smb server" is up and running. In order to check this, type the following command:

netstat -antupo

Check to see if the "smb server" is listening on ports 139 and 445. If not, you can start it by issuing the following commands:

cd /etc/init.d/
./smb start

Now say the IP address to your Window's machine over the network is "192.168.1.1". Then type the following command:

smbclient -L 192.168.1.1

When prompted for "Password" simply hit "Return". This will list all shared folders on the Window's machine that do not require a password for read access. Say one of these shared folders is called "Documents". Then type the following command:

sudo mkdir /mnt/share
sudo chmod 755 /mnt/share
sudo mount //192.168.1.1/Documents /mnt/share

The first two commands will create the directory "/mnt/share/" and give appropriate permissions. The third command will mount the Window's share onto "/mnt/share/". If prompted for "Password", simply hit "Return".

In order to un-mount the share, type the following command:

sudo umount /mnt/share

Useful info and links

During my learning experience with Ubuntu, I also stumbled upon a number of useful resources, that I would like to share here:

Loads of help at Ubuntu Forums.

Documentation for Latest Version of Ubuntu.

Useful documentation for Ubuntu, browse by title.

Switching to Ubuntu from Windows.

Switching to Ubuntu from MacOS.

Ubuntu equivalents to Windows applications.

Software Equivalents in Ubuntu.

How-To: Setting up QEmu on Ubuntu with TUN/TAP and NAT.

How-To: Install and run Windows 2000 under QEmu on Ubuntu 5.10.

How-To: Install and run Windows XP under QEmu on Ubuntu.

How-To: Install and run any release of Ubuntu under QEmu on Ubuntu.

How-To: Install and run Ubuntu under QEmu or VMware on Windows.

How-To: Install and run VMWare Server (or Workstation) on Ubuntu.

Wiki page: About QEmu, and installing it on Slackware Linux

Installing Wine on Ubuntu.

Installing Internet Explorer on Ubuntu.

Seamless Virtualization with Ubuntu.

Kernel Virtual Machine on Ubuntu.

Hope this information has been useful.
Happy Ubuntu-ing... :)

Digg This | Slashdot This | Add to del.icio.us

Moderating Blogger Comments

Today I noticed a strange comment to one of my blog posts that I hadn't approved. At first I thought my blog has been hacked and some spammer or malicious writer posted this comment or inserted malicious links/IFrame tags into my posts. I quickly checked all my posts for these (by clicking on "edit post", then "edit Html", and checking each "http href"and searching for "iframe") and found everything to be clean. I then looked at the comment...

While hovering my mouse cursor on the hyper link "here it is", I see the URL "hxxp://www.yourtypingbiz.info/billion-dollar-market.php" in the status bar at the bottom of my Firefox browser window. Clearly, this is a case of SPAM.

Now how did this comment get into my post without me approving it first? Well, I found out that my comments were actually "NOT moderated"! I thought I had turned on moderation of comments, but apparently I didn't. So some spammer simply posted such a comment (with a link to their phishing website) to all blogger blogs that do not have comment moderation turned on. They probably do this via a script in order to reach a multitude of blogs.

My next step was to simply delete the comment and turn on moderation of comments.

Digg This | Slashdot This | Add to del.icio.us