Saturday, December 4, 2010

Our talk on icons at Malcon 2010 and Clubhack 2010

Hi to all

We have just given a talk (and also a tutorial) about Windows icons and how a malware attack can pervert and exploit them. We have experimented with this, using undocumented features in Windows, under Windows 7 (a simple user session without any privilege; UAC not allowed).

This attack makes it very easy to execute malware simply by using transparent icons. What are transparent icons? An invisible icon that covers a normal icon. Any click on the latter apparently launches the normal, intended application, but in fact the invisible icon is used first (executing the malware); the malware then locates the mouse coordinates and transfers the action to the normal application. Simple, isn't it?

While we had already presented this technique in 2005 here, we have extended it and added a new attack variant. Any mouse-intoxicated user will be trapped!

More on the slides here.

Have a nice reading!


Friday, November 26, 2010

What is the interest of creating a malicious registry key? A confirmation of our 2010 paper.

Hi to all

We have presented a few proof-of-concepts at the 2010 conference (one of the best hacking conferences indeed). The aim was to exploit the concept of trusted macros and trusted locations in both Office and OpenOffice documents (here are the technical paper and the slides; videos of our demos are here and here). Through a two-step attack, it is possible to execute macros automatically without triggering any alert or confirmation (from the application and of course from the AV). The only condition is to create a simple (malicious) registry key during the first step. This kind of attack is very interesting and may have a dramatic impact in environments where executing sophisticated binaries is impossible (see our paper).

Well, this news (and also this one) sheds a new, interesting light on our proof-of-concepts. This extract is quite explicit:

"What’s interesting is that the vulnerability exists in a function that queries the registry so in order to exploit this the attacker has to be able to create a special (malicious) registry key. Author of the PoC managed to find such a key that can be created by a normal user on Windows Vista and 7 (so, a user that does not even have any administrative privileges)."

Do you still have any doubt about the fact that Microsoft Windows is a wonderful world indeed? But for whom?


Wednesday, November 24, 2010

New release of the Megiddo open source cryptographic library

Hi to all

I have just released the new version of Megiddo (0.4.0) on the relevant page. This release includes many new things:
  • A new detection program for a single encrypted file. Quite often, encryption is performed with a short cyclic sequence (from a few bytes to a few kilobytes) combined with the plaintext (file, binaries...). This is for instance the case with encrypted malware. The detect_singlefile.c program detects the length of that cyclic sequence. You then just have to split your encrypted file into chunks of that length and perform the cryptanalysis as explained in the library.
  • New and very detailed slides explaining how to use the open source library and especially giving interesting examples (drawn from real cases) of how trapdoors can be hidden in encryption systems. The case of dynamic cryptographic trapdoors is also presented.
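To illustrate the idea behind such a detector, here is an added example (not Megiddo's own code): count how often two bytes at distance d coincide in the encrypted file; that rate jumps when d is a multiple of the cyclic sequence length, because both bytes were combined with the same key byte. The 7-byte key, the sample text and the "twice the mean" threshold are assumptions constructed for the demo.

```c
/* Added example, not Megiddo's own code: estimate the length of a short
 * cyclic XOR key from one encrypted file by counting byte coincidences.
 * The key, the sample text and the threshold are constructed for the demo. */
#include <stdio.h>
#include <string.h>

/* Fraction of positions i with buf[i] == buf[i + shift]. At a shift that is a
 * multiple of the key length both bytes were XORed with the same key byte, so
 * the plaintext's own repetition rate shows through; elsewhere it is masked. */
static double coincidence_rate(const unsigned char *buf, size_t n, size_t shift)
{
    size_t hits = 0, i;
    for (i = 0; i + shift < n; i++)
        if (buf[i] == buf[i + shift]) hits++;
    return (double)hits / (double)(n - shift);
}

/* Smallest shift in 1..max_shift whose rate exceeds twice the mean rate over
 * all tested shifts, or 0 if none does (the smallest standout is taken so a
 * multiple of the true key length is not reported instead). */
size_t detect_period(const unsigned char *buf, size_t n, size_t max_shift)
{
    double rate[256], mean = 0.0;
    size_t p;
    if (n < 8) return 0;
    if (max_shift > n / 2) max_shift = n / 2;
    if (max_shift > 255) max_shift = 255;
    for (p = 1; p <= max_shift; p++) mean += (rate[p] = coincidence_rate(buf, n, p));
    mean /= (double)max_shift;
    for (p = 1; p <= max_shift; p++)
        if (rate[p] > 2.0 * mean) return p;
    return 0;
}
/* Constructed sample: lowercase text XORed with a 7-byte cyclic key. */
static const char *SAMPLE_PT =
    "the quick brown fox jumps over the lazy dog while the encrypted malware "
    "sample hides a short cyclic key that repeats every few bytes and any shift "
    "equal to that length lines up bytes protected by the same key byte so the "
    "plaintext statistics show through the encryption and the analyst can split "
    "the file into columns of that length before starting the real cryptanalysis";
static const unsigned char SAMPLE_KEY[7] = {0x17, 0x3c, 0x95, 0xbe, 0x48, 0x63, 0xca};

size_t detect_period_demo(void)
{
    unsigned char ct[512];
    size_t n = strlen(SAMPLE_PT), i;
    for (i = 0; i < n; i++) ct[i] = (unsigned char)SAMPLE_PT[i] ^ SAMPLE_KEY[i % 7];
    return detect_period(ct, n, 32); /* 7 for the sample above */
}
int main(void) { printf("estimated key length: %zu\n", detect_period_demo()); return 0; }
```

Once the length is known, the file is split into that many columns and each column is attacked as a single-byte XOR problem, which is the step the library documents.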
Have a nice read and have fun practicing with Megiddo-0.4.0.


Welcome to the (C+V)O Lab

Welcome to the Operational Cryptology and Computer Virology lab blog. You can follow the different activities of this lab here. Please feel free to contribute in any constructive way.

Just a quick summary of the lab research activities: we work on computer, network and information security with the attackers' mind and point of view in order to provide better protection and defense. Our research topics cover:
  • Symmetric encryption: design and evaluation of symmetric cryptosystems, design of cryptosystems with trapdoors (introduction of undetectable mathematical weaknesses allowing a less complex cryptanalysis for anyone who knows the trapdoor), cryptanalysis of symmetric cryptosystems based on their combinatorial properties (weaknesses), and reconstruction techniques for unknown algorithms (coding or encryption) using only the intercepted material (encoded streams, encrypted messages).
  • Analysis and design of steganographic systems. Encrypted data (COMSEC aspect only) exhibit a (too) typical statistical profile, so any attacker can easily identify an exchange of encrypted data. It is therefore crucial in some contexts to hide the very existence (storage, exchange) of the data. That is the role of steganography (hiding the channel, i.e. the TRANSEC aspect). From the dual point of view, I am also interested in techniques for detecting steganographic contents (steganalysis).
  • Computer virology: formal characterization of viral techniques (known and unknown), study and design of new malware technologies, formalization and design of new antiviral techniques, malicious cryptography and steganography (potential use of encryption and/or steganographic techniques by malware, and use of malicious codes for applied cryptanalysis purposes), and analysis and evaluation (passive and active) of antivirus software.
  • Analysis and technical studies of the concept of computer warfare.
Once again, welcome to this blog.