Tuesday, September 21, 2004

Trusecure Betrusted Merger

The information security space seems to be consolidating fast these days, reminiscent of the many US defense industry mergers, not to mention the various cellular industry mergers.

I'm not very familiar with Betrusted, but they are similar to Trusecure in both products and market, with Trusecure covering North America and Betrusted holding Europe and Asia.

ICSA Labs, a subsidiary of Trusecure, is looking for a Malicious Code Security Analyst. They're very friendly at ICSA Labs. I believe that, notwithstanding what it says in the job description, they will be willing to offer relocation for the well qualified candidate. Good opportunity at what is now a larger company.

Friday, September 17, 2004

AV buying Network Security firms

I might have gotten the situation backwards previously. Symantec has just bought @stake. With McAfee buying Foundstone last month, the situation actually becomes AV firms moving into Network Security and Security consulting.

The moves into the AV market by the various network security companies may have been lures to encourage acquisition by the larger AV firms. This is not to say that these firms were not actually looking for virus analysts.

In the case of Foundstone, pre-acquisition, they were looking for one person to bring them up to speed on virus analysis. Given the nature of newer malware threats, one expert is not sufficient for the task. Gaps in knowledge would put your response time behind that of your competitors. Actively interviewing candidates from a small pool, such as AV people, does bring your firm to the attention of larger firms. An expert working for you is not working for them; even if you are not a large competitor you do reduce their effectiveness. This may have been the case with McAfee.

I don't believe @stake was entering the AV market. They do have experience with investigating cell phones and other embedded devices. MobilePenTester, PDAZap and RedFang come to mind.

Regarding virus analysts, Symantec seems to be looking for one with phone experience:

"Experience with operating systems for handheld devices such as Palm OS, Pocket PC, Symbian OS and/or Windows Mobile software for Smart phones a distinct advantage."

Perhaps Airscanner might be receiving an offer in the near future.

Thursday, September 09, 2004

On FPs and behavior blocking; another Malware Analysis opening

False positives (FP) are a troublesome problem in the AV industry. Sometimes innocent products share enough behavioral characteristics with malware that we initially classify them as malware.

Mistakes like this affect your credibility and the credibility of your product, so fixing FPs is usually a very high priority. Therefore it was interesting to see that earlier this week one of the top 3 AV vendors was having some trouble with a good sized FP. It was something to do with ISP connection software. The detections were of course fixed quickly but the good will lost with customers may not easily be repaired.

The rate of FPs is also the reason why behavior blocking (or, as it's known in the Homeland Security business, "profiling") has been so late in entering the market. Blocking someone's ISP software because it uses your modem to dial your ISP is forgivable if done by a human. After all, we all have deadlines and other pressures. If you are unable to connect to your ISP once every two weeks due to your computer security software, you are unlikely to be as forgiving.

Handling false positives usually requires human intervention. Speaking of which, there is an opening at McAfee:

Research Scientist
"Knowledge of various file formats and operating systems a plus, namely PE and ELF formats and Linux and MacOS operating systems."

ELF? ELF knowledge as a requirement for malware analysis seems to be getting more common.

I'd think after PE, Mach-O knowledge would be more important given market share. Or even Symbian PE.

Monday, September 06, 2004

Looking into buffer overflows

CAN-2004-0143 initially looked promising when I read the heading at pentest.co.uk. Unfortunately, after reading the full advisory it becomes obvious that the vulnerability type has been mis-stated: it is actually a denial of service, not a buffer overflow. The other references listed in the CVE entry correctly describe it as a denial of service.

This is not quite the automatic security-bypassing download vulnerability of which we have been warned. The main use would be in "finishing" the job after getting the malicious code past security in some as yet unknown fashion: essentially an automatic reboot to let a boot-loading component gain control. Similar to what Sasser did recently, or to one or two older multipartite viruses much earlier. Regardless, an unwieldy attack.

Perhaps some of the StrongARM shellcode techniques may be more appropriate.

Thursday, September 02, 2004

Makefn tool added to DmpE32

Symbian executables import by ordinal, so it is very helpful for an exe dumper like DmpE32 to map the import ordinals back to the original function names.

Previously I'd been generating the import function name files (.fn) for each version of the SDK. Unfortunately the zip of the latest .fn files was in the range of 300-400 KB. Offering these for download would require more bandwidth than I pay for (>0). Additionally, in the case of the Series 60 specific files the mappings were inaccurate.

I had been using nm to dump the function names and post-processing the output. Unfortunately nm sorts by object module and not by ordinal. In some cases the numeric portion of the object module name matches the ordinal, a lucky coincidence but definitely not reliable.

Matt Pietrek's article on COFF libraries, and its source code, proved very helpful. GNU's dlltool source provided insight into the various .idata components.

I've added a tool (makefn) for generating the imported-function-to-ordinal mapping to the DmpE32 package.
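The mapping step makefn automates, as an added example (this is not DmpE32's makefn and not dlltool's code): a small Python parser that walks an import library and takes each ordinal from the object's .idata$5 entry instead of from the digits in the object module name. It assumes the dlltool layout (one COFF object per export, the ordinal stored as `ordinal | 0x80000000` in .idata$5, an external `__imp_<name>` symbol placed in that section, `__imp_` being the prefix to strip) and an "ordinal name" line format for the .fn output; the sample .lib it runs on is constructed inline to that same layout and is not a real SDK library.

```python
"""Map import ordinals to function names by reading a COFF import library.
Added example, not DmpE32's makefn. Assumed dlltool layout: one object per
export, ordinal | 0x80000000 in .idata$5, external __imp_<name> in .idata$5."""
import struct

AR_MAGIC = b"!<arch>\n"
ORDINAL_FLAG = 0x80000000  # IMAGE_ORDINAL_FLAG32: the entry imports by ordinal


def _ar_members(data):
    """Yield (name, body) for each member of a GNU ar archive (the .lib)."""
    if not data.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    off = len(AR_MAGIC)
    while off + 60 <= len(data):
        hdr = data[off:off + 60]
        size = int(hdr[48:58].decode().strip())
        yield hdr[:16].decode().strip().rstrip("/"), data[off + 60:off + 60 + size]
        off += 60 + size + (size & 1)  # member bodies are padded to even length


def _symbol_name(raw, strtab):
    """COFF symbol name: 8 bytes inline, or four zero bytes + string-table offset."""
    if raw[:4] == b"\0\0\0\0":
        off = struct.unpack_from("<I", raw, 4)[0]
        return strtab[off:strtab.index(b"\0", off)].decode()
    return raw.rstrip(b"\0").decode()


def _import_from_coff(obj):
    """Return (ordinal, name) from one import object, or None if it carries none."""
    if len(obj) < 20:
        return None
    machine, nsect, _, symptr, nsyms, opthdr, _ = struct.unpack_from("<HHIIIHH", obj)
    if machine == 0 and nsect == 0xFFFF:  # MS short-import member, not a COFF object
        return None
    sections = []
    for i in range(nsect):
        name, _, _, rawsize, rawptr = struct.unpack_from("<8sIIII", obj, 20 + opthdr + 40 * i)
        sections.append((name.rstrip(b"\0"), obj[rawptr:rawptr + rawsize]))
    idx = next((i for i, (n, _) in enumerate(sections) if n == b".idata$5"), None)
    if idx is None or len(sections[idx][1]) < 4:
        return None
    entry = struct.unpack_from("<I", sections[idx][1])[0]
    if not entry & ORDINAL_FLAG:
        return None  # imported by name: hint/name would sit in .idata$6 instead
    strtab_off, strtab = symptr + 18 * nsyms, b""
    if strtab_off + 4 <= len(obj):
        strtab = obj[strtab_off:strtab_off + struct.unpack_from("<I", obj, strtab_off)[0]]
    i = 0
    while i < nsyms:  # section numbers are 1-based; skip auxiliary records
        raw = obj[symptr + 18 * i:symptr + 18 * i + 18]
        if struct.unpack_from("<h", raw, 12)[0] == idx + 1:
            name = _symbol_name(raw, strtab)
            if name.startswith("__imp_"):
                return entry & 0xFFFF, name[len("__imp_"):]
        i += 1 + raw[17]
    return None


def ordinal_map(lib_bytes):
    """Parse a .lib archive into {ordinal: function name}, ordered by ordinal."""
    found = {}
    for name, body in _ar_members(lib_bytes):
        if not name:  # '/' symbol index and '//' long-name table carry no imports
            continue
        hit = _import_from_coff(body)
        if hit:
            found[hit[0]] = hit[1]
    return dict(sorted(found.items()))


def fn_lines(lib_bytes):
    """Render the map as 'ordinal name' lines (the .fn layout is an assumption)."""
    return "".join(f"{o} {n}\n" for o, n in ordinal_map(lib_bytes).items())


# --- constructed sample input (not a real SDK library) ------------------------
def _make_import_object(func, ordinal):
    """Minimal dlltool-like object: .idata$5 and .idata$4 holding the ordinal,
    plus an external __imp_<func> symbol in .idata$5 (ARM machine type)."""
    entry = struct.pack("<I", ORDINAL_FLAG | ordinal)
    raw_off, sym_off = 20 + 40 * 2, 20 + 40 * 2 + 8
    symname = ("__imp_" + func).encode()
    hdr = struct.pack("<HHIIIHH", 0x1C0, 2, 0, sym_off, 1, 0, 0)
    secs = b"".join(struct.pack("<8sIIIIIIHHI", n, 0, 0, 4, raw_off + 4 * i, 0, 0, 0, 0, 0xC0300040)
                    for i, n in enumerate((b".idata$5", b".idata$4")))
    sym = struct.pack("<IIIhHBB", 0, 4, 0, 1, 0, 2, 0)  # name at strtab+4, section 1, external
    return hdr + secs + entry + entry + sym + struct.pack("<I", 5 + len(symname)) + symname + b"\0"


def _make_ar(members):
    out = AR_MAGIC
    for name, body in members:
        out += f"{name + '/':<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(body):<10}`\n".encode()
        out += body + (b"\n" if len(body) & 1 else b"")
    return out


# Module numbers deliberately do not match the ordinals: the case where reading
# the digits out of nm's object module names goes wrong.
SAMPLE_LIB = _make_ar([("d000001.o", _make_import_object("NewL__5CFoo", 3)),
                       ("d000002.o", _make_import_object("ConstructL__5CFoo", 1)),
                       ("d000003.o", _make_import_object("Bar__5CFooi", 2))])

if __name__ == "__main__":
    print(fn_lines(SAMPLE_LIB), end="")
```

Run against the constructed archive it prints the three imports ordered 1, 2, 3, even though the objects are numbered d000001 to d000003 in a different order, which is exactly what an nm-based approach gets wrong. Objects that import by name (no ordinal flag in .idata$5) and the archive's own index members are skipped rather than mis-mapped.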


COFF Lib references:

Pietrek, Matt. "Under The Hood." Microsoft Systems Journal, Apr. 1998. <http://www.microsoft.com/msj/0498/hood0498.aspx>.

GNU dlltool.c, GNU Binutils package.
