Didier Stevens

Thursday 31 July 2008

F-Secure Reverse Engineering Challenge 2008

Filed under: Reverse Engineering — Didier Stevens @ 13:41

It’s back: http://www.khallenge.com.

And here’s a promo video I made last year.

Tuesday 22 July 2008

Authenticode Challenge

Filed under: Puzzle — Didier Stevens @ 21:03

Here’s a new puzzle, and “by popular demand”, it’s a couple of magnitudes harder than previous puzzles.

The puzzle is a Windows console application, you can download it here. When you run the program, it prints “Authenticode Challenge version 1” to stdin. The challenge is twofold:

1) make the program print “Authenticode Challenge version 2” (that’s easy)

2) update the digital signature to keep it valid (not so easy)

When you check the digital signature of the puzzle, you’ll see this:

And after you changed the program to print “Authenticode Challenge version 2”, you’ll see an invalid signature:

The challenge is to keep the signature valid, using a certificate with the same public key.

All the data you need from me is in the executable. You’re not allowed to hack my servers in search of the private key.

FYI: this puzzle was reviewed by a PKI expert, who confirmed the solution.

Good luck, I hope there will be many challengers, and better yet, with another solution than mine!

Monday 14 July 2008

A New Version of WhoAmI? and Another Little Puzzle

Filed under: My Software,Update — Didier Stevens @ 0:57

I’ve updated my WhoAmI? Firefox add-on for version 3.

You can download it here or get it from the Mozilla site. It has remained in the Sandbox since my first post, but now I’ve nominated to leave the Sandbox. If you use it, please post a review on the Mozilla page to help it on its way out of the the Sandbox (or keep it there if it’s too buggy).

And now for the little puzzle: what is special about this other version of my WhoAmI? add-on?

So don’t get confused by these 2 versions:

  • The real version of WhoAmI? is here
  • Download this other version only if you’re interested in a little puzzle

Saturday 12 July 2008

Infectee or Infector?

Filed under: Malware — Didier Stevens @ 10:32

My first and second little poll lead up to this post.

I’ve been quite surprised that the most downloaded file from my site is SafeBoot.zip. Since I published it more than a year ago, there have been 20,000+ downloads. And I’m also under the impression that the number of downloads per day is steadily increasing. One would be tempted to conclude from this that the number of malware infections that disable Safe Mode is on the rise, but this is indirect evidence.

First of all, I believe the increase is due to search engines. As more and more sites link to the Safeboot blogpost, the page will rise in the ranking of search results. One can argue that visiting the Safeboot blogpost and downloading the SafeBoot.zip file are two different things: you can land on the page just out of curiosity, but if you download the registry fix file, then you’re surely infected with a Safe Mode disabling virus.

Well, not necessarily. From my interactions with people using my registry fix, I’ve observed that some of them apply this fix even if their Safe Mode keys are intact. They just have another PC problem (for example the CD drive doesn’t work anymore), and they hope that my fix will fix this too.

So I’m not sure that Safe Mode disabling malware is on the rise, but I do know that it’s becoming more sophisticated. As the first virus I analyzed would only delete the Safe Mode keys once, now there are viruses that delete the Safe Mode keys and monitor them, deleting them again if they are restored.

Ironically, another large group of people that visit my site are not in search of a solution to a malware infection, but are looking for malware! Here are some of the most popular search terms that lead to my blog:

  • download virus
  • virus download
  • download a virus
  • how to get a virus
  • get a virus
  • give me a virus

The reason that search engines direct users to my site when they search for a virus, is an unfortunate side-effect of my Google Adwords post. This is my most popular blogpost by far, and has been linked to by countless sites. Although I have offer no malware to download, this Adwords blogpost contains the words of the search terms and is highly referred to, so it ranks high in search engine results.

So if you’re landing on my blog via a search engine, it’s very likely you’re an infectee or an infector. 😉

Thursday 10 July 2008

A Second Little Poll

Filed under: Poll — Didier Stevens @ 6:51

The answer to the question I asked yesterday is: SafeBoot.zip. Excellent deduction work Matthew.

And now a second question: what are the most popular search term variations (two or more words) that land people on my blog https://blog.DidierStevens.com (according to WordPress.com)?

Post a comment with your answer.

Wednesday 9 July 2008

More Fireworks

Filed under: Malware — Didier Stevens @ 15:31

More fireworks.

Tuesday 8 July 2008

A Little Poll

Filed under: Uncategorized — Didier Stevens @ 20:45

According to you, what’s the single most-downloaded file from my site http://DidierStevens.com? It’s neither welcome.html nor robots.txt.

Post your guess as a comment.

Friday 4 July 2008

4th of July, Business as Usual

Filed under: Malware — Didier Stevens @ 8:39

VirusTotal coverage: 17/33 (Caveat emptor)

Let me draw your attention to VirusTotal’s Hash Search function:

The MD5 of the malware I uploaded is: 213391f50aac3580fa8b7b5e8a671afe

Thursday 3 July 2008

bpmtk: A New Version With bpmtk.dll Included

Filed under: Hacking,My Software — Didier Stevens @ 8:41

Here is a new version of the Basic Process Manipulation Tool Kit (bpmtk).

Some noteworthy changes:

  • bpmtk.dll has been added
  • for ASCII: and UNICODE:, now you can specify a string with spaces by enclosing it in double quotes (ASCII:”My Name”)
  • write and search-and-write use VirtualProtectEx to change the virtual page protection when a write fails

So now you can also load the bpmtk as a DLL in a process and it will execute its configuration. The configuration is embedded in the DLL as an ASCII string. To change the configuration, you’ve 2 options:

  1. edit the source code and recompile the DLL
  2. binary edit bpmtk.dll and insert your config between the strings #BPMTK_CONFIG_BEGIN\r\n and #BPMTK_CONFIG_END\r\n. Terminate all lines of your config with CRLF

Blog at WordPress.com.