16 Feb

NetBalancer: should you trust it?

For the last few months, people have kept bashing antivirus and security software in general, on Twitter or on their personal pages. Sure, Twitter is full of opinionated idiots who just love to complain about everything that doesn’t match their point of view. On a few occasions they are right, and even I have written about some of the issues with antiviruses before.

But!

But you’d be f*king stupid to delete your antivirus just because it has some bugs. Door locks get picked by criminals every day and people still use them. Professional lockpickers do exist – it’s their job to break a lock’s security mechanism and get you back in the house when you lose your keys. Tavis Ormandy is a professional lockpicker – only he works in the digital world. It’s his job to break digital security mechanisms and help vendors fix the issues.

Having said that, not all software is created equal. Sometimes new and dangerous features get added to otherwise great software. These features look good on paper but they can really ruin someone’s day. Today, I’ll demonstrate one such feature.

Introducing SeriousBit NetBalancer

NetBalancer is a Windows application for local network traffic control and monitoring. It shows you the network traffic on your computer and helps you to set limits, priorities and rules for that traffic. Some sort of a firewall – but better. It can prioritize your traffic, schedule it for specific times, do statistics, make graphs and charts and what not. And it looks really good!

Predefined Priorities

NetBalancer’s Predefined Priorities is a feature that looks great on paper.

For those of you who are not sure what priorities are best for your PC we decided in NetBalancer 8.5 to add some predefined priorities.
These priorities include the most used programs and processes, currently about 1700 total (and counting), and are set to match the needs of most users

It could be used for virtually everything:

  • giving high priority to VoIP applications and games
  • making sure background processes (e.g. software updaters) don’t interrupt your YouTube experience
  • and even blocking malware

The possibilities are endless. In fact, virtually all of the antivirus products use similar databases to preconfigure their firewalls. It makes total sense after all!

However, the devil is in the details. All such databases must be maintained. A new version of Skype comes out, you need to update the database. League of Legends releases a new update, you must update the database. And you must do it very fast, so that your users don’t suffer from a misbehaving firewall. It’s a lot of work.

Since NetBalancer is made by a small company called SeriousBit SRL, I was naturally curious how they manage to do that.

Inside Predefined Priorities

First, I needed to obtain the complete database of the priorities. You could try to find something in C:\ProgramData\SeriousBit\NetBalancer\ but it would be more interesting to find and download the correct files from the official servers, right? After a quick string search, I learned that priorities can be downloaded from https://netbalancer.com/api/internal/predefinedpriorities. It’s a huge JSON file, but it isn’t encrypted or signed in any way.

That’s a serious red flag right there. Security companies vigorously protect their databases – it’s their know-how, their crown jewels. And they use digital signatures to make sure that the databases aren’t tampered with. After all, which developer wants to see his product in the news like “MalwareBytes: multiple security issues”?

OK, in this case the JSON file is downloaded over HTTPS, therefore it’s slightly harder to intercept the traffic and modify it. So, let’s ignore this issue for a moment and look at the JSON data instead.

In a minute or two, I was in the full “WTF?” mode.

Here’s an excerpt from the JSON, prettified for easier viewing:

Setting high priority for RAR and TMP files.. More than 2000 entries like that? WTF?

How about this?

Yes, I want to download my porn with a high priority, thank you very much!

But how on earth did that get through the QA process? Is there any QA process in SeriousBit SRL? I highly doubt that..

Unsolicited user data gathering

All those entries made me think – how is it possible that NetBalancer’s database contains such crap information? The most obvious answer was – it’s submitted by users. To verify the guess, I took a sneak peek inside SeriousBit.NetBalancer.Core.dll. And there it was:

The call is coming from here:

There you have it – if you have enabled “Predefined Priorities”, NetBalancer will also silently upload all your priorities to their servers.

Want to wreak some havoc with unsuspecting users of NetBalancer? Post your own JSON file that blocks all traffic for all the browsers – apparently NetBalancer doesn’t validate user submissions and will happily distribute them to other users.

Abusing existing database

I was also wondering what the meaning of the ExeNameCrc field is. Turns out that NetBalancer uses the CRC32 of the filename as a key in the dictionary that manages process priorities. To make matters easier, they also supply you with a proper filename in the ExecutablePath field. So, if you want to make sure your malware has unlimited traffic and high download priority, just name it swarm.exe:

Indeed, CRC32(“swarm.exe”) = 1475648703, as you can verify in some online CRC32 calculator..

A quick test confirms that too:
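Separately from the author's test, here is an added example (not code from the post or from NetBalancer) of why a rule keyed on the CRC32 of a file name follows any file carrying that name, while a rule keyed on a hash of the file's contents does not. The UTF-8, lower-cased name encoding, the rule tables and the sample files are assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile
import zlib


def name_key(path: str) -> int:
    """CRC32 of the bare file name (assumed here: UTF-8, lower-cased)."""
    name = os.path.basename(path).lower()
    return zlib.crc32(name.encode("utf-8")) & 0xFFFFFFFF


def content_key(path: str) -> str:
    """SHA-256 of the file contents, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def demo() -> dict:
    with tempfile.TemporaryDirectory() as root:
        # Constructed sample files: same name, different bytes.
        genuine = os.path.join(root, "vendor", "swarm.exe")
        impostor = os.path.join(root, "downloads", "swarm.exe")
        for path, data in ((genuine, b"genuine build"), (impostor, b"something else")):
            os.makedirs(os.path.dirname(path))
            with open(path, "wb") as f:
                f.write(data)

        # Hypothetical rule tables, both built from the genuine file only.
        by_name = {name_key(genuine): "high"}
        by_content = {content_key(genuine): "high"}

        return {
            "name_rule_genuine": by_name.get(name_key(genuine)),
            "name_rule_impostor": by_name.get(name_key(impostor)),
            "content_rule_genuine": by_content.get(content_key(genuine)),
            "content_rule_impostor": by_content.get(content_key(impostor)),
        }


if __name__ == "__main__":
    for rule, priority in demo().items():
        print(f"{rule}: {priority}")
```

A content hash changes with every release, which is the maintenance cost described earlier in the post; Windows allow-listing such as AppLocker offers publisher (signature) rules for that reason.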

Conclusion

Trust is a delicate subject. On the one hand, all the Cloud and Connected things make your life much easier. On the other hand, you must choose wisely who you trust and what data he/she can access. I doubt that SeriousBit intentionally created such a buggy and dangerous feature in NetBalancer. But that doesn’t mean I would ever want it to be running on my machine!

Have fun and stay safe!

01 Feb

Moving to a new host

Last week MaxXor suggested that I should add HTTPS support to my blog. My existing free host (bplaced) doesn’t offer HTTPS, so I decided to finally switch to paid hosting. After thinking a bit, reading customer references, I chose Active24 – and so far the experience has been overwhelmingly positive.

  • Webhost was set up within minutes, including a self-signed HTTPS certificate;
  • As soon as you update your DNS entries, a Let’s Encrypt certificate is issued automatically. You don’t need to do anything yourself!
  • Unlimited disk space;
  • Unlimited traffic;
  • Unlimited cron jobs;
  • And everything “just works™”;

For now HTTPS is optional (try https://lifeinhex.com/); I’ll start enforcing HTTPS in a few days, after fixing all the mixed-content warnings.

Have fun and stay safe (and let me know if you notice any issues)!

18 Jan

Blog not dead

I just noticed that I haven’t published a full-length post for almost 2 months already. Let me assure you, this blog is not dead, I just had a peaceful Christmas vacation. Here’s what else is new..

Domain renewal

I’m still having fun writing this blog. So, I’ve renewed the domain for one more year. Since I’m using free shared hosting, HTTPS is not an option. But if you would really like to see that (or any other improvements to the site), please let me know in the comments.

WordPress update

As you probably have noticed, this blog is running on WordPress. And since my webhost has really tough restrictions on what can be done with shared hosting accounts, automatic update of WordPress is not possible. So, I updated the engine manually to the latest version 4.7.1.

Last night there was a short outage, but it was more likely caused by maintenance on the webhost. But please do let me know if you notice any issues with the site!

Improved Enigma Virtual Box unpacker

One of the most requested features for Enigma Virtual Box unpacker was support for large files. I had to rewrite quite a lot of stuff to make it happen but now it works fine for files up to 4GB (and possibly more). It’s finished but I need to test the unpacker properly before making it public.

Improved Molebox unpacker

Again, one of the most requested features is to support huge files (500MB+). Since the original unpacker was written in 2009, compiled only with Delphi 4 and was intended to unpack regular EXE files, I had to rewrite pretty much everything from scratch – so I’m happy to say that it’s 90% done. I should be able to wrap it up in a few weeks and then make it public.

Blog post about video-to-exe DRM protections

Every once in a while someone in Tuts4You asks about video-to-exe or pdf-to-exe “protections”. Every single one I’ve seen so far has been just snake oil. In the article I’ll document the methods used by these “protections” to encrypt the video/PDF and prevent the user from extracting the original file out of the EXE. You won’t believe how much time and effort goes into preparing a single technical blog post – so don’t expect it to be finished any time soon.

Have fun and talk to you all later!

15 Nov

Why morons shouldn’t be writing about security, part 2

I read Kotaku’s article called “FBI Says Alleged Hackers Used FIFA To Steal Millions From EA” this morning. And it reminded me of the crap articles Catalin Cimpanu writes at Softpedia.

What’s wrong with Kotaku’s article?

Well, pretty much everything.

First, this group did not steal from Electronic Arts. In fact, not a single penny of real currency was taken from EA.

According to an unsealed FBI indictment, Clark and his co-defendants allegedly built a tool that would send false signals to EA’s servers to spoof matches, generating these FIFA coins at a rapid rate. The FBI alleges that Clark and crew then sold the coins to third-party sellers, earning millions.

Exactly! The guys received FIFA coins from EA (it’s an in-game currency) which they later sold on underground sites. The money came from persons entirely unrelated to Electronic Arts and it was given voluntarily. And that, by definition, is not theft.

The article continues with plenty of other funny statements like:

.. worked with the defendants to get Xbox development kits and reverse-engineer a pirated copy of FIFA 14 using a program called Interactive Disassembler. This process took several months, Alcala said, but it allowed them to create a tool for mining FIFA coins.

I just love the IDA reference in here. These guys used a disassembler, they must be real evil hackers! All in all, this article is a fun read but it got all the basic facts wrong.

Mr. Jason Schreier, please stop writing about things you have no clue about. Stick to your video game reviews or something.

What is really happening?

Thankfully, UK journalists have a much better idea of what’s happening in US courts, and they wrote a much better article. According to the indictment, the charges are “conspiracy to commit wire fraud”, a stupid catch-all term used in US courts for pretty much everything done over the Internet.

That document is an equally funny read and shows how desperate the prosecutors must be to make any charges stick. Let’s see:

  • the defendant assisted in creating a program (…) which sent electronic messages to EA’s servers fraudulently representing that thousands of FUT matches had been completed in the EA’s FIFA video game. EA’s servers materially relied on the completed match messages and credited various accounts maintained by the defendant and his co-conspirators with FIFA coins. – this is the only part of the indictment that actually makes sense. Kinda. There’s one teeny tiny detail – RANE Developments got virtual goods from EA. And the legal status of virtual goods is very unclear in the United States. If virtual goods are not “money or property” in the eyes of law, then there was no fraud.
  • the defendant and co-conspirators continued to create and execute new methods to circumvent the security measures by EA in EA’s effort to prevent fraudulent activity associated with the company’s FIFA video game. – that might be a breach of EULA but not a crime;
  • executed their “application” through a video game console, which they modified to circumvent security and copyright protections, and on game development kits, which they obtained from unlicensed sources. – we’re getting desperate, let’s charge them with modding their consoles!
  • executed their “application” through cloud computer servers, which allowed them to run more copies of the software and obtain significantly more FIFA coins. – if nothing else helps, let’s charge them with renting cloud computer servers! Oh, wait, what?

Naturally, the defendant has pled not guilty to the charge. And if his lawyer is any good, I’m guessing he’ll walk out of the court as a free man.

17 Aug

Gone for summer vacation

The last few months were quite busy for me.

On the good side: I solved 2 tracks of Labyrenth CTF – Windows and Documents. Unfortunately they still haven’t published the Honor Roll, so I have no clue if I placed 1st, 2nd or 44th..

On the bad side: there are lots of changes happening in my office. I don’t mind changes per se but the uncertainty of the future of the company.. Well, that’s not great.

So, I’m leaving for summer vacation. I’ll spend almost 4 weeks on islands with very spotty mobile coverage and almost certainly without Internet access. Will be back in mid-September, relaxed and ready to do some serious reversing again.

Have fun and talk to you all later!

20 Jun

Six-factor authentication (it’s not)

Today I read an article in The Register called Tor torpedoed! Tesco Bank app won’t run with privacy tool installed.

It’s a fun read about Tesco’s Android banking app and how it refuses to run when the Tor application is installed on your mobile. But what really caught my attention is this comment to the article:

I did a count of my account with a certain bank and when I use a PC which does not store their funky cookies, I get 6 (yes really, 6) steps for authentication.

  • Initial Customer code
  • Security password as there is no cookie so PC is not recognised
  • pre-agreed image
  • pre-agreed phrase
  • Customer Number
  • Security code

and if I use a Windows PC it whinges that I don’t have cRapport which would ‘improve my security’
So 6-Factor security isn’t good enough and you want an extra package to help???????

Sir, if you had ever read what multi-factor authentication is, you wouldn’t be stating such nonsense. All six of the steps you mentioned are of the same factor – “something you know”. As such, they provide no additional security, as one keylogger/screengrabber will capture them all.

Why your bank insists on you jumping through so many redundant hoops remains a mystery..

03 Jun

Quickpost: addicted to meaningless jargon

This is a great article about one journalist’s experiences at the RISE conference.

“We visually organize your email and cloud-based content for ultra fast access,” says Kalpesh, reading from his promotional materials. “It’s visual storytelling with any type of content.”

Say what? What does this thingy do? I have no clue.

Apparently I’m not alone. Luckily, the article’s author translated it into plain English:

Translation: Cubes is actually an app that pinpoints anything that’s not plain-Jane text in your email or Dropbox accounts (a photograph, an excel file, a YouTube video), takes snapshots of those things, and then bundles them together in a standalone app.

OK, now I get it. Thanks!

However, the sad thing is, it’s not just startups. If you’re working in a large company, you’ve probably seen these kinds of emails sent by your pointy-haired bosses. They are stuck in their bubbles talking about “disruption”, “alignment” and “engagement”. How about this:

To ensure synergies and alignment between the finance strategy and business needs, Mr.X will co-operate closely with all finance functional leads, including aligning closely with Mr.Y and his team to ensure the consistent dissemination of financial information.

No, I really don’t know why our company is going to pay $100k a year to this guy. Do you?

31 May

BTVStack.exe requesting access to Skype on every startup

Background

At home I’m using a desktop computer. It has an ASUS motherboard with an Atheros Bluetooth chip. I have all the drivers installed but I’m not using Bluetooth at all.

Problem

Some time ago I started getting these notifications every single time I started Windows:

btvstack.exe is requesting access to Skype. Only allow access to programs downloaded from a trusted source as they will be able to use information such as your Skype contacts and messages.

No matter what option I selected, it would ask me again on next reboot. Bloody hell!

If you google for the solution, you’ll notice that:

  1. It’s quite a common problem;
  2. The most common solution is to deny/allow access either using the dialog above, or Tools->Options->Advanced->Advanced Settings->Manage other programs’ access to Skype;
  3. Another solution for Windows 8+ is to deselect “Allow Bluetooth devices to send you PIM items such as business cards, calendar items, e-mail messages, and notes.” in the Bluetooth Control Panel applet;

Unfortunately, the first solution was not working for me. And the second solution is not feasible because there is no such option in the Windows 7 Control Panel.

Solution

Since I don’t need Bluetooth but I don’t like to have broken drivers, I decided to disable just the offending DLL. From an elevated command prompt I ran

and the problem has disappeared. Great success!

Hope this helps someone else too.

20 May

Beautiful code

After making quite a few unpackers and other RE-related tools, publishing sources for them and having to maintain and bugfix them, all I can say is: “Read this. Remember this. Worship this.”

All code is born ugly.

It starts disorganized and inconsistent, with overlaps and redundancies and gaps.

We begin working it into an imperfect solution for an often poorly defined problem.

As we start building up like clay, a solution starts taking form. The feedback guides us in moving, removing and adding material. It allows us to add and remove details. We learn from our mistakes.

Thank you, Dennis, you made my day so much better.