Why you should not worry about HARES

kao

Last week Wired published an article about HARES - Hardened Anti-Reverse Engineering System. The article is a really great example of what happens when some idiot starts to write about things he has no clue about.

I wanted to write a full-length post about that, but Errata Security beat me to it. So, please enjoy this great writeup instead. 🙂 Thank you, guys!

So, can HARES be used in malware?

Wired article states that:

[HARES] could also mean the start of a new era of well-armored criminal or espionage malware that resists any attempt to determine its purpose, figure out who wrote it, or develop protections against it.

First, HARES requires a hypervisor (it builds on the TLB-splitting technique from the MoRE Shadow Walker work listed below). If the attacker already had the ability to install a hypervisor on your system, you were screwed anyway. This also means that 99.999% of today's malware won't be able to take advantage of HARES.

Second, modern antimalware solutions do not need to read the code to detect it. They can analyze the behavior of the process, monitor network connections, registry changes and file system changes - and that's enough for a successful detection. HARES hides what the code looks like, not what it does, so it doesn't interfere with that.
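To make the second point concrete, here is a toy behaviour-based detector added for this post (it is not code from the original article, from Errata Security or from any antivirus vendor). It scores processes purely on observed events; the executable's bytes are never touched, so it would work identically against HARES-encrypted code. The event log, field names (pid, event, target), rules and weights are all constructed assumptions for illustration.

```python
"""Behaviour-based detection that never reads the sample's code.

Constructed example: a small rule engine over a per-process event log
of the kind a sandbox or EDR agent records. The field names, rules,
weights and threshold are assumptions made up for this illustration.
"""
import re
from collections import defaultdict

# Constructed sample events for two processes. pid 101 drops an EXE in
# Temp, adds a Run-key entry and beacons out; pid 202 is a benign
# document editor that also talks to the network.
SAMPLE_EVENTS = [
    {"pid": 101, "event": "file_write",
     "target": r"C:\Users\joe\AppData\Local\Temp\svch0st.exe"},
    {"pid": 101, "event": "registry_set",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"pid": 101, "event": "network_connect", "target": "198.51.100.23:4444"},
    {"pid": 202, "event": "file_write",
     "target": r"C:\Users\joe\Documents\report.docx"},
    {"pid": 202, "event": "network_connect", "target": "203.0.113.7:443"},
]

# Patterns for the two "suspicious on their own" behaviours (assumed rules).
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)
TEMP_EXE = re.compile(r"\\Temp\\[^\\]+\.exe$", re.IGNORECASE)

# Assumed weights; a real product would tune these against a corpus.
WEIGHTS = {
    "run_key_persistence": 40,
    "dropped_exe_in_temp": 30,
    "beacon_after_suspicious_activity": 30,
}


def summarize(events):
    """Group observed events by pid: {pid: {event_type: [targets, ...]}}."""
    per_pid = defaultdict(lambda: defaultdict(list))
    for ev in events:
        per_pid[ev["pid"]][ev["event"]].append(ev["target"])
    return per_pid


def score_process(summary):
    """Return (score, matched rule names) for one process summary.

    Only behaviour is consulted: which registry keys were set, which
    files were written, whether a network connection followed.
    """
    hits = []
    if any(RUN_KEY.search(t) for t in summary.get("registry_set", [])):
        hits.append("run_key_persistence")
    if any(TEMP_EXE.search(t) for t in summary.get("file_write", [])):
        hits.append("dropped_exe_in_temp")
    # A network connection is only interesting once something else
    # suspicious has happened; plain connections are normal.
    if "network_connect" in summary and hits:
        hits.append("beacon_after_suspicious_activity")
    return sum(WEIGHTS[h] for h in hits), hits


def detect(events, threshold=60):
    """Return {pid: (score, hits)} for every process at or above threshold."""
    flagged = {}
    for pid, summary in summarize(events).items():
        score, hits = score_process(summary)
        if score >= threshold:
            flagged[pid] = (score, hits)
    return flagged


if __name__ == "__main__":
    for pid, (score, hits) in detect(SAMPLE_EVENTS).items():
        print(f"pid {pid}: score {score}, matched {hits}")
```

Run as-is it flags pid 101 (all three rules, score 100) and ignores pid 202 (no hits, score 0). Nothing in the code path looks at what the process's instructions are, which is exactly why keeping them encrypted buys the malware author little against this class of detection.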

You can go to sleep peacefully tonight, the world is still spinning and no magical malware is going to appear overnight.

Further reading

HARES FAQ
PDF: MoRE Shadow Walker: TLB-splitting on Modern x86
Youtube video: Virtualization: MoRE Shadow Walker The Progression of TLB Splitting on x86
PAGEEXEC and TLB Splitting

Rapidshare is closing. And nothing of value was lost.

kao

As reported by Neowin, Rapidshare customers today are greeted with the message:
[image: Rapidshare closing notice]

Which makes me wonder - was anyone still using Rapidshare? Really?

From my experience, their service has been really crappy for the last 3 years. Files were quickly deleted "due to inactivity", and free download speeds reminded me of the good old times with a 56 kbps modem.

Alexa's Traffic Rank seems to agree:
[image: Rapidshare popularity graph (Alexa Traffic Rank)]

R.I.P. Rapidshare. All hail Mediafire, MEGA or Oboom.

Freeware scam artists. And some real morons.

kao

If you spend any time playing with malware, or just downloading software, you've probably seen those kinds of scams.

Take some free software, wrap it in the Nullsoft Installer, add a few toolbars and "system optimizer" programs to the bundle, make the installation dialog as confusing as possible, and collect a commission for each install.

It usually looks something like this:
[image: uniblue installer dialog]

The reason why it works - people are stupid. They just click "Next", "Next", "Next", "Finish" and think it's gonna be alright. Sorry grandma - you just made somebody a few bucks richer!

These types of installers are usually detected as Adware or PUAs (Potentially Unwanted Applications) by most antivirus companies. The criteria for detection are really simple - if your installation dialog is designed to confuse Average Farmer Joe, you should be detected. You may not hide the "Decline" button, you may not try to blend it into the background; it must be clearly visible and accessible.

And now look at Elementary OS

Having said that, just look at the new and improved download page for ElementaryOS - a free, open-source operating system:
[image: ElementaryOS download dialog]
Can you see the free download button? Neither can I. Because it's not there!

You have to explicitly click on "$ Custom", enter "0" there, and then click "Download".

Huh? Come again, please?

Apparently, someone at Elementary OS thinks it's a great feature:

We’ve opted to present users with some easy one-button choices. Right now we have ambitious $10, $25, and $50 buttons along with a “Custom” button that lets you type anything—including $0.
...
We didn’t exclude a $0 button to deceive you; we believe our software really is worth something.

You, sir, are a fucking moron.

I need adblocker for my.. TV!

kao

I really, truly, absolutely hate ads on webpages. Any device I have has some sort of adblocking solution installed. As it turns out, some marketing "geniuses" are going to take these annoyances to the next level. Let's see how..

Ads on your Smart TV.

Oh, this is real! 🙂

As reported by CNET, GigaOM and several other news websites, Samsung SmartTVs suddenly started interrupting your TV experience and showing ads.

Every movie I play, 20-30 minutes in it plays the Pepsi ad, no audio but crisp clear ad. It has happened on 6 movies today.

Pepsi, of all things!

Luckily, the problem was limited to Australia, and is already "resolved". 🙂 But don't you worry, they will try again for sure!

Just a reminder: the same Samsung SmartTVs pulled a similar stunt a year ago.
[image: Samsung SmartTV ad]

Back then, it was possible to get rid of ads by opting-out of some obscure Yahoo crap:

To opt-out of Yahoo Broadcast Interactivity, Exit Smart Hub first, press Menu on your Samsung Remote and scroll to Smart Hub > Terms & Policy > Yahoo Privacy Policy. Scroll to “I disagree with the Yahoo Privacy Notice.” and you can toggle the option on to opt-out.

And Panasonic did the same thing 2 years ago:
[image: Panasonic Viera Connect banner]
In that case, you could opt out of it by going to Menu > Setup > Display customization > Viera Connect Banner > Off.

Ads when making phone call

As reported by The Register, some companies would like you to listen to advertisements when you are making a phone call. And you can even "express product interest by pressing an action key"!

Right. While you're at it, don't forget to add a $10/month fee for ad-free calling.

Luckily for us, this "product" hasn't been deployed on any mobile network so far. At least, not on the networks I know.

Conclusion

Welcome to the new world! You're paying us good money, but we'll still try to make more money off of you..

Excuse the mess

kao

My host (bplaced) seems to be having issues with the server where this page is being hosted. I opened a ticket, but their support is taking its sweet time to respond. 🙁 So, if you're seeing 30+ second page load times, I really apologize for that.

Also, I'm still learning how to use WordPress in the most efficient way. So, if RSS feeds get broken or some other f*ckup happens - I apologize for that too. And please let me know if you're experiencing any issues with the site.

Hello world!

kao

Hi,
I'm kao, I break stuff.

Decent reverser, average coder.. Not a member of any team, I do what I want whenever I feel like it. Most people consider me a freelancer.

What skills do I have? Well, who needs skills when you have an opinion? And I have an opinion about everything. 🙂 On a more serious note, I've worked with certain private game servers: file format analysis, network protocol analysis, data file unpackers, that kind of stuff. Unpacking executables is another of my favorite disciplines. And, of course, reversing .NET protections.

In this blog I'll be writing about things that interest me - software, reversing, tools and technology in general.

As Linus Torvalds recently said:

I'm just not a huge believer in politeness and sensitivity being preferable over bluntly letting people know your feelings.

If you don't like my way of expression, please f*ck off. Otherwise - welcome to my blog!