/*
16 Feb

Why you should not worry about HARES

Last week Wired published an article about HARES - Hardened Anti-Reverse Engineering System. The article is really great example of what happens when some idiot starts to write about things he has no clue about.

I wanted to write a full-length post about that, but Errata Security beat me to it. So, please enjoy this great writeup instead. smile Thank you, guys!

So, can HARES be used in malware?

Wired article states that:

[HARES] could also mean the start of a new era of well-armored criminal or espionage malware that resists any attempt to determine its purpose, figure out who wrote it, or develop protections against it.

First, HARES requires a hypervisor. If the attacker had ability install hypervisor on your system, you were screwed anyway. This also means that 99.999% of today's malware won't be able to take advantage of HARES.

Second, modern antimalware solutions do not need to analyze code. They can analyze behavior of the process, monitor network connections, registry changes, file system changes - and that's enough for a successful detection. HARES doesn't interfere with that.

You can go to sleep peacefully tonight, the world is still spinning and no magical malware is going to appear overnight.

Further reading

HARES FAQ
PDF: MoRE Shadow Walker: TLB-splitting on Modern x86
Youtube video: Virtualization: MoRE Shadow Walker The Progression of TLB Splitting on x86
PAGEEXEC and TLB Splitting

2 thoughts on “Why you should not worry about HARES

  1. After I originally commented I appear to have clicked the
    -Notify me when new comments are added- checkbox and from now on every time a comment is added I recieve
    4 emails with the same comment. There has to be a means you can remove me from that service?
    Thank you!

    • That's the most original spam message I've seen in last few weeks. Thanks! :)

      No, there really isn't a "-Notify me when new comments are added-" checkbox in WordPress.

Leave a Reply

Your email address will not be published.

Number

*/
16 Feb

Why you should not worry about HARES

Last week Wired published an article about HARES - Hardened Anti-Reverse Engineering System. The article is really great example of what happens when some idiot starts to write about things he has no clue about.

I wanted to write a full-length post about that, but Errata Security beat me to it. So, please enjoy this great writeup instead. smile Thank you, guys!

So, can HARES be used in malware?

Wired article states that:

[HARES] could also mean the start of a new era of well-armored criminal or espionage malware that resists any attempt to determine its purpose, figure out who wrote it, or develop protections against it.

First, HARES requires a hypervisor. If the attacker had ability install hypervisor on your system, you were screwed anyway. This also means that 99.999% of today's malware won't be able to take advantage of HARES.

Second, modern antimalware solutions do not need to analyze code. They can analyze behavior of the process, monitor network connections, registry changes, file system changes - and that's enough for a successful detection. HARES doesn't interfere with that.

You can go to sleep peacefully tonight, the world is still spinning and no magical malware is going to appear overnight.

Further reading

HARES FAQ
PDF: MoRE Shadow Walker: TLB-splitting on Modern x86
Youtube video: Virtualization: MoRE Shadow Walker The Progression of TLB Splitting on x86
PAGEEXEC and TLB Splitting

2 thoughts on “Why you should not worry about HARES

  1. After I originally commented I appear to have clicked the
    -Notify me when new comments are added- checkbox and from now on every time a comment is added I recieve
    4 emails with the same comment. There has to be a means you can remove me from that service?
    Thank you!

    • That's the most original spam message I've seen in last few weeks. Thanks! :)

      No, there really isn't a "-Notify me when new comments are added-" checkbox in WordPress.

Leave a Reply

Your email address will not be published.

Number