A forum for reverse engineering, OS internals and malware analysis 

 #17323  by R136a1
 Fri Dec 21, 2012 1:54 pm
Hi there,

In the latest Valhalla E-Zine (Valhalla III) there is a very interesting interview with Eric Filiol about the AV industry, malware cryptology, real cyber-weapons, ...
Computer virology and cryptanalysis are just techniques and tools. Cyber war is
the art of using those tools (along with many others like conventional weaponry in
a combined perspective) while conducting a general war maneuver. Most people
forget that there is a huge difference between having a powerful malware and
using it in the most clever and efficient way. This is why (see further) I consider
that Stuxnet and later avatars are amateur work. To be more illustrative, you
can have the most powerful guns, but if you ignore how to use them, if you are unable
to organize your troops in order to use those guns efficiently, you will fail.
...
Well, I am strongly puzzled about Stuxnet and later avatars. I think that most of
this is a huge buzz organized by Kaspersky. First, Gauss is a classical malware
that just spies on specific data (financial data). The technology inside is not
significantly different from that of very nice oldies from the 80s and 90s.
Stuxnet is a little bit different, but from a code point of view the Aurora codes
were similar except for the number of simultaneous 0-days used and of course for
the stolen cryptographic certificates. In fact the success of Stuxnet comes from
that: being able to look like a legitimate resource. Duqu (and the very comic
buzz around an allegedly unknown programming language by Kaspersky, who seems to
ignore what a formal language is) is a pity. Lastly, Flame is a media scandal.
Whale and Dark Paranoid malware were very similar and probably far better
designed and implemented.

For me those malware are not cyber weapons (or the "military" authors have to
change for another job). I cannot believe that the US or Israeli armies would make
such huge mistakes. A military-purpose malware has to be stealthy, efficient and
very targeted. In fact you will never learn about it and you will never detect
it. You do not leave evidence (or alleged evidence like in the Stuxnet code) that
can identify you as the malware author or user. Unless intelligence services
intend to send a message. In this case it would be a technical, strategic and
operational error, since now all rogue countries are aware and are prepared.

In fact cyberweapons have already been used for a while by governments in a more
clever way. This began directly in the 80s, but no one except a limited
number of experts in the domain has ever heard about them. Secrecy is a
mandatory aspect (which includes not being detected) if you want to gain a
tactical and strategic advantage. And of course if you want to replay attacks. I
have analyzed two real, very sophisticated attacks which were very likely (the
last in 2004) from foreign intelligence services. The code was discovered
because we supposed that the leak of secret data could be explained by the use of
spying malware. We found it on three computers of a very sensitive company.
They had been installed for months beforehand and never detected by any users or AV
software. The analysis clearly proved that the crypto was of governmental nature,
as well as the operational management of the malware. We never managed to
identify the author and the users. We have here a true cyberweapon.
...
The claim of the AV community is not only wrong from a scientific point of view,
but it is also either the proof of their scientific incompetence and ignorance
or a marketing lie. We have designed malware for which we can prove
that it cannot be detected (for example if you use suitable underlying formal
grammars for code mutation, or if you use sophisticated code armoring
techniques). Moreover, time is THE key issue. Malware have time, AV do not (just
imagine if every time you or the system do anything, the AV blocks it and
analyzes it for tens of minutes). AV just allocate a (very) limited number of
cycles for analysis. We have designed a lame but very efficient malware as
follows (the malware moreover embeds code mutation techniques): the malware
encrypts itself and throws the secret key away (the key changes regularly
since the malware generates keys at random). Then, to operate, the malware has
first to decrypt itself, which can be tuned to take between 10 and 30 minutes. It is
what we have called tau-obfuscation (tau standing for time). From a general
point of view, if you want to design a truly undetectable malware you have to
use mathematical tools from computability and complexity theory. So the
answer is yes, and we have already done it. We test all AVs regularly and none of
them has ever been able to detect our malware.
...
Valhalla III: http://spth.virii.lu/main.htm
 #17325  by kareldjag/michk
 Fri Dec 21, 2012 7:24 pm
Hi,
As a military man, his opinion about the AV industry is objective.
When I discussed and linked him my Kaspersky test a few years ago, he suggested presenting the testing philosophy at the EICAR conference:
http://www.eicar.org/16-0-Eicar-Board.html
A waste of time: since there are people who do not know what an indeterminate equation is, there will always be an AV industry.
His statements about AV limits and excessive marketing practices motivated Eric Filiol to launch the European open source antivirus DAVFI: http://www.davfi.fr/index.html
He also contributes to Misc, a French engineering mag. (hope Valhalla will grow from a zine to a mag...), as an example for a test of Dr Web: http://www.ed-diamond.com/feuille_misc38/index.html

rgds