Archive for the ‘gnisreveR’ Category
Metasploit Reversing Toolkit | tiklooT gnisreveR tiolpsateM
The other day, I saw a link to the Metasploit Blog over on Emergent Chaos. Since I’m a regular user of Metasploit, I decided to check out the new blog, and what did I find? An introduction to the Metasploit Reversing Toolkit! Needless to say, I became very excited when I saw this; I remember cutting my teeth “back in the day” – filtering through the torrent of underground literature on the topic (only the smallest fraction of which was readable, let alone truly exceptional).
I’ll spare you the waxing nostalgic about my first copy of SoftIce or the first time I traced through BOZOSLIVEHERE – a name which I remember thinking was particularly apropos at the time (considering, at any rate, why I was tracing through it). But it does seem to me that the Metasploit folks have it right once again: reverse engineering is even more important and useful today than it ever was, and it’s getting harder and harder to do the more complex software becomes. Back in the day, most folks interested in the topic for its own sake were probably interested in cracking software or corporate espionage. Today, there is so much more to do – we have DRM components to find on our music CDs, “drive-by” spyware infestations to analyze, spurious binary components to audit, etc.; all these activities require a set of skills that are difficult to learn and seldom actively encouraged. In any event, I’m filled with optimism that Metasploit can do for reversing what they did for exploit code, although I’m only cautiously optimistic about the fact that they’ve chosen to develop it in Ruby.
Malware FUD and Flames
In case you haven’t been following this, the AV-Comparatives November 2005 results are out. If you follow the link, go to the Comparative #8 halfway down the page; I apologize for not providing a direct link, but I’m following their “Terms of Use”, and linking to anything other than the “main page” is verboten (literally – it’s a German site).
Here’s my take on this. On the one hand, I find the fact that AV-Comparatives is doing independent research on AV accuracy to be useful to the community. I would take issue with some of the specifics of the methodology (like the lack of easy-to-follow transparency into the lab testing), but that’s just a minor point. On the other hand, I find the ridiculous FUD that their reports are being used to perpetuate to be reprehensible: “Majority of… Corporations are Vulnerable…”, “Alarming Findings…”, etc. Granted, this noise isn’t coming from AV-Comparatives but from ESET, but maybe AV-Comparatives could use their copyright to distance themselves from the FUD. So, sort of “mixed props” to AV-Comparatives.
Also, I’m interested to see how StopSign plays out in the long term. Interestingly, they have chosen to almost completely ignore the security community and are instead focusing a tremendous amount of marketing dollars on the public at large: you won’t see them in SC Magazine, Information Security Magazine, or the like, but you will see them on CNBC’s SquawkBox, MSNBC, CNNfn, etc. I’m curious to see how well this tactic works in the long term. I haven’t used the product, so I can’t comment on how it works per se, but I’ll be keeping my eyes open.