Archive for November, 2006

Faking a Virtual Machine

Sunday, November 19th, 2006

One of the more popular trends in recent years is the move of malicious code analysts towards virtual machines to test and reverse-engineer malicious code. And surprisingly, the virus/worm writers have been adding mechanisms to their code to detect such environments.

I came across this particular piece of software called Themida, which does exactly that. Lenny Zeltser from SANS reports about it on SANS. What's interesting is that this kind of detection is now part of commercial packers around the world.
The question I have is this: how long will it take for someone to come up with a VMware/virtual machine simulator/faker which I can run on my perfectly non-virtual desktop/laptop/server and make malware believe it is running inside a virtual machine?

If that can kill even a small percentage of fresh 0-day worms/viruses, it would be worth the effort. Wouldn't it?
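To make the "faker" idea concrete, here is an added Python example (not code from the original post, and not Themida's actual checks): it models the user-mode artifact checks that VM-aware code performs and works out what would have to be planted on a bare-metal box to pass them. The snapshot format, the two-group detector rule and the plan/apply helpers are this example's own; the artifact lists are well-known VMware guest markers (the VMware Tools registry key, guest driver files, Tools processes and VMware MAC OUIs) and are assumed for illustration.

```python
"""Added example: model VM artifact checks and derive what a VM faker must plant.

Assumptions: HostSnapshot, the two-group rule in looks_virtual() and the
artifact lists below are illustrative, not taken from any real packer."""

from dataclasses import dataclass, field

# Well-known VMware guest artifacts (assumed list for illustration).
VM_REGISTRY_KEYS = {r"HKLM\SOFTWARE\VMware, Inc.\VMware Tools"}
VM_FILES = {
    r"C:\WINDOWS\system32\drivers\vmmouse.sys",
    r"C:\WINDOWS\system32\drivers\vmhgfs.sys",
}
VM_PROCESSES = {"vmwaretray.exe", "vmwareuser.exe", "vmwareservice.exe"}
VM_MAC_OUIS = {"00:05:69", "00:0c:29", "00:1c:14", "00:50:56"}


@dataclass
class HostSnapshot:
    """What user-mode code can observe without talking to the hardware."""
    registry_keys: set = field(default_factory=set)
    files: set = field(default_factory=set)
    processes: set = field(default_factory=set)
    mac_addresses: set = field(default_factory=set)


def _lower(items):
    return {s.lower() for s in items}


def oui(mac: str) -> str:
    """First three octets of a MAC address, normalised to 'aa:bb:cc'."""
    return ":".join(mac.lower().replace("-", ":").split(":")[:3])


def vm_indicators(snap: HostSnapshot) -> dict:
    """Artifact groups that matched; an empty dict looks like bare metal."""
    hits = {
        "registry": _lower(snap.registry_keys) & _lower(VM_REGISTRY_KEYS),
        "files": _lower(snap.files) & _lower(VM_FILES),
        "processes": _lower(snap.processes) & VM_PROCESSES,
        "mac_oui": {m for m in snap.mac_addresses if oui(m) in VM_MAC_OUIS},
    }
    return {group: found for group, found in hits.items() if found}


def looks_virtual(snap: HostSnapshot, min_groups: int = 2) -> bool:
    """Assumed detector policy: require two independent groups so that one
    stray file does not trip it."""
    return len(vm_indicators(snap)) >= min_groups


def fake_vm_plan(snap: HostSnapshot) -> dict:
    """Artifacts a faker must plant so every group matches. MACs cannot be
    invented freely, so the plan rewrites the OUI of the existing adapter."""
    have = vm_indicators(snap)
    plan = {}
    if "registry" not in have:
        plan["registry"] = sorted(VM_REGISTRY_KEYS)
    if "files" not in have:
        plan["files"] = sorted(VM_FILES)
    if "processes" not in have:
        plan["processes"] = ["vmwaretray.exe"]  # one decoy process is enough
    if "mac_oui" not in have and snap.mac_addresses:
        plan["mac_oui"] = {}
        for mac in snap.mac_addresses:
            norm = mac.lower().replace("-", ":")
            plan["mac_oui"][mac] = "00:0c:29" + norm[8:]
    return plan


def apply_plan(snap: HostSnapshot, plan: dict) -> HostSnapshot:
    """Return the snapshot as it would look after the faker ran."""
    faked = HostSnapshot(set(snap.registry_keys), set(snap.files),
                         set(snap.processes), set(snap.mac_addresses))
    faked.registry_keys |= set(plan.get("registry", []))
    faked.files |= set(plan.get("files", []))
    faked.processes |= set(plan.get("processes", []))
    for old, new in plan.get("mac_oui", {}).items():
        faked.mac_addresses.discard(old)
        faked.mac_addresses.add(new)
    return faked


# Constructed bare-metal snapshot (not a real host).
BARE_METAL = HostSnapshot(
    registry_keys={r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion"},
    files={r"C:\WINDOWS\system32\drivers\i8042prt.sys"},
    processes={"explorer.exe", "svchost.exe"},
    mac_addresses={"00:1a:2b:3c:4d:5e"},
)

if __name__ == "__main__":
    print(looks_virtual(BARE_METAL))                                   # False
    print(looks_virtual(apply_plan(BARE_METAL, fake_vm_plan(BARE_METAL))))  # True
```

Planting these on a real host needs local admin rights, and it only defeats checks that look for artifacts. Checks that talk to the hypervisor directly (the VMware backdoor I/O port, or the relocated IDT/GDT base that `sidt`/`sgdt` reveal under a VMM) execute below user mode and no amount of registry keys or decoy files will satisfy them, so a faker raises the bar for the cheap checks rather than removing the problem.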

The RAJAX framework (Reverse AJAX)

Sunday, November 19th, 2006

The use of XMLHttpRequest without refreshing the browser is one of the more common ways of differentiating an Ajax application from a more traditional approach. But while the rest of the world was learning Ajax, some smart developers figured out the next step and created something called "Reverse AJAX", or as I call it, "RAJAX".

Traditional client-server applications (not over the web) which used plain TCP/IP and UDP didn't have to worry about firewalls, NATs and PATs. Such applications could initiate connections either way (from client to server, or from server to client). HTTP, which runs over TCP/IP, was designed specifically for web browsing, where it is always the client asking for information and the server replying.

By moving traditional client-server applications to web applications, users solved a lot of firewall/NAT/PAT issues but gave up a lot of usability and speed. AJAX solves the problem to some extent by reducing the amount of communication between the client and the server, but it still doesn't openly allow something servers could do in the old client-server model: initiate a connection back to the client.

RAJAX is a framework in which multiple AJAX calls between the client and server bridge this gap and give both the server and the client the ability to ask and answer requests. An excellent example of a RAJAX application is a webified chat client. Google Talk, for example, doesn't just open a connection when the user types a message; it also keeps a connection open to the server so the server can send messages to the user when one of his/her contacts wants to initiate a chat. Another example, from one of the references below, is allowing multiple AJAX-based document sharers to modify the same document.
So, in short, the client always keeps an active HTTP request open to the server, and the server responds to that request only when it has a message for the client that the client didn't ask for (this pattern is usually called long polling).
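The held-request mechanism described above, as an added Python example that is not part of the original post: an in-process model of the server side, where each client has at most one parked request and the server completes it only when it has something to push or when a timeout expires. The response dicts stand in for HTTP responses, time is passed in explicitly so the exchange is reproducible, and the one-held-request-per-client rule is this example's assumption.

```python
"""Added example: in-process model of a reverse-AJAX (long-polling) broker.

Assumptions: dicts stand in for HTTP responses, the caller supplies the clock,
and a client may hold only one open request at a time."""

from collections import defaultdict, deque


class LongPollBroker:
    def __init__(self, timeout: float = 30.0):
        self.timeout = timeout
        self.parked = {}                      # user -> deadline of the held request
        self.pending = defaultdict(deque)     # user -> messages not yet delivered
        self.completed = defaultdict(list)    # user -> responses the client received

    def client_poll(self, user: str, now: float):
        """Client opens (or re-opens) its long-poll request at time `now`.

        Returns the response at once if messages are already queued; otherwise
        parks the request, returns None, and server_push() or tick() will
        complete it later."""
        if user in self.parked:
            # One held request per client: a new poll supersedes the old one.
            self._complete(user, {"status": 204, "reason": "superseded"})
        if self.pending[user]:
            response = {"status": 200, "messages": list(self.pending[user])}
            self.pending[user].clear()
            self.completed[user].append(response)
            return response
        self.parked[user] = now + self.timeout
        return None

    def server_push(self, user: str, message: str) -> str:
        """Server-initiated delivery: finish the held request if there is one,
        otherwise queue the message for the client's next poll."""
        if user in self.parked:
            self._complete(user, {"status": 200, "messages": [message]})
            return "delivered"
        self.pending[user].append(message)
        return "queued"

    def tick(self, now: float) -> list:
        """Expire held requests past their deadline with an empty 204 so the
        client reconnects before a proxy or NAT drops the idle connection."""
        expired = sorted(u for u, deadline in self.parked.items() if deadline <= now)
        for user in expired:
            self._complete(user, {"status": 204, "reason": "timeout"})
        return expired

    def last_response(self, user: str):
        return self.completed[user][-1] if self.completed[user] else None

    def _complete(self, user, response):
        del self.parked[user]
        self.completed[user].append(response)


def chat_scenario() -> list:
    """Constructed exchange: alice holds a request, bob's message is pushed
    into it, a second message arrives while alice is between polls, and a
    later idle request times out. Returns the sequence of outcomes."""
    b = LongPollBroker(timeout=30)
    trace = []
    trace.append(("alice polls", b.client_poll("alice", now=0)))            # None: parked
    trace.append(("push to alice", b.server_push("alice", "bob: hi")))      # delivered
    trace.append(("push to alice", b.server_push("alice", "bob: there?")))  # queued
    trace.append(("alice polls", b.client_poll("alice", now=7)))            # 200 with queued message
    trace.append(("alice polls", b.client_poll("alice", now=8)))            # None: parked again
    trace.append(("tick", b.tick(now=40)))                                   # ["alice"]: timed out
    return trace


if __name__ == "__main__":
    for step, outcome in chat_scenario():
        print(step, "->", outcome)
```

Two things a real deployment must add on top of this model: the held request is still an ordinary HTTP request, so the server must take the user's identity from the authenticated session rather than from anything in the request body, and the messages it hands back originate from other users, so the browser side must treat them as untrusted text before rendering.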

References

Sitemaps now supported by Microsoft and Yahoo.

Thursday, November 16th, 2006

Google started it, but sitemaps have since been adopted by most of the large search organizations out there. If you own a website and have a lot of static content, you should probably investigate creating and updating a sitemap on a regular basis.

A sitemap is basically an XML file which describes the contents and change frequency of the site. If you have ever had pages hidden deep inside your website which were not getting indexed, sitemaps are an excellent way of advertising those pages to the search engine.

Sitemaps are an easy way for webmasters to inform search engines about pages on their sites that are available for crawling. In its simplest form, a Sitemap is an XML file that lists URLs for a site along with additional metadata about each URL (when it was last updated, how often it usually changes, and how important it is, relative to other URLs in the site) so that search engines can more intelligently crawl the site. Web crawlers usually discover pages from links within the site and from other sites. Sitemaps supplement this data to allow crawlers that support Sitemaps to pick up all URLs in the Sitemap and learn about those URLs using the associated metadata. Using the Sitemap protocol does not guarantee that web pages are included in search engines, but provides hints for web crawlers to do a better job of crawling your site.
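As an added Python example (not from the original post or from sitemaps.org), here is a small generator for the file format just described, with the checks a site owner should apply before publishing: it rejects URLs that are not on the site's own host, validates the changefreq and priority values, entity-escapes the URLs, splits the output into files of at most 50,000 URLs with a sitemap index on top, and drops paths under prefixes you never want advertised. The entry tuple shape and the exclude-prefix filter are this example's own; the element names, the allowed changefreq values and the per-file URL limit come from the Sitemap protocol.

```python
"""Added example: build sitemap files and a sitemap index with publication checks.

Assumptions: the (path, lastmod, changefreq, priority) tuple shape and the
exclude_prefixes filter are this example's own."""

import xml.etree.ElementTree as ET
from datetime import date

NS = "http://www.sitemaps.org/schemas/sitemap/0.9"
MAX_URLS_PER_FILE = 50_000          # protocol limit per sitemap file
CHANGEFREQS = {"always", "hourly", "daily", "weekly", "monthly", "yearly", "never"}
XML_DECL = '<?xml version="1.0" encoding="UTF-8"?>\n'
ET.register_namespace("", NS)       # emit the protocol namespace as the default


def absolute_url(base_url: str, path: str) -> str:
    """Join a site-relative path onto the site root. A sitemap may only list
    URLs on its own host, so absolute and protocol-relative paths are rejected."""
    if not path.startswith("/") or path.startswith("//") or "://" in path:
        raise ValueError(f"not a site-relative path: {path!r}")
    return base_url.rstrip("/") + path


def build_sitemaps(entries, base_url, max_urls=MAX_URLS_PER_FILE, exclude_prefixes=()):
    """entries: iterable of (path, lastmod: date, changefreq, priority).
    Returns a list of sitemap XML strings, one per file of at most max_urls."""
    urls = []
    for path, lastmod, changefreq, priority in entries:
        if any(path.startswith(p) for p in exclude_prefixes):
            continue  # a sitemap is public: never advertise admin/internal paths
        if changefreq not in CHANGEFREQS:
            raise ValueError(f"bad changefreq {changefreq!r} for {path}")
        if not 0.0 <= priority <= 1.0:
            raise ValueError(f"priority out of range for {path}")
        urls.append((absolute_url(base_url, path), lastmod, changefreq, priority))

    files = []
    for start in range(0, len(urls), max_urls):
        urlset = ET.Element(f"{{{NS}}}urlset")
        for loc, lastmod, changefreq, priority in urls[start:start + max_urls]:
            url = ET.SubElement(urlset, f"{{{NS}}}url")
            ET.SubElement(url, f"{{{NS}}}loc").text = loc   # ElementTree escapes &, <, >
            ET.SubElement(url, f"{{{NS}}}lastmod").text = lastmod.isoformat()
            ET.SubElement(url, f"{{{NS}}}changefreq").text = changefreq
            ET.SubElement(url, f"{{{NS}}}priority").text = f"{priority:.1f}"
        files.append(XML_DECL + ET.tostring(urlset, encoding="unicode"))
    return files


def build_sitemap_index(sitemap_urls, lastmod: date) -> str:
    """Index file pointing at each sitemap file, needed once a site spans several."""
    index = ET.Element(f"{{{NS}}}sitemapindex")
    for loc in sitemap_urls:
        sm = ET.SubElement(index, f"{{{NS}}}sitemap")
        ET.SubElement(sm, f"{{{NS}}}loc").text = loc
        ET.SubElement(sm, f"{{{NS}}}lastmod").text = lastmod.isoformat()
    return XML_DECL + ET.tostring(index, encoding="unicode")


# Constructed page list for a hypothetical site (not a real inventory).
PAGES = [
    ("/", date(2006, 11, 16), "daily", 1.0),
    ("/archive/2006/11/", date(2006, 11, 16), "weekly", 0.8),
    ("/search?q=a&page=2", date(2006, 11, 10), "monthly", 0.3),
    ("/admin/login", date(2006, 11, 1), "never", 0.1),
]

if __name__ == "__main__":
    for xml in build_sitemaps(PAGES, "https://example.com", exclude_prefixes=("/admin",)):
        print(xml)
```

The exclude list matters more than it looks: a sitemap is fetched by anyone who asks for it, so every URL in it is effectively a public directory listing of your site, and anything you would not want in a search result (login pages, internal tools, unlinked drafts) should never be written into it in the first place.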

Powershell/Monad Version 1.0 is finally out

Wednesday, November 15th, 2006

More than two years ago I wrote about a neat little Microsoft project called Monad which caught my eye. The project boasted of doing something which I'd never seen anyone else do before: they created an object-oriented shell interface.

One of the examples I use to explain it is this: unlike the Unix flavor of "ps", which lets you list the fields you like (or not) using optional command-line parameters, in Monad you can take the output of "ps" (aka get-process) and manipulate the objects returned to print any format you want by inspecting the object. All Unix admins know how to use "cut", "grep" and "awk" for different reasons, but in a true Monad shell environment, where every command you type is a Monad cmdlet, you won't have to use the traditional string-based tools anymore.

What's interesting is that, unlike in Unix/other shells, you can pipe the output of the ps command in Monad into an XLS sheet with a pie chart attached. Neat!!

Microsoft has finally released the official 1.0 version of this product (just in time for the Vista release) and it's now called PowerShell. Even though the version I installed was on my XP box, it supports other flavors of Windows as well. Watch this blog for more on PowerShell, as I'm surely going to use it.


Comprehensive security report on Mac

Tuesday, November 14th, 2006

I knew that Macs are the most secure operating systems around, but what surprised me is that someone took the trouble of writing a comprehensive 29-page PDF report about it.

"The research report looks at significant OS X threats including local, remote and kernel vulnerabilities and discusses overall system design weaknesses that contribute to insecurities on the Mac platform. The document also reviews the current state of malicious code, discussing the presence of several viruses and worms and the existence of three known rootkits for OS X."