
A researcher’s tale of defeating traps, tricks, and complex virtual machines - okket
https://cloudblogs.microsoft.com/microsoftsecure/2018/03/01/finfisher-exposed-a-researchers-tale-of-defeating-traps-tricks-and-complex-virtual-machines/
======
smacktoward
I feel like this gets at something that you don't really hear talked about
much, namely: we, as an industry, have for a very long time assumed when
thinking about how to secure our products that the attackers those products
would face would be either low-skill amateurs ("script kiddies") or, at worst,
small gangs of professional criminals. But more and more we're seeing a new
class of attacker, actual _nation-states_ (and their associated intelligence
services), who can bring resources and expertise to bear that those other
attackers could only dream of. Which means they can open up defenses that were
more than sufficient against the attackers of the past like soft fruit.

That's a big change, and I don't know that most developers have even started
to grapple with what it means for the products we build and the way we build
them.

~~~
joe_the_user
Take nation-states creating tools that can then be repurposed by anyone and
hardware that is insecure all the way down and you have a cyberworld where it
looks like offense is going to be superior to defense for a while.

This is the way real world warfare has gone historically. Guns made medieval
armor obsolete, defenses against missiles are more fig leaves than serious
factors and simple mobile units have become standard.

~~~
wyldfire
Where does it end? Or at least go next? The death of the general purpose
computer [1], that's where. Signed bootloaders show up as opt-in, luring you
with safety. Soon enough, they'll be mandated by legislation. Next ISPs will
be required to execute authentication protocols against all devices -- no more
anonymity.

[1]
[https://boingboing.net/2012/08/23/civilwar.html](https://boingboing.net/2012/08/23/civilwar.html)

~~~
oakwhiz
Cellular providers are already feature-gating users based on whether their
crapware is installed on user devices or not. Certain providers are also
basing it off of whether or not you bought the phone from them, via the IMEI
number. Updates to devices are often different based on the phone's
"affiliation." They can easily corral people into using specific firmwares.

~~~
posterboy
And they can load their code into the baseband processor without any
interaction from the user.

------
royjacobs
The amount of obfuscation going on here is very impressive. It always makes me
wonder how these things are even written and designed in the first place.

I seem to recall a C++ protection library that would allow you to define
custom versions of types like int and long. It would use operator overloading
to allow you to use the types in a fairly normal fashion, but underneath these
operators would actually be implemented as a very complicated virtual machine.
This way, your algorithm code could look fairly normal but it would compile to
an absolute beast of a protection layer.

~~~
a_t48
For a game I once did something very similar in Lua for protecting values in
memory that cheaters might like to change.

~~~
justinjlynn
MOV/SUBLEQ/CRYPTOLEQ virtual machines which decrypt self-modifying code are
the bane of my existence!

------
transpute
Microsoft gave a Jan 2018 presentation on Windows 10 "Hardening with Hardware"
features that are going to be rolled out in upcoming releases, e.g. Hyper-V
dynamic root of trust, remote attestation, per-app VM with copy-on-write
memory, GPU isolation via IOMMU, secure enclaves.

Slides: [https://github.com/Microsoft/MSRC-Security-
Research/blob/mas...](https://github.com/Microsoft/MSRC-Security-
Research/blob/master/presentations/2018_01_BlueHatIL/BlueHatIL18_Weston_Hardening_With_Hardware.pdf)

Video:
[https://youtube.com/watch?&v=8V0wcqS22vc](https://youtube.com/watch?&v=8V0wcqS22vc)

------
saagarjha
Great read. Most of my knowledge in this area is for macOS and Linux, so it’s
interesting to see how obfuscation is done on Windows. The core ideas are the
same: add weird instructions to fool disassemblers, indirect through a VM,
disable debugging and tracing, etc. but the techniques are different on each
platform. Plus you have creative solutions like the one mentioned in the
article: taking a screenshot of the screen and displaying it over everything
to give the impression that nothing malicious is going on, all while you’re
running code that displays security messages that you couldn’t figure out how
to subvert.

