
Tool defeats binary diffing, automated reverse engineering of Windows security patches

By Michael S. Mimoso, Editor
06 Aug 2009 | SearchMidmarketSecurity.com


It's no secret hackers are pretty adept at reverse engineering vendor patches in order to learn more about the vulnerability being repaired, and in turn, quickly write malware to exploit the bug.

This is especially true of Microsoft's monthly Windows security patches, released the first Tuesday of every month. Hackers -- and researchers -- have at their disposal an array of commercial and open source tools and techniques, known as binary differs, to help with patch analysis.

Binary diffing suites are especially effective at analyzing Windows patches, where fixes are confined to relatively small, concentrated areas of the binaries. By comparing past and current binaries, the diffing tools spot the differences, highlight what's new and point hackers in the right direction.

At the recent Black Hat USA 2009 conference, Jeongwook Oh, a researcher with eEye Digital Security, unveiled an anti-binary-diffing tool called Hondon (which translates to "chaos" in Korean). Hondon, Oh said, obfuscates binaries so that patched elements are essentially invisible to diffing tools, without affecting the stability or usability of the patches.

"It should not have any serious side effects other than preventing binary diffing. It will just make the patched code parts invisible and buried among obfuscated fake patched parts," Oh said.

The idea behind anti-binary diffing is to extend the time it takes for an attacker to analyze patches and create a working exploit. Oh called these 1-day exploits, in contrast to zero-day exploits that appear before vulnerabilities are known. Oh says all Windows patch binaries have either been manually or automatically diffed; he estimates some can be analyzed in as few as 30 minutes and a working exploit can be developed within a day. This certainly beats the timeframe many midmarket companies have for testing and rolling out patches within their IT environments.

"The binary diffing technique is very useful against Windows binaries because Microsoft monthly is changing only small bits of the binaries," Oh said. "You can find it easily."

Binary differs have been around for 10 years; the first, called BMAT, worked much like a signature-based tool: it matched symbolic names first, then applied a hash value to the binaries and compared the matches. Vendors usually don't release these symbols, but Microsoft does as soon as patches are released, Oh said.

Noted hacker Halvar Flake built on that work and at Black Hat 2004 introduced ARE, or automated reverse engineering, a tool that automated the process. Soon tools were introduced that conducted structural and graphical comparisons of executable objects. Eventually, Flake introduced bindiff, a commercial tool sold by Zynamics, formerly known as Sabre Security.

IDACompare followed in 2005. It is a plug-in for the IDA disassembler platform and is primarily used to analyze changes in malware variants, though it can be adapted to perform patch analysis as well. eEye released its eEye Binary Diffing Suites as open source in 2006, and Tenable Network Security released Patchdiff2 in 2008 before eEye followed up with DarunGrim2, the next version of the Binary Diffing Suites.

These tools rely on a variety of algorithms and matching techniques, including symbolic name matching, fingerprint hashing and structure-based analysis, to find subtle and not-so-subtle differences between patched and unpatched versions of Windows binaries.

Oh said Windows binaries, which are readily available for download from each patch's page, are easy targets because they are patched so frequently and because only security fixes, not feature enhancements, are included. Microsoft also provides symbols for system DLLs, drivers and the kernel along with the patches, which helps the attacker work out what has been modified. Windows patches also cannot obfuscate code, because that practice would likely cause problems with other software, Oh said.

Hondon, or anti-binary diffing, attempts to defeat the diffing process by changing symbol names, reordering or replacing instructions to beat code checksums, and altering code flow graph signatures to fool structural matching, among several other techniques.
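The following is an added toy model, not code from the article or from Hondon, of the two matching passes described above (symbolic-name matching, then fingerprint hashing) and of why symbol renaming, instruction replacement and fake patched parts bury the one real change. The "binaries", function names, instruction lists and the REPLACE table are all constructed stand-ins, not real disassembly or ISA-accurate rewrites.

```python
import hashlib
# Constructed toy "binaries": function name -> list of instruction mnemonics.
# Real tools work on disassembly of the actual PE files; this is only a model.
OLD = {
    "CopyBuf":  ["push", "mov", "mov", "rep movsb", "pop", "ret"],
    "ParseHdr": ["push", "mov", "cmp", "jb", "call", "pop", "ret"],
    "Log":      ["push", "mov", "call", "pop", "ret"],
}
# The real security fix: ParseHdr gains one extra bounds check before the call.
NEW = dict(OLD, ParseHdr=["push", "mov", "cmp", "jb", "cmp", "ja", "call", "pop", "ret"])

def fingerprint(insns):
    """Hash over the mnemonic sequence: the simplest form of fingerprint hashing."""
    return hashlib.sha256(" ".join(insns).encode()).hexdigest()[:16]

def diff_by_symbol(old, new):
    """Symbolic-name matching: pair functions by name, flag those whose fingerprint
    changed. Returns (changed, unmatched); a short 'changed' list points straight
    at the fix."""
    changed = sorted(n for n in new if n in old and fingerprint(new[n]) != fingerprint(old[n]))
    unmatched = sorted(n for n in new if n not in old)
    return changed, unmatched

def match_by_fingerprint(old, new):
    """Fallback when symbols are missing: a function in `new` is 'unchanged' if its
    fingerprint appears anywhere in `old`. Returns the names that matched."""
    known = {fingerprint(v) for v in old.values()}
    return sorted(n for n, v in new.items() if fingerprint(v) in known)

# Toy stand-ins for the transformations the article lists (symbol renaming,
# instruction replacement, fake patched parts). Not ISA-accurate rewrites.
REPLACE = {"mov": "lea", "push": "enter"}

def anti_diff(binary):
    """Hondon-style rewrite of the patched binary: strip every symbol, alter the
    instruction mix of every function and add a decoy copy, so that every function
    looks patched and the one real change is buried among the fakes."""
    out = {}
    for i, (name, insns) in enumerate(sorted(binary.items())):
        rewritten = [REPLACE.get(m, m) for m in insns]
        out[f"sub_{i:04x}"] = rewritten                     # real code, symbol stripped
        out[f"sub_{i + 0x100:04x}"] = rewritten + ["nop"]   # fake "patched" decoy
    return out

def suspects(old, new):
    """Functions an analyst would still have to inspect after both matching passes."""
    changed, unmatched = diff_by_symbol(old, new)
    still_unknown = set(unmatched) - set(match_by_fingerprint(old, new))
    return sorted(set(changed) | still_unknown)
```

Against the plain patch the diff narrows the search to ParseHdr alone; against the rewritten patch every function is a suspect, which is the delay Oh is after.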

"Some major vendors are reluctant to use a severe form of anti-debugging, because it can break things," Oh said. "They need some lightweight, non-aggressive and effective way to defeat binary differs."
