News Stay informed about the latest enterprise technology news and product updates.

Tool defeats binary diffing, automated reverse engineering of Windows security patches

At Black Hat, a researcher unveils a tool that obfuscates fixes in Windows security patches, making them invisible to binary diffing suites and automated reverse engineering.

It's no secret hackers are pretty adept at reverse engineering vendor patches in order to learn more about the vulnerability being repaired, and in turn, quickly write malware to exploit the bug.

More on Windows
patch management
How to ensure the validity of Microsoft Windows updates: Ever wonder if what you've downloaded from Windows Update is a complete scam? Learn how to check that the programs you have installed are actually from Microsoft.
Assess your security state in five steps: Prioritize your security spending by identifying how data moves and users interact, and what vulnerabilities exist in infrastructure, systems and applications.
How to fill patch management gaps using Microsoft MBSA: Microsoft Baseline Security Analyzer examines and quantitatively summarizes the state of your organization's Windows security.

This is especially true with Microsoft's monthly Windows security patches that are released the first Tuesday of every month. Hackers -- and researchers -- have at their disposal an array of commercial and open source tools and techniques available to help with patch analysis called binary differs.

Binary diffing suites especially effective in analyzing Windows patches where fixes are in relatively concentrated areas of the binaries. By comparing past and current binaries, the diffing tools spot the differences, contrast what's new and point hackers in the right direction.

At the recent Black Hat USA 2009 conference, Jeongwook Oh, a researcher with eEye Digital Security, unveiled an anti binary-diffing tool called Hondon (which translates to chaos in Korean). Hondon, Oh said, obfuscates binaries so that patched elements are essentially invisible to diffing tools without impacting the stability and usability of the patches.

"It should not have any serious side effects other than preventing binary diffing. It will just make the patched code parts invisible and buried among obfuscated fake patched parts," Oh said.

The idea behind anti-binary diffing is to extend the time it takes for an attacker to analyze patches and create a working exploit. Oh called these 1-day exploits, in contrast to zero-day exploits that appear before vulnerabilities are known. Oh says all Windows patch binaries have either been manually or automatically diffed; he estimates some can be analyzed in as few as 30 minutes and a working exploit can be developed within a day. This certainly beats the timeframe many midmarket companies have for testing and rolling out patches within their IT environments.

"The binary diffing technique is very useful against Windows binaries because Microsoft monthly is changing only small bits of the binaries," Oh said. "You can find it easily."

It should not have any serious side effects other than preventing binary diffing. It will just make the patched code parts invisible and buried among obfuscated fake patched parts.
Jeongwook Oh
ResearchereEye Digital Security

Binary differs have been around for 10 years; the first called BMAT was similar to a signature-based tool that would match symbolic names before applying a hash value to the binaries and comparing the matches. Usually vendors don't release these symbols, but Microsoft does as soon as patches are released, Oh said.

Noted hacker Halvar Flake built on that work and at Black Hat 2004 introduced ARE, or automated reverse engineering, a tool that automated the process. Soon tools were introduced that conducted structural and graphical comparisons of executable objects. Eventually, Flake introduced bindiff, a commercial tool sold by Zynamics, formerly known as Sabre Security.

IDACompare followed in 2005. It is a plug-in for the IDA disassembler platform and is primarily used to analyze changes in malware variants; it can be adopted to perform patch analysis as well. EEye released its eEye Binary Diffing Suites to open source in 2006, and Tenable Network Security let loose with Patchdiff2 in 2008 before eEye followed up with DarunGrim2, the next version of the Binary Diffing Suites.

These tools depend on a variety of algorithms and matching techniques, including symbolic name matching, fingerprint hashing, structure-based analysis and more to find subtle and not-so subtle differences in patched versions of Windows binaries.

Oh said Windows binaries, which are readily available for download from each patch's page, are easy targets because they are patched so frequently and only security fixes, not feature enhancements, are included. Microsoft also provides symbols for system dlls, drivers and the kernel, along with the patches. This helps the attacker in his analysis of what has been modified. Also, Windows patches cannot obfuscate code because that practice would likely cause problems with other software, Oh said.

What Hondon, or anti-binary diffing does is attempt to defeat binary diffing processes by changing symbol names, reordering or replacing instructions to beat code checksums, and altering code flow graph signatures to fool identifying processes, among several other techniques.

"Some major vendors are reluctant to use a severe form of anti-debugging, because it can break things," Oh said. "They need some lightweight, non-aggressive and effective way to defeat binary differs."

Send comments on this technical tip

Join our IT Knowledge Exchange discussion forum; please use the midmarket security tag.

Dig Deeper on Microsoft Windows configuration and patch management

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.