Sunday, September 20, 2015

Joxean Koret: "The antivirus companies cursed me"

Joxean Koret. Author of "The Antivirus Hacker's Handbook".


Joxean Koret belongs, like Pancake, Hugo Teso or Reversemode, to the collective 48bits, a group of excellent hackers, lovers of reverse engineering, internationally active and in their thirties. Joxean, born in Portugalete, arrived in IT security, as he says, self-taught: "I was in a boilers and welding course and I pretended to be injured because I didn't want to be in the workshop, with the risk of an accident, so they moved me to the computer room to design metal structures. When I finished, I started to work as a welder and to pay for a programming course."

"In six months I was working at a consultancy as a Visual Basic 6 programmer (we all have a dark past), with a half-day contract, working 12 hours a day and earning less than 40% of what I was earning as a welder. But I was happy because I had access to a computer. For 4 years I jumped from one "IT services company" to another, always sub-sub-contracted and/or with illegal contracts. In 2004 I saw a vulnerability warning from a Scot, David Litchfield, affecting Oracle Database. I saw that they were easy to find and I started to look for more, developing my own tools for it."


- You've just published a book as its co-author, "The Antivirus Hacker's Handbook". How did you get the idea?

- I was working at an antivirus company years ago and I gave it up. Some years later, they asked me if I would give a "Fuzzing for dummies" style lecture at a very underground conference (LaCon) and to test the fuzzing suite I used against antivirus. Afterwards, I looked at them in depth and I realised how dangerous they really are. I've been studying them for two years more or less and in the first year alone I had material for several editions of this book... One day I asked on Twitter if someone would be interested in a book like this and a colleague answered: "Yes, (the publisher) Wiley".

- Pierluigi Paganini, from SecurityAffairs, has said that most of the vulnerabilities you show in the book "are nothing new", but that it's the first time they are publicly unveiled.

- No. The first one to show it was Sergio Álvarez (shadown) with his lecture "Antivirus (In)Security" in 2007. He talked about over 80 vulnerabilities, unpublished, so nothing changed. The next year Feng Xue, at BlackHat, did the same thing. Tavis Ormandy, in 2012, brought a beautiful report about a deep analysis of Sophos and, when it was all public, at least Sophos was forced to change (a bit). Later, in 2014, I published the first results of my research, at SyScan in Singapore.

- And you opened Pandora's Box?

- I didn't show anything that wasn't known. I simply did it in an "irresponsible" way according to most of the antivirus companies: I published a lot of 0days and techniques and I didn't want to collaborate "for free" with people who didn't contact me, or simply because I didn't want to. That was the turning point. There are many reasons but mainly, that I don't want to collaborate with absolutely irresponsible multimillion companies that sell smoke with "cool" graphic interfaces and a label with colorful letters that says "SAFE". Not to mention the damage they do to IT security with antivirus marketing campaigns telling things such as "Install and forget about it!" when companies such as Kaspersky have been hacked by state/nation-level adversaries without noticing until long afterwards (as is logical) and their "protection" tools were of no use (something that I understand as "Buy our software! It didn't serve us when Israel attacked us, but... It doesn't matter!").

- Which part of the book would you recommend to a friend?

- Chapter 2, about reversing antivirus :) It's one of the most tedious parts, but it's worthwhile. In this chapter, for example, I teach how to create Python bindings for an AV (Avast in this case) and how to make them native for others (Comodo, in the book's case).

- Has any antivirus company put a horse's head in your bed?

- No, no. But I've been accused of being in the malware industry, of working for the NSA or whatever. But nothing really important, only some anger and corporate blog entries cursing me and saying I have no idea. Or failed attempts to use my research to promote their products. Meanwhile, their workers send me private messages congratulating me or laughing and, what is more striking, other people, security researchers, always privately, tell me things such as "kudos for going public".

- Talking about the industry, what do you think about the latest from FireEye, reporting reversers for finding holes in their programs?

- It was an expected answer. An unaudited piece of software that is "100% safe", which bases all its security on marketing campaigns and which is difficult to acquire, so it's difficult to audit, and a company that gets angry when somebody audits it and finds such trivial things as a stack overflow when analyzing IRC traffic when the command "/NICK <long-string>" is sent, and wants to make that information public. How bad Felix is [Felix is the researcher].

- You're the author, among other tools, of Diaphora, which looks for differences between binaries, and of the fuzzing suite Nightmare, and you've found a lot of vulnerabilities, such as "Oracle TNS Poison", which allows man-in-the-middle attacks against Oracle databases. For which of them would you prefer to be remembered?

- I'd prefer to be remembered for inviting more people to enter this world than for things like that.

- Do you have any ritual to focus before diving into code?

- Nothing special. Read documents, look for old bugs, start fuzzing stupidly and open the code in IDA (or Understand). The closest thing to a ritual is using some classical music pieces while reversing.

- And to switch off?

- Switch off... Could you please explain that strange concept to me? Now, seriously: I find it very hard and I don't know how to do it well. A short story: once, talking with a guy I'd met 2 days before, we started to talk about possible logic vulnerabilities in MySQL after dinner, with some beers. I started to use my mobile phone to look for what I thought it could be. Then, another friend told me: "Are you auditing MySQL in Taipei at night with your mobile?". I think that gives an idea of how easy it is for me to switch off. It's a problem when your work is also your hobby.

- Finally, where does your nick, matalaz, come from?

- Matalaz (pronounced more or less "matalas") was the alias of Bernard de Goyheneche, a Basque priest from Zuberoa, who organized a revolt against the French nobility in 1661. The revolt was crushed in 3 days. He was beheaded and his head put in Maule square until somebody took it and disappeared.


Text: Mercè Molist
