Thursday, December 27, 2007

Building Didier Stevens' SpiderMonkey in Cygwin

Here's one for your malware analysis toolkit. For some time now, I've been using Rhino, Mozilla's Java implementation of JavaScript, to help automate deobfuscation. SpiderMonkey is Mozilla's C implementation of JavaScript, including a shell much like Rhino's.

There are a couple of things that Mozilla's engine doesn't do when it comes to deobfuscating JavaScript. Specifically, you're left to manually convert eval and document.* calls yourself. That's where this really smart guy Didier Stevens comes in. He has a modified SpiderMonkey that solves both of these issues.

So you already know that I like Cygwin for lots of things, including malware analysis. Unfortunately, SpiderMonkey is really only intended to build on Win32 with Visual Studio. However, there are a couple of quick shortcuts you can take to get it to build with gcc in Cygwin. So here we go.

1. Install Cygwin with gcc and standard C libraries.
2. Download and untar Stevens' SpiderMonkey source tarball.
3. In js/src/config/ find the line that begins with MKSHLIB and change the ld linker syntax by replacing '-shared' with '-r':

$ grep -n MKSHLIB config/
50:MKSHLIB = $(LD) -shared $(XMKSHLIBOPTS)

4. Build using make with the following syntax:

$ make -f Makefile.ref OS_ARCH='Linux'

We're essentially lying to make to get it to build as if our Cygwin environment is a Linux box. This is why shared linking breaks. But it should be a non-issue.

5. The make will exit with errors, but if all went well, the JavaScript shell, js.exe, has already been built:

$ cd Linux_All_DBG.OBJ
$ ls -l js.exe
-rwxr-xr-x 1 nobody None 1493267 Dec 27 17:40 js.exe
$ cd
$ cp js/src/Linux_All_DBG.OBJ/js.exe $HOME

$ ./js.exe
js> document.write("oh word!");
js> ^C
$ cat write.log
oh word!

And that's it. Make a copy of the binary for future use and clean up.

Tuesday, December 25, 2007


A nasty storm blew threw West Michigan on Sunday and Monday with lots of wind damage. It knocked out power to major chunks of the city, including the airport, which is literally close to home for me. Fortunately, the uptime on my OpenBSD box shows 25 days, so we never lost power (or cable, which is good, because I am trying to Tivo My Name Is Earl reruns that I missed.) So if you're family and you're reading this, we're safe and warm.

And then there are the latest mutations of that ongoing Storm thingy that fortunately doesn't leave people homeless or stranded. It's still annoying, though. You can't help but get the sense that the spammers are all taking advantage of the holidays:

That's 60 new spam messages in my Postini quarantine since Friday. That's not my GMail account, which has closer to 7K, but rather my work-only address which is seldom-published and hardly sees any spam. Additionally, Postini only shows me messages it's not sure about, so that's almost always new variations of spam messages. For me to have 60 in a month is rare, let alone a few days. The dirtbags have been busy.

Friday, December 21, 2007

On a Lighter Note...

Say what you will about Bill Gates, but sometimes he does something that you just have to admire. According to Reuters, he's recently acquired a stake in FEMSA Cerveza, a Mexican beer and soft-drink conglomerate. Mexican beers don't often make it to the top of a beer snob's list, but for my taste, Bohemia is one of the better pilsners out there. Plus, it's usually cheaper than, say, Pilsner Urquell. And cheap beer is good beer when it's also good beer.

On a Personal Note...

If you're one of the people that has my blog in your feeds list, then you've no doubt noticed that I have not been posting much lately. At all. I hope to get back to it in the new year, but Q407 has been insanely crazy for me, and I had to prioritize my time across the board.

But it's not bad news. Quite the contrary, actually. Made official just this week, I am now the head of infosec as well as the corporate infosec officer at the company where I work. My good friend and mentor, Tim, is returning to his technical roots but otherwise staying put. It's pretty much a job swap for the two of us, with Tim becoming the infosec team's technical lead.

I thought long and hard about the offer before accepting, and I came to a realization. I haven't worked on a team this talented in a decade. My mentor and the man I am succeeding will remain on staff as a resource to me and I to him. I will never get a better opportunity to step up to leadership. I will never have more support and more talent behind me than I do now. It's a little much to digest, really, and I think the rambling nature of this post gives you a hint at just how much my head is still swimming at the idea.

Anyhow, I hope to resume blogging in the new year as time permits. I have a couple of ideas that, if I find some time over the next few weeks, I may polish enough to post. Anyway, I hope that wherever you are, that you find peace and prosperity in the New Year.


Thursday, December 13, 2007

Deloitte Data Disclosure Study

So, I can't decide what this study really means. The short version is that Deloitte did a survey of security & privacy staff from the US about data breaches and disclosures, and 85% of respondents had at least one incident, and 63% of respondents had six or more in the past 12 months.

But I don't know if this is the sky falling, or just the entropic nature of data. Clearly 85% of companies are not having TJX-sized breaches. But the 85% is apparently incidents where notification ocurred. Unfortunately, the report doesn't expand on what constitutes notification and whether that means specifically that individuals were notified.

Either way, this study raises a good point around incident response. Specifically, due to the ubiquitous nature of mandatory disclosure laws, it's time to revisit your incident response procedures and include language for determining if notification is necessary, and then coordinating and documenting notification efforts so that you can prove that you followed applicable laws.

Friday, December 7, 2007

2008 Security Blog Predictions

Predictions seem to be a less popular topic this year than they were last year when nearly everybody with a blog made a stab at security predictions for 2007. There are still a few who have dusted off their crystal balls and taken a stab at it.

My blog wasn't up and going last year, so there are no poorly made guesses about security trends out there for you to hold me accountable for. This year will be no different. Instead, I present to you, dear readers...

My 2008 Security Blog Predictions

  1. MSRC will continue to only post on the 1st Thursday and 2nd Tuesday of each month.
  2. Matasano will burn up their clients' 2007 budgets and start posting again in January.
  3. Richard Bejtlich will still be the only guy blogging about network taps.
  4. Raffy will still be the only guy talking about AfterGlow, even though it works with Snort and Greg Hoglund used it in his new debugging tool.
  5. Nate Lawson's blog will be surpassed by Chris Eng's as the most difficult to digest. Especially if Nate keeps posting exclusively about vintage computers and BaySec.
  6. The Wired Support Intelligence blog will finally be declared abandoned and taken offline.
  7. People will continue to read Schneier's blog, even though it's just Bruce riffing one-liners on 2-week old articles.
  8. I will finally read WebSense Labs' blog regularly because they will add an RSS feed.
  9. I will finally blog about my experiences upgrading ArcSight 3.5 to 4.0, because my hardware will eventually arrive and I will finally be able to do the upgrade.
  10. ...and last but not least, security blogging will continue to really just be all about Google page rank.

Thank you, and good night.