Saturday, November 1, 2014

FLARE On Challenge - first impressions

At the beginning of the week, FireEye released APT28: A Window Into Russia’s Cyber Espionage Operations. (PDF) Just like then-Mandiant's APT1 report from February 2013, this paper provides an incredible in-depth look at the world of nation state computer network operations (or hacking in media terms). Reading this report drove me to read up more on FireEye, which landed me on Mike Sikorski's June 2014 announcement of the FireEye Labs Advanced Reverse Engineering (FLARE) team.

The FLARE On Challenge

Along with the creation of the new team, Mike was also announcing a reversing challenge/candidate screening: the FLARE On Challenge. The challenge has now completed, but most of my hobbyist reversing tends to be attacking shareware protection, so I figured I'd check it out.

Set up

First, it was time to dust off my virtual machines. Never execute reversing challenges, hack-mes, or live malware on your physical machine. That is just begging for a problem.
The TERMS & CONDITIONS page of the challenge even includes a warning.
I updated the tools in my 32-bit machine and executed the file C1.exe, which did nothing at all: the file is a 64-bit self-extracting zip. So I did a quick scan of it in IDA64 and then ran it... which just pops up an EULA, which is available online too. Oddly enough, I actually stopped to read it, which is what led to this blog. I was so struck by how odd it was that the EULA display is still up in that VM.
2. Restrictions.  Licensee will not allow any third party to): (i) reverse engineer or attempt to discover any source code or underlying ideas or algorithms of the Software
Emphasis is mine. Copying it here caused me to re-read it, and I now see that the EULA is forbidding me from allowing anyone else to reverse it, rather than forbidding me, but still. I was given a piece of software as an explicit reverse engineering challenge with a license that forbids me from allowing someone to reverse it?

Who Reads These Things Anyway?

I really doubt the intention of the EULA was actually to be read by the participants; rather, it is a CYA popup so that the lawyers can point out that they had warned you. The warning being that it contains this gem:
4.   WARNING: (a) Dangerous Malicious Code - The Software contains dangerous malicious computer code that will cause damage to Your or others computers and/or networks if not used properly.  Licensor is not responsible for the misuse or accidental misuse of this Software and the End-User accepts all responsibility for any damage incurred by the End-User. (b) Safe Environment - The Software should not be run without a safe environment that can easily be restored to a prior state, such as a virtual machine.  The End-User agrees that in no case shall the Software be used by the End-User on production systems or systems that contain sensitive or valuable information. (c) Prohibition on Connecting this Software to the Internet - The End-User agrees that the Software will not be used on systems connected to the Internet due to the risks posed to the machine running the Software as well as the risks posed to the greater Internet.
Well. That is fun. Of course, VMware Player can't snapshot, so this is going to require a bit more setup before I continue.
