Re: [Full-disclosure] The Mystery of the Duqu Framework

2012-03-19 Thread Sanguinarious Rose
https://www.securelist.com/en/blog/677/The_mystery_of_Duqu_Framework_solved

The code was written using a custom OO C framework, based on macros
or custom preprocessor directives. This was suggested by your
comments, because it is the most common way to combine object-oriented
programming with C. 


Not Told [ ]
Told [x]

Here let me re-quote my email for prosperity

Yea, I have been thinking on ideas for that as well; I see no one has
thought outside the box yet.

I would look into OO'ed C (www.planetpdf.com/codecuts/pdfs/ooc.pdf) as
being a possibility. Long before, in the time when the mighty C++ was
young, it was translated to C code for compilation. I have not had the
time to dig into it yet to see how you could code it in OO C style.
You can implement much of the functionality of the OO parts of
C++, including virtual functions and other things.

Well, these are my thoughts on it. More speculation at the moment but
might be of use to someone.

So, next time I would suggest actually reading and understanding what
I post to the mailing list instead of cheerleading with that crappy
told and not told meme.

On Sat, Mar 10, 2012 at 1:40 PM, Laurelai laure...@oneechan.org wrote:
 On 3/10/12 2:16 PM, William Pitcock wrote:
 On 3/10/2012 9:00 AM, 夜神 岩男 wrote:
 On 03/10/2012 03:51 AM, f...@deserted.net wrote:

 http://www.securelist.com/en/blog/667/The_Mystery_of_the_Duqu_Framework

 Haven't seen this (or much discussion around this) here yet, so I
 figured I'd share.

 From the description, it looks like someone pushed some code from a
 Lisp[1] variant (like Common Lisp, which is preprocessed into ANSI C by
 GCL, for example, before compilation) into a C++ DLL. Normal in the
 deeper end of Linux dev or Hurd communities, but definitely not standard
 practice in any established industry that makes use of Windows.

 I could be wrong; I didn't take the time to walk myself through the
 decompile with any thoroughness and compare it to code I generate.
 Anyway, I have no idea of the differences between how VC++ and g++ do
 things -- so my analysis would probably be trash. But from the way
 Mr. Soumenkov describes things it seems this, or something similar,
 could be the case and why the code doesn't conform to what's expected in
 a C++ binary.


 LISP would refer to specific constructor/destructor vtable entries as
 cons and there would be no destructor at all.  The structs use vtables
 which refer to ctor and dtor, which indicates that the vtables were
 most likely generated using a C++ compiler (since that is standard
 nomenclature for C++ compiler symbols).  It pretty much has to be
 Microsoft COM.  The struct layouts pretty much *reek* of Microsoft COM
 when used with a detached vtable (such as if the implementation is
 loaded from a COM object file).  The fact that specific vtable entries
 aren't mangled is also strong evidence of it being Microsoft COM (since
 there is no need to mangle vtable entries of a COM object due to type
 information already being known in the COM object).

 If it looks like COM, smells like COM, and acts like COM, then it's
 probably COM.  It certainly isn't some new programming language like
 Kaspersky says.  That's just the dumbest thing I've heard this year.

 William

 ___
 Full-Disclosure - We believe in it.
 Charter: http://lists.grok.org.uk/full-disclosure-charter.html
 Hosted and sponsored by Secunia - http://secunia.com/
 I think William just told everyone...again.




Re: [Full-disclosure] The Mystery of the Duqu Framework

2012-03-19 Thread Mario Vilas
On Tue, Mar 20, 2012 at 12:50 AM, Sanguinarious Rose 
sanguiner...@occultusterra.com wrote:

 Here let me re-quote my email for *prosperity*


I don't think that word means what you think it means.

Re: [Full-disclosure] The Mystery of the Duqu Framework

2012-03-19 Thread Valdis . Kletnieks
On Tue, 20 Mar 2012 01:38:52 BST, Mario Vilas said:
 On Tue, Mar 20, 2012 at 12:50 AM, Sanguinarious Rose 
 sanguiner...@occultusterra.com wrote:
  Here let me re-quote my email for *prosperity*

 I don't think that word means what you think it means.

No, it means what Sang said - should be able to parlay that I guessed it
before any of the Kaspersky crew into a nice job offer eventually. :)





Re: [Full-disclosure] The Mystery of the Duqu Framework

2012-03-19 Thread Andrew King
I think EVERYONE said it was a C implementation + something to get it to
C.  The interesting part that they glossed over, was the randomness in how
arguments were passed.  They specifically left that part out of the solved
analysis.  Just my 2 cents.

On Mon, Mar 19, 2012 at 8:59 PM, valdis.kletni...@vt.edu wrote:

 On Tue, 20 Mar 2012 01:38:52 BST, Mario Vilas said:
  On Tue, Mar 20, 2012 at 12:50 AM, Sanguinarious Rose 
 sanguiner...@occultusterra.com wrote:
   Here let me re-quote my email for *prosperity*

  I don't think that word means what you think it means.

 No, it means what Sang said - should be able to parlay that I guessed it
 before any of the Kaspersky crew into a nice job offer eventually. :)




Re: [Full-disclosure] The Mystery of the Duqu Framework

2012-03-14 Thread evilrabbi
On Sat, Mar 10, 2012 at 2:13 AM, Sanguinarious Rose 
sanguiner...@occultusterra.com wrote:

 Yea, I have been thinking on ideas for that as well; I see no one has
 thought outside the box yet.

 I would look into OO'ed C (www.planetpdf.com/codecuts/pdfs/ooc.pdf) as
 being a possibility. Long before, in the time when the mighty C++ was
 young, it was translated to C code for compilation. I have not had the
 time to dig into it yet to see how you could code it in OO C style.
 You can implement much of the functionality of the OO parts of
 C++, including virtual functions and other things.

 Well, these are my thoughts on it. More speculation at the moment but
 might be of use to someone.

 On Fri, Mar 9, 2012 at 11:51 AM,  f...@deserted.net wrote:
  http://www.securelist.com/en/blog/667/The_Mystery_of_the_Duqu_Framework
 
  Haven't seen this (or much discussion around this) here yet, so I figured
  I'd share.
 
  --
  -Joe.
 

OO C would be structs and function pointers.
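evilrabbi's one-liner above (structs and function pointers) and the Kaspersky conclusion quoted at the top of the thread (a custom OO C framework built from macros) describe the same pattern. What follows is an illustration of that pattern added to this page; it is not code from the Duqu binary, from the Kaspersky write-up, or from any poster, and every name in it (Object, VTable, Adder, Scaler, obj_new, obj_delete, VCALL) is invented for the example.

```c
/* Added illustration of "OO in C": each instance starts with a pointer to a
 * shared, detached vtable of function pointers (ctor, dtor, virtual methods),
 * and macros do the dispatch. All names are invented for this example; this is
 * not Duqu code, not the Kaspersky write-up's code, and not any poster's code. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct Object Object;

/* One statically allocated vtable per class: in a compiled binary this is a
 * read-only table of unmangled function pointers, nothing more. */
typedef struct VTable {
    const char *class_name;                          /* type info lives in the table */
    size_t      size;                                /* instance size for the allocator */
    void      (*ctor)(Object *self, const void *arg);
    void      (*dtor)(Object *self);
    int       (*compute)(const Object *self, int x); /* a "virtual" method */
} VTable;

/* Every instance begins with the vtable pointer; classes embed Object first. */
struct Object {
    const VTable *vt;
};

/* Virtual call: the object's own table selects the implementation. */
#define VCALL(obj, method, ...) ((obj)->vt->method((obj), __VA_ARGS__))

/* Generic allocation and construction, driven entirely by the vtable. */
static Object *obj_new(const VTable *vt, const void *arg)
{
    Object *o = calloc(1, vt->size);
    if (o == NULL)
        return NULL;
    o->vt = vt;
    if (vt->ctor != NULL)
        vt->ctor(o, arg);
    return o;
}

/* Generic destruction: class dtor first (if any), then release memory. */
static void obj_delete(Object *o)
{
    if (o == NULL)
        return;
    if (o->vt->dtor != NULL)
        o->vt->dtor(o);
    free(o);
}

static const char *class_name_of(const Object *o) { return o->vt->class_name; }

/* ---- class Adder: compute(x) = x + offset, no dtor needed ----------------- */
typedef struct Adder { Object base; int offset; } Adder;   /* base must be first */

static void adder_ctor(Object *self, const void *arg) { ((Adder *)self)->offset = *(const int *)arg; }
static int  adder_compute(const Object *self, int x) { return x + ((const Adder *)self)->offset; }

static const VTable Adder_vt = { "Adder", sizeof(Adder), adder_ctor, NULL, adder_compute };

/* ---- class Scaler: compute(x) = x * factor, with an observable dtor -------- */
static int scaler_dtor_calls = 0;   /* incremented by scaler_dtor so callers can see it ran */

typedef struct Scaler { Object base; int factor; } Scaler; /* base must be first */

static void scaler_ctor(Object *self, const void *arg) { ((Scaler *)self)->factor = *(const int *)arg; }
static void scaler_dtor(Object *self) { (void)self; scaler_dtor_calls++; }
static int  scaler_compute(const Object *self, int x) { return x * ((const Scaler *)self)->factor; }

static const VTable Scaler_vt = { "Scaler", sizeof(Scaler), scaler_ctor, scaler_dtor, scaler_compute };

/* Polymorphic use: the caller never names a concrete type. With the constructed
 * objects below (offset 5, factor 3) the result is (x + 5) + 3 * x. */
static int demo_compute(int x)
{
    int offset = 5, factor = 3, sum = 0;
    Object *objs[2];
    size_t i;

    objs[0] = obj_new(&Adder_vt, &offset);
    objs[1] = obj_new(&Scaler_vt, &factor);
    for (i = 0; i < 2; i++)
        if (objs[i] != NULL)
            sum += VCALL(objs[i], compute, x);
    for (i = 0; i < 2; i++)
        obj_delete(objs[i]);            /* runs scaler_dtor once */
    return sum;
}

int main(void)
{
    int offset = 5, result;
    Object *a = obj_new(&Adder_vt, &offset);

    printf("%s::compute(10) = %d\n", class_name_of(a), VCALL(a, compute, 10));
    obj_delete(a);
    result = demo_compute(10);
    printf("demo_compute(10) = %d, Scaler dtors run = %d\n", result, scaler_dtor_calls);
    return 0;
}
```

Compiled, the two `*_vt` tables become read-only arrays of unmangled function pointers, with each instance's first word pointing at one of them: the layout William describes as reeking of COM, and the reason a disassembler shows ctor/dtor-like slots with no mangled C++ names attached. Nothing in the resulting binary records whether such tables were emitted by a C++ compiler, by COM tooling, or by a handful of C macros, which is exactly the ambiguity the thread is arguing over.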

Re: [Full-disclosure] The Mystery of the Duqu Framework

2012-03-14 Thread Marco Ermini
On 10 March 2012 21:43, Alberto Fabiano wrote:
[...]
 Well, looks like COM, smells like COM, and acts like COM, but C++
 isn't the only language that uses COM; it still has a familiar way...
 it can be another language.

Maybe it's Eiffel... ;-)

-- 
Marco Ermini
root@human # mount -t life -o ro /dev/dna /genetic/research
http://www.linkedin.com/in/marcoermini
Jesus saves... but Buddha makes incremental back-ups!



Re: [Full-disclosure] The Mystery of the Duqu Framework

2012-03-11 Thread 夜神 岩男
--- On Sun, 2012/3/11, William Pitcock neno...@systeminplace.net wrote:

 On 3/10/2012 9:00 AM, 夜神 岩男 wrote:
  On 03/10/2012 03:51 AM, f...@deserted.net wrote:
 
  http://www.securelist.com/en/blog/667/The_Mystery_of_the_Duqu_Framework
 
  Haven't seen this (or much discussion around this) here yet, so I
  figured I'd share.
 
  From the description, it looks like someone pushed some code from a
  Lisp[1] variant (like Common Lisp, which is preprocessed into ANSI C by
  GCL, for example, before compilation) into a C++ DLL. Normal in the
  deeper end of Linux dev or Hurd communities, but definitely not standard
  practice in any established industry that makes use of Windows.
 
  I could be wrong; I didn't take the time to walk myself through the
  decompile with any thoroughness and compare it to code I generate.
  Anyway, I have no idea of the differences between how VC++ and g++ do
  things -- so my analysis would probably be trash. But from the way
  Mr. Soumenkov describes things it seems this, or something similar,
  could be the case and why the code doesn't conform to what's expected in
  a C++ binary.
 
 
 
 LISP would refer to specific constructor/destructor vtable entries as 
 cons and there would be no destructor at all.  The structs use vtables 
 which refer to ctor and dtor, which indicates that the vtables were 
 most likely generated using a C++ compiler (since that is standard 
 nomenclature for C++ compiler symbols).  It pretty much has to be 
 Microsoft COM.  The struct layouts pretty much *reek* of Microsoft COM 
 when used with a detached vtable (such as if the implementation is 
 loaded from a COM object file).  The fact that specific vtable entries 
 aren't mangled is also strong evidence of it being Microsoft COM (since 
 there is no need to mangle vtable entries of a COM object due to type 
 information already being known in the COM object).
 
 If it looks like COM, smells like COM, and acts like COM, then it's 
 probably COM.  It certainly isn't some new programming language like 
 Kaspersky says.  That's just the dumbest thing I've heard this year.

I don't know enough about COM to have an opinion on this analysis (I don't do 
any work in Windows anymore) -- but if this is the case why is it stumping not 
just Kaspersky, but others as well?

The reason I mention Lisp is the ease with which it can be implemented in 
arbitrary ways via Bison -- not because there is anything even approaching a 
canonical implementation that always does things a certain way. The huge 
variety of Lisp implementations is why I wouldn't quite so quickly say things 
like there would be no destructor, because that is implementation specific. 
Ruby is/was written this way (not sure if the late versions are, haven't kept 
up), as are a large number of the GNU constellation language implementations (I 
think there was an Ada implementation written this way as well). The end result 
is pretty unpredictable if you just look at the language spec and then a binary 
with nothing in between, because the way the language compiler or preprocessing 
is done can really change things around a lot.

After posting I read through a few comments on the Kaspersky post and some 
interesting discussion focused around both Lisp and SOO, but the timeline for 
SOO doesn't match up.

Anyway, I'm idly curious now to see what the final verdict is -- and if it's COM 
that would give me a chuckle.

Thanks for writing a real response, by the way. I don't understand what is 
going on with this list being overrun by HaX0rz and the noisy.

-IY


Re: [Full-disclosure] The Mystery of the Duqu Framework

2012-03-11 Thread Alberto Fabiano
Well,

I suspect it's OCaml compiled with ocamlc; I will analyze a bit to
confirm my suspicion.

[]s


On Sat, Mar 10, 2012 at 16:16, Laurelai laure...@oneechan.org wrote:
 On 3/10/2012 9:00 AM, 夜神 岩男 wrote:
 On 03/10/2012 03:51 AM, f...@deserted.net wrote:
 http://www.securelist.com/en/blog/667/The_Mystery_of_the_Duqu_Framework

 Haven't seen this (or much discussion around this) here yet, so I
 figured I'd share.
 From the description, it looks like someone pushed some code from a
 Lisp[1] variant (like Common Lisp, which is preprocessed into ANSI C by
 GCL, for example, before compilation) into a C++ DLL. Normal in the
 deeper end of Linux dev or Hurd communities, but definitely not standard
 practice in any established industry that makes use of Windows.

 I could be wrong; I didn't take the time to walk myself through the
 decompile with any thoroughness and compare it to code I generate.
 Anyway, I have no idea of the differences between how VC++ and g++ do
 things -- so my analysis would probably be trash. But from the way
 Mr. Soumenkov describes things it seems this, or something similar,
 could be the case and why the code doesn't conform to what's expected in
 a C++ binary.

 -IY

 1. [Caveat] I say Lisp but some other languages come to mind as well;
 maybe Haskell would come out that way. I'm not sure because I'm most
 familiar with Lisp and know it can be cobbled with C/C++ without
 complications because of the way most of its C-based implementations
 work. Anyway, if I were looking for a lock on how this code was
 produced, I would ignore C-based languages and focus instead on
 languages that behave this way natively first, because I think that's
 the least exotic explanation for the features this segment of code exhibits.

 Lisp? Are you serious?




-- 
Alberto Fabiano C. de Medeiros
albe...@computer.org
PGP Key ID: 232D3D06
-  .  -... . ... -  .-- .- -.--  - ---  .--. .-. . -.. .. -.-. --
 .  ..-. ..- - ..- .-. .  .. ...  - --  .. -. ...- . -. -  .. -
.- .-.. .- -.  -.- .- -.--

k'bɪt Y The best way to predict the future is to invent it. --Alan Kay
k'bɪt X Chance favors the prepared mind.   --Louis Pasteur
k'bɪt Z The world is full of fascinating problems waiting to be
solved --Eric S.Raymond


Re: [Full-disclosure] The Mystery of the Duqu Framework

2012-03-11 Thread Alberto Fabiano
On Sat, Mar 10, 2012 at 17:16, William Pitcock
neno...@systeminplace.net wrote:
 On 3/10/2012 9:00 AM, 夜神 岩男 wrote:
 On 03/10/2012 03:51 AM, f...@deserted.net wrote:

 http://www.securelist.com/en/blog/667/The_Mystery_of_the_Duqu_Framework

 Haven't seen this (or much discussion around this) here yet, so I
 figured I'd share.

 From the description, it looks like someone pushed some code from a
 Lisp[1] variant (like Common Lisp, which is preprocessed into ANSI C by
 GCL, for example, before compilation) into a C++ DLL. Normal in the
 deeper end of Linux dev or Hurd communities, but definitely not standard
 practice in any established industry that makes use of Windows.

 I could be wrong; I didn't take the time to walk myself through the
 decompile with any thoroughness and compare it to code I generate.
 Anyway, I have no idea of the differences between how VC++ and g++ do
 things -- so my analysis would probably be trash. But from the way
 Mr. Soumenkov describes things it seems this, or something similar,
 could be the case and why the code doesn't conform to what's expected in
 a C++ binary.



 LISP would refer to specific constructor/destructor vtable entries as
 cons and there would be no destructor at all.  The structs use vtables
 which refer to ctor and dtor, which indicates that the vtables were
 most likely generated using a C++ compiler (since that is standard
 nomenclature for C++ compiler symbols).  It pretty much has to be
 Microsoft COM.  The struct layouts pretty much *reek* of Microsoft COM
 when used with a detached vtable (such as if the implementation is
 loaded from a COM object file).  The fact that specific vtable entries
 aren't mangled is also strong evidence of it being Microsoft COM (since
 there is no need to mangle vtable entries of a COM object due to type
 information already being known in the COM object).

 If it looks like COM, smells like COM, and acts like COM, then it's
 probably COM.  It certainly isn't some new programming language like
 Kaspersky says.  That's just the dumbest thing I've heard this year.


Well, looks like COM, smells like COM, and acts like COM, but C++
isn't the only language that uses COM; it still has a familiar way...
it can be another language.


 William




-- 
Alberto Fabiano C. de Medeiros
albe...@computer.org
PGP Key ID: 232D3D06
-  .  -... . ... -  .-- .- -.--  - ---  .--. .-. . -.. .. -.-. --
 .  ..-. ..- - ..- .-. .  .. ...  - --  .. -. ...- . -. -  .. -
.- .-.. .- -.  -.- .- -.--

k'bɪt Y The best way to predict the future is to invent it. --Alan Kay
k'bɪt X Chance favors the prepared mind.   --Louis Pasteur
k'bɪt Z The world is full of fascinating problems waiting to be
solved --Eric S.Raymond


Re: [Full-disclosure] The Mystery of the Duqu Framework

2012-03-11 Thread coderman
On Sat, Mar 10, 2012 at 12:43 PM, Alberto Fabiano albe...@computer.org wrote:
 ... C++
 isn't the only language that uses COM; it still has a familiar way...
 it can be another language.

where does the application framework end and the domain specific language begin?

lean event machine for invoking syscalls direct, routing params. pretty handy


... ocamlc? i thought i saw a six subject call in there ;P



[Full-disclosure] The Mystery of the Duqu Framework

2012-03-10 Thread fd
http://www.securelist.com/en/blog/667/The_Mystery_of_the_Duqu_Framework

Haven't seen this (or much discussion around this) here yet, so I figured
I'd share.

-- 
-Joe.

Re: [Full-disclosure] The Mystery of the Duqu Framework

2012-03-10 Thread Sanguinarious Rose
Yea, I have been thinking on ideas for that as well; I see no one has
thought outside the box yet.

I would look into OO'ed C (www.planetpdf.com/codecuts/pdfs/ooc.pdf) as
being a possibility. Long before, in the time when the mighty C++ was
young, it was translated to C code for compilation. I have not had the
time to dig into it yet to see how you could code it in OO C style.
You can implement much of the functionality of the OO parts of
C++, including virtual functions and other things.

Well, these are my thoughts on it. More speculation at the moment but
might be of use to someone.

On Fri, Mar 9, 2012 at 11:51 AM,  f...@deserted.net wrote:
 http://www.securelist.com/en/blog/667/The_Mystery_of_the_Duqu_Framework

 Haven't seen this (or much discussion around this) here yet, so I figured
 I'd share.

 --
 -Joe.



Re: [Full-disclosure] The Mystery of the Duqu Framework

2012-03-10 Thread Laurelai
On 3/10/2012 4:13 AM, Sanguinarious Rose wrote:
 Yea, I have been thinking on ideas for that as well; I see no one has
 thought outside the box yet.

 I would look into OO'ed C (www.planetpdf.com/codecuts/pdfs/ooc.pdf) as
 being a possibility. Long before, in the time when the mighty C++ was
 young, it was translated to C code for compilation. I have not had the
 time to dig into it yet to see how you could code it in OO C style.
 You can implement much of the functionality of the OO parts of
 C++, including virtual functions and other things.

 Well, these are my thoughts on it. More speculation at the moment but
 might be of use to someone.

 On Fri, Mar 9, 2012 at 11:51 AM,  f...@deserted.net wrote:
 http://www.securelist.com/en/blog/667/The_Mystery_of_the_Duqu_Framework

 Haven't seen this (or much discussion around this) here yet, so I figured
 I'd share.

 --
 -Joe.

https://twitter.com/#!/nenolod/status/178352865667067904

not told [ ]
told [x ]


Put the crack pipe down.



Re: [Full-disclosure] The Mystery of the Duqu Framework

2012-03-10 Thread Sanguinarious Rose
Not really, it looks like speculation, same as I just admitted my idea
was. There is no proof as of yet besides a single tweet suggesting
an idea much the same as mine just was. Unless someone does the proper
research into it, it is just that: 140 chars of speculation.

Told [x]
Not Told [ ]

umad?

On Sat, Mar 10, 2012 at 3:23 AM, Laurelai laure...@oneechan.org wrote:
 On 3/10/2012 4:13 AM, Sanguinarious Rose wrote:
 Yea, I have been thinking on ideas for that as well; I see no one has
 thought outside the box yet.

 I would look into OO'ed C (www.planetpdf.com/codecuts/pdfs/ooc.pdf) as
 being a possibility. Long before, in the time when the mighty C++ was
 young, it was translated to C code for compilation. I have not had the
 time to dig into it yet to see how you could code it in OO C style.
 You can implement much of the functionality of the OO parts of
 C++, including virtual functions and other things.

 Well, these are my thoughts on it. More speculation at the moment but
 might be of use to someone.

 On Fri, Mar 9, 2012 at 11:51 AM,  f...@deserted.net wrote:
 http://www.securelist.com/en/blog/667/The_Mystery_of_the_Duqu_Framework

 Haven't seen this (or much discussion around this) here yet, so I figured
 I'd share.

 --
 -Joe.

 https://twitter.com/#!/nenolod/status/178352865667067904

 not told [ ]
 told [x ]


 Put the crack pipe down.



Re: [Full-disclosure] The Mystery of the Duqu Framework

2012-03-10 Thread Laurelai
On 3/10/2012 4:31 AM, Sanguinarious Rose wrote:
 Not really, it looks like speculation, same as I just admitted my idea
 was. There is no proof as of yet besides a single tweet suggesting
 an idea much the same as mine just was. Unless someone does the proper
 research into it, it is just that: 140 chars of speculation.

 Told [x]
 Not Told [ ]

 umad?

 On Sat, Mar 10, 2012 at 3:23 AM, Laurelai laure...@oneechan.org wrote:
 On 3/10/2012 4:13 AM, Sanguinarious Rose wrote:
 Yea, I have been thinking on ideas for that as well; I see no one has
 thought outside the box yet.

 I would look into OO'ed C (www.planetpdf.com/codecuts/pdfs/ooc.pdf) as
 being a possibility. Long before, in the time when the mighty C++ was
 young, it was translated to C code for compilation. I have not had the
 time to dig into it yet to see how you could code it in OO C style.
 You can implement much of the functionality of the OO parts of
 C++, including virtual functions and other things.

 Well, these are my thoughts on it. More speculation at the moment but
 might be of use to someone.

 On Fri, Mar 9, 2012 at 11:51 AM,  f...@deserted.net wrote:
 http://www.securelist.com/en/blog/667/The_Mystery_of_the_Duqu_Framework

 Haven't seen this (or much discussion around this) here yet, so I figured
 I'd share.

 --
 -Joe.

 https://twitter.com/#!/nenolod/status/178352865667067904

 not told [ ]
 told [x ]


 Put the crack pipe down.

My post was William's response to Kaspersky; it wasn't directed to you. Do
try and keep up.

Re: [Full-disclosure] The Mystery of the Duqu Framework

2012-03-10 Thread Sanguinarious Rose
Trying to cover up you being told, that's Cute 3

On Sat, Mar 10, 2012 at 3:34 AM, Laurelai laure...@oneechan.org wrote:
 On 3/10/2012 4:31 AM, Sanguinarious Rose wrote:

 Not really, it looks like speculation, same as I just admitted my idea
 was. There is no proof as of yet besides a single tweet suggesting
 an idea much the same as mine just was. Unless someone does the proper
 research into it, it is just that: 140 chars of speculation.

 Told [x]
 Not Told [ ]

 umad?

 On Sat, Mar 10, 2012 at 3:23 AM, Laurelai laure...@oneechan.org wrote:

 On 3/10/2012 4:13 AM, Sanguinarious Rose wrote:

 Yea, I have been thinking on ideas for that as well; I see no one has
 thought outside the box yet.

 I would look into OO'ed C (www.planetpdf.com/codecuts/pdfs/ooc.pdf) as
 being a possibility. Long before, in the time when the mighty C++ was
 young, it was translated to C code for compilation. I have not had the
 time to dig into it yet to see how you could code it in OO C style.
 You can implement much of the functionality of the OO parts of
 C++, including virtual functions and other things.

 Well, these are my thoughts on it. More speculation at the moment but
 might be of use to someone.

 On Fri, Mar 9, 2012 at 11:51 AM,  f...@deserted.net wrote:

 http://www.securelist.com/en/blog/667/The_Mystery_of_the_Duqu_Framework

 Haven't seen this (or much discussion around this) here yet, so I figured
 I'd share.

 --
 -Joe.


 https://twitter.com/#!/nenolod/status/178352865667067904

 not told [ ]
 told [x ]


 Put the crack pipe down.


 My post was William's response to Kaspersky; it wasn't directed to you. Do try
 and keep up.



Re: [Full-disclosure] The Mystery of the Duqu Framework

2012-03-10 Thread Laurelai
On 3/10/2012 4:36 AM, Sanguinarious Rose wrote:
 Trying to cover up you being told, that's Cute 3

 On Sat, Mar 10, 2012 at 3:34 AM, Laurelai laure...@oneechan.org wrote:
 On 3/10/2012 4:31 AM, Sanguinarious Rose wrote:

 Not really, it looks like speculation, same as I just admitted my idea
 was. There is no proof as of yet besides a single tweet suggesting
 an idea much the same as mine just was. Unless someone does the proper
 research into it, it is just that: 140 chars of speculation.

 Told [x]
 Not Told [ ]

 umad?

 On Sat, Mar 10, 2012 at 3:23 AM, Laurelai laure...@oneechan.org wrote:

 On 3/10/2012 4:13 AM, Sanguinarious Rose wrote:

 Yea, I have been thinking on ideas for that as well; I see no one has
 thought outside the box yet.

 I would look into OO'ed C (www.planetpdf.com/codecuts/pdfs/ooc.pdf) as
 being a possibility. Long before, in the time when the mighty C++ was
 young, it was translated to C code for compilation. I have not had the
 time to dig into it yet to see how you could code it in OO C style.
 You can implement much of the functionality of the OO parts of
 C++, including virtual functions and other things.

 Well, these are my thoughts on it. More speculation at the moment but
 might be of use to someone.

 On Fri, Mar 9, 2012 at 11:51 AM,  f...@deserted.net wrote:

 http://www.securelist.com/en/blog/667/The_Mystery_of_the_Duqu_Framework

 Haven't seen this (or much discussion around this) here yet, so I figured
 I'd share.

 --
 -Joe.


 https://twitter.com/#!/nenolod/status/178352865667067904

 not told [ ]
 told [x ]


 Put the crack pipe down.


 My post was William's response to Kaspersky; it wasn't directed to you. Do try
 and keep up.

Did you even read the tweet?

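The "OO'ed C" idea quoted above is easy to make concrete. The block below is an added illustration, not code from the thread, from the ooc.pdf text or from the Duqu analysis; the class names (Shape, Circle, Square) and helper names are made up. It builds a small class hierarchy in plain C with a per-class table of function pointers that holds the constructor, destructor and one virtual method, and shows why a decompiler looking at such a binary sees a "vtable pointer" at offset 0 of every object and ctor/dtor-like slots in the table even though no C++ compiler was involved.

```c
/* Added example (not from the thread): a hand-rolled OO C class hierarchy
 * in the spirit of the ooc.pdf approach. Shape/Circle/Square and the helper
 * names are made up for this illustration. */
#include <stdlib.h>

/* Class descriptor: the table a decompiler would label a "vtable". The
 * ctor and dtor sit in it as ordinary slots next to the virtual methods. */
struct Class {
    size_t size;                                 /* instance size */
    const struct Class *super;                   /* base class, or NULL */
    void *(*ctor)(void *self, const void *arg);  /* constructor slot */
    void (*dtor)(void *self);                    /* destructor slot */
    double (*area)(const void *self);            /* virtual method slot */
};

/* Every instance starts with a pointer to its class: the "vtable pointer"
 * at offset 0 that makes such structs look compiler-generated. */
struct Object { const struct Class *cls; };

void *new_object(const struct Class *cls, const void *arg)
{
    struct Object *obj = calloc(1, cls->size);
    if (!obj) return NULL;
    obj->cls = cls;
    /* Run the most-derived constructor that exists (inherited otherwise). */
    for (const struct Class *c = cls; c; c = c->super)
        if (c->ctor) return c->ctor(obj, arg);
    return obj;
}

void delete_object(void *self)
{
    struct Object *obj = self;
    if (!obj) return;
    for (const struct Class *c = obj->cls; c; c = c->super)
        if (c->dtor) { c->dtor(obj); break; }
    free(obj);
}

/* Virtual dispatch: read the table at offset 0, then jump through a slot. */
double area(const void *self)
{
    for (const struct Class *c = ((const struct Object *)self)->cls; c; c = c->super)
        if (c->area) return c->area(self);
    return 0.0;   /* abstract base: no implementation anywhere in the chain */
}

/* Concrete classes: the base header first, then their own fields. */
struct Circle { struct Object base; double r; };
struct Square { struct Object base; double side; };

static int circles_destroyed;   /* lets a caller observe the dtor slot running */

static void *circle_ctor(void *self, const void *arg)
{ ((struct Circle *)self)->r = *(const double *)arg; return self; }
static void circle_dtor(void *self) { (void)self; circles_destroyed++; }
static double circle_area(const void *self)
{ double r = ((const struct Circle *)self)->r; return 3.141592653589793 * r * r; }

static void *square_ctor(void *self, const void *arg)
{ ((struct Square *)self)->side = *(const double *)arg; return self; }
static double square_area(const void *self)
{ double s = ((const struct Square *)self)->side; return s * s; }

/* Abstract base leaves every slot empty; derived descriptors fill them. */
const struct Class ShapeClass  = { sizeof(struct Object), NULL, NULL, NULL, NULL };
const struct Class CircleClass = { sizeof(struct Circle), &ShapeClass, circle_ctor, circle_dtor, circle_area };
const struct Class SquareClass = { sizeof(struct Square), &ShapeClass, square_ctor, NULL, square_area };

/* Client code that never names a concrete type: pure virtual dispatch. */
double total_area(void)
{
    double r = 2.0, s = 3.0;
    void *shapes[2] = { new_object(&CircleClass, &r), new_object(&SquareClass, &s) };
    double sum = 0.0;
    for (int i = 0; i < 2; i++) sum += area(shapes[i]);
    for (int i = 0; i < 2; i++) delete_object(shapes[i]);
    return sum;   /* 4*pi + 9 */
}

int circles_destroyed_so_far(void) { return circles_destroyed; }
```

Compiled with any C99 compiler, the resulting binary has no C++ runtime, no mangled names and no RTTI, yet each object carries a table pointer and the tables contain constructor and destructor entries, which is exactly the ambiguity the analysts in this thread are arguing over.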


Re: [Full-disclosure] The Mystery of the Duqu Framework

2012-03-10 Thread 夜神 岩男
On 03/10/2012 03:51 AM, f...@deserted.net wrote:
 http://www.securelist.com/en/blog/667/The_Mystery_of_the_Duqu_Framework

 Haven't seen this (or much discussion around this) here yet, so I
 figured I'd share.

From the description, it looks like someone pushed some code from a 
Lisp[1] variant (like Common Lisp, which is preprocessed into ANSI C by 
GCL, for example, before compilation) into a C++ DLL. Normal in the 
deeper end of Linux dev or Hurd communities, but definitely not standard 
practice in any established industry that makes use of Windows.

I could be wrong, I didn't take the time to walk myself through the 
decompile with any thoroughness and compare it to code I generate. 
Anyway, I have no idea the differences between how VC++ and g++ do 
things -- so my analysis would probably be trash. But from the way 
Mr. Soumenkov describes things it seems this, or something similar, 
could be the case and why the code doesn't conform to what's expected in 
a C++ binary.

-IY

1. [Caveat] I say Lisp but some other languages come to mind as well; 
maybe Haskell would come out that way. I'm not sure because I'm most 
familiar with Lisp and know it can be cobbled with C/C++ without 
complications because of the way most of its C-based implementations 
work. Anyway, if I were looking for a lock on how this code was 
produced, I would ignore C-based languages and focus instead on 
languages that behave this way natively first, because I think that's 
the least exotic explanation for the features this segment of code exhibits.



Re: [Full-disclosure] The Mystery of the Duqu Framework

2012-03-10 Thread Laurelai
On 3/10/2012 9:00 AM, 夜神 岩男 wrote:
 On 03/10/2012 03:51 AM, f...@deserted.net wrote:
 http://www.securelist.com/en/blog/667/The_Mystery_of_the_Duqu_Framework

 Haven't seen this (or much discussion around this) here yet, so I
 figured I'd share.
  From the description, it looks like someone pushed some code from a 
 Lisp[1] variant (like Common Lisp, which is preprocessed into ANSI C by 
 GCL, for example, before compilation) into a C++ DLL. Normal in the 
 deeper end of Linux dev or Hurd communities, but definitely not standard 
 practice in any established industry that makes use of Windows.

 I could be wrong, I didn't take the time to walk myself through the 
 decompile with any thoroughness and compare it to code I generate. 
 Anyway, I have no idea the differences between how VC++ and g++ do 
 things -- so my analysis would probably be trash. But from the way 
 Mr. Soumenkov describes things it seems this, or something similar, 
 could be the case and why the code doesn't conform to what's expected in 
 a C++ binary.

 -IY

 1. [Caveat] I say Lisp but some other languages come to mind as well; 
 maybe Haskell would come out that way. I'm not sure because I'm most 
 familiar with Lisp and know it can be cobbled with C/C++ without 
 complications because of the way most of its C-based implementations 
 work. Anyway, if I were looking for a lock on how this code was 
 produced, I would ignore C-based languages and focus instead on 
 languages that behave this way natively first, because I think that's 
 the least exotic explanation for the features this segment of code exhibits.

Lisp? Are you serious?


Re: [Full-disclosure] The Mystery of the Duqu Framework

2012-03-10 Thread William Pitcock
On 3/10/2012 9:00 AM, 夜神 岩男 wrote:
 On 03/10/2012 03:51 AM, f...@deserted.net wrote:

 http://www.securelist.com/en/blog/667/The_Mystery_of_the_Duqu_Framework

 Haven't seen this (or much discussion around this) here yet, so I
 figured I'd share.

 From the description, it looks like someone pushed some code from a
 Lisp[1] variant (like Common Lisp, which is preprocessed into ANSI C by
 GCL, for example, before compilation) into a C++ DLL. Normal in the
 deeper end of Linux dev or Hurd communities, but definitely not standard
 practice in any established industry that makes use of Windows.

 I could be wrong, I didn't take the time to walk myself through the
 decompile with any thoroughness and compare it to code I generate.
 Anyway, I have no idea the differences between how VC++ and g++ do
 things -- so my analysis would probably be trash. But from the way
 Mr. Soumenkov describes things it seems this, or something similar,
 could be the case and why the code doesn't conform to what's expected in
 a C++ binary.



LISP would refer to specific constructor/destructor vtable entries as 
cons and there would be no destructor at all.  The structs use vtables 
which refer to ctor and dtor, which indicates that the vtables were 
most likely generated using a C++ compiler (since that is standard 
nomenclature for C++ compiler symbols).  It pretty much has to be 
Microsoft COM.  The struct layouts pretty much *reek* of Microsoft COM 
when used with a detached vtable (such as if the implementation is 
loaded from a COM object file).  The fact that specific vtable entries 
aren't mangled is also strong evidence of it being Microsoft COM (since 
there is no need to mangle vtable entries of a COM object due to type 
information already being known in the COM object).

If it looks like COM, smells like COM, and acts like COM, then it's 
probably COM.  It certainly isn't some new programming language like 
Kaspersky says.  That's just the dumbest thing I've heard this year.

William


Re: [Full-disclosure] The Mystery of the Duqu Framework

2012-03-10 Thread Laurelai
On 3/10/12 2:16 PM, William Pitcock wrote:
 On 3/10/2012 9:00 AM, 夜神 岩男 wrote:
 On 03/10/2012 03:51 AM, f...@deserted.net wrote:

 http://www.securelist.com/en/blog/667/The_Mystery_of_the_Duqu_Framework

 Haven't seen this (or much discussion around this) here yet, so I
 figured I'd share.

  From the description, it looks like someone pushed some code from a
 Lisp[1] variant (like Common Lisp, which is preprocessed into ANSI C by
 GCL, for example, before compilation) into a C++ DLL. Normal in the
 deeper end of Linux dev or Hurd communities, but definitely not standard
 practice in any established industry that makes use of Windows.

 I could be wrong, I didn't take the time to walk myself through the
 decompile with any thoroughness and compare it to code I generate.
 Anyway, I have no idea the differences between how VC++ and g++ do
 things -- so my analysis would probably be trash. But from the way
 Mr. Soumenkov describes things it seems this, or something similar,
 could be the case and why the code doesn't conform to what's expected in
 a C++ binary.


 LISP would refer to specific constructor/destructor vtable entries as
 cons and there would be no destructor at all.  The structs use vtables
 which refer to ctor and dtor, which indicates that the vtables were
 most likely generated using a C++ compiler (since that is standard
 nomenclature for C++ compiler symbols).  It pretty much has to be
 Microsoft COM.  The struct layouts pretty much *reek* of Microsoft COM
 when used with a detached vtable (such as if the implementation is
 loaded from a COM object file).  The fact that specific vtable entries
 aren't mangled is also strong evidence of it being Microsoft COM (since
 there is no need to mangle vtable entries of a COM object due to type
 information already being known in the COM object).

 If it looks like COM, smells like COM, and acts like COM, then it's
 probably COM.  It certainly isn't some new programming language like
 Kaspersky says.  That's just the dumbest thing I've heard this year.

 William

I think William just told everyone...again.


Re: [Full-disclosure] The Mystery of the Duqu Framework

2012-03-10 Thread Sanguinarious Rose
Do you have any suggestions as to what C++ compiler could generate
such code in such a case and how one could generate similar code that
matches the decompiled parts? Granted their theory of a new language
is moonbatty but I think they have the knowledge to recognize a common
compiler.

As for ctor and dtor, I am pretty sure they were marked by the
researcher doing the decompiling or the decompiler and no such symbol
names are in the executable. I would conclude as such for the other
symbols named due to how they were named.

I do agree on the new language being possibly the dumbest insane
moonbat speculation of the year however I have heard a few other
things that win over that hands down ;)

On Sat, Mar 10, 2012 at 1:16 PM, William Pitcock
neno...@systeminplace.net wrote:
 On 3/10/2012 9:00 AM, 夜神 岩男 wrote:
 On 03/10/2012 03:51 AM, f...@deserted.net wrote:

 http://www.securelist.com/en/blog/667/The_Mystery_of_the_Duqu_Framework

 Haven't seen this (or much discussion around this) here yet, so I
 figured I'd share.

 From the description, it looks like someone pushed some code from a
 Lisp[1] variant (like Common Lisp, which is preprocessed into ANSI C by
 GCL, for example, before compilation) into a C++ DLL. Normal in the
 deeper end of Linux dev or Hurd communities, but definitely not standard
 practice in any established industry that makes use of Windows.

 I could be wrong, I didn't take the time to walk myself through the
 decompile with any thoroughness and compare it to code I generate.
 Anyway, I have no idea the differences between how VC++ and g++ do
 things -- so my analysis would probably be trash. But from the way
 Mr. Soumenkov describes things it seems this, or something similar,
 could be the case and why the code doesn't conform to what's expected in
 a C++ binary.



 LISP would refer to specific constructor/destructor vtable entries as
 cons and there would be no destructor at all.  The structs use vtables
 which refer to ctor and dtor, which indicates that the vtables were
 most likely generated using a C++ compiler (since that is standard
 nomenclature for C++ compiler symbols).  It pretty much has to be
 Microsoft COM.  The struct layouts pretty much *reek* of Microsoft COM
 when used with a detached vtable (such as if the implementation is
 loaded from a COM object file).  The fact that specific vtable entries
 aren't mangled is also strong evidence of it being Microsoft COM (since
 there is no need to mangle vtable entries of a COM object due to type
 information already being known in the COM object).

 If it looks like COM, smells like COM, and acts like COM, then it's
 probably COM.  It certainly isn't some new programming language like
 Kaspersky says.  That's just the dumbest thing I've heard this year.

 William



Re: [Full-disclosure] The Mystery of the Duqu Framework

2012-03-10 Thread William Pitcock
VC++ generates code like this when used with COM.  The COM implementation used 
on windows is compiler-assisted.  Basically to generate assembly like this, 
just you know, build code that uses COM (#using, various __declspec etc.)

William

On Mar 10, 2012, at 5:06 PM, Sanguinarious Rose 
sanguiner...@occultusterra.com wrote:

 Do you have any suggestions as to what C++ compiler could generate
 such code in such a case and how one could generate similar code that
 matches the decompiled parts? Granted their theory of a new language
 is moonbatty but I think they have the knowledge to recognize a common
 compiler.
 
 As for ctor and dtor, I am pretty sure they were marked by the
 researcher doing the decompiling or the decompiler and no such symbol
 names are in the executable. I would conclude as such for the other
 symbols named due to how they were named.
 
 I do agree on the new language being possibly the dumbest insane
 moonbat speculation of the year however I have heard a few other
 things that win over that hands down ;)
 
 On Sat, Mar 10, 2012 at 1:16 PM, William Pitcock
 neno...@systeminplace.net wrote:
 On 3/10/2012 9:00 AM, 夜神 岩男 wrote:
 On 03/10/2012 03:51 AM, f...@deserted.net wrote:
 
 http://www.securelist.com/en/blog/667/The_Mystery_of_the_Duqu_Framework
 
 Haven't seen this (or much discussion around this) here yet, so I
 figured I'd share.
 
   From the description, it looks like someone pushed some code from a
 Lisp[1] variant (like Common Lisp, which is preprocessed into ANSI C by
 GCL, for example, before compilation) into a C++ DLL. Normal in the
 deeper end of Linux dev or Hurd communities, but definitely not standard
 practice in any established industry that makes use of Windows.
 
 I could be wrong, I didn't take the time to walk myself through the
 decompile with any thoroughness and compare it to code I generate.
 Anyway, I have no idea the differences between how VC++ and g++ do
 things -- so my analysis would probably be trash. But from the way
 Mr. Soumenkov describes things it seems this, or something similar,
 could be the case and why the code doesn't conform to what's expected in
 a C++ binary.
 
 
 
 LISP would refer to specific constructor/destructor vtable entries as
 cons and there would be no destructor at all.  The structs use vtables
 which refer to ctor and dtor, which indicates that the vtables were
 most likely generated using a C++ compiler (since that is standard
 nomenclature for C++ compiler symbols).  It pretty much has to be
 Microsoft COM.  The struct layouts pretty much *reek* of Microsoft COM
 when used with a detached vtable (such as if the implementation is
 loaded from a COM object file).  The fact that specific vtable entries
 aren't mangled is also strong evidence of it being Microsoft COM (since
 there is no need to mangle vtable entries of a COM object due to type
 information already being known in the COM object).
 
 If it looks like COM, smells like COM, and acts like COM, then it's
 probably COM.  It certainly isn't some new programming language like
 Kaspersky says.  That's just the dumbest thing I've heard this year.
 
 William
 
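William's two messages describe the shape he is pointing at: a struct whose first member is a pointer to a detached table, IUnknown's three entries at the top of that table, no symbol mangling on the entries, and ctor/dtor-like routines that allocate and free the object. The block below reproduces that layout in plain C, the way C clients and servers have always talked COM, rather than with VC++'s #using/__declspec support, so it compiles on any platform. It is an added example, not code from the thread or from any analysed binary: IID_IUnknown is the real interface ID, while ICounter, IID_ICounter and the Counter object are constructed for the demo, and the calling convention is left at the platform default instead of the __stdcall real x86 COM uses.

```c
/* Added example (not from the thread): the COM object layout in plain C.
 * IID_IUnknown is real; ICounter/IID_ICounter/Counter are made up. The
 * GUID/HRESULT types are re-declared locally so this builds without SDK headers. */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

typedef struct { uint32_t Data1; uint16_t Data2, Data3; uint8_t Data4[8]; } GUID;
typedef long HRESULT;
#define S_OK            ((HRESULT)0L)
#define E_NOINTERFACE   ((HRESULT)0x80004002L)

/* {00000000-0000-0000-C000-000000000046}: the one IID every COM object answers to. */
static const GUID IID_IUnknown = { 0x00000000, 0x0000, 0x0000, { 0xC0,0,0,0,0,0,0,0x46 } };
/* Constructed IID for the demo interface; not a registered one. */
static const GUID IID_ICounter = { 0x12345678, 0x1234, 0x5678, { 0x9a,0xbc,0xde,0xf0,0x11,0x22,0x33,0x44 } };

static int guid_equal(const GUID *a, const GUID *b) { return memcmp(a, b, sizeof(GUID)) == 0; }

struct ICounter;
/* The vtable. The first three slots are always QueryInterface/AddRef/Release,
 * in this order; that fixed prefix is what makes a table recognisable as COM. */
typedef struct ICounterVtbl {
    HRESULT       (*QueryInterface)(struct ICounter *self, const GUID *riid, void **out);
    unsigned long (*AddRef)(struct ICounter *self);
    unsigned long (*Release)(struct ICounter *self);
    long          (*Increment)(struct ICounter *self);
} ICounterVtbl;

/* Interface pointer: its only member is lpVtbl, so the table sits at offset 0. */
typedef struct ICounter { const ICounterVtbl *lpVtbl; } ICounter;

/* Implementation object: interface header first, private state after it. */
typedef struct Counter {
    ICounter      iface;   /* lpVtbl at offset 0 */
    unsigned long refs;
    long          value;
} Counter;

static HRESULT Counter_QueryInterface(ICounter *self, const GUID *riid, void **out)
{
    if (guid_equal(riid, &IID_IUnknown) || guid_equal(riid, &IID_ICounter)) {
        *out = self;
        self->lpVtbl->AddRef(self);       /* QI hands out an owned reference */
        return S_OK;
    }
    *out = NULL;
    return E_NOINTERFACE;
}
static unsigned long Counter_AddRef(ICounter *self) { return ++((Counter *)self)->refs; }
static unsigned long Counter_Release(ICounter *self)
{
    Counter *c = (Counter *)self;
    unsigned long n = --c->refs;
    if (n == 0) free(c);                  /* the "dtor": object frees itself at zero */
    return n;
}
static long Counter_Increment(ICounter *self) { return ++((Counter *)self)->value; }

/* Detached vtable: one static table shared by every instance. Nothing here is
 * mangled; these are ordinary C symbols, as William notes for COM entries. */
static const ICounterVtbl Counter_Vtbl = {
    Counter_QueryInterface, Counter_AddRef, Counter_Release, Counter_Increment,
};

/* The "ctor": allocate, point lpVtbl at the shared table, start at one reference. */
ICounter *Counter_Create(void)
{
    Counter *c = calloc(1, sizeof *c);
    if (!c) return NULL;
    c->iface.lpVtbl = &Counter_Vtbl;
    c->refs = 1;
    return &c->iface;
}

/* Client side: every call goes through lpVtbl, exactly as a C COM client does. */
long client_demo(void)
{
    ICounter *p = Counter_Create();
    void *q = NULL;
    if (!p) return -1;
    p->lpVtbl->Increment(p);
    p->lpVtbl->Increment(p);
    if (p->lpVtbl->QueryInterface(p, &IID_IUnknown, &q) == S_OK)
        ((ICounter *)q)->lpVtbl->Release((ICounter *)q);   /* drop the extra ref */
    long v = p->lpVtbl->Increment(p);     /* 3 */
    p->lpVtbl->Release(p);                /* last reference: object is freed */
    return v;
}

/* What an analyst checks in a memory dump: lpVtbl at offset 0 and the
 * IUnknown triple in the first three slots. */
int layout_matches_com(void)
{
    return offsetof(Counter, iface) == 0
        && offsetof(ICounterVtbl, QueryInterface) == 0
        && offsetof(ICounterVtbl, AddRef) == sizeof(void *)
        && offsetof(ICounterVtbl, Release) == 2 * sizeof(void *);
}
```

Set next to the OO C example earlier in the thread, the two layouts differ only in the fixed IUnknown prefix and the self-freeing Release; that prefix, plus QueryInterface comparing 16-byte GUIDs, is the tell that distinguishes "COM in C or VC++" from "some hand-rolled object system", and it is checkable from a disassembly without any symbols at all.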

Re: [Full-disclosure] The Mystery of the Duqu Framework

2012-03-10 Thread Christian Sciberras
At this point, I think someone (possibly the guys at securelist) ought to
define 'new programming language'.
By new I take it the writers would have created their own language. While
far from impossible, it's quite improbable.
It's possible someone out there decided something can't be achieved in any
language, and thus have created their own.

On the other hand, by 'new' it seems many people seem to relate to
'unconventional languages' as well.
There are many languages out there, some are far from anything related to
C++ (as much as the C++ fanboys want us not to believe).
So the mere speculation that it looks like 1% C++ here and there
simply hinders actual serious investigation.

I can think of at least 3 different languages not mentioned on securelist
nor on FD. I didn't suggest any of them simply because
I don't know what they generate (I'm not proficient in either of them) but
I do know they do not rely on any C++ compiler.




2012/3/11 Sanguinarious Rose sanguiner...@occultusterra.com

 Do you have any suggestions as to what C++ compiler could generate
 such code in such a case and how one could generate similar code that
 matches the decompiled parts? Granted their theory of a new language
 is moonbatty but I think they have the knowledge to recognize a common
 compiler.

 As for ctor and dtor, I am pretty sure they were marked by the
 researcher doing the decompiling or the decompiler and no such symbol
 names are in the executable. I would conclude as such for the other
 symbols named due to how they were named.

 I do agree on the new language being possibly the dumbest insane
 moonbat speculation of the year however I have heard a few other
 things that win over that hands down ;)

 On Sat, Mar 10, 2012 at 1:16 PM, William Pitcock
 neno...@systeminplace.net wrote:
  On 3/10/2012 9:00 AM, 夜神 岩男 wrote:
  On 03/10/2012 03:51 AM, f...@deserted.net wrote:
 
 
 http://www.securelist.com/en/blog/667/The_Mystery_of_the_Duqu_Framework
 
  Haven't seen this (or much discussion around this) here yet, so I
  figured I'd share.
 
  From the description, it looks like someone pushed some code from a
   Lisp[1] variant (like Common Lisp, which is preprocessed into ANSI C by
   GCL, for example, before compilation) into a C++ DLL. Normal in the
   deeper end of Linux dev or Hurd communities, but definitely not standard
   practice in any established industry that makes use of Windows.
  
   I could be wrong, I didn't take the time to walk myself through the
   decompile with any thoroughness and compare it to code I generate.
   Anyway, I have no idea the differences between how VC++ and g++ do
   things -- so my analysis would probably be trash. But from the way
   Mr. Soumenkov describes things it seems this, or something similar,
   could be the case and why the code doesn't conform to what's expected in
   a C++ binary.
 
 
 
  LISP would refer to specific constructor/destructor vtable entries as
  cons and there would be no destructor at all.  The structs use vtables
  which refer to ctor and dtor, which indicates that the vtables were
  most likely generated using a C++ compiler (since that is standard
  nomenclature for C++ compiler symbols).  It pretty much has to be
  Microsoft COM.  The struct layouts pretty much *reek* of Microsoft COM
  when used with a detached vtable (such as if the implementation is
  loaded from a COM object file).  The fact that specific vtable entries
  aren't mangled is also strong evidence of it being Microsoft COM (since
  there is no need to mangle vtable entries of a COM object due to type
  information already being known in the COM object).
 
  If it looks like COM, smells like COM, and acts like COM, then it's
  probably COM.  It certainly isn't some new programming language like
  Kaspersky says.  That's just the dumbest thing I've heard this year.
 
  William
 

Re: [Full-disclosure] The Mystery of the Duqu Framework

2012-03-10 Thread coderman
On Sat, Mar 10, 2012 at 3:36 PM, William Pitcock
neno...@systeminplace.net wrote:
 VC++ generates code like this when used with COM.  The COM implementation 
 used on windows is compiler-assisted.  Basically to generate assembly like 
 this, just you know, build code that uses COM (#using, various __declspec 
 etc.)

they call this kickin' it old skewl you fuckin' newbs...

also, making it uber-portable. which for a framework, you want it to be

;P



Re: [Full-disclosure] The Mystery of the Duqu Framework

2012-03-10 Thread coderman
2012/3/10 夜神 岩男 supergiantpot...@yahoo.co.jp:
 ...
  From the description, it looks like someone pushed some code from a
 Lisp[1] variant (like Common Lisp, which is preprocessed into ANSI C by
 GCL, for example, before compilation) into a C++ DLL.

you're hilarious!!

... but keep the day job.



Re: [Full-disclosure] The Mystery of the Duqu Framework

2012-03-10 Thread Valdis . Kletnieks
On Sat, 10 Mar 2012 14:16:26 CST, William Pitcock said:
 If it looks like COM, smells like COM, and acts like COM, then it's
 probably COM.  It certainly isn't some new programming language like
 Kaspersky says.  That's just the dumbest thing I've heard this year.

So what you're saying here is that there's a lot of people accepting
security advice and/or software from professionals who wouldn't recognize
a COM object if it came up and bit them on the butt...




Re: [Full-disclosure] The Mystery of the Duqu Framework

2012-03-10 Thread coderman
On Sat, Mar 10, 2012 at 8:04 PM,  valdis.kletni...@vt.edu wrote:
...
 So what you're saying here is that there's a lot of people accepting
 security advice and/or software from professionals who wouldn't recognize
 a COM object if it came up and bit them on the butt...


c'mon valdis, if anyone you should know how short the attention span of
the IT community is.

everything old is new again, like fashion.

le sigh...



Re: [Full-disclosure] The Mystery of the Duqu Framework

2012-03-10 Thread coderman
On Sat, Mar 10, 2012 at 8:24 PM, coderman coder...@gmail.com wrote:

 everything old is new again, like fashion.

and you can kick it old skewl without {---C000-0046}

;)



Re: [Full-disclosure] The Mystery of the Duqu Framework

2012-03-10 Thread William Pitcock
On 3/10/2012 10:04 PM, valdis.kletni...@vt.edu wrote:
 On Sat, 10 Mar 2012 14:16:26 CST, William Pitcock said:

 If it looks like COM, smells like COM, and acts like COM, then it's
 probably COM.  It certainly isn't some new programming language like
 Kaspersky says.  That's just the dumbest thing I've heard this year.
  
 So what you're saying here is that there's a lot of people accepting
 security advice and/or software from professionals who wouldn't recognize
 a COM object if it came up and bit them on the butt...


Either that or it's intentional misinformation.  Whichever is worse is 
for the users of Kaspersky products to decide, I suppose.

William
