What I'm seeing at Blackhat
Posted by Jon Larimer on July 21, 2010 at 12:25 AM EDT.
BlackHat Las Vegas is coming up soon, and a few people from our team and I will be out there. Aside from hanging out with old friends, having a few drinks and playing some blackjack, I'm also planning on attending some of the presentations. There are a lot of good talks on the schedule this year (especially the ones from Chris Valasek and Tom Cross!). As a malware researcher, I'm mostly interested in the talks on reverse engineering and malware analysis. These are the ones I'm planning to see:
Malware Freak Show 2010: The Client-Side Boogaloo. This talk from Nicholas Percoco and Jibran Ilyas from Trustwave SpiderLabs will be showing off some custom malware they found on various engagements around the world. We’ve seen a wide variety of custom malware using a ton of different techniques here on the X-Force, so it’ll be interesting to see what others have run into.
Malware Attribution: Tracking Cyber Spies and Digital Criminals. Greg Hoglund, who literally wrote the book on Windows Rootkits, will be presenting some techniques to track down the origins of malware samples. This type of information can be very useful during forensic investigations.
Adventures in Limited User Post Exploitation. Nathan Keltner and Tim Elrod will discuss what can be accomplished with code execution vulnerabilities on non-Administrator Windows accounts. Malware already makes use of many techniques to achieve persistence with limited access to the OS, and if any new techniques are presented here you can be sure that they’ll show up in malware soon.
Blue Screen of Death is Dead. Matthieu Suiche is going to present his MoonSols Windows Memory Toolkit, which aims to make it easier to collect and convert Windows memory and crash dumps. Tools like this are important in forensic investigations.
Voyage of the Reverser: A Visual Study of Binary Species. Sergey Bratus and Greg Conti will introduce “visual dictionaries” of binary structures. This knowledge could provide insight into other unknown binary structures that forensic investigators and malware researchers run into daily.
TitanMist: Your First Step to Reversing Nirvana. Mario Vuksan and Tomas Pericin (from ReversingLabs) are releasing TitanMist, an open source collaborative reverse engineering tool based on their TitanEngine toolkit. This collection of tools and signatures should make reversing malware samples a bit easier, so I’m very interested in this talk. Also, Tomas owes me a t-shirt for cracking the ReversingLabs Summer Challenge.
Virt-ICE: Next Generation Debugger for Malware Analysis. Quynh Nguyen Anh will introduce Virt-ICE, a VM-based debugger (using QEMU) that uses dynamic binary instrumentation and VM introspection techniques to become “undetectable”. While the goal of being undetectable is unrealistic, this tool could become a very important part of a malware researcher’s toolkit.
dirtbox, a highly scalable x86/Windows Emulator. Georg Wicherski is presenting a high performance malware analysis tool that emulates Windows at the syscall level. There are some interesting techniques he uses to achieve high performance and to avoid detection. This was also presented at ph-neutral and REcon, but I missed those so I’m looking forward to seeing this at BlackHat.