Industry Trends

Virus Bulletin 2016 Denver Wraps Up

By Floser Bacurio Jr. and Rommel Joven | October 18, 2016

VB 2016 Conference was held this year at the Hyatt Regency Hotel in Denver, CO, USA. This conference is an annual event where IT security researchers from around world gather to share their knowledge, learn, and discuss trends in the global threat landscape. This year we had the privilege to attend as well as meet, hang out with, and share ideas with some of the field’s top researchers.

The conference scheduled a great lineup of speakers and presentations, so it was tough to pick which topic to attend. We are going to share some here some of the talks that we found to be the most interesting.

Wave Your False Flags! Deception Tactics Muddying Attribution in Targeted Attacks

As researchers with a high interest in attribution, we found the talk of Brian Bartholomew and Juan Andres Guerrero-Saade (Security Researchers from Kaspersky Labs), was an eye opener about the fact that attribution is not easy as it looks. In their presentation they took a look at the current state of attribution in targeted attack research and cases of manipulation of indicators by attackers attempting to mislead researchers.

Thanks to good attribution and threat intelligence, we have seen cases where it leads to the arrest of the threat actors. Just this past July, for example, with the collaboration of security vendors, Interpol was able to track and arrest the person behind thousands of online scams in Nigeria.

However, not all attribution leads to the perpetrator and often times it leads to nothing because of fabricated indicators. Knowing this, attribution must be done with caution since misattribution can have an immense negative impact.  More realistically, there will almost never be a solid enough attribution claim for everyone to get behind. Rather, the combination of multiple indicators helps researchers make an educated determination of the trustworthiness or accuracy of a claim.

For more information on the talk and a number of cases of manipulation that showcases the abuse currently being exploited by attackers in the wild, you can download a copy of the paper here

Challenges and Approaches of Cracking Ransomware

Since Ransomware has dominated the threat landscape lately, we were curious about what would be discussed in this talk. It seemed like a great chance to get some insights which we could possibly use in the future to better see and respond to with ransomware.

Hasherezade, a malware analyst from Malwarebytes, pointed out that to be able to crack ransomware, you need to hunt its weak point. It was also mentioned that visualization can help to identify encryption algorithm. For instance, if an encrypted file has high entropy and visible no pattern, then it often ] uses stream cipher. At the same time, if it has low entropy,[a pattern is visible, and then it uses block cipher.

The speaker also gave some tips and tricks on how to hunt its weak point. One fast check is to dump the key from the malware’s memory. Another example was to determine if the key used for encryption is strongly generated or not. With this information, adecoder can be implemented. But even with new tools for addressing and neutralizing ransomware, Hasherezade pointed out that the most important is still prevention.

For more details you about this topic, you can download the presentation here.

Locky Ransomware

Last but not the least, it was a privilege to be able to present our research on Locky ransomware. We shared our latest findings in monitoring and analyzing, as well as intelligence extraction, like harvesting Locky configuration. Hopefully this will encourages] other researchers to come up with ideas to efficiently deal with Locky. If you are interested in this topic, check out the details from our paper and slides.

It was a great experience as first timers to deliver a presentation at a big conference. Event like this provide a good opportunity to learn new ideas and compare our current standing in the industry. Even though we needed to cope with 1° – 20° Celcius weather, which is very cold to folks from a tropical country, we really enjoyed the event. Hopefully, we can participate again at the next VB 2017, which will be held in Madrid.

If you are keen to see other presentations from this year’s conference, you can download them here

-=FortiGuard Lion Team=-