Earlier this month I was at EICAR 2010, a very nice conference, with interesting technical talks and nice people to discuss with. I can't resist posting a few brief notes and comments on the talks I enjoyed the most:
**Parasitics: The Next Generation** - Vitaly Zaytsev, Josh Phillips, Abishek Karnik

The authors note that viruses are increasingly well protected against reverse engineering and, in their talk, they mainly presented a recent trend, which consists in using a Virtual Machine (in the "Java" sense of the word, not the "VMware" one) to make the analyst's life miserable... The Virtual Machines use their own instruction sets, not always the same instructions for the same operations, encrypt and obfuscate the bytecode, use different architectures (RISC, CISC...) etc. They illustrated those techniques with 3 viruses found in the wild: W32/Xpaj, W32/Winemmem and W32/Induc. Interesting and technical talk.
**Entropy, the new vision** - Zdenek Breitenbacher

With such a title, I was frightened this would get into maths and Shannon, but the talk was so educational - with Lego bricks - that I wouldn't have noticed. The idea in this paper is to recognize a given polymorphic malware based on the typical entropy/code density that it generates. The computation of 'local entropy' basically consists in counting, for each byte, the number of identical bytes next to this byte (if you don't understand, read the paper ;)). Of course, this is only one way among others to detect malware, but it looks like it showed promising results on known viruses such as Virut, and it seems simple enough to implement in most AV products.
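To make that "count the identical bytes next to each byte" idea a bit more concrete, here is a small toy I wrote for this post; it is not the authors' code and it is only my simplified reading of the talk. It computes, for each byte, how many of its neighbours within a window hold the same value, turns those counts into a normalised histogram (the "profile"), and then classifies an unknown buffer by picking the closest known profile. The window size, the histogram representation and the L1 distance are my assumptions; the paper's exact definition may well differ. The sample buffers (a run of zero padding and a buffer of all-distinct bytes) are constructed for the example.

```python
"""Toy 'local code density' profiling, inspired by the EICAR 2010 entropy talk.

Added illustration for this post, not the paper's algorithm. Assumptions:
a symmetric window of +/- `window` bytes, a histogram of neighbour counts as
the fingerprint, and an L1 distance between fingerprints.
"""
from collections import Counter


def local_density(data: bytes, window: int = 8) -> list:
    """For each byte, count how many neighbours within +/- window (the byte
    itself excluded) hold the same value. Returns one count per byte."""
    n = len(data)
    counts = []
    for i, b in enumerate(data):
        lo = max(0, i - window)
        hi = min(n, i + window + 1)
        same = sum(1 for j in range(lo, hi) if j != i and data[j] == b)
        counts.append(same)
    return counts


def density_profile(data: bytes, window: int = 8) -> list:
    """Normalised histogram: entry k is the fraction of bytes that have
    exactly k identical neighbours, for k in 0 .. 2*window."""
    hist = Counter(local_density(data, window))
    total = len(data) or 1
    return [hist.get(k, 0) / total for k in range(2 * window + 1)]


def profile_distance(p: list, q: list) -> float:
    """L1 distance between two profiles (0.0 means identical)."""
    return sum(abs(a - b) for a, b in zip(p, q))


def classify(sample: bytes, references: dict, window: int = 8) -> str:
    """Return the name of the reference profile closest to the sample.
    `references` maps a name to a profile built with density_profile()."""
    sample_profile = density_profile(sample, window)
    return min(references, key=lambda name: profile_distance(sample_profile, references[name]))


# Constructed reference material: a padding-like run of zeros (very dense)
# and a buffer where every byte differs from its neighbours (zero density).
PADDING = b"\x00" * 64
DISTINCT = bytes(range(256))

REFERENCES = {
    "padding-like": density_profile(PADDING),
    "high-entropy-like": density_profile(DISTINCT),
}


if __name__ == "__main__":
    # A constructed unknown buffer: two long runs, mostly padding-like.
    unknown = b"\x00" * 40 + b"\x01" * 24
    print("local density of b'aab', window 1:", local_density(b"aab", 1))
    print("unknown buffer classified as:", classify(unknown, REFERENCES))
```

In a real product you would of course build the reference profiles from known samples of a family (Virut was the example in the talk) rather than from synthetic buffers, and you would want a threshold below which no family is reported, so that the closest-profile rule does not turn every random buffer into a detection.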
**CJ-Unpack: Efficient Runtime Unpacking System** - Cristian Lungu, Marius Botis

Basically, this paper presented a new generic unpacker. Unlike other unpackers, it focuses on finding the beginning of the malicious code, instead of finding the end of the packer (e.g. ThunRTMain identifies the beginning of VB-compiled code). The unpacker seemed to show reasonably good results (around 80%) even if it cannot be perfect. In particular, it has more difficulty with some specific compilers. To be honest, this presentation was just after mine, so I was kind of on another planet and did not manage to memorize and understand all of it...
**Typhoid Adware** - Daniel Medeiros Nunes de Castro, Eric Lin, John Aycock

This paper discusses a Proof of Concept attack, where a 'bad guy', for instance located in an Internet Cafe, would inject ads on the fly into videos the other (good) guys are trying to watch. The attack consists in (well known) ARP spoofing, and then (newer) modifying video frames on the fly. This is possible currently because video frames are not signed yet (planned for MPEG-7), and it is also helped by the fact that the resulting size of the video is not strongly checked. The analogy with Typhoid comes from the fact that, like the disease, it is possible to spread an infection (the ads) without showing any signs of infection.

Finally, I cannot resist mentioning my own presentation: "Symbian Worm Yxes: Towards Mobile Botnets?", for which I was very proud to receive the Best Paper Award :) I am not sure all the audience was fully awake that morning (first talk after the gala!) nor all that familiar with Symbian mobile phones, but I did get some positive feedback and hope people were amazed at how much cleverer mobile malware is getting. Also, do not miss two important facts in the paper: the decryption of domain names used by the malware, and the silent downloading and installation of new variants of the worm.
-- the Crypto Girl