Archive for March, 2010
Black Hat Europe 2010 Schedule
The schedule is out!
http://www.blackhat.com/html/bh-eu-10/bh-eu-10-schedule.html
My talk will be at the end of day two, from 16:45 till 18:00. In parallel there are sessions by Moxie Marlinspike and Thanassis Giannetsos. Too bad I will miss those, but good luck guys!
New malware tactics: locking botnet agents
It will not surprise you that malware authors keep coming up with new techniques to make it hard for us researchers to analyze the malware they create. In this ongoing battle they have now borrowed a technique that many software vendors have used for years to lock a licensed copy of a program to one machine, and are applying it to their malware.
How does it work:
- When a victim is infected by the initial dropper, it unpacks its components, hides the malicious payload files and finally starts the actual botnet agent.
- Once the agent is running, it checks for an Internet connection. After that check passes it takes a quick inventory of the computer, e.g. MAC address, CPU ID, OS version etc.
- The agent then connects for the first time to the Command and Control server of the botnet, registers the victim's computer and sends the gathered system data along with it.
- The Command and Control server answers with a new, custom-built agent based on that unique system data. The old agent is removed and the new 'locked' agent is installed. This agent is tied to this particular victim and will not run on any other computer.
- The 'new' agent connects to a second Command and Control server of the botnet, and the victim's computer is fully under the control of the botnet crew.
Botnet and malware authors use this technique to keep their samples away from anti-virus vendors. Because every victim receives a different binary, a static signature taken from one sample will not match the next one, and a locked sample collected from one machine will not even run in a lab or sandbox whose MAC address, CPU ID or OS differ from the victim's. A solution will not be easy: the anti-virus guys must rethink the techniques they currently rely on for sample analysis and signature generation.
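To make the locking step concrete, here is a small Python model of it. This is an added example written for this post, not code taken from any real botnet or from the original post; the host identifiers, salt values and payload are constructed. The agent hashes the collected MAC address, CPU ID and OS version into a fingerprint, the C2 side derives a per-victim key from that fingerprint plus a salt, and the agent body only unlocks when the fingerprint of the machine it runs on matches. A SHA-256 counter keystream with an HMAC check stands in for whatever cipher a real agent would use.

```python
import hashlib
import hmac
import os

SALT_LEN, TAG_LEN = 16, 32


def host_fingerprint(mac: str, cpu_id: str, os_version: str) -> bytes:
    """Agent side: hash the identifiers the post lists (MAC, CPU ID, OS) into one value."""
    material = "|".join([mac.lower(), cpu_id.lower(), os_version])
    return hashlib.sha256(material.encode()).digest()


def _keystream(key: bytes, length: int) -> bytes:
    """SHA-256 in counter mode; a stand-in cipher so the example needs only the stdlib."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, key: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


def lock_agent(payload: bytes, fingerprint: bytes, salt: bytes = None) -> bytes:
    """C2 side: build the per-victim agent. The key is derived from the victim's
    fingerprint and a fresh salt, so the same payload yields different bytes per victim."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    key = hashlib.sha256(salt + fingerprint).digest()
    body = _xor(payload, key)
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return salt + tag + body


def unlock_agent(blob: bytes, fingerprint: bytes):
    """Agent side (or an analyst holding the victim's real identifiers): return the payload,
    or None when the host fingerprint does not match the one the blob was locked to."""
    salt = blob[:SALT_LEN]
    tag = blob[SALT_LEN:SALT_LEN + TAG_LEN]
    body = blob[SALT_LEN + TAG_LEN:]
    key = hashlib.sha256(salt + fingerprint).digest()
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        return None
    return _xor(body, key)


def shared_windows(a: bytes, b: bytes, window: int = 8) -> int:
    """Count window-sized substrings two blobs have in common: what a naive byte
    signature extracted from sample a could hook onto in sample b."""
    grams = {a[i:i + window] for i in range(len(a) - window + 1)}
    return sum(1 for i in range(len(b) - window + 1) if b[i:i + window] in grams)


if __name__ == "__main__":
    # Constructed identifiers: the infected host and an analyst's sandbox VM.
    victim = host_fingerprint("00:1a:2b:3c:4d:5e", "BFEBFBFF000306A9", "Windows XP SP3")
    sandbox = host_fingerprint("00:0c:29:aa:bb:cc", "BFEBFBFF000306A9", "Windows XP SP3")
    payload = b"constructed stand-in for the bot's real code"
    locked = lock_agent(payload, victim)
    print("runs on victim :", unlock_agent(locked, victim) == payload)
    print("runs in sandbox:", unlock_agent(locked, sandbox))
    other = lock_agent(payload, host_fingerprint("00:1a:2b:3c:4d:5f", "BFEBFBFF000306A9", "Windows 7"))
    print("signature-able bytes shared:", shared_windows(locked, other))
```

Two things follow directly from the model: the blobs produced for the same payload share no byte sequence, so a signature cut from one victim's sample never hits another's, and the blob refuses to unlock on a sandbox with a different MAC. An analyst therefore either spoofs the victim's identifiers in the lab VM or recovers them from the infected machine and unlocks the sample with those, as unlock_agent does here.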
Competition: spot the celeb
It is well known that many of us (myself included) use social media. A lot has already been written about security and privacy on this kind of media. Many people post their moments on Twitter, often illustrated by pictures taken with their mobile phones. There is a nice, interesting (forensic) thing about pictures taken with an iPhone: they include GPS data. Let me show you an example:
Last year I was in Senegal for my job and over there I took the following picture:
(I know it's a blurry image, but the smell of rotten <->>>-< was far worse)
Images taken with digital cameras contain 'EXIF' data: in short, information about the picture such as time, date, camera brand etc. For forensic examination of pictures I mostly use the tool 'Exifviewer'. In this case I used it on the picture above:

The output of the tool showed some GPS data. Entering this data in Google Maps showed exactly the place where the picture was taken.
Noticing this, the following (evil) thought came up:
Many celebs post on Twitter and Facebook. I would like to organise a competition about spotting the celebs: crawl and search for tweets and pictures and examine them for GPS data.
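The GPS fields live in a GPS sub-IFD inside the Exif APP1 segment of the JPEG, stored as degree/minute/second rationals plus an N/S or E/W reference character. The following Python script is an added example for this post (it is not Exifviewer and not code from the original post): it walks the JPEG markers, parses the TIFF structure inside the Exif segment, and turns the GPS tags into decimal coordinates and a Google Maps link. Since the photo itself is not on the page, build_exif_jpeg constructs a minimal image-less JPEG with made-up coordinates in the Dakar area to run the parser against.

```python
import struct

GPS_IFD_POINTER = 0x8825                                 # IFD0 tag pointing at the GPS sub-IFD
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 1, 2, 3, 4  # tags inside the GPS sub-IFD
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}


def _exif_tiff(jpeg: bytes) -> bytes:
    """Walk the JPEG marker segments and return the TIFF blob inside the Exif APP1 segment."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg):
        marker, length = struct.unpack(">HH", jpeg[pos:pos + 4])
        if marker in (0xFFD9, 0xFFDA):           # end of image / start of scan: no more metadata
            break
        if marker == 0xFFE1 and jpeg[pos + 4:pos + 10] == b"Exif\x00\x00":
            return jpeg[pos + 10:pos + 2 + length]
        pos += 2 + length
    raise ValueError("no Exif APP1 segment")


def _read_ifd(tiff: bytes, offset: int, e: str) -> dict:
    """Parse one IFD into {tag: value}. Values larger than 4 bytes sit at an offset."""
    (count,) = struct.unpack_from(e + "H", tiff, offset)
    entries = {}
    for i in range(count):
        pos = offset + 2 + 12 * i
        tag, typ, n = struct.unpack_from(e + "HHI", tiff, pos)
        size = TYPE_SIZES.get(typ, 1) * n
        value_pos = pos + 8
        if size > 4:
            (value_pos,) = struct.unpack_from(e + "I", tiff, value_pos)
        raw = tiff[value_pos:value_pos + size]
        if typ == 2:                                   # ASCII
            entries[tag] = raw.rstrip(b"\x00").decode("ascii", "replace")
        elif typ == 5:                                 # RATIONAL: pairs of uint32
            parts = struct.unpack(e + "II" * n, raw)
            entries[tag] = [parts[k] / parts[k + 1] if parts[k + 1] else 0.0
                            for k in range(0, 2 * n, 2)]
        elif typ in (3, 4):                            # SHORT / LONG
            entries[tag] = list(struct.unpack(e + {3: "H", 4: "I"}[typ] * n, raw))
        else:
            entries[tag] = raw
    return entries


def dms_to_decimal(dms, ref: str) -> float:
    """Degrees/minutes/seconds plus N/S/E/W reference to signed decimal degrees."""
    deg, minutes, seconds = (list(dms) + [0.0, 0.0, 0.0])[:3]
    value = deg + minutes / 60 + seconds / 3600
    return -value if ref.upper() in ("S", "W") else value


def extract_gps(jpeg: bytes):
    """Return (lat, lon) in decimal degrees, or None if the picture carries no GPS tags."""
    tiff = _exif_tiff(jpeg)
    e = {b"II": "<", b"MM": ">"}[tiff[:2]]
    (ifd0_offset,) = struct.unpack_from(e + "I", tiff, 4)
    ifd0 = _read_ifd(tiff, ifd0_offset, e)
    if GPS_IFD_POINTER not in ifd0:
        return None
    gps = _read_ifd(tiff, ifd0[GPS_IFD_POINTER][0], e)
    if not all(t in gps for t in (GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON)):
        return None
    return dms_to_decimal(gps[GPS_LAT], gps[GPS_LAT_REF]), dms_to_decimal(gps[GPS_LON], gps[GPS_LON_REF])


def maps_url(lat: float, lon: float) -> str:
    return f"https://maps.google.com/?q={lat:.6f},{lon:.6f}"


def build_exif_jpeg(lat_dms, lat_ref, lon_dms, lon_ref) -> bytes:
    """Constructed test input: an image-less JPEG whose Exif APP1 holds only a GPS sub-IFD,
    laid out as a camera would write it (little-endian TIFF, IFD0 -> GPS IFD -> rational data)."""
    def entry(tag, typ, count, value):
        return struct.pack("<HHI", tag, typ, count) + value.ljust(4, b"\x00")

    def rationals(dms):
        return b"".join(struct.pack("<II", n, d) for n, d in dms)

    ifd0_off, gps_off, lat_off, lon_off = 8, 26, 80, 104
    tiff = b"II" + struct.pack("<HI", 42, ifd0_off)
    tiff += struct.pack("<H", 1) + entry(GPS_IFD_POINTER, 4, 1, struct.pack("<I", gps_off)) + b"\x00" * 4
    tiff += struct.pack("<H", 4)
    tiff += entry(GPS_LAT_REF, 2, 2, lat_ref.encode())
    tiff += entry(GPS_LAT, 5, 3, struct.pack("<I", lat_off))
    tiff += entry(GPS_LON_REF, 2, 2, lon_ref.encode())
    tiff += entry(GPS_LON, 5, 3, struct.pack("<I", lon_off))
    tiff += b"\x00" * 4 + rationals(lat_dms) + rationals(lon_dms)
    payload = b"Exif\x00\x00" + tiff
    return b"\xff\xd8" + b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload + b"\xff\xd9"


if __name__ == "__main__":
    # Made-up coordinates (Dakar area), stored the way a phone stores them: DMS rationals.
    photo = build_exif_jpeg([(14, 1), (41, 1), (3400, 100)], "N", [(17, 1), (26, 1), (48, 1)], "W")
    coords = extract_gps(photo)
    print(coords, maps_url(*coords))
```

Point it at a real photo with `extract_gps(open("IMG_0001.JPG", "rb").read())`; the same walk over IFD0 is where the other tags the post mentions (date, time, camera make) are found, so the privacy lesson applies to every picture uploaded with its Exif intact.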
RULE 1: I respect the privacy of any celeb/person: NO!!!! GPS data will be posted, and I ask you to do the same;
RULE 2: Send the name of the celeb including the Google Maps picture to: christiaan@securitybananas.com;
RULE 3: The top 50 celebs will be posted on this forum without GPS data; maybe with some fun pictures.
This competition is for fun and learning, and another try to make people aware of their digital traces.
Blackhat 2010 Europe Barcelona
Today I stayed in a hotel for my job. After a quick dinner I started to wrestle through my inbox. Suddenly I noticed an e-mail from Blackhat.
My paper was accepted and they invited me to speak in Barcelona about forensics and virtualization. After pinching myself and splashing a lot of cold water in my face I realized it is really true. I'm really thankful for the trust and the great chance. Praise the Lord for giving me these talents to use!
The rest of this month I don't want to be disturbed; I need to finish a whitepaper and a ppt, and meanwhile my small workshop about basic reverse engineering of malware also needs to be finished and taught. Maybe some more hours in a day, just for this month?