Tuesday, August 4, 2009

Black Hat Recap

Wow... it's been a few months since I last posted. Sorry about that! Things have been nuts IRL which has kept me away from posting, but if you actually read my blog you'll be happy to know I have some things lined up.

Last week I had the opportunity to attend Black Hat USA in Las Vegas. While I won't go over every single talk I attended, the highlights are below.

Advanced Malware Deobfuscation - This was actually a training course written by Scott Lambert and Jason Geffner. The course is essentially about the different techniques used to unpack malware, an area I needed some training on. If you know how to RE and are comfortable in a debugger, I highly recommend this course.

Win at Reversing - This talk was given by Nick Harbour from Mandiant on a new tool called API Thief. When performing behavioral analysis of a malware sample, the analyst typically wants to see what calls the malware is making and uses a program like Process Monitor to do so. The problem with this is that only system calls are grabbed, which misses some potentially important API calls. Nick's tool uses inline hooking to record API calls instead of system calls. This allows the analyst to get more information and potentially do some tricks to unpack the software. I'm going to be checking out the tool more to see how I can utilize it. Currently it can be downloaded at http://rnicrosoft.net.

Reverse Engineering by Crayon - The next talk was on performing hypervisor-based malware analysis and visualization. Essentially, the presenters used software called Ether, which integrates with a Xen VM in order to perform malware analysis. To be honest, I had not looked into using Xen for sandnets, but after this presentation I think it has a lot of promise and will be doing some more research into it. All of the slides and notes are posted on http://offensivecomputing.net.

Fast & Furious Reverse Engineering with TitanEngine - This was the last talk of the con I attended and it really didn't get the attention it deserved. TitanEngine is an open-source SDK and framework the authors are releasing which is used to perform and automate a large number of tasks needed when unpacking malware. The framework is very impressive in what it can do and how mature it is for something that is just being released. The presenters gave a number of live demos of programs written with the framework being used to unpack programs. The last demo they gave was done using Themida, a packer which is notoriously difficult to unpack. They packed a sample program during the presentation, turning on all capabilities of the packer, and then unpacked it in a few seconds with a program they made with TitanEngine. This is definitely a program I will be looking into. http://titan.reversinglabs.com

I had a great time at Black Hat and met a lot of people. Unfortunately, I wasn't able to stay for Defcon but maybe another year.
