Friday, October 1, 2010


I just attended my first Virus Bulletin Conference. Luckily it was in Vancouver, just a few hours north of Seattle, so it was an easy drive.   This was also my first time in Vancouver (more than a few hours) and I can say that this is a very beautiful, friendly and modern city with some fantastic food.  We also had a nice room with a fantastic view.

So the conference.

The keynote was by Nick Bilogorskiy of Facebook.  He got into all the evil ways your FB account can be jacked and what the crooks would do with it.  He got into Koobface a bit with hints that those responsible are in the cross-hairs. Graham Cluely blogged a nice summary here.  Take-away: If you must use FB, make sure you use the built-in tools to warn you if your account profile is altered.

First up after the keynote in the Corporate track was Ray Pompon, who is quite the handsome and intelligent fellow.  He did a fantastic job of breaking down how the FBI takes down a malware author.    He had to start late because of the keynote but he made his points well during both the talk and the Q&A.   (disclosure - I am Ray Pompon and this review might be a little biased)

Paul Boccas of Sophos got in some good PDF malware analysis and provided the perfect set up for an Adobe joke when he asked "Is there anyone from Adobe here?" with the response from the crowd "It's a security conference!"   Adobe is indeed the new "Microsoft" when it comes to being a security whipping boy.  The more things change, the more they stay the same.

Websense's Don Hubbard did a fantastic job of scaring the crap out of me with his breakdown of how easily it is to juice search engine results and plant fake news with links to malicious sites.    Highly recommend reading his slides if/when they are available.

I stayed late and caught a great vendor presentation from ESET on under-reporting in the financial sector.  The big problem is that banks tend to record customer stolen account fraud as "other" on the SARs.   Of course banks are incentivized to point the blame finger outside their institution (and in this case, it's partially justified) but in the end, everyone loses.   For more on bank shenanigans regarding misrepresenting risk please see The Headlines for the Past Two Years.

Gunter Ollmann's talk on measuring bot-net numbers was great.  TLDNR - bot-net numbers are misrepresented.  Why?  First, the bot-net operators themselves lie for obvious monetary reasons.  Second, what is considered a bot?  There are lots of categories that are not created equal.  1) Infected victims (the usual number reported) but may not have working rootlets.  2) Members - infected and root kitted but not under C&C.  3) Taskable - the subset of members under C&C but control is time or function limited.  and finally 4) Fully controlled zombies.   Each category is often an order of magnitude smaller than the previous category.   There's a meta-lesson there too - never take simple numbers at face value.  You need to dig deeper and understand what is being measured and how.

This led me to conclude just how generally misrepresented and misunderstood our numbers are in InfoSec.   Botnet numbers are inflated.  Bank customer fraud is under-reported.  Malware victims are under-reported (my talk).  We security folk have a serious problem here.  Not just a lack of actionable intelligence but these bad numbers just undermine our already shaky credibility with the business types.  Take heart, there are solutions out there.  Alex, I'm looking at you and your VERIS

Speaking of misunderstood, there was the Symantec Stuxnet talk.   Granted, these guys did a great job of forensics reverse engineering the SCADA payload embedded in the rootkit.  You've probably seen all the tweets, posts, and video from the presentation so I won't add much more.  Suffice to say that it was all very exciting to have news cameras rolling and an excited crowd… only to be confused and deflated (ha) by "theoretical" demo of an attack with some bizarre speculation thrown into the mix.  I wish more infosec folks would study basic intelligence analysis techniques before they attempt to speak in public about such matters.

It also gave me pause to think about Stuxnet and what it means.  It is indeed a very sophisticated piece of weaponized software.  This was no mere criminal malware and almost certainly the work of a (cough, cough) APT. Heck, even the United States could be the APT in this case.  But what does this say about the future of malware?   Will we security folks be ducking and cleaning the blowback and friendly fire of APT's shooting high-powered malware at each other.  Hey, we're all on the same Internet and it's all inter-connected.  Can we at least agree to play nice at a governmental level?   KTHX

Buried in all this, there was a diamond in the rough of a talk by Safensoft on ATM malware defenses.  The talk was the defensive response to the Barnaby Jack talk on Jackpotting an ATM.  Turns out that ATMs are heavily used in Russian for many things, including bill payment for consumers. In Russia, ATM takes your money. This makes them more heavily used and relied upon.  And of course, a lot of the ATMs are just Windows XP SP2 boxen with some ATM code running on it… and many on a network.   Based on this, it was no surprise to find that lots of Russian ATMs were "jackpotted" in 2009.  So Barnaby Jack wasn't just doing bleeding-edge proof-of-concept, he was reporting "old news".    Safensoft, a traditional anti-piracy company, was forced to use a different malware defense approach because ATM hardware was too slow for the usual AV big-blacklist-of-doom approach.  Instead, they went with a white-list focus with heavy integrity checking around program flow.  Sounds like a road map for the future of general AV to me.

General chatting at vendor booths and with other delegates revealed an interesting new fact to me.  As I'm not a deep malware guy, I did not realize just how few anti-X engines are out there.  There are the big guys like Symantec, McAfee, etc and then a lot of OEM and engine-licensing going on with other companies on top of that.  It does make me fear a little bit of a monoculture vulnerability but on the other hand, blacklist collection is tough, tough work.

Other conferences bonuses:
- Gratuitous use of 80's music on Hotel speakers between talks

- Lots of cool accents - Russian, Cockney, Hindi, Irish, Chinese.

- Lots of cool people attached to those accents.  It was a pleasure to meet so many smart and funny geeks in the malware field from all over the world. 

- Hordes of Microsofties attending - their first full year with a real AV product.  Yet overall, their talks were pretty tame.  One of the presenters actually did a magic trick during his talk.  But it was still a psych-101 talk aimed at novice infosecers.

- The Stuxnet balloon pop / May-9-1979 press by Symantec provided rich fodder for jokes… which the Symantec folks laughed along with like good sports.

- A cool presenter gift from the VB folks

No comments: