During registration, it became evident that most of the event attendees represented anti-virus companies. I ventured towards the main hall for the opening keynote speech by Kenneth Geers, the U.S. Representative of the NATO Cooperative Cyber Defence Centre of Excellence (CCD CoE). Kenneth’s talk revolved around strategies to mitigate cyber-attacks. He reflected on the far-reaching implications of the Internet in our everyday lives, and cited how information exchange can bring about political and military changes to a nation. As our dependence on the Internet grows, governments must make proportional investments in network security, incident response, technical training, and international collaboration. He then listed four strategies required to mitigate cyber-attacks: IPv6, the Art of War, deterrence and arms control.
Following Kenneth’s speech, I took in one of the 15-30 minute overview talks that were part of the HITB SIGINT series. The talk was titled “Compiling Features for Malicious Binaries” by Muhammad Najmi Ahmad Zabidi, a PhD student. Muhammad touched on using Python as the main tool to analyze malware binaries. He combined different open-source malware analysis tools written in Python to devise a complete malware analysis process. He mentioned that the three key aspects to consider when analyzing malware are API calls, virtual machine detectors and outbound connections.
I then attended two particular sessions on the analysis of mobile malware and one about profiling dangers in social networks. The first mobile malware session was entitled “Reverse Engineering Android Malware,” presented by Mahmud Ab Rahman of MyCERT. The other session, “Mobile Malware Analysis,” was hosted by Alex Kirk, a senior member of Sourcefire VRT. Both speakers stressed the importance of using the AndroidManifest.xml file as a starting point in analyzing mobile malware. This manifest contains essential information about an Android application, including the permissions it must declare in order to access the Android API. Both gentlemen also emphasized looking at suspicious API permissions requested by the application as a starting point of the analysis. Alex cautioned that, based on his study, the median number of permissions is 7 for malicious applications and 3 for legitimate applications. He did note that some legitimate applications can have more than 7 permission requests.
Mahmud and Alex presented case studies of different malware samples. Alex added a discussion of the two methods of analysis, static and dynamic. He enumerated the pros and cons of each method but also mentioned that both can be combined to come up with a better analysis of the malware. Alex ended his talk by saying, “With the increasing number of smartphones, chances are high, their use as ‘standard’ bots will grow.”
My day ended with an enlightening talk from Marco ’embyte’ Balduzzi, PhD Researcher with EURECOM. Marco pointed out how human profiling can be achieved by mining user profiles from social networking sites like Facebook, LinkedIn and Twitter. Relying on a single e-mail address can make it easy to map various social networking profiles back to an individual, allowing spammers to launch targeted attacks. Profiling can also be used to conduct recursive queries of user profiles via e-mail fuzzing. Profiling enables spammers to know your age, beliefs, preferences, gender, relationship status, and so much more. Marco’s team created an automated profiling system and managed to collect behavioral and demographic statistics about a sampled set of users. One curious statistic was that 12% of the users profiled pretend to be of the opposite gender online.
The day started with a keynote speech from Jennifer S. Granick, an attorney who has represented several high profile hackers. Jennifer discussed Internet privacy, secrecy, freedom and power. She reflected on the transitory nature of information before the advent of the Internet. Now, however, track records are being compiled to create long-lasting, digital footprints. She even exclaimed that “Certain constraints of personal privacy and government secrecy have been dissolved.”
Two sessions on automated malware analysis followed, which, at the time, related heavily to a project I was working on within zveloLABS. The first talk, titled “Automated Binary Analysis” by MyCERT, discussed a tool called MyKotakPasir that automatically analyzes a binary sample submitted through a web interface built on a Python + Django framework. I assumed Python was also used to write the program that passed the submitted binary to the virtual machine. Inside the virtual machines were likely more Python scripts that monitored changes in the registry, processes, files and network connections. This tool is still being enhanced with support for a multi-platform analysis environment and for “timewarp” analysis, wherein the time or date is altered to see if the malware behaves differently.
Xandora is another tool for automated malware analysis, developed by KaiJern Lau of Panda Security. KaiJern introduced the tool and mentioned that sandboxing is a great way to run untrusted code within an isolated, locked-down environment. He chose not to use any of the available sandbox solutions like GFI Sandbox and NormanSandbox because of their limitations, which range from inadequate processing speed to the lack of reporting capabilities. KaiJern implemented different software and hardware accelerations in order to achieve an optimized virtual machine fork. This enabled him to attain the optimum number of 20 virtual machines running at the same time using QEMU on a machine with an 8-core processor and 16GB of RAM. It is interesting to note that Xandora is subdivided into three main modules: pre-processing, where steps such as the MD5 check and AV scanning are conducted; the execution of the binary in a virtual machine; and the post-processing of the file, registry, process and network logs. He did not provide much detail about the implementation of the sandbox, which is to be expected.
Both MyKotakPasir and Xandora have analysis frameworks similar to the current behavioral analysis service in zvelo’s ThreatHound™ automated and real-time malicious website detection systems. The main difference is that ThreatHound performs both static and dynamic analysis on a suspected malicious URL rather than on a binary sample. zvelo is continuously enhancing the detection capabilities of this system in order to identify known and emerging web threats. It is extremely important that an automated malware analysis system or process is in place. The sheer number of malware samples collected each day makes it impossible to manually analyze each one. By the time one gets to the last sample, a new variant of the malware has already cropped up. This holds especially true for malicious URLs. Analysis turnaround and responsiveness are crucial when analyzing hundreds of thousands of malicious samples.
In between the two sessions on automated malware analysis, I absorbed an amusing lecture on steganography. Paul S. Ziegler, an IT security tester and researcher, presented “Steganographic AVI Filesystem for Fun and Profit.” Paul presented a clever way of using an AVI file to hide your data and make it inaccessible to others through steganography. Why steganography and not cryptography? Paul stated that the mere presence of encrypted data raises the suspicion that you are hiding something. Steganography, on the other hand, hides the data in a manner that no one would suspect. Paul used AVI because it is very common and has a simple structure. He utilized the gap between the video data and the index as storage for the hidden data.
In order to easily hide the data in the AVI container, Paul developed mariaFS, a FUSE-based file system. He jokingly revealed that mariaFS was initially called pornFS, but someone had registered that name already. Paul demonstrated how to add files into the AVI filesystem without breaking the original video: the AVI file remains playable by media players even with the contents stored inside it. To accomplish this, he exploited the fact that media players only read the data referenced by the index vector of the AVI file structure. Therefore, data added to the AVI file but not listed in the index table will not be read by media players. Paul’s presentation certainly made a positive impression on me.
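As an added illustration of why players never see the extra bytes (my own example, not Paul's mariaFS code): the parser below walks a constructed minimal AVI, collects the regions the idx1 index references and reports any bytes inside the movi LIST that no index entry covers, which is where such hidden data would sit and what a defender would look for. It assumes the common convention that idx1 offsets are relative to the 'movi' fourcc.

```python
import struct

def build_sample_avi(hidden=b""):
    """Constructed minimal AVI (not a playable file from the talk): a movi LIST holding
    one indexed '00dc' frame chunk, optionally followed by unindexed bytes, then idx1."""
    hidden += b"\x00" * (len(hidden) % 2)          # RIFF payloads are padded to even length
    frame = b"\x00" * 8
    movi_body = b"movi" + b"00dc" + struct.pack("<I", len(frame)) + frame + hidden
    movi = b"LIST" + struct.pack("<I", len(movi_body)) + movi_body
    # one idx1 entry: ckid, flags (AVIIF_KEYFRAME), offset of the chunk header
    # relative to the 'movi' fourcc, chunk data size
    entry = b"00dc" + struct.pack("<III", 0x10, 4, len(frame))
    idx1 = b"idx1" + struct.pack("<I", len(entry)) + entry
    body = b"AVI " + movi + idx1
    return b"RIFF" + struct.pack("<I", len(body)) + body

def unindexed_movi_ranges(avi):
    """Return [(start, end)] byte ranges inside the movi LIST that no idx1 entry covers."""
    if avi[:4] != b"RIFF" or avi[8:12] != b"AVI ":
        raise ValueError("not a RIFF/AVI file")
    pos, end = 12, 8 + struct.unpack_from("<I", avi, 4)[0]
    movi_start = movi_end = None
    indexed = []
    while pos + 8 <= end:                           # walk the top-level chunks
        fourcc, size = avi[pos:pos + 4], struct.unpack_from("<I", avi, pos + 4)[0]
        if fourcc == b"LIST" and avi[pos + 8:pos + 12] == b"movi":
            movi_start, movi_end = pos + 8, pos + 8 + size
        elif fourcc == b"idx1":
            for off in range(pos + 8, pos + 8 + size, 16):
                _ckid, _flags, chunk_off, chunk_size = struct.unpack_from("<4sIII", avi, off)
                indexed.append((chunk_off, chunk_size))
        pos += 8 + size + (size & 1)
    if movi_start is None:
        raise ValueError("no movi LIST found")
    # Assumption: idx1 offsets are relative to the 'movi' fourcc (the usual convention);
    # each indexed chunk spans an 8-byte header plus its data, padded to even length.
    covered = sorted((movi_start + o, movi_start + o + 8 + s + (s & 1)) for o, s in indexed)
    gaps, cursor = [], movi_start + 4               # skip the 'movi' fourcc itself
    for start, stop in covered:
        if start > cursor:
            gaps.append((cursor, start))
        cursor = max(cursor, stop)
    if movi_end > cursor:
        gaps.append((cursor, movi_end))
    return gaps

if __name__ == "__main__":
    sample = build_sample_avi(b"hidden payload!!")
    print(unindexed_movi_ranges(sample))            # [(40, 56)]
```

A clean file yields an empty list; on a real AVI you would also want to reconcile the hdrl stream count and the idx1 entries against the chunks actually present in movi, which this minimal sample omits.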
Overall, Hack in the Box was a great experience. It was refreshing to learn tricks of the trade from other esteemed information security professionals, and I look forward to making this conference an annual habit.