Dailydave mailing list archives
Upstream
From: Dave Aitel <dave () kof immunityinc com>
Date: Tue, 7 Jul 2009 23:35:15 -0400
So exploits are hard. Not just "these days" but always hard. It's gritty low level work. Lots of people consider it "grunt work" and think they're above it or beyond it - even unconsciously. But deep down a working exploit, and not a paper or presentation, is still the undisputed mark of success. In a way, this is why the process works best when in teams. If people see that it's _customary_ to do the grunt work of reversing another allocation algorithm, and spending a month figuring out how to take advantage of it, then they'll do it.

I'm packing to head back to the States, but here are my final thoughts on SyScan Taipei:

1. Lots more women here than at any technical conference I've been to recently. I'm not sure why. SyScan Taipei is a large conference - at least 250 people, probably more. There's a big community here, although it's hard to interact if you don't speak Chinese.

2. "Birdman", one of the speakers, talked for a while about a malware classification and defense system he's been working on. It does a number of things. The talk was in Chinese, but I think I grasped most of it:

   1. It goes into every process and calculates a list of the DLLs inside it, and uses inference to try to figure out which ones are explicitly requested to be there. If a DLL is in the process but not loaded explicitly, it puts it into a gray list.
   2. Everything in the gray list is analyzed for behavior somehow and run through some simple heuristics. These generate some numbers.
   3. The numbers are used for classification - anything similar to a known malware is classified as malware. In this sense it generates "families" of malware.

   It's similar to VxClass from Zynamics, but without using structural information (to my knowledge). Birdman's system has some flaws (i.e. would not catch MOSDEF, etc.) but everything does and it's not high cost in terms of resources.

3. If you get the chance, head up to the volcano and drink while looking down at the city. It's expensive, but awesome.

-dave
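The three-step pipeline Dave describes (gray-list the modules that nothing explicitly requested, reduce each gray module to a few heuristic numbers, then classify by distance to known families) is easy to sketch as a toy. The block below is an added illustration, not Birdman's code and not anything shown at SyScan. It assumes that "explicitly requested" means the transitive closure of the executable's import table over a per-DLL dependency map, that behaviour heuristics are already summarised as integer counts per module, and that family prototypes are plain feature vectors compared by Euclidean distance. All process snapshots, module profiles and family prototypes are constructed inline.

```python
"""Toy model of a gray-list + heuristic-similarity malware classifier.

Added example: every dataset below is constructed, no live process is inspected,
and the feature names and distance threshold are assumptions for illustration.
"""
from dataclasses import dataclass
from math import sqrt

# Heuristic behaviour counters that stand in for "some simple heuristics".
FEATURES = ("net", "registry", "hooks", "injection", "persistence")


@dataclass(frozen=True)
class ProcessSnapshot:
    name: str
    loaded_dlls: frozenset          # every module present in the process
    explicit_imports: frozenset     # modules named in the executable's import table


def explicitly_requested(snap, dependencies):
    """Infer the set of modules the process legitimately pulled in: the import
    table plus everything those modules themselves import (transitively).
    `dependencies` maps a DLL name to the DLLs it imports (constructed here)."""
    wanted, todo = set(), list(snap.explicit_imports)
    while todo:
        dll = todo.pop()
        if dll in wanted:
            continue
        wanted.add(dll)
        todo.extend(dependencies.get(dll, ()))
    return wanted


def gray_list(snap, dependencies):
    """Modules that are in the process but cannot be traced to an explicit import."""
    return sorted(snap.loaded_dlls - explicitly_requested(snap, dependencies))


def feature_vector(traits):
    """Turn a module's heuristic counters into a fixed-order numeric vector."""
    return tuple(traits.get(f, 0) for f in FEATURES)


def distance(a, b):
    return sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def classify(vec, families, threshold=1.5):
    """Return (family, distance) for the nearest known family, or (None, distance)
    when nothing is close enough to call it a member of any family."""
    name, proto = min(families.items(), key=lambda kv: distance(vec, kv[1]))
    d = distance(vec, proto)
    return (name if d <= threshold else None, d)


def analyze(snap, dependencies, profiles, families):
    """Run the full pipeline for one process: gray-list, featurise, classify."""
    verdicts = {}
    for dll in gray_list(snap, dependencies):
        traits = profiles.get(dll)
        if traits is None:
            verdicts[dll] = ("no-profile", None)   # never analysed; stays gray
            continue
        family, d = classify(feature_vector(traits), families)
        verdicts[dll] = (family or "unclassified", round(d, 2))
    return verdicts


# --- constructed sample data -------------------------------------------------
DEPENDENCIES = {                       # assumed DLL -> DLLs it imports
    "kernel32.dll": {"ntdll.dll"},
    "user32.dll": {"gdi32.dll", "kernel32.dll"},
}
PROFILES = {                           # assumed heuristic counters per module
    "hooker.dll": {"net": 3, "hooks": 2, "injection": 1},
    "helper.dll": {"registry": 1},
}
FAMILIES = {                           # assumed family prototypes
    "family_a": (3, 0, 2, 1, 0),
    "family_b": (0, 2, 0, 0, 3),
}
SAMPLE = ProcessSnapshot(
    name="app.exe",
    loaded_dlls=frozenset({"ntdll.dll", "kernel32.dll", "user32.dll", "gdi32.dll",
                           "hooker.dll", "helper.dll", "mystery.dll"}),
    explicit_imports=frozenset({"kernel32.dll", "user32.dll"}),
)

if __name__ == "__main__":
    for dll, verdict in analyze(SAMPLE, DEPENDENCIES, PROFILES, FAMILIES).items():
        print(f"{SAMPLE.name}: {dll} -> {verdict}")
```

The transitive-closure step is what keeps ntdll.dll and gdi32.dll off the gray list even though the executable never names them; the point Dave raises about MOSDEF-style payloads is visible here too, since an injected payload that never shows up as a module at all produces no gray-list entry and therefore no verdict.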