Dailydave mailing list archives

Upstream


From: Dave Aitel <dave () kof immunityinc com>
Date: Tue, 7 Jul 2009 23:35:15 -0400

So exploits are hard. Not just "these days" but always hard. It's gritty low
level work. Lots of people consider it "grunt work" and think they're above
it or beyond it - even unconsciously. But deep down a working exploit and
not a paper or presentation is still the undisputed mark of success. In a
way, this is why the process works best when in teams. If people see that
it's _customary_ to do the grunt work of reversing another allocation
algorithm, and spending a month figuring out how to take advantage of it,
then they'll do it.

I'm packing to head back to the States, but here are my final thoughts on
SyScan Taipei:

1. Lots more women here than at any technical conference I've been to
recently. I'm not sure why. SyScan Taipei is a large conference - at least
250 people, probably more. There's a big community here, although it's hard
to interact if you don't speak Chinese.

2. "Birdman", one of the speakers talked for a while about a malware
classification and defense system he's been working on. It does a number of
things. The talk was in Chinese, but I think I grasped most of it:
    1. It goes into every process and calculates a list of the DLLs inside
it, and uses inference to try to figure out which ones are explicitly
requested to be there. If a DLL is in the process but not loaded explicitly,
it puts it into a gray list.
    2. Everything in the gray list is analyzed for behavior somehow and run
through some simple heuristics. These generate some numbers.
    3. The numbers are used for classification - anything similar to a known
malware is classified as malware. In this sense it generates "families" of
malware. It's similar to VxClass from Zynamics, but without using structural
information (to my knowledge).

Birdman's system has some flaws (i.e. would not catch MOSDEF, etc.) but
everything does and it's not high cost in terms of resources.

3. If you get the chance, head up to the volcano and drink while looking
down at the city. It's expensive, but awesome.

-dave
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
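Added example, not code from Dave's post and not Birdman's system: a toy model of the three stages described in point 2, on constructed data. Stage 1 takes a process's loaded-module list and a static import table, closes the import table transitively over a small assumed OS baseline, and gray-lists whatever was loaded but never named. Stage 2 turns each gray-listed module into a feature vector with a handful of constructed heuristics (unsigned, high entropy, networking, injection and persistence API imports). Stage 3 picks the nearest known family by Euclidean distance and reports "unknown" past a cutoff. Every module name, API set, family profile and threshold below is made up for the example.

```python
"""Toy of a gray-list -> heuristics -> family-similarity pipeline (added example)."""
from dataclasses import dataclass, field
from math import sqrt

# --- Stage 1: gray-list modules that are loaded but not explicitly imported ---

# Constructed OS allow-list: modules assumed present in every process regardless of imports.
OS_BASELINE = {"ntdll.dll", "kernel32.dll", "kernelbase.dll", "user32.dll", "advapi32.dll"}

# Constructed static import tables (module -> modules it names explicitly).
IMPORTS = {
    "app.exe": {"kernel32.dll", "user32.dll", "ws2_32.dll", "msvcrt.dll"},
    "ws2_32.dll": {"ntdll.dll"},
    "msvcrt.dll": {"ntdll.dll"},
}

def expected_modules(exe, imports=IMPORTS, baseline=OS_BASELINE):
    """Transitive closure of explicit imports starting at the executable, plus the baseline."""
    seen, stack = set(baseline), [exe]
    while stack:
        m = stack.pop()
        if m in seen:
            continue
        seen.add(m)
        stack.extend(imports.get(m, ()))
    return seen

def gray_list(exe, loaded, imports=IMPORTS):
    """Loaded modules nobody asked for by name: the candidates for closer analysis."""
    expected = expected_modules(exe, imports)
    return sorted(m for m in loaded if m not in expected)

# --- Stage 2: simple heuristics per gray-listed module -> numeric feature vector ---

@dataclass
class ModuleInfo:
    name: str
    signed: bool
    entropy: float                            # average section entropy, 0..8 (constructed)
    apis: set = field(default_factory=set)    # API names the module imports (constructed)

HEURISTICS = [
    ("unsigned", lambda m: 0.0 if m.signed else 1.0),
    ("packed",   lambda m: 1.0 if m.entropy > 7.0 else 0.0),
    ("net",      lambda m: float(any(a in m.apis for a in ("connect", "send", "recv", "InternetOpenA")))),
    ("inject",   lambda m: float(any(a in m.apis for a in ("WriteProcessMemory", "CreateRemoteThread")))),
    ("persist",  lambda m: float(any(a in m.apis for a in ("RegSetValueExA", "CreateServiceA")))),
]

def features(m):
    """Apply every heuristic; the result is the vector the classifier sees."""
    return [f(m) for _, f in HEURISTICS]

# --- Stage 3: nearest known family, or "unknown" if nothing is close enough ---

KNOWN_FAMILIES = {   # constructed family profiles in the same feature order as HEURISTICS
    "FamilyA": [1, 1, 1, 0, 1],   # unsigned, packed, talks to the network, persists
    "FamilyB": [1, 0, 1, 1, 0],   # unsigned, talks to the network, injects into processes
}

def dist(a, b):
    return sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def classify(vec, families=KNOWN_FAMILIES, cutoff=1.0):
    """Return (family, distance); anything farther than cutoff from every profile is 'unknown'."""
    best = min(families, key=lambda n: dist(vec, families[n]))
    d = dist(vec, families[best])
    return (best if d <= cutoff else "unknown", d)

def triage(exe, loaded, infos, imports=IMPORTS):
    """Run all three stages; returns {module: (family_or_unknown, distance)}."""
    return {m: classify(features(infos[m])) for m in gray_list(exe, loaded, imports)}

# Constructed snapshot of one process: everything below is sample data, not real indicators.
SAMPLE_LOADED = {"app.exe", "ntdll.dll", "kernel32.dll", "kernelbase.dll", "user32.dll",
                 "advapi32.dll", "ws2_32.dll", "msvcrt.dll",
                 "hook.dll", "updater_helper.dll", "vendor_overlay.dll"}
SAMPLE_INFO = {
    "hook.dll": ModuleInfo("hook.dll", signed=False, entropy=6.1,
                           apis={"WriteProcessMemory", "CreateRemoteThread", "connect"}),
    "updater_helper.dll": ModuleInfo("updater_helper.dll", signed=False, entropy=7.4,
                                     apis={"connect", "send", "RegSetValueExA"}),
    "vendor_overlay.dll": ModuleInfo("vendor_overlay.dll", signed=True, entropy=5.2,
                                     apis={"CreateWindowExA"}),
}

if __name__ == "__main__":
    print("gray list:", gray_list("app.exe", SAMPLE_LOADED))
    for name, (family, d) in triage("app.exe", SAMPLE_LOADED, SAMPLE_INFO).items():
        print(f"{name:22s} {features(SAMPLE_INFO[name])} -> {family} (distance {d:.2f})")
```

Two things the toy makes visible that the talk summary only implies. The gray list is a prefilter, not a verdict: vendor_overlay.dll lands on it simply because nothing imported it by name, and it is the distance cutoff in stage 3 that keeps it out of a family. And stage 1 only sees what appears in the process's module list, so code that runs without ever becoming a loaded module never reaches stages 2 and 3 at all, which is the kind of gap the post's "would not catch MOSDEF" remark points at.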
