Thursday, July 02, 2009

Defcon 17 presentations

It's been a long time since I've posted here, and I'm sure anyone with this link left in their RSS feed is wondering if it's still live. The real news is that I have two upcoming presentations at Defcon 17 that should be a lot of fun. Both of these presentations are with other researchers with whom I have done a lot of past work.

"Making Fun of Your Malware" is sure to be a great time. In this talk MHL and I will walk through some of the funniest mistakes we've seen in malware. To put it in MHL's words:

Would you laugh if you saw a bank robber accidentally put his mask on backwards and fall into a manhole during the getaway, because he couldn't tell where he was going? Criminals do ridiculous things so often, it's impossible to capture them all on video. Rest assured, when the criminals are malware authors, we can still make fun of them through evidence found in pictures, binary disassemblies, packet captures, and log files. This talk evenly distributes technical knowledge and humor to present the funniest discoveries related to malware authors and the fight against their code.

Links:
http://www.defcon.org/html/defcon-17/dc-17-speakers.html#Ligh
http://volatility.tumblr.com/post/109305786/making-fun-of-your-malware

"0-day, gh0stnet and the inside story of the jbig2 debacle" is filled with intrigue, controversy, fun hacker hunting and lots of opinions. Steven Adair and I will be doing this talk together based on some work we did earlier in the year with the jbig2 0-day. This issue turned into a passionate debate around the merits of full disclosure, partial disclosure and lame vendor response. We'll be sure to keep the spirited discussion rolling as well as show some interesting connections between this vulnerability and the gh0stnet paper revealed earlier this year.

This talk is the story of 0-day PDF attacks, the now famous gh0stnet ring and the disclosure debacle of the Adobe JBIG2 vulnerability in January and February 2009. This is the story of international cyber-espionage using 0-days and the fierce debate over how to defend networks in the face of prolonged periods of exposure to unpatched vulnerabilities.

We seek to answer the following questions in this talk:

  • Who was behind the early 0-day attacks and are they the same as the gh0stnet report published in April 2009?
  • Did disclosure of the Adobe JBIG2 vulnerability have an impact on targeted attacks?
  • How effective were post-disclosure protections such as AV signatures, IDS signatures and workarounds?

Throughout the talk we dissect the 0-day artifacts and other events leading up to the partial disclosure of the JBIG2 vulnerability on February 19 by ShadowServer. Using a variety of 0-day PDF samples we will analyze the 0-day attacks and attempt to correlate them to the attackers discussed in the recent paper "Tracking GhostNet: Investigating a Cyber Espionage Network".

We will also look at the partial disclosure by ShadowServer and then full disclosure on the Sourcefire blog and assess the impact on targeted attacks. We will analyse the various malicious PDFs submitted to VirusTotal to determine their lineage and relationship to either the original 0-day exploit and gh0stnet or new attacks that sprang up in the wake of the disclosure. The analysis tools and techniques will be shared to aid future analysis efforts.

Links:
http://www.defcon.org/html/defcon-17/dc-17-speakers.html#Richard
