How To Notice When You Are Re-Owned presented at t2 2010

by Halvar Flake (zynamics),

Tags: Security Others


Summary: This session discusses our research in the area of automated malware clustering and, more recently, the automated generation of large quantities of different byte signatures from real-world backdoors and rootkits.

Through automated graph-theoretical methods, code similarities between superficially different pieces of malicious software can be identified. Furthermore, these algorithms can be extended to extract "stable cores" for an entire family of malware -- portions of code that are, in some form or the other, present in all executables in a family.

From these stable cores, further algorithms can generate a large number of distinct byte signatures. These can be put to a number of amusing uses, from mutating byte signatures to performing a binary search (bsearch) across AV users to identify the malware authors; a range of applications will be discussed.
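As an added illustration of the pipeline sketched above (this is example code written for this page, not code from the talk or from zynamics): a toy Python sketch that masks immediates, intersects instruction n-grams across two constructed family samples to obtain a stable core, drops any n-gram also present in a constructed benign function, and emits several distinct wildcard byte signatures from what remains. All byte sequences, sample names and helper functions are constructed for the example.

```python
# Toy disassembly: each instruction is (opcode bytes, immediate bytes). Immediates vary
# between builds; opcodes carry the structure. All byte values are constructed for illustration.
def normalize(instrs):
    """Mask immediates so that superficially different variants compare equal."""
    return [(op, len(imm)) for op, imm in instrs]

def ngrams(seq, n):
    return {tuple(seq[i:i + n]) for i in range(len(seq) - n + 1)}

def stable_core(family, n):
    """Normalized instruction n-grams present in every member of the family."""
    core = None
    for sample in family:
        grams = ngrams(normalize(sample), n)
        core = grams if core is None else core & grams
    return core or set()

def to_hex_signature(gram):
    """Render an n-gram as a YARA-style wildcard hex pattern; immediate bytes become '??'."""
    parts = []
    for op, imm_len in gram:
        parts.extend(f"{b:02x}" for b in op)
        parts.extend(["??"] * imm_len)
    return " ".join(parts)

def generate_signatures(family, benign, min_n=2, max_n=3):
    """Many distinct signatures from one core (one per n-gram length and position),
    dropping n-grams that also occur in benign code as a false-positive filter."""
    sigs = set()
    for n in range(min_n, max_n + 1):
        benign_grams = set().union(*(ngrams(normalize(b), n) for b in benign))
        sigs |= {to_hex_signature(g) for g in stable_core(family, n) - benign_grams}
    return sorted(sigs)

def raw_bytes(instrs):
    return b"".join(op + imm for op, imm in instrs)

def sig_matches(sig, raw):
    """Scan raw bytes for a wildcard hex pattern."""
    pat = sig.split()
    return any(all(p == "??" or raw[i + j] == int(p, 16) for j, p in enumerate(pat))
               for i in range(len(raw) - len(pat) + 1))

# Constructed family: two builds of one stub differing in constants, call targets and padding.
PUSH_EBP, MOV_EBP_ESP, POP_EBP, RET, NOP = [(b, b"") for b in (b"\x55", b"\x8b\xec", b"\x5d", b"\xc3", b"\x90")]
def imm(op, v): return (bytes([op]), v)   # 0xb8 mov eax,imm32 / 0x35 xor eax,imm32 / 0xe8 call rel32
SAMPLE_A = [PUSH_EBP, MOV_EBP_ESP, imm(0xb8, b"\x01\x00\x00\x00"), imm(0x35, b"\x37\x13\x00\x00"), imm(0xe8, b"\x10\x00\x00\x00"), POP_EBP, RET]
SAMPLE_B = [PUSH_EBP, MOV_EBP_ESP, NOP, imm(0xb8, b"\x05\x00\x00\x00"), imm(0x35, b"\xef\xbe\xad\xde"), imm(0xe8, b"\x20\x01\x00\x00"), NOP, POP_EBP, RET]
BENIGN = [PUSH_EBP, MOV_EBP_ESP, imm(0xb8, b"\x00\x00\x00\x00"), POP_EBP, RET]
FAMILY = [SAMPLE_A, SAMPLE_B]
```

Calling `generate_signatures(FAMILY, [BENIGN])` yields three signatures of different lengths that all hit both family samples and miss the benign function; on real code the n-gram intersection would be taken over normalized basic blocks of the matched call graphs rather than over a flat instruction list.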

While this talk won't prevent you from getting owned, it might make it a little bit more complicated to re-own you with the same infrastructure.

Halvar Flake: Halvar Flake has been working on topics related to reverse engineering (and vulnerability research) for the last 11 years. He has repeatedly presented innovative research in the realm of reverse engineering and code analysis at various renowned security conferences (RSA, Blackhat Briefings, CanSecWest, SSTIC, DIMVA). Aside from his research activity, he has taught classes on code analysis, reverse engineering and vulnerability research to employees of various government organizations and large software vendors. Halvar founded zynamics in 2004 in order to further research into automation of reverse engineering and code analysis.