
M-unition

The Ammunition You Need to Find Evil and Solve Crime

About Us

Welcome to M-unition, the MANDIANT blog. Here we share our insights about the tools we create and use to find evil and solve crime.

Blackhat 2009 – Heading to Vegas

Written by Peter Silberman

It’s getting to that time of year where everyone packs up a week’s worth of clothing, checks their health insurance, gathers up phone numbers of friends flying in, and makes the trip to Las Vegas for Blackhat/Defcon.

This year Stephen Davis, Nick Harbour and I will be presenting at Blackhat and Defcon. Nick will be giving a talk called “Win at Reversing: Tracing and Sandboxing through Inline Hooking.” This talk should be great: not only is Nick a great public speaker and a PowerPoint ninja, he is also very smart. Having gotten a sneak peek at his tool, I can say it’s very cool. The tool is called API thief. Yes, hooking and API spying have been done before, but not like this, and not by someone who is so keenly aware of how malware tries to subvert, detect and prevent analysis. API thief has a plug-in framework that gives users the potential to extend its features. It has the potential to be useful in many different areas, such as vulnerability finding (think a combination of process stalking and data tracking) and malware analysis. If you’re on my flight, you’ll probably see me writing some plug-ins for it.

Stephen Davis and I are going to be presenting a talk on the Metasploit track called “Metasploit Autopsy: Reconstructing the Scene of the Crime.” This talk will be unique not just in content but also in structure. Our talk will start with Steve actually exploiting the box that we are running our slides off of. Steve will run a bunch of meterpreter commands on the presentation box, then terminate the session. We will give our entire talk off the exploited machine (it’s a VM host-only connection, so stop thinking those thoughts). The talk will cover everything from basic memory analysis/acquisition to how attackers communicate with meterpreter, how those packets look in memory, and everything in between. We will conclude the talk with a discussion of how our proof-of-concept tool, the Metasploit Forensic Framework (MSFF), works, and then demonstrate it working on the presentation machine. Remember how I said at the beginning that Steve will exploit the machine and run meterpreter commands? Well, at the end of our talk (some 40-50 minutes later) we will try to find those commands in memory, along with the associated data passed back and forth between attacker and victim. It should be a fun talk. Obviously the demo has the potential to go south, but don’t people watch racing for the crashes?

If you can’t make it to either Nick’s talk or ours, feel free to grab us anytime. We’ll be hanging around the conference and bars. We’re always more than happy to chat about pretty much anything, from our love of the website http://thisiswhyyourefat.com, to our Skype bots, to the Advanced Persistent Threat and anything in between.

24 Jul 09 | The Whiteboard

