
M-unition

The Ammunition You Need to Find Evil and Solve Crime

About Us

Welcome to M-unition, the MANDIANT blog. Here we share our insights about the tools we create and use to find evil and solve crime.

Join us for The Fresh Prints of Mal-Ware Webinar Series: Explosion of the Axis of Evil!

Written by Peter Silberman

In September I had the chance to speak at Source Barcelona with Ero Carrera. We gave a talk entitled State Of Malware: Explosion of the Axis of Evil. Both Ero and I really enjoyed giving this talk and the content is so new, we’ve decided to give it again as a free webinar on Nov 5th at 2pm. You’ll get the same content, and Ero and I will be speaking. You’ll also get the added bonus of getting to ask us questions.

I know you’re wondering, ‘Should I be interested in this talk?’ The answer is unequivocally yes. First, you get to hear my and Ero’s angelic voices, which alone is worth the price of admission (free).

Second, this talk runs the gamut of information. Ero will discuss volume: how much VirusTotal sees on a day-to-day basis. He will also cover popular families (I bet you can’t guess which is the most popular, and no, it doesn’t start with my and end in doom). Ero will also discuss obfuscation: what trends VirusTotal is seeing, what kinds of packers, etc.

I will discuss the Advanced Persistent Threat, specifically speaking about the malware these attackers leave behind. I will discuss how the malware commonly behaves, what it can look like, and why it’s so hard to catch these guys.

You will get interesting statistics like what percent of APT backdoors are detected by any engine VirusTotal supports. You might also see a statistic like what percent of APT uses encryption when communicating.

We’ll cover information that can be interesting to a network administrator trying to protect his company, a CSO who wants to understand the threat landscape better, forensicators who are trying to catch these guys, malware analysts who are curious about behavior, and those who just want to hear our voices!

Hope you guys can join us for a good time. I know Ero and I really enjoyed giving this talk at Source Barcelona and are looking forward to doing it again.

You can sign up for the webinar here.


26 Oct 09 | General

State Of Malware: Explosion of the Axis of Evil, slides etc

Written by Peter Silberman

Last week Ero Carrera and I spoke at Source Barcelona. As I mentioned previously on this blog, we were both very excited to give this talk. The talk went very well! We could not have asked for a better audience. The conference itself was also a blast, and I recommend Barcelona to anyone and everyone.

We’ve gotten around to uploading the slides. They include all the statistics we came up with for this talk. When you review the slides, take a look at slide 16 “Complexity of Mydoom” and slide 17 “Complexity of Kraken.” These two slides depict control flow graphs of the popular malware Kraken and MyDoom. Notice how much functionality is crammed into these binaries. For an antivirus company, that’s a lot of data and bytes to work with to generate a successful signature.

Now look at slide 44 “Sample BA”; it’s the control flow graph of an APT sample. Notice some differences? Our hope is that this talk gets people thinking about the different types of threats that different malware families pose to organizations, as well as the clear differences between APT and mass malware.


05 Oct 09 | General

Source Barcelona: State Of Malware: Explosion of the Axis of Evil

Written by Peter Silberman

On Tuesday, September 22nd, Ero Carrera and I will be giving a talk at Source Barcelona entitled State Of Malware: Explosion of the Axis of Evil. I am very excited to give this talk for a number of reasons. First, I’ve only heard amazing things about the Source conference. Second, well, it’s Barcelona. Finally, this talk is one of a kind. I promise you this type of talk has never been given before.

The talk is made up of two completely different perspectives in the battle against malware. Ero is the CRO at VirusTotal (also a researcher with Zynamics). VirusTotal processes tens of thousands of pieces of malware a day. VirusTotal’s perspective is unique; few if any companies process the amount of malware VirusTotal processes. Ero will give you statistics on what VirusTotal is seeing, such as the trends in packing, how many samples it processes, and information about families it is tracking. This will be the first time these statistics will be made public.

I will be speaking from MANDIANT’s perspective. Our perspective differs from VirusTotal’s in that we only deal with very high value targets and very specific custom-written malware. It is no secret that MANDIANT is at the forefront of fighting the Advanced Persistent Threat (APT). Daily we are collecting and analyzing malware that has never seen the light of day. We have never given out details about the individual pieces of malware we’ve collected, and furthermore we’ve never given out statistics on how our overall collection of APT malware behaves. In this talk, you will receive all kinds of good information, such as what percentage of APT outbound communication is encrypted vs. plain text, or what percentage of APT is actually persistent on the host vs. run once. Some of the statistics I’ll be releasing may be very surprising, but also very enlightening.

Our talk will conclude with Ero and me doing our best Ollie the Weatherman interpretation of where we think malware will evolve over the next year or two, and what we can do about it. I’m excited to give this talk because it’s a step away from what Ero and I usually present, and the content is so unique. If you’re unable to attend the conference, look for the slides on our website. Hope to see you there! If you want to meet up for a beer, e-mail me at peter.silberman@mandiant.com.


17 Sep 09 | General