The hallowed ground of kick-ass, targeted and zero-day malware hunting has previously been reserved for the few security researchers who either were lucky enough to stumble upon something truly unique, or who spend their time collecting and reversing large numbers of samples from lots of fed-up public and private enterprises whose useless anti-malware solutions had completely failed. In a world where incident response team members responsible for finding bad juju on enterprise networks are fighting a seriously uphill battle, we can’t spend anywhere from 2 to 4 hours analyzing each piece of suspect malware. Real-time / runtime analysis of suspect binaries on the host is challenging due to injection, hooking, and other adversarial subversion techniques. Static analysis on the host is equally a pain because the static traits of packed and obfuscated malware too closely match those of legitimate binaries. Looking up all kinds of information across the global security community is valuable – but what really matters? And what about sandboxing – what are the pros and cons, and the dos and don’ts? This technical session will show B-Sides London attendees how to up their game and dramatically shrink the time required to identify and prioritize zero-day and targeted malware using a combination of four automated techniques: file (static) analysis, network forensics, community reputation and sandboxing. The use of the “kick ass malware hunter” title following completion of this session is optional, but highly recommended.