It's no secret that client-side attacks are a common source of compromise for many organizations. Web browser and e-mail borne malware campaigns target users by way of phishing, social engineering, and exploitation. Office suites from vendors such as Adobe and Microsoft are ubiquitous and provide a rich and ever-changing attack surface. Poor user awareness and clever social engineering tactics frequently result in users consenting to the execution of malicious embedded logic such as macros, JavaScript, ActionScript, and Java applets. In this talk, we'll explore a mechanism for harvesting a variety of these malware lures for the purposes of dissection and detection.
Worm charming (grunting or fiddling) is an increasingly rare real-world skill for attracting earthworms from the ground. A competitive sport in East Texas, most worm charming methods involve some vibration of the soil, which encourages the worms to surface. In our context, we'll apply a series of YARA rules to charm interesting samples to the surface from the ~1M files uploaded to Virus Total daily.
Once aggregated, we'll explore mechanisms for clustering and identifying "interesting" samples. Specifically, we're on the hunt for malware lures that can provide a heads up to defenders on upcoming campaigns as adversaries frequently test their lures against AV consensus. Multiple real-world examples are provided, proving that an astute researcher, can harvest zero-day exploits from the public domain.
Pedram Amini holds a computer science degree from Tulane University with minors in business, robotics, and mathematics. He began his professional career in 2002 as one of the founding members of iDEFENSE Labs, a security start-up in the Washington DC metro area which was acquired by Verisign in 2005. At iDEFENSE he architected and managed the Vulnerability Contributor Program (VCP) which consisted of a network of over 1,000 independent security researchers worldwide. In 2005 Pedram moved to Austin, Texas to create the Zero Day Initiative (ZDI, http://www.zerodayinitiative.com) under the network security company TippingPoint. Similar to the VCP, the ZDI is a program for rewarding independent researchers for responsibly disclosing security vulnerabilities. This program has grown to be the largest and most successful of its kind. In the 5 years that Pedram ran the program, it unearthed and helped patch over 1,100 critical security flaws with contributions from over 1,600 researchers worldwide... that trend continues today. TippingPoint was acquired by 3Com and later Hewlett-Packard. After the HP acquisition in 2010, Pedram founded and developed Jumpshot, a consumer product for out-of-band malware removal. A unique software solution, Jumpshot differed from typical malware removal products in that the potentially infected computer is actually turned off. Jumpshot then took control of the system hardware and cleaned viruses and other undesirables from a forensic viewpoint with crowd-driven support from the cloud. A portion of the system was granted US patent #8812832. Jumpshot was unveiled from stealth mode in July of 2012 on the crowdfunding site Kickstarter. Soon after releasing the software to the general public, driven by excellent reviews on the efficacy of the product, Jumpshot was acquired by Avast. In September of 2013 Jumpshot was re-branded as GrimeFighter and operates as high profit margin product for Avast today. Currently, Pedram focuses the majority of his time on InQuest (http://www.inquest.net). InQuest touts a proprietary Deep File Inspection (DFI) layer which provides a novel file-centric view over traditional network intrusion detection systems (NIDS). The platform provides value in attack prevention, breach detection, data leakage discovery, and threat hunting. Pedram has presented at BlackHat, DefCon, RECon, Ekoparty, Microsoft Bluehat, ShmooCon, ToorCon, and Virus Bulletin and taught numerous sold out reverse engineering courses.