CARO Workshop 2010 – Day Two

Billy blogged yesterday about the first day of this year’s CARO conference. He has since developed a nervous tic whenever the words “exponential”, “growth” and “samples” are used in the same sentence. Luckily, today’s talks were much more upbeat. Instead of dwelling on the asymptotic apocalypse we’re all apparently hurtling towards, speakers presented case studies of some of the most interesting recent malware and practical methods for conducting analysis, classification and even testing.

Malware's exponential growth rate

Cristian Craioveanu of Microsoft kicked off the day with an analysis of the Aurora exploit attacks, supposedly launched from China and targeted at Google and several other high-profile companies. We blogged about this at the time and mentioned that Sophos’ BOPs technology would effectively prevent the exploit from causing any damage to our customers. Cristian laid out the complete timeline of the exploit and presented prevalence data which clearly showed that use of the exploit exploded after it was leaked to the public and subsequently made available in Metasploit.

That talk was followed up by another case study, this time by Peter Kruse and Dennis Rand of CSIS. They talked about a banking Trojan that they believed had stolen at least 2 million kroner from Danish banking customers and had also been used to attack banks in the US, Ireland, Greece and Holland. They gave the checksum of a sample in their talk and we can confirm that Sophos detects this family of banking Trojans as Troj/Alvabr-Gen.

F-Secure’s Jarno Niemela presented a thorough analysis of the use of digitally signed executables by malware authors, and found that in addition to simply copying the (invalidated) certificates of clean files, the bad guys had also been registering throwaway companies in order to properly sign their executables with various certificate authorities.

Armin Buscher of G Data showed off a fancy new web service for analysing malicious sites called MonkeyWrench. Considering that so much malware these days is spread via compromised or malicious websites, these types of tools are becoming very important.

After lunch things took a turn for the technical, with Felix Leder, Bastian Steinbock and Peter Martini from the University of Bonn describing a system for classifying malware samples based on the set of possible values in each memory or register location during emulation. They showed the effectiveness of their system on several of the older metamorphic viruses.

In a move sure to please those tasked with analysing the current explosion of Flash-based exploits and downloads, Microsoft’s Marian Radu presented an IDA Pro plugin to load and disassemble Actionscript 2 and 3 files. Although there are Actionscript decompilers around already, having the functionality built right into IDA will allow anti-virus researchers to reuse their existing armoury of scripts and plugins against Flash-based threats.

Unfortunately, Igor Muttik’s talk called “A Brief History of Time” was not delivered via any kind of text-to-speech software but was still an interesting mathematical analysis of the correct way to rate malware detection based on relevance over time. Igor showed the problems with current proactive and reactive malware detection tests that only represent detection rates either before or after the malware attack has actually taken place — not during the most important time, when the user is actually liable to be infected by it.
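To make Igor's point concrete, here is an added illustration (my own toy model, not Igor Muttik's actual metric and not code from the original post): it assumes a constructed daily prevalence curve for one sample and a hypothetical day on which a product added detection, then compares what a before-only or after-only snapshot test reports with a score weighted by how many users were actually exposed on each day.

```python
"""Exposure-weighted detection score: an illustrative model of why detection
tests should weight results by the period when users are actually at risk.
This is an added toy example, not the method presented at CARO 2010."""
from typing import Sequence


def snapshot_detection(detection_added_day: int, test_day: int) -> float:
    """What a one-shot test on test_day reports: the sample is either
    detected (1.0) or not (0.0), regardless of how much exposure there was."""
    return 1.0 if test_day >= detection_added_day else 0.0


def exposure_weighted_detection(prevalence: Sequence[float],
                                detection_added_day: int) -> float:
    """Fraction of total exposure (sum of daily prevalence) that fell on days
    when detection was already in place.  Detection is assumed to start on
    detection_added_day (0-indexed) and persist; a value of len(prevalence)
    or more means the sample was never detected during the window."""
    total = sum(prevalence)
    if total == 0:
        return 0.0
    covered = sum(p for day, p in enumerate(prevalence)
                  if day >= detection_added_day)
    return covered / total


def compare_tests(prevalence: Sequence[float], detection_added_day: int) -> dict:
    """Proactive test (day 0), reactive test (last day) and the exposure-
    weighted score for the same sample and the same detection timeline."""
    last_day = len(prevalence) - 1
    return {
        "proactive": snapshot_detection(detection_added_day, 0),
        "reactive": snapshot_detection(detection_added_day, last_day),
        "exposure_weighted": exposure_weighted_detection(prevalence,
                                                         detection_added_day),
    }


# Constructed data: infections seen per day for one sample (days 0..7).
# The outbreak peaks on day 2 and has mostly burned out by day 5.
PREVALENCE = [5, 40, 100, 60, 20, 5, 1, 0]
# Hypothetical: the product shipped a signature on day 3, after the peak.
DETECTION_ADDED_DAY = 3

if __name__ == "__main__":
    # proactive 0.0, reactive 1.0, but only ~37% of real exposure covered
    print(compare_tests(PREVALENCE, DETECTION_ADDED_DAY))
```

The proactive and reactive snapshots bracket the outbreak at 0% and 100%, while the exposure-weighted score shows the product missed most of the infections that actually happened.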