Zero Access, vulnerability disclosure and the evils of RTF

Day one of the Virus Bulletin 2013 Conference is over and it would appear that a good time was had by all.

The conference kicked off with a keynote speach by ESET North America CEO Andrew Lee.

Lee explored the ethical complications he believes the anti-virus industry faces as nation states begin to have a more vested interest in “state malware” remaining undetected.

Considering I heard a lot of support and complaints, it is fair to say that it must be an interesting topic. Interesting enough to argue over anyhow.

VB2013-Wyke-250After Lee’s talk, SophosLabs UK researcher James Wyke was up with his talk, “Back channels and bitcoins: ZeroAccess’ secret C&C communications”, where he dove into the latest developments he has uncovered about the Zero Access botnet.

Wyke explored areas beyond his previous research on Zero Access demonstrating the network traffic obfuscation, the bot herder’s quick response to research papers and novel revenue generating model.

I had the opportunity to interview James after his talk. At just shy of 8 minutes, I think it is worth giving it a listen.

Listen to this episode

Play now:

(2 October 2013, duration 7’49”, size 7.5MB)

Download for later:

Sophos Security Chet Chat #118.33 (MP3)

Tom Cross from Lancope and Holly Stewart from Microsoft presented some thought provoking data on vulnerability disclosure in their talk “Can alerting the public about exploitation do more harm than good?”.

They explored the different approaches to vulnerabilkity disclosure and compared how effective they are at protecting the public when you first consider how widespread attacks are before the wider criminal world knows about them. Thought provoking indeed.

While some consider RTF documents to be simple text files, malware researchers have known better for quite some time.

POBRTF250 Paul Baccas, a former colleague of ours, presented his research on targeted document attacks titled “Between an RTF and OLE2 place: an analysis of CVE-2012-0158 samples”.

Baccas explained how the complexity and non-uniform implementation of even seemingly simple file types like RTF are being abused by attackers performing targeted phishing attacks.

While conferences like Virus Bulletin are focused on ground breaking research and an opportunity for experts to collaborate on detection strategies, it is also about relationship building.

In a desperate attempt at defending our honour, Vanja Svajcer of SophosLabs Croatia and Gabor Szappanos of SophosLabs Hungary, took on the team from GData. We won’t discuss the results, but will leave it at “a fun time was had by all”.


Tomorrow I will bring you all the latest from Berlin, including another mini Chet Chat. Stay tuned!