Archive for the 'Conferences' Category

CARO Workshop is over…

… well, it was over already on Saturday, but I’ve been busy analyzing malware and have not had the time to write this post earlier ;)

Friday’s presentations showed the same quality as those presented during the first day of the conference. The day opened with a couple of interesting talks on how to de-obfuscate scripts: this is actually a rather interesting topic, as scripts are increasingly becoming the way in which machines initially get infected, for example when browsing the web. Several analysis techniques and tools were presented to effectively decode script code that could otherwise turn into a researcher’s nightmare.

Then we had an interesting presentation from team members of AV-Team.org, in which they presented the results they obtained while trying to test the performance of AV engines scanning packed or protected code, taking into consideration several factors, like the capability of some engines to use generic unpacking techniques and what happens when blacklisting certain packers.

Blacklisting of packers was also the topic of two other presentations, showing how “hot” this topic is. A presentation from Avert Labs’ own Gaith Taha stepped into the difficult field of trying to create a methodology to estimate the risk associated with packer blacklisting and generic detection.

Next, Sophos’ Boris Lau presented his work on dealing with virtualizing packers, which use virtual machines to make code analysis complex and tiresome. The presented work was excellent, showing how to apply techniques that are usually associated with compiler science to help in the difficult fight against these complex protectors.

To close the day, Avert’s Geok Meng Ong presented his work about a different kind of obfuscation, the one that comes from a closed or partially documented file format, accompanying his speech with several case studies.

Looking back at the past days in Amsterdam I can truly say that it has been a really nice experience, a chance to meet great people and discuss some very interesting topics with them… Thanks for the great time guys!!

Now, back to malware analysis ;)
Signing off…

Update from CARO 2nd Workshop

Hello again, Paolo here. Yesterday afternoon the presentations moved to a more practical level, and the topics that were discussed were definitely interesting.

We started this afternoon’s session with “Hump and Dump” - an interesting study about the possibilities of Original Entry Point (OEP) discovery using a statistical technique based on histograms. The retrieval of the OEP of a packed application is important for several reasons, one of which is that its execution usually marks the end of the unpacking process, and that the original binary, previously invisible under the wrapper of the protector/packer/obfuscator, is now available in its rebuilt state. Although the work presented by the authors was still somewhat in the early phases, it shows good ideas and it may be that with some modifications it can become effective enough to be used in research tools and Anti-Malware scanning engines.
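As an added illustration (not code from the presentation or its authors), the following Python sketches the kind of histogram-based OEP heuristic described above over a constructed instruction-address trace: the packer’s decompression loop forms a tall hump of repeatedly executed addresses, and the original program appears as a long tail of once-executed addresses. The thresholds, the far-transfer test and the sample trace are assumptions of this example.

```python
"""Toy histogram-based OEP heuristic over a constructed address trace."""
from collections import Counter


def build_trace():
    # Constructed sample trace (not from a real sample): a packer stub runs a
    # short decompression loop thousands of times (the "hump"), then transfers
    # control to the unpacked original code, which executes many distinct
    # addresses a few times each.
    trace = [0x401000 + 2 * i for i in range(8)]          # stub prologue
    for _ in range(5000):
        trace += [0x401010, 0x401013, 0x401016]           # decompression loop
    trace.append(0x401019)                                # jmp to the OEP
    trace += [0x402000 + 3 * i for i in range(200)]       # original program
    return trace


def histogram_in_first_seen_order(trace):
    """Execution count per address, ordered by when each address first ran.

    Plotted, the decompression loop shows up as a tall hump followed by a
    long flat tail of once-executed addresses: the unpacked program."""
    first_seen = {}
    counts = Counter()
    for idx, addr in enumerate(trace):
        counts[addr] += 1
        first_seen.setdefault(addr, idx)
    return [(a, counts[a]) for a in sorted(counts, key=first_seen.get)]


def find_oep_candidate(trace, hump_threshold=100, region_gap=0x100, tail_len=50):
    """Heuristic assumed by this example (not the authors' exact method): the
    OEP is the first low-frequency address reached by a far control transfer
    after the hump that is followed by tail_len more low-frequency addresses."""
    counts = Counter(trace)
    hump_passed = False
    prev = None
    for i, addr in enumerate(trace):
        if counts[addr] >= hump_threshold:
            hump_passed = True                 # inside (or back inside) a hump
        elif hump_passed and prev is not None and abs(addr - prev) > region_gap:
            tail = trace[i:i + tail_len]
            if len(tail) == tail_len and all(counts[a] < hump_threshold for a in tail):
                return addr
        prev = addr
    return None


if __name__ == "__main__":
    t = build_trace()
    for addr, n in histogram_in_first_seen_order(t)[:14]:
        print(f"{addr:#x} {'#' * min(n, 60)} {n}")   # crude text histogram
    print(f"OEP candidate: {find_oep_candidate(t):#x}")
```

On the constructed trace the stub’s final jmp is executed once but sits next to the loop, so the far-transfer test skips it and the candidate is the first address of the original program region.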

A room with a view

In the following presentation Mario A. López explained to the audience how he and his coworkers at Frisk approached some complex problems related to unpacking in their own scanning engine, but I won’t go deeper as this information is probably not intended for people not directly in the industry.

Next Robert Neumann from VirusBuster presented a nice set of specific unpacking strategies to quickly unpack simple, not-so-simple and even complex packers and protectors - thanks for sharing Robert!

The last presentation was from Ilfak Guilfanov - the author of IDA Pro and Hex-Rays and well known in the security industry for being the developer of the unofficial fix for the Windows Metafile (WMF) vulnerability in the Microsoft Windows operating system back in December 2005. In his presentation Ilfak showed us a few tricks to use within IDA to approach obfuscated code, including one for a problem that researchers face when analyzing complex protector code.

I am very eager to see today’s presentations including the ones coming from McAfee Avert Labs researchers - Gaith Taha and Geok Meng Ong!

Stay tuned for the next update!!! :)

Greetings from Amsterdam…

…and from the Crowne Plaza hotel - home of the 2nd CARO workshop on “Packers, Decryptors and Obfuscators”.

Welcome to CARO 2nd workshop

As you may know, nowadays malware mostly comes in packed form, in order to thwart Anti-Malware and security products. For this reason it is of great importance to be able to develop technologies that can “see through” these executable wrappers and detect the underlying malware in a smart way.

Easy to say - less easy to do. And this is the reason for which this workshop is really interesting :)

After attending this morning’s part of the workshop I have to say that the presented content has been really excellent - and technical too. Starting from the keynote speech through all the others thus far I’ve been struck by the depth of the information shared. I found Kurt Natvig’s presentation especially interesting as it covered the difficulties emulators face when dealing with modern malware - good job, Kurt!

Hopefully the presentations will be made available online too, so I definitely advise anyone interested to monitor the CARO workshop website!

I need to go now as the afternoon’s presentations are starting! Talk to you later! :)