Papers

theme

the age of cyber warfare

In recognition of the changing threat landscape, this year's conference invites speakers to present research, case studies, defense strategies, exploits and similar work, focusing on malware analysis and the hacking techniques associated with APTs and cybercrime.

Papers are welcome across all business sectors and technology platforms. Presentations on evolving threats and defense techniques arising from the consumerization of IT and the ever-increasing population of Internet-connected devices (the "Internet of Things") are particularly welcome.

The organizers also welcome papers that do not directly align with the concepts described above; authors are encouraged to submit draft papers relating to any domain of cyber-security, provided they are guaranteed to inform, entertain and engage, and are NOT sales pitches!

  • KEYNOTE SPEAKERS

    Mikko Hypponen
    Chief Research Officer
    F-Secure

    Mikko Hyppönen has been working in computer security for over 20 years and has fought the biggest virus outbreaks on the net.
    In 2007 he named the infamous Storm Worm, and in 2010 he produced classified briefings on the operation of the Stuxnet worm. He is also an inventor on several patents, including US patent 6,577,920 "Computer virus screening".

    Mr. Hyppönen has keynoted or spoken at various conferences around the world, including Black Hat, DEF CON, DLD and RSA. In addition to data security events, Hyppönen has delivered talks at general-interest events such as TED, TEDx, SXSW and Google Zeitgeist. He has also spoken at various military events, including AFCEA events and the NATO CCD COE's ICCC.

    He was listed among PC World magazine's "50 most important people on the web" and at #61 in Foreign Policy's Top 100 Global Thinkers in 2011. He received the Virus Bulletin award for "The Best Educator in the Industry", which is given every ten years.

    Securing Our Future
    If we want to secure our online future, we only have two problems to solve: Privacy and Security. Our online privacy is being eroded by multinational companies that make billions with our data. Services like Google and Facebook are always exploring new ways to monetize people’s personal data, exposing the fact that many business models and platforms that power digital life operate at the expense of privacy. However, there doesn’t seem to be anything illegal in that, as end users happily accept any cost to get their ‘free’ services. On the other hand, our online security is being targeted by groups that are willing to break the law. This includes both the criminals that do their attacks to make money as well as governments that do it for surveillance and espionage purposes. Where are we really? And what can we do?


    Dennis Batchelder - Session Keynote
    Director of Research for the Microsoft Malware Protection Center (MMPC)
    Microsoft

    Dennis Batchelder is the Director of Research for the Microsoft Malware Protection Center (MMPC).  Since 2007, Dennis has been leading MMPC’s efforts to help protect billions of customers from malware through real-time antimalware products and services, strong industry partnerships, and continuous analysis of threat intelligence using machine learning and the cloud.
    Mr. Batchelder has worked for more than twenty-five years in the technology industry, holding various leadership roles in software development and management in the US and India. A native of New England, he currently lives in Seattle, Washington. Dennis has been a writer for more than a decade and is the author of the Soul Identity series of techno-thriller novels.

    Updating…


    Righard Zwienenberg
    Senior Research Fellow
    ESET

    Mr. Zwienenberg started dealing with computer viruses in 1988 after encountering the first virus problems at the Technical University of Delft. His interest thus kindled, Zwienenberg has studied virus behaviour and presented solutions and detection schemes ever since. He started as an independent consultant; in 1991 he co-founded CSE Ltd., where he was the Research and Development Manager. In October 1995, Zwienenberg left CSE and one month later joined the Research and Development department of ThunderBYTE. In 1998, Norman Data Defense Systems acquired ESaSS (the company behind ThunderBYTE) and Zwienenberg joined the Norman development team to work on the scanner engine. In 2005 Zwienenberg took the role of Chief Research Officer at Norman. After AMTSO (the Anti-Malware Testing Standards Organization) was formed, Zwienenberg was chosen as its president. He serves as a Vice-President of AVAR and on the Technical Overview Board of the WildList. Zwienenberg left Norman in 2011 looking for new opportunities and started as a Senior Research Fellow at ESET, spol. s r.o. In April 2012 Zwienenberg stepped down as President of AMTSO to take the role of CTO, and he also joined the Executive Committee of the IEEE ICSG. In April 2015 Zwienenberg returned as President of AMTSO.

    He has been a member of CARO since late 1991. He is a frequent speaker at conferences, among them Virus Bulletin, EICAR, AVAR, RSA, InfoSec, SANS Security Summits, CFET, ISOI, IP Expo, government symposia and SCADA seminars, as well as general security seminars. His interests are not limited to malicious code but have broadened over the past years to include general security issues and encryption technologies. His hobbies include, but are not limited to, being a Trekkie, playing the drums, magic and illusions, and balloon modelling.

    Industry Cooperation – Do or Don’t, Succeed or Fail?

    The Anti-Virus/Anti-Malware Industry has, since the early days, been notable for the cooperation between companies by sharing information, samples and lots more, even to the point of sharing information that in other industries would be jealously guarded as proprietary and intellectual property. This liberal exchange of important information in the interest of the wider community is based, or was, on trust. Over the last three decades, many initiatives have been launched, some successful, others failing. Looking back over a series of both old and more current cooperative initiatives, the pros and cons of each will be highlighted, as well as considering what worked and what didn’t. Finally, we pose a question in the conclusion: is industry cooperation across company boundaries essential to the survival of the industry, and if so, how it should continue? Or should it perhaps be avoided altogether?

    Thanh Nguyen
    Founder

    and
    Kha Nguyen
    Member
    VNSecurity

    Nguyen Le Thanh
    Founder, VNSecurity

    Thanh Nguyen, founder of VNSecurity, is a security researcher with 18+ years of security experience across a wide range of technologies, from highly scalable, distributed architectures to low-level OS development, BIOS, firmware, chipsets and micro-architecture. Currently he leads security and IT at a top Internet company in Vietnam. Prior to that, he was a CPU Security Architect at Intel Corporation. Thanh has spoken at several international conferences such as BlackHat, PacSec, DeepSec and HackInTheBox, among others.

    Nguyen Phi Kha
    Member, VNSecurity

    Kha Nguyen is a Product Security Manager at VNG Corporation and a core member of VNSecurity. In his free time he is a hardcore gamer, reverse engineer and game (anti-)cheating researcher.

    Targeted Attack Operations Against Internet Industry in Vietnam

    Vietnam continues to see a sharp rise in the rate of targeted attacks, yet the details of such attacks are rarely made public. At VNSecurity and the HoneyNet Project Vietnam, we have been investigating and tracking attack operations targeting many leading telecommunication and Internet organizations in Vietnam over several years. Because those attacks are highly sophisticated and run by professional, dedicated hacking groups, most, if not all, Vietnamese organizations are either unaware of them or unable to detect and prevent them effectively and accurately.

    This presentation will share the details of some of these operations, including attack techniques, lateral movement tools, malware and C&C infrastructure, as well as useful techniques and tools we developed to detect and analyze the related malware.

  • APPROVED PAPERS
    Jan Sirmer
    Malware analyst & Operator at AVAST Virus Lab

    and Ondrej David, Android Antivirus Engine Developer at AVAST
    Avast

    Jan Sirmer works as a Malware Analyst & Operator at Avast Software's Virus Lab. Jan started working in the virus lab in 2009. His work currently targets Android malware and non-executable Windows malware, including web-based malware and exploits. Jan spoke at AVAR 2011, 2012 and 2013 and at WebExpo 2014.

    Ondrej David is the developer responsible for the latest advancements in Avast’s Android antivirus engine. He also reverse engineers some bits and pieces of malware – not only because he’s committed to making the world a safer place, but also because he likes to find out how things actually work. Ondrej spoke at DevCamp 2015.

    Owning Fobus: True power of Android Evo-gen
    In this presentation we give an insight into our effort to move from standard manual detections towards automatically generated ones. We discuss the advantages of one such system, recently deployed in our product and called Evo-gen. By carefully picking key properties and structural aspects of applications we obtain a unique representation (fingerprint) of each application, which can then be used for fully automatic, similarity-based classification. We explain in detail how the detection engine works and show the benefits on real in-the-wild malware case studies.
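    As an added illustration of the fingerprint-and-similarity idea in this abstract (example code written for this page, not Avast's Evo-gen), the Python below builds a structural fingerprint from constructed app properties (permissions, receiver classes and API calls; every family, class and value name is assumed) and classifies an unknown app by weighted Jaccard similarity against generated family fingerprints, down-weighting features shared by many families so that INTERNET or an HTTP call alone cannot produce a match:

```python
"""Added example, not Avast's Evo-gen: structural fingerprint + similarity classification.
All app properties below are constructed for illustration."""
from collections import Counter

# Generated family fingerprints: structural properties of known samples, grouped by kind.
# A real system would extract these from the manifest, DEX tables and call graph.
FAMILY_FINGERPRINTS = {
    "Android:Fobus-A": {
        "perm": {"SEND_SMS", "RECEIVE_SMS", "READ_CONTACTS", "INTERNET", "RECEIVE_BOOT_COMPLETED"},
        "receiver": {"BootReceiver", "SmsReceiver", "DeviceAdminReceiver"},
        "api": {"SmsManager.sendTextMessage", "DevicePolicyManager.lockNow",
                "HttpURLConnection.connect"},
    },
    "Android:FakeBank-C": {
        "perm": {"INTERNET", "SYSTEM_ALERT_WINDOW", "GET_TASKS"},
        "receiver": {"OverlayService"},
        "api": {"ActivityManager.getRunningTasks", "WindowManager.addView",
                "HttpURLConnection.connect"},
    },
}


def fingerprint(app):
    """Flatten the structural properties into one set of 'kind:value' features."""
    return frozenset(f"{kind}:{value}" for kind, values in app.items() for value in values)


def feature_weights(families):
    """Weight each feature by 1/(number of families containing it), so ubiquitous
    features such as INTERNET contribute less than family-specific ones."""
    counts = Counter(f for props in families.values() for f in fingerprint(props))
    return {f: 1.0 / n for f, n in counts.items()}


def weighted_jaccard(a, b, weights):
    """Weighted Jaccard similarity; features unseen in any family get weight 1."""
    union = a | b
    if not union:
        return 0.0
    w = lambda f: weights.get(f, 1.0)
    return sum(w(f) for f in a & b) / sum(w(f) for f in union)


def classify(app, families=FAMILY_FINGERPRINTS, threshold=0.7):
    """Return (family, similarity) for the closest family, or ('no-match', best_similarity)
    when nothing reaches the threshold. The threshold is an assumed tuning value."""
    weights = feature_weights(families)
    fp = fingerprint(app)
    scored = {name: weighted_jaccard(fp, fingerprint(props), weights)
              for name, props in families.items()}
    best = max(scored, key=scored.get)
    if scored[best] >= threshold:
        return best, scored[best]
    return "no-match", scored[best]


# Constructed samples: a repacked Fobus variant with one extra API call, and a clean app.
FOBUS_VARIANT = {
    "perm": {"SEND_SMS", "RECEIVE_SMS", "READ_CONTACTS", "INTERNET", "RECEIVE_BOOT_COMPLETED"},
    "receiver": {"BootReceiver", "SmsReceiver", "DeviceAdminReceiver"},
    "api": {"SmsManager.sendTextMessage", "DevicePolicyManager.lockNow",
            "HttpURLConnection.connect", "WebView.loadUrl"},
}
FLASHLIGHT = {
    "perm": {"INTERNET", "CAMERA"},
    "receiver": set(),
    "api": {"Camera.open", "HttpURLConnection.connect"},
}

if __name__ == "__main__":
    for name, app in (("variant", FOBUS_VARIANT), ("flashlight", FLASHLIGHT)):
        print(name, classify(app))
```

    The repacked variant scores 10/11 against the Fobus fingerprint because its only new feature is one extra API call, while the flashlight app stays far below the threshold even though it shares INTERNET and the HTTP call with both families. Which properties to fingerprint, and how to weight them, is exactly the design choice the talk is about; a fingerprint built from properties a repacker can trivially change (class names, resource names) would miss variants.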

    Juan Andres Guerrero-Saade
    Senior Security Researcher, Global Research and Analysis Team (GReAT), Kaspersky Lab

    and Santiago Martin Pontiroli, Security Researcher, Global Research and Analysis Team (GReAT), Kaspersky Lab
    Kaspersky

    Juan Andrés joined Kaspersky Lab in 2014. His research interests focus on intelligence analysis and cyber espionage. Before joining Kaspersky Lab, Juan Andrés worked as Senior Cybersecurity and National Security Advisor to the President of Ecuador. Juan Andrés holds a masters in Philosophical Logic from the University of St Andrews and a B.A. in Philosophy and Political Science. As a visiting scholar at the University of Oxford, Juan Andrés’ research focused on placing intricate philosophical systems and logic in a dialogue with specialized and often inaccessible topics in Computer Science and Information Security.

    Santiago Pontiroli joined Kaspersky Lab as a Security Researcher in October 2013. His principal responsibilities include the analysis and investigation of security threats in the SOLA region (South of Latin America), web application security, the development of automation tools stemming from threat intelligence studies and the reverse engineering of malicious code. Before joining Kaspersky Lab, Santiago served as Development Leader at Accenture for projects such as Site Concept Studio and Avanade Connected Methods. Santiago holds degrees in Systems Engineering and Systems Analysis from the Universidad Tecnológica Nacional F.R.L.P. in Buenos Aires, Argentina.

    Both presenters have extensive presentation experience, including conferences like CanSecWest, Virus Bulletin, CARO, and SAS as well as private presentations to government, security, and financial sector partners. Sample publications are available on Securelist.

    (Cancelled due to unexpected problem)

    Double-0 Status: The Perilous Transformation from Security Research to Intelligence Brokerage

    As security researchers inevitably enter the realm of intelligence brokerage, there arises an ambiguity in their role from the perspective of the intelligence agencies and nation-state-backed mercenaries running the campaigns under investigation. The decision-making process of these threat actors casts the security researcher in a hostile role at every step. The resulting perception is that security researchers are a loud hindrance to operational success and one they’re bound to want to disable, silence, or compromise. As unsuspecting private security companies and their researchers slide into this natural evolution of their market, a lack of acceptance of their new role as intelligence brokers will perpetuate operational deficiencies that will inevitably compromise their integrity when facing off against a field populated by highly-trained, unscrupulous, goal-oriented actors.

    Attendees will walk away with an awareness of the decision making process behind nation-state cyber espionage operations and why that awareness is crucial to the work of security researchers and reverse engineers interested in investigating APTs. The key takeaway is that the position of these researchers is in no way secure as their day-to-day work casts them as hostiles and saboteurs worthy of engagement and neutralization. Finally, we hope that companies hoping to enter this research space will choose to better prepare to handle the eventualities that arise in this perilous scenario.

    Outline
    1. The process of security researchers investigating an APT and how this activity is perceived from the eyes of the campaign operators. This includes the ‘researcher stereotypes’ that apply to APT researchers in our industry (ranging through ‘Academic’, ‘Opportunist’, ‘Whistleblower’, and ‘Traitor’).

    2. We run through the main motivations and concerns that make up the operational calculus of cyber-espionage campaign operators. These include anonymity and discretion, requirement fulfilment, return on investment and prospective operational capabilities. Our intention is to correlate these concerns with the researcher's mode of operation and reach the conclusion that the researcher, no matter how good her intentions, is bound to be perceived as an aggressive threat to operational success worthy of active response.

    3. Finally, we highlight the deficiencies of private companies entering this research space, particularly when it comes to safety procedures, operational security, and an overall lack of training. Given their dependence on PR and branding, private companies are in a particularly precarious position when facing off against master media manipulators like security and intelligence services overseeing cyber-operations.

    Roland Dela Paz
    and
    David Maciejak

    Security Researchers
    Fortinet

    Roland Dela Paz
    Security Researcher, Fortinet Inc.

    Roland is a Security Researcher in FortiGuard Singapore. His main interest is investigative cybercrime analysis, attack correlation and attribution. Having over 8 years of security industry experience, Roland regularly contributes his research through blogs, presentations and whitepapers. Roland is a graduate of University of Santo Tomas, Philippines with a Bachelor’s degree in Information Technology.

    David Maciejak
    Computer Security Expert, Fortinet Inc.

    David is currently based in Singapore as FortiGuard Manager for Fortinet, where he manages the research and development team for the APAC region. With close to 15 years of experience in network and desktop security, David worked for various vendors on IPS and security research prior to Fortinet. David holds a pre-doctoral degree in Computer Engineering from the University of Montpellier.

     

    Confidential

    Samir Mody
    Senior Manager Threat Control Lab

    Gregory Panakkal
    Senior Software Architect
    K7

    Samir Mody graduated from the University of Oxford in 2000 with a Master’s degree in Chemical Engineering, Economics and Management. Immediately after graduation he joined Sophos where he spent over 9 years, the latter 3 of them as Threat Operations Manager of SophosLabs, UK. Since August 2010, as Senior Manager TCL, he has been running the Threat Control Lab at K7Computing’s head office in Chennai, India. Since 2010 Samir has actively contributed to the IEEE Taggant System project, and other industry initiatives such as AMTSO. He has co-authored and/or presented papers and participated in panel discussions at various security conferences including EICAR 2006, VB2010/VB2013, AVAR 2010-12. Samir’s personal interests include reading (philosophy, politics, history, literature, and economics), sport and classical music.

    Gregory R. Panakkal graduated from Model Engineering College (CUSAT), India, in 2005 with a Bachelor's degree in Computer Science and Technology. During his college days he worked part-time as a security consultant for Rediff.com, a leading online portal in India. Immediately after graduation he worked as a Software Engineer for Wipro Technologies, Bangalore. He joined K7 Computing in 2007 to pursue his passion for malware analysis and detection technologies. He currently works on various anti-malware components that are part of the K7 security suite. He has co-authored and/or presented papers at various security conferences including CARO 2013, VB2014 and AVAR 2013/2014. His other interests include reverse engineering and vulnerability research.

    Fighting Back Against and Defeating Destructive Ransomware

    Modern ransomware is extremely destructive. Well-known families such as CryptoLocker, CryptoWall and CTB-Locker use strong encryption algorithms with large asymmetric keys to encrypt target files, rendering them all but impossible to decrypt locally, since the private keys are controlled by the malware syndicates. However, it is possible for security software to fight back robustly against modern ransomware, and win! Low-level, system-wide interception of designated events by security software allows close monitoring of the behaviour of ransomware components, making contextual dynamic blocking a high-percentage option. This paper describes in detail the various stages at which ransomware processes can reliably be terminated while mitigating false positives and performance degradation. We explore in depth the blocking of suspicious events such as data-overwrite attempts at the file-system level, behavioural anomalies of OS processes and incongruous calls to cryptographic functions. The paper also investigates strategies to arrest ransomware on the Android platform. A demo PoC of a novel, generic anti-ransomware solution for Windows will be presented.
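    To make the "contextual dynamic blocking" of data-overwrite attempts concrete, here is an added example written for this page (not K7's PoC, which hooks the Windows file system at kernel level): a Python monitor fed a constructed stream of file-system events. It scores each process when an existing low-entropy file is overwritten with high-entropy data and then renamed to a new extension, and terminates the process once the score crosses an assumed threshold. Paths, PIDs, the entropy cut-off and the score threshold are all assumptions for the demo:

```python
"""Added example, not K7's PoC: a behavioural anti-ransomware monitor over a
constructed file-system event stream."""
import hashlib
import math
from collections import defaultdict, namedtuple

# op is "create" (payload = content), "write" (payload = new content of an existing
# path) or "rename" (payload = new path). A real monitor would get these from a
# file-system minifilter; here they are constructed.
Event = namedtuple("Event", "pid op path payload")

ENTROPY_HIGH = 7.5   # bits per byte; ciphertext and compressed data sit near 8.0 (assumed cut-off)
BLOCK_SCORE = 6      # assumed threshold: three overwrite+rename pairs


def shannon_entropy(data):
    """Shannon entropy in bits per byte of a byte string."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


class RansomwareMonitor:
    """Scores processes on overwrite-and-rename behaviour typical of crypto-ransomware."""

    def __init__(self, block_score=BLOCK_SCORE):
        self.disk = {}                  # path -> content, standing in for the file system
        self.score = defaultdict(int)
        self.blocked = {}               # pid -> index of the event that triggered termination
        self.block_score = block_score

    def observe(self, index, ev):
        """Apply one event; return 'blocked' if the process is (or already was) terminated."""
        if ev.pid in self.blocked:
            return "blocked"
        if ev.op == "create":
            # New high-entropy files (archives, backups) are not penalised: no data is lost.
            self.disk[ev.path] = ev.payload
        elif ev.op == "write":
            old = self.disk.get(ev.path)
            if old is not None and shannon_entropy(old) < ENTROPY_HIGH <= shannon_entropy(ev.payload):
                self.score[ev.pid] += 2  # user document replaced in place by ciphertext-like bytes
            self.disk[ev.path] = ev.payload
        elif ev.op == "rename":
            old_ext = ev.path.rsplit(".", 1)[-1]
            new_ext = ev.payload.rsplit(".", 1)[-1]
            if old_ext != new_ext and ev.path in self.disk:
                self.score[ev.pid] += 1  # extension swap such as .docx -> .docx.locked
            self.disk[ev.payload] = self.disk.pop(ev.path, b"")
        if self.score[ev.pid] >= self.block_score:
            self.blocked[ev.pid] = index
            return "blocked"
        return "allowed"


def pseudo_random(n, seed=b"demo"):
    """Deterministic high-entropy bytes (SHA-256 counter chain) standing in for ciphertext."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:n])


DOC = b"Quarterly revenue summary, confidential. " * 100   # low-entropy user document
CIPHERTEXT = pseudo_random(4096)


def build_events():
    """Constructed stream: a word processor (pid 100), an archiver (pid 300) and ransomware (pid 200)."""
    docs = [f"C:/Users/alice/Documents/report{i}.docx" for i in range(4)]
    events = [Event(100, "create", d, DOC) for d in docs]
    events.append(Event(300, "create", "C:/Users/alice/backup.zip", pseudo_random(2048, b"zip")))
    for d in docs:
        events.append(Event(200, "write", d, CIPHERTEXT))
        events.append(Event(200, "rename", d, d + ".locked"))
    return events


def run(events, block_score=BLOCK_SCORE):
    """Replay the events; return the monitor and the per-event (pid, decision) list."""
    monitor = RansomwareMonitor(block_score)
    decisions = [(ev.pid, monitor.observe(i, ev)) for i, ev in enumerate(events)]
    return monitor, decisions


if __name__ == "__main__":
    monitor, decisions = run(build_events())
    print("blocked:", dict(monitor.blocked))
```

    With this threshold the ransomware process is killed at its fourth event, after two documents have already been encrypted; lowering the threshold saves more files but starts to hit legitimate tools that also rewrite files in place (archivers with "update in place", full-disk or folder encryption utilities), which is the false-positive trade-off the abstract refers to. The archiver is never scored because it creates a new high-entropy file rather than destroying an existing low-entropy one.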

    Liu Zhao
    Senior engineer of Tencent
    Tencent

    Liu Zhao, senior engineer, joined Tencent in 2010 after graduating and has focused on the security of the Windows and Android platforms for the past five years. He is a major developer of the Habo File Analysis System, an automated system that analyses the dynamic behaviour of suspicious samples.

    New Trick of Social Engineering in Black Industry

    In the distribution of viruses and trojans, social engineering adds disguise to samples and effectively improves the success rate of distribution. Since the start of this year, Tencent has found a new social-engineering trick in a certain kind of Android trojan: the trojan operators manually pick out valuable relationship chains of victims from the contacts, messages and other data collected from the victims' phones. They then use the backdoor implanted by the trojan to send messages from the victim's phone and so spread the trojan further. This method raises the effectiveness of distribution further and has therefore been widely adopted in the "black industry" (the Chinese cybercrime underground). By analyzing these samples, Tencent, together with the police, took down a criminal group using this method in a city in Guangxi, China, and further takedowns are planned.

    Rahul Naik
    Senior Principal Engineer – Development

    Vikas Kumar Tiwari
    Quick Heal Technologies Pvt. Ltd.

    Rahul Naik is associated with Quick Heal Technologies as Senior Principal Engineer. He has over 10 years of experience in the field of software product development. He presented a paper at AVAR 2014.

    Vikas Kumar Tiwari is associated with Quick Heal Technologies as Program Manager. He has over 10 years of experience in the field of security product development. He presented a paper at AVAR 2014.

    Make Security Defense BIG!

    In today's fast-paced world, security products need to scan a huge amount of data in real time. The amount of data keeps increasing every day and security products cannot keep up with it. The solution is to combine the best techniques from the security world and the data-mining world; the result is Big Data-based security analysis.

    Advanced Persistent Threats (APTs) are very subtle: they can stay inactive for long periods and generate little activity. For such behaviour, big data analytics can help analyse large amounts of data.

    We are proposing the following algorithm to tackle APT detection using Big Data analytics:

    • For Big Data analysis, data can be collected at one centralized location such as a network switch.
    • Configure an internal DNS server and allow DNS queries only to this server; block all connections to unauthorized DNS servers.
    • Obtain blacklisted servers and a list of suspicious C&C servers.
    • Using big data analysis, find periodic outbound connections. If the time difference between successive connections is constant, the remote server is a suspicious C&C server and the local machine is a suspicious infected machine.
    • Correlating the email-attachment download log with suspicious C&C server connections increases the probability that the PC is infected.
    • Using big data analysis, compute the upload/download ratio of all PCs in the network and mark PCs with an unusually high ratio as suspicious.

    This algorithm can be enhanced or customized.

    We will present the sample data analysis result of the above algorithm.
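    The steps above (periodicity, blacklist match, attachment correlation, upload/download ratio) combined into one scoring pass, as an added example written for this page rather than Quick Heal's system or its sample data. It runs over a constructed connection log in memory; the host addresses, thresholds, point values and the attachment log are all assumptions. Real beacons jitter, so the periodicity test uses the coefficient of variation of the inter-connection gaps rather than exact equality:

```python
"""Added example, not Quick Heal's system: beacon periodicity, upload/download
ratio and email-attachment correlation over a constructed connection log."""
import statistics
from collections import defaultdict

# Flow record: (timestamp_seconds, src_host, dst_host, bytes_out, bytes_in)


def periodic_destinations(flows, min_connections=5, max_jitter=0.1):
    """{(src, dst): mean_period} for pairs whose inter-connection gaps are nearly constant
    (coefficient of variation <= max_jitter). Thresholds are assumed tuning values."""
    by_pair = defaultdict(list)
    for ts, src, dst, _, _ in flows:
        by_pair[(src, dst)].append(ts)
    periodic = {}
    for pair, times in by_pair.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            periodic[pair] = mean
    return periodic


def upload_ratio_outliers(flows, factor=5.0):
    """Hosts whose total bytes_out / bytes_in exceeds `factor` times the median host ratio."""
    out, inn = defaultdict(int), defaultdict(int)
    for _, src, _, bytes_out, bytes_in in flows:
        out[src] += bytes_out
        inn[src] += bytes_in
    ratios = {h: out[h] / max(inn[h], 1) for h in out}
    median = statistics.median(ratios.values())
    return {h: r for h, r in ratios.items() if r > factor * median}


def score_hosts(flows, attachments, blacklist=frozenset()):
    """Combine the indicators per host: periodic beacon (+2), beacon to a blacklisted
    server (+2), attachment received before the first beacon (+1), upload outlier (+1)."""
    score, reasons = defaultdict(int), defaultdict(list)
    for (src, dst), period in periodic_destinations(flows).items():
        score[src] += 2
        reasons[src].append(f"beacon to {dst} every {period:.0f}s")
        if dst in blacklist:
            score[src] += 2
            reasons[src].append(f"{dst} is blacklisted")
        first_beacon = min(ts for ts, s, d, _, _ in flows if (s, d) == (src, dst))
        for ts, host, filename in attachments:
            if host == src and ts < first_beacon:
                score[src] += 1
                reasons[src].append(f"attachment {filename} arrived before first beacon")
    for host, ratio in upload_ratio_outliers(flows).items():
        score[host] += 1
        reasons[host].append(f"upload/download ratio {ratio:.1f}")
    return dict(score), dict(reasons)


def build_flows():
    """Constructed log: one infected host beaconing with small jitter and exfiltrating,
    one host with a legitimate hourly time sync plus ordinary browsing, one quiet host."""
    flows = []
    t = 1000
    for gap in (0, 600, 605, 598, 602, 600, 597, 603):      # 10.0.0.5 -> C&C every ~10 min
        t += gap
        flows.append((t, "10.0.0.5", "203.0.113.7", 1200, 300))
    flows.append((6000, "10.0.0.5", "203.0.113.9", 50_000_000, 2000))  # bulk upload
    for t in range(0, 5 * 3600, 3600):                       # 10.0.0.6 exact hourly sync
        flows.append((t, "10.0.0.6", "time.example.net", 100, 100))
    for t in (120, 130, 700, 2000, 2050, 9000):              # 10.0.0.6 irregular browsing
        flows.append((t, "10.0.0.6", "93.184.216.34", 2000, 80_000))
    for t in (300, 900, 4000):                               # 10.0.0.7 a few downloads
        flows.append((t, "10.0.0.7", "198.51.100.1", 1500, 20_000))
    return flows


FLOWS = build_flows()
ATTACHMENTS = [(100, "10.0.0.5", "invoice.doc.exe"), (50_000, "10.0.0.7", "agenda.pdf")]
BLACKLIST = frozenset({"203.0.113.7"})

if __name__ == "__main__":
    scores, reasons = score_hosts(FLOWS, ATTACHMENTS, BLACKLIST)
    for host in sorted(scores, key=scores.get, reverse=True):
        print(host, scores[host], reasons[host])
```

    The periodicity test alone also flags the hourly time sync from 10.0.0.6, which is why the other indicators are needed: that host ends with a score of 2, while 10.0.0.5 collects beacon, blacklist, attachment and upload points for a score of 6. In production the periodic-connection step is the noisy one (update checks, NTP, telemetry all beacon) and needs a whitelist of known-good destinations before its output is worth correlating.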

    Hong Jia (Female)
    Head of Response and Research, ThreatBook Labs

    Feiran Liu
    Security research engineer, ThreatBook Labs
    ThreatBook

    Hong Jia is the head of response and research at ThreatBook Labs, a startup company based in China providing threat intelligence services; she is also a co-founder. Hong leads ThreatBook's efforts in threat incident response, threat intelligence research, data mining and the study of correlated data applied to threat intelligence research.
    Prior to joining and setting up ThreatBook Labs, Hong was the principal lab manager of response and research at the Microsoft Malware Protection Center (MMPC), with labs in Redmond (WA), Vancouver (BC) and Beijing. She led the MMPC labs' effort to protect billions of computers from malware through fast incident response, deep malware-family threat research and machine-learning-driven automation for malware clustering and classification. She also served as liaison between MMPC and Chinese security companies and helped deploy a number of MMPC security programs in China through her strong industry relationships with security organizations and vendors. Hong gained valuable experience working at Microsoft and collaborating with the security industry during her 15 years of service at Microsoft.
    Hong graduated from Tsinghua University, China, with a Master's degree in electronic engineering in 1993, and from the University of Electronic Science and Technology of China, Chengdu, with a Bachelor's degree in electronic engineering in 1990.
    Feiran is a Security Research Engineer at ThreatBook. Before joining ThreatBook, he worked in information security at JD Finance and Renren.com. Over the years he has developed various enterprise security products, such as IDS/IPS, WAF and a big-data user-behaviour analysis system.

    Threat Intelligence behind “XcodeGhost”

    "XcodeGhost" is a cyberattack on iPhone users in China. So far it has trojanized over 4000 iOS apps developed in China, many of them highly popular among Chinese iPhone users. As a result, more than 95% of iPhone users in China have been infected with XcodeGhost.
    On 19 Sep 2015, someone claiming to be the author of XcodeGhost published a blog post under the name @XcodeGhost-Author. In the post he apologized for the panic and unrest caused by the incident but maintained that XcodeGhost was just a coding experiment to explore the potential exploitation of a loophole in [YY]code, which he had discovered accidentally, to enable advertisement delivery. The information collected through the affected apps, such as app name, app version, OS version, localization, developer identifier, device name, network type and so on, did not include any private information. He also claimed that the advertisement delivery capability was never used, that the apps' original functions were not affected in any way, that the server collecting the information had been taken offline and that all collected data had been deleted.
    While the blog post may appear sincere, our analysis indicates otherwise.
    In this paper we present our analysis of XcodeGhost's built-in functionality and the social-engineering channels used to spread it. We also outline the social activity surrounding XcodeGhost's development and release. Based on the threat intelligence we have gathered and a data-correlation study, we can infer the true identity of XcodeGhost's author. At the end of the paper we also summarize what we have learned from this incident.

    Siegfried Rasthofer
    TU Darmstadt / CASED (Germany)

    Carlos Castillo
    Intel Security
    Intel

    Siegfried Rasthofer is a third-year PhD student at TU Darmstadt (Germany); his main research focus is applied software security on Android applications. Together with his colleagues he has developed different tools that combine static and dynamic code analysis for security purposes. CodeInspect is one of his recent works: a new Android binary reverse-engineering framework that allows debugging of an Android binary at the intermediate-representation level. He is an active bug hunter in the Android context, where he has reported 2 AOSP exploits and many vulnerable apps. Siegfried received a Google Patch Reward in 2015 and gives presentations at academic as well as non-academic conferences such as Black Hat Europe, Virus Bulletin, CARO and NDSS.

    Carlos Castillo is a mobile malware researcher at Intel Security, where he specializes in the analysis of mobile threats and Android malware.
    Castillo performs static and dynamic analysis of suspicious applications to support McAfee’s Mobile Security for Android product.
    He is the author of the McAfee-published white paper, “Android Malware Past, Present, and Future,” and wrote the “Hacking Android” section of the book, “Hacking Exposed 7: Network Security Secrets & Solutions.” As a recognized mobile malware researcher, Castillo has presented at several security industry events, including 8.8 Computer Security Conference and Segurinfo, a leading information security conference in South America. Prior to his position at McAfee, Castillo performed security compliance audits for the Superintendencia Financiera of Colombia, and worked at security startup Easy Solutions Inc., where he conducted penetration tests on web applications, helped shut down phishing and malicious websites, supported security and network appliances, performed functional software testing, and assisted in research and development related to anti-electronic fraud. Castillo joined the world of malware research when he won ESET Latin America’s Best Antivirus Research contest with a paper titled, “Sexy View: The Beginning of Mobile Botnets.”
    Castillo holds a degree in systems engineering from the Universidad Javeriana in Bogotá, Colombia.

    We know what you did this Summer: Android Banking Trojan Exposing its Sins in the Cloud

    Backend-as-a-Service (BaaS) solutions are a very convenient way for developers to connect their apps to cloud storage. There are different BaaS solutions on the market, offered by vendors such as Amazon, Google and Facebook. All of them provide simple APIs for common tasks such as managing database records or files; adding a few library classes and writing three or four lines of code is sufficient to integrate cloud storage into an app.

    While such solutions are created for well-intentioned developers, very recently we spotted two Android malware families that make use of BaaS solutions as well, Facebook's in this case. Using Facebook's BaaS solution the malware stores stolen data, receives commands to be executed remotely on the infected device and performs SMS banking fraud.

    Malware authors apparently do not know how to set up a BaaS solution securely, which allowed us to obtain access to all the data they store. This gave interesting insights into their C&C communication protocol and all the sensitive data they stole, including requests for the current balance of credit cards associated with the device and attempts to perform payments and fraudulent transfers of funds via SMS messages during June and July 2015. To extract the necessary data from malicious applications automatically, we developed an automatic exploit generator that extracts credentials from the app, even if they are obfuscated, and provides access to the respective BaaS backend.

    Kalpesh Mantri
    Research and Development

    and Yogesh Khedkar, Software Engineer
    Quick Heal Technologies Pvt. Ltd.

    Kalpesh Mantri has been associated with Quick Heal Technologies since 2013 and has nearly three years of experience in the field of security. At Quick Heal he is part of the Vulnerability Research team, which focuses on targeted attacks and cyber espionage. Kalpesh's personal interests include travelling and photography.

    Yogesh Khedkar is associated with Quick Heal Technologies as a Software Engineer and has over two years of experience in the field of security. He is also part of the Vulnerability Research team, which keeps watch on APT behaviour. Yogesh's personal interests include sports and music.

    Anatomy of Cyber Attacks

    Targeted threats, aka Advanced Persistent Threats (APTs), are a class of malware designed to hit a specific organization or industry. They include threats delivered via spear-phishing emails, zero-day exploits and social-engineering techniques. Because of the targeted nature of these attacks, the distribution of such malware is quite low, but the impact on compromised institutions remains very high. As a result, targeted attacks have become a priority threat.

    These attacks maintain a persistent presence and can move throughout the victim's network to extract sensitive information. They are industry-oriented and heavily target government and military organizations. We focus on in-depth analysis of these attacks by providing generic coverage for the exploit documents used as attack vectors.

    This paper gives an overview of the common characteristics of targeted attacks. We also focus on attacks exploiting government entities in India and its neighbouring countries, whose primary mission was to steal government documents. We explore an attack observed in 2014-2015 and how these APTs hide behind encrypted documents to evade detection. The paper also covers information about their command-and-control servers and detection statistics. These campaigns will become more sophisticated and intense in the coming years.

    Vlad Craciun
    Malware researcher

    Cristina Vatamanu
    Malware researcher
    BitDefender

    Vlad Craciun was born in Piatra Neamt in 1986. He joined Bitdefender Laboratories in early 2009 and since then he has been analysing different types of malware and file infectors. He finished his Master’s degree in 2012 at the “Gh. Asachi” technical University of Iasi with a thesis entitled “Advanced binary analysis using complex emulation and branch stuffing techniques”. At the moment he’s also a Ph.D. student at the “Alexandru Ioan Cuza” University of Iasi, researching the field of symbolic execution and dynamic/static analysis of possible malware applications. His hobbies include processor design, embedded systems, electronics, psychology, religious cultures and metaphysics.

    Cristina Vatamanu graduated from the Faculty of Computer Science at the University of “Gheorghe Asachi” – Iasi and received a Master’s degree in embedded computers from the same University. She has worked at Bitdefender for four years. Some of her responsibilities (and hobbies) are reverse engineering, exploits analysis and automated systems.

    Win32.Dorbot – A splice between a file infector and a botnet

    More and more malware technologies nowadays are combining forces in order to stay as stealthy as possible while at the same time stealing user data or exposing the user to a number of security threats. Win32.Doboc combines the stealth and infection mechanism of a file infector, which spreads mostly through user document files, with the power of a botnet, achieving malware updates and at the same time possible targeted attacks. The malware is very well designed and carries with it all it needs to behave as expected even on the latest Windows operating systems, for both x86 and x64 architectures. An interesting fact about it is that UAC becomes useless in its presence, even at the maximum security level: it successfully and silently infects any new clean system. The infection technique is actually used to distribute the malware more easily, using mostly network shares and removable devices rather than fixed disk drives, while the botnet features keep an ongoing loop of GET and POST actions to C&C servers, not only carrying out specific server actions but at the same time posting user desktop screenshots and other sensitive user data.

    Philipp Wolf
    Executive Vice President Protection Labs

    and Matthias Ollig
    AVIRA

    Philipp Wolf started his career as a malware researcher. 15 years later, Philipp now heads Avira’s Virus Lab, leading a team of over 100 researchers. His team’s mission is to protect Avira’s customers from malware and other unwanted programs by delivering the very best detection rates. The team achieves this by leveraging state-of-the-art technologies such as machine learning and artificial intelligence modules. Philipp has initiated projects in the anti-virus industry including the famous applications MUTE and VIREX. His interests include sports such as snowboarding, sailing and boxing.

    Matthias Ollig is Executive Vice President at Avira where he is responsible for Cloud, Services & Infrastructure. He oversees teams in Germany, Romania and the Netherlands to ensure the global delivery of services to the Avira user base. Before moving to the cloud, Matthias was Lead Artificial Intelligence Researcher at Avira where he worked on advanced threat detection systems. Matthias has an MS degree in Computer Science. His thesis resulted in Avira’s NightVision machine learning system, which is now one of the core technologies powering Avira’s Protection Cloud. This applied research project was supported by a scholarship from the DAAD and was carried out in collaboration with the cyber security research group at Stevens Institute of Technology, Avira, and the Institute for Internet Security at the Westphalian University. Depending on the season, Matthias can be found outside the office sailing, on his mountain bike, or on a snowboard.

    Detection protection using cloud services

    Security vendors face problems defeating the complexity of malware with traditional, reactive detection methods. Cloud services are the solution to this problem. In this paper, we propose malware detection via static and dynamic analysis within the security vendor’s backend in real time. Our products on millions of customer computers show today that detection rules and methods in the cloud last much longer against the attacks of malware authors. Our detection model for malware may provide a rethinking for security researchers to enhance detection of malware.

    Maik Morgenstern
    CTO of AV-TEST GmbH
    AV TEST

    Maik Morgenstern has a diploma degree in Engineering and is a CEO and the Technical Director of AV-TEST GmbH. He manages the planning and implementation of new test scenarios, our technical innovations and our continuous reaction to new threats. He is a regular speaker at industry conferences such as Blackhat, CARO and Virus Bulletin.

    Presentation title: You are the target in the Internet of Things

    “The Internet of Things brings comfort and many exciting new features to everyone. Smart Home systems make your life easier and fitness trackers will help you to live more healthy. These are just two prominent examples. But with every good thing there come bad things as well. IT-Security is a major problem in many of the devices, sometimes nonexistent and sometimes badly designed or implemented.

    In 2013 we started to look into different kinds of devices and have since analyzed over 30 different products. We have found numerous vulnerabilities that allow unauthorized access to data or even the manipulation of data and functionality.

    Right now, users aren’t suffering from attacks. Criminals have other ways of earning money and have yet to figure out a business model for attacking IoT devices. But as we all know, the bad guys will find ways to get money out of their attacks sooner or later. Therefore it is necessary to be prepared.

    This talk will present the experiences we have gathered in the last years and show which mistakes are repeatedly made by vendors of these devices. In the end it is all about the data that is generated or gathered by the different devices. We will discuss who would like to attack, what the targets and objectives are and why they want to do it. On top of that we will propose several steps to get more secure devices, or at least to be able to use them more securely.”

    Ivan Macalintal
    and Hai-Tri Le
    Engineering Productivity and Release Services
    Microsoft

    Ivan Macalintal has more than 13 years of experience in the antimalware and security industry and has progressed from antimalware engineer, analyst and researcher roles to founding, establishing, managing and leading operations and threat research teams, as well as multiple high-impact projects, processes and services for global industry partners and customers: at Trend Micro for more than a decade, and at Microsoft for more than 2 years now, currently with the Antimalware Team of the Engineering Productivity and Release Services group.

    Passionate about threat analysis, research and threat-intelligence; puzzle-solving and connecting-the-dots; industry, partner and customer engagements, Ivan has published for and/or presented in various industry conferences for Virus Bulletin (VB), the High Technology Crime Investigation Association (HTCIA) conference, B-Sides, Digital Crimes Consortium (DCU), Microsoft TechEd North America and the Microsoft Security Response Alliance (MSRA) summit.

    During his free time, he leads efforts and projects on non-profit community building, starts writing novels whose synopses have been shelved for some time now, searches for the perfect cup of coffee and simply does stuff with family and friends to “make a Life, not just a Living.”

    Hai-Tri Le has over 10 years of experience managing various aspects of software release at Microsoft Corporation. He has held various roles in a range of organizations, most recently with the Product Release and Security Services group, and currently Engineering Productivity and Release Services. He has seen the evolution of software distribution from floppy diskettes to CD-ROM, DVD-ROM, USB flash drives and digital distribution. Software has grown in complexity, from major launches every few years to continuously updated offerings such as Office 365. Distribution mechanisms have evolved to encompass packaged product, online bit distribution, point of sale, Software as a Service, software-powered devices, etc. Mr. Le’s expertise and experience uniquely position him as a specialist in all aspects of software release.

    Using CFMD Against (Asian) APT
    Microsoft earlier this year launched our CFMD or Clean File MetaData sharing initiative, and in partnership with VirusTotal as well as with our partners in the antimalware arena, we have seen a very positive and huge impact in mitigating further damages caused by false positive incidents and thereby helping secure the overall Microsoft ecosystem.

    Furthermore, as blogged in a recent targeted attack campaign using the Bioazih RAT, and as presented at various other industry conferences, we have also shown how CFMD can be a key ingredient in a more complete and reinforced forensics and detection solution for targeted attack and APT (Advanced Persistent Threat) research and investigations.

    In this presentation, we will further show how CFMD could have or can still help in adding more data points towards solution hardening and attribution pertaining to recent and future campaigns targeting Asia such as the one dubbed as Operation Tropic Trooper, as well as the one specifically targeted against journalists and activists in Vietnam.

    Jean-Ian Boutin
    Malware Researcher
    ESET

    Jean-Ian Boutin is a malware researcher in the Security Intelligence program at ESET. In his position, he is responsible for investigating trends in malware and finding effective techniques to counter new threats. He has presented at several security conferences, including Virus Bulletin, CARO and ZeroNights. Jean-Ian completed his Master’s degree in computer engineering at Concordia University in Montreal in 2009. His main interests include investigation of information-stealing malware, and threats targeting specific regions.

    Increasingly, malware authors are closing the gap between crimeware campaigns and targeted attacks. Operation Buhtrap is one such example, where cybercriminals looking for financial gain are specifically targeting the finance divisions of Russian businesses. This campaign has been ongoing for more than a year, using evasive malware to stay under the radar and silently install spying tools on the victim’s computer.

    Contrary to standard banking trojans, the malware authors behind Buhtrap use sophisticated multi-stage malware to choose which system should be infected and deploy multiple different custom and off-the-shelf tools to take full control of the victim’s computer. Different tools were seen in different campaigns, hinting that they adjust their techniques depending on the target. They also employ evasive techniques to thwart automatic security systems by trying to detect signs of their usage and changing the malware’s behavior if something is detected. They take great care to install their malware only on interesting systems by checking whether specific applications are installed on the computer or whether specific URLs were visited. This campaign also uses several code signing certificates. Operation Buhtrap is part of a growing trend where crimeware campaigns target specific groups of people to achieve maximum financial gain.

    In this presentation, we will go over the technical details of Operation Buhtrap. We will also describe how we were able to track it and increase our users’ protection against these threats. We will finally show how they integrated new tools into their arsenal in response to our relentless tracking.

    Michael John S. Marcos
    SME Team, Threat Research

    Rhena U. Inocencio
    Threat Research Engineer
    Trend Micro

    Michael John Marcos

    Michael joined Trend Micro in 2014 as a subject matter expert on emerging online banking malware. He started his career in information security in 2010 as a forensic technology consultant at Ernst and Young, where he did IT forensics, e-discovery, and incident response on cases related to white-collar crimes, corporate espionage, cybercrime, and cyber warfare. He has also appeared as a qualified digital forensic expert in court cases in the Philippines and in the Asia-Pacific region.

    Michael graduated from De La Salle University, Manila with a Bachelor’s degree in computer science with specialization in network engineering. During his spare time, he enjoys outdoor activities such as mountaineering and surfing.

    Rhena Inocencio

    Rhena has been a threat researcher in TrendLabs, the global technical support and R&D center of Trend Micro, since 2011. On a daily basis, she monitors and analyses new and emerging malware, and creates threat reports for customers. Currently, she is focused on point-of-sale (PoS) malware footprinting. She also acts as a technical lead for the threat analysis team, and is a regular contributor to the TrendLabs Security Intelligence blog. During her spare time, she plays the piano and paints (mostly) animal faces and abstracts on canvas. She is a fan of origami and Manga/Manhwa.

    We have a ‘DYRE’ (dire) situation

    Online banking Trojans continue to be one of the most effective ways to steal money from unsuspecting users because of their constantly evolving tactics that leave little or no evidence of compromise once they are already inside their targets’ computers. One example is Dyre, a malware family that started as a remote access Trojan (RAT) and quickly evolved into one of the most notorious banking Trojans in the wild.

    Dyre steals banking credentials using new man-in-the-browser (MiTB) techniques, and is equipped with a modular architecture that allows it to enhance its infostealing capabilities at a faster rate. Since the latter part of 2014, we have observed that Dyre is in constant development, enhancing its routines on a weekly basis. Data from the Trend Micro Smart Protection Network also indicates that as of the second quarter of 2015, Dyre’s detection count increased worldwide by 125% compared to the previous quarter, indicating increased cybercriminal activity and interest in exploiting online banking weaknesses. Meanwhile, reports on the malware’s supposed involvement in cyberheists that targeted an airline company and a tech firm this year also show the damage and impact of this threat if not prevented or mitigated.
    Given its growing notoriety, Dyre may even surpass more infamous threats like ZeuS. Security researchers thus need to understand its evolution in order to foresee where it might be headed. This paper will discuss how Dyre started and evolved, its noteworthy capabilities, and how end users and organizations can protect themselves against this growing threat.

    Gabor Szappanos
    Principal Malware Researcher
    Sophos

    Gabor Szappanos graduated from the Eotvos Lorand University of Budapest with a degree in physics. His first job was at the Computer and Automation Research Institute, developing diagnostic software and hardware for nuclear power plants. He started antivirus work in 1995, developing freeware antivirus solutions in his spare time. He joined VirusBuster in 2001, where he was responsible for taking care of macro viruses and script malware; from 2002 he was the head of the virus lab. Since 2008 he has been a member of the board of directors of AMTSO (Anti-Malware Testing Standards Organization). In 2012 he joined Sophos as a Principal Malware Researcher.

    Intruders in Asia

    The first virus creation kits appeared in the early 90’s, producing MS-DOS program infectors. The purpose of creating and publishing them was to enable writing viruses without knowing the underlying details of the operating system or assembly programming. That lowered the bar for virus creation.

    Nowadays the main purpose is completely different: the financial income achieved by selling these malware generators on underground marketplaces. Office exploits are no exception to this change of incentive. The overall effect, however, is the same: it lowers the barrier and enables several cybercrime groups, who otherwise lack the skills to develop exploits of their own, to use Office exploits in their malware distribution attacks.

    Of the few available kits, the most influential is Microsoft Word Intruder (MWI), developed in Russia. This generator has been used intensively by common crimeware groups, distributing a wide range of malicious programs, from commercial keyloggers and remote administration tools to the usual banking Trojans. Malicious documents created by the kit played an essential role in the recently active Pony distribution campaigns and earlier in the famed billion-dollar Carbanak case.

    The presentation gives a detailed analysis of Microsoft Word Intruder.

    We will explain the infection mechanism of this generator, point out the key characteristics differentiating the generated samples from other exploited malicious documents.

    We will go into details about the distributed malware families, point out that the exploit generator was used in deploying practically all high profile Trojans.

    Our virus lab is constantly tracking over a dozen different cybercrime groups using MWI. The presentation will detail two of the distribution campaigns specifically targeting Asia.

    One of them distributed the Hawkeye commercial keylogger, predominantly to Indonesia, India, Malaysia and Vietnam, with the purpose of stealing banking credentials.

    The other campaign targeted banks, distributing remote administration tools. This campaign heavily affected Indonesia, China and Malaysia.

    Igor Muttik
    Prof.
    Intel Security

    Prof. Igor Muttik (PhD) started researching computer malware in the 1980s, when the anti-virus industry was in its infancy. He is based in the UK and worked as a virus researcher for Dr. Solomon’s Software. From 1998 he ran McAfee’s malware research in EMEA and switched to his architectural role in 2002. He takes particular interest in applied security research and the design of new security software and hardware. Igor holds a PhD degree in physics and mathematics from Moscow University. He is a regular speaker at major international security conferences and is a co-author of 3 books, more than 100 publications and >25 patents. Igor has worked for Intel Corporation since McAfee was acquired in 2011.

    Dr. Jorge Blasco:

    Dr. Jorge Blasco obtained his PhD from University Carlos III of Madrid in 2012. His dissertation focused on the field of information security and insider threats. He is an active Android and iOS app developer, with several steganography-related apps available in the official markets of both operating systems. After obtaining his PhD, Jorge worked as an assistant lecturer at University Carlos III of Madrid. In 2014, he moved to City University London, where he now works as a Research Fellow in a project about application collusion. His main research interests include mobile malware, steganography and covert channels. He has published several research papers in international conferences and journals.

    Android – collusion conspiracy

    Pablo Atilio Ramos
    Head of LATAM Research Lab

    and Diego Perez Magallanes
    Malware Analyst
    ESET

    Pablo Atilio Ramos:

    Pablo Ramos currently works as Head of Latam Research Lab at ESET Latin America, a company dedicated to the development, research and commercialization of antivirus solutions and information security. He is currently finishing his studies in Systems Engineering at the National Technological University of Argentina. He has participated in various events and activities of that institution, and in addition to his expertise in information technology, he has applied his expertise to information analysis, databases, business intelligence and video game programming. Before joining the company, he worked as a technical consultant at Barcelona04/Computing Group, where he had the opportunity to increase his knowledge of different platforms and databases. In 2010, he joined ESET Latin America as an Awareness & Research Specialist, dealing with security awareness activities. In July 2012, he was promoted to Security Researcher, with the responsibility of planning and conducting research. In 2014, he started working as Head of Latam Research Lab. In his current role, he is responsible for coordinating the activities, projects and tasks related to the analysis of malware and trends within the Laboratory of ESET Latin America. He also deals with the management of statistical systems, the reception and reporting of malicious code samples, the collection of new threats, and more. The work also includes leading research in computer security. As a researcher, his article “Dorkbot: Latinoamérica” was selected for presentation at Virus Bulletin 2012, one of the most important worldwide conferences on information security. In addition, he works as the spokesman for ESET Latin América and represents the company in all kinds of activities such as seminars, conferences, internal training and other events of public exposure.

    Diego Perez Magallanes:

    Diego Pérez Magallanes currently works as Awareness & Research Specialist at ESET Latin America, a company dedicated to the development, research and commercialization of antivirus solutions and information security. Pérez Magallanes studies Systems Engineering at the National University of San Martín; before that, he graduated as an Electronic Technician at the Technical School Nº28. He has expertise in programming languages such as Ruby, JavaScript, HTML and PHP, and also has knowledge of information security and penetration-testing techniques. Before joining ESET Latin América, he worked in technical support in the IT area of Control Plus, a company dedicated to access control, with the responsibility of providing support to customers inside and outside the company, while also working on development projects. In his role as Awareness & Research Specialist, Diego Pérez Magallanes deals with the security awareness activities of ESET Latin America, from research to publication and presentation. In this context, he is responsible for researching news and trends with regard to information security. He has also developed technical and awareness material on the research of malicious code and cyber threats, including training courses on information security for the ESET Latin America Educational Platform and podcasts explaining threats and ways to prevent them, among others. In addition, he works as the spokesman for ESET Latin América and represents the company in all kinds of activities such as seminars, conferences, internal training and other events of public exposure.

    In this research we present how Liberpy hit our radar, how it worked, what the attackers’ goals were, and how targeted it was. Since Liberpy was controlled using HTTP, and since the exfiltration of user data used somewhat simple encryption, we were able to dismantle it and react to the attackers’ responses once their botnet was down. We’ll share the results of DNS-sinkholing the botnet, our study of their activities and how the cybercriminals responded with new commands, and how and where they decided to add SSL to their communications in an attempt to keep operating undetected. From spamming campaigns to spreading via USB, Liberpy had a 96% success rate in the countries of their targeted victims.

    Finally, we’ll share our thoughts and experiences after dissecting Liberpy and discuss what can be done to track these kinds of regional and country-based malware that keep emerging. Unlike big malware campaigns, its goal is to deliver a specific payload to certain targets and remain active as long as possible. Learning from their present actions and responses, it is possible to anticipate future campaigns and how they will be carried out.

    Peter Kálnai
    Senior malware analyst

    and Jaromír Hořejší
    Senior malware analyst
    Avast Software

    Peter Kálnai is a malware researcher and analyst at the Virus Lab of Avast Software. His main responsibilities are reverse engineering of Windows, Linux and OS [YY] executables, especially those connected with mainstream cyber threats. He has experience developing weak automated anti-malware heuristics for Windows PEs and Android packages. As a speaker he has attended international conferences such as Virus Bulletin, RSA Conference, CARO Workshop and Botconf. Currently, he is a PhD student in mathematics at Charles University in Prague. In his free time he enjoys playing table football and watching shows by stand-up comedians.

    Jaromír Hořejší is a malware researcher and analyst at antivirus company Avast Software. His main specialization is reverse engineering of mainstream cyber threats targeting Windows and Linux. During the course of his career, he has researched many types of threats, for example DDoS botnets, banking Trojans, click fraud and ransomware, and has written many blog posts about them. In the past, he has successfully presented his research at several IT security conferences, including RSAC, Virus Bulletin, AVAR and Botconf.

    We realise the similarity of samples in the ELF file format by equipping a custom database (“space”) of binary large objects (“blobs”), representing relevant static features, with a distance function on its entries. The distance function is a weighted sum of partial functions on the features, which include the parameters in the ELF header, program headers, section headers, imported or exported symbols, character strings, the UPX header and checksums over various parts of the file. These features can be generated from the binary itself or partially parsed from VirusTotal output if the binary is not available to the researcher. This gives us an effective, relatively easy-to-implement and very fast heuristic that serves purposes such as the exclusion of clean files from sample feeds, automated classification of new malicious samples and even identification of particular malware families. Rather than a universal solution, we propose three variants that depend mostly on the purpose, and we discuss the usability of the features obtained from VirusTotal. The method will be justified by showing the classification results for the most interesting examples of current in-the-wild malicious ELF executables.
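    The weighted-distance heuristic described above, as an added example (not the Avast authors' code): it parses a handful of static ELF64 features, computes normalised partial distances and their weighted sum, and labels a new sample with its nearest known family. The feature set, the partial distance functions, the weights and the three constructed ELF images are assumptions made for this illustration.

```python
"""Static-feature similarity for ELF samples (added example, assumptions throughout)."""
import hashlib
import re
import struct

# Assumed weights of the partial distance functions (they sum to 1.0).
WEIGHTS = {"header": 0.3, "phdrs": 0.2, "strings": 0.4, "checksum": 0.1}

EHDR_FMT = "<HHIQQQIHHHHHH"   # ELF64 header fields after the 16-byte e_ident
PHDR_FMT = "<IIQQQQQQ"        # ELF64 program header (56 bytes)


def make_elf64(machine, entry, phdr_types, strings):
    """Build a minimal constructed ELF64 image for the example; it is not runnable code."""
    phoff, phentsize = 64, struct.calcsize(PHDR_FMT)
    e_ident = b"\x7fELF\x02\x01\x01" + b"\0" * 9          # 64-bit, little-endian, SysV ABI
    ehdr = e_ident + struct.pack(EHDR_FMT, 2, machine, 1, entry, phoff, 0, 0,
                                 64, phentsize, len(phdr_types), 64, 0, 0)
    phdrs = b"".join(struct.pack(PHDR_FMT, t, 5, 0, 0, 0, 0, 0, 0x1000)
                     for t in phdr_types)
    return ehdr + phdrs + b"\0".join(strings) + b"\0"


def extract_features(blob):
    """The 'blob' of static features stored in the space for one sample."""
    if blob[:4] != b"\x7fELF" or blob[4] != 2:
        raise ValueError("not an ELF64 image")
    (e_type, e_machine, _, e_entry, e_phoff, _, _, _,
     e_phentsize, e_phnum, _, e_shnum, _) = struct.unpack_from(EHDR_FMT, blob, 16)
    table = blob[e_phoff:e_phoff + e_phnum * e_phentsize]
    if len(table) != e_phnum * e_phentsize:
        raise ValueError("truncated program header table")
    p_types = {struct.unpack_from(PHDR_FMT, table, i * e_phentsize)[0]
               for i in range(e_phnum)}
    return {
        "header": (e_type, e_machine, e_entry, e_phnum, e_shnum),
        "phdrs": p_types,
        # printable runs of 4+ characters: the usual "strings" feature
        "strings": set(re.findall(rb"[\x20-\x7e]{4,}", blob)),
        # checksum over one part of the file, here the program header table
        "checksum": hashlib.sha256(table).hexdigest(),
    }


def jaccard_distance(a, b):
    union = a | b
    return 0.0 if not union else 1.0 - len(a & b) / len(union)


def distance(f1, f2):
    """Weighted sum of partial distances, each normalised to [0, 1]."""
    h1, h2 = f1["header"], f2["header"]
    partial = {
        "header": sum(x != y for x, y in zip(h1, h2)) / len(h1),
        "phdrs": jaccard_distance(f1["phdrs"], f2["phdrs"]),
        "strings": jaccard_distance(f1["strings"], f2["strings"]),
        "checksum": 0.0 if f1["checksum"] == f2["checksum"] else 1.0,
    }
    return round(sum(WEIGHTS[k] * partial[k] for k in WEIGHTS), 6)


def nearest_family(sample, families, threshold=0.3):
    """Label a sample with the closest known family, or None if nothing is near enough.
    `families` maps a family name to the feature blobs already in the space."""
    best = None
    for name, blobs in families.items():
        d = min(distance(sample, fb) for fb in blobs)
        if best is None or d < best[1]:
            best = (name, d)
    return best[0] if best and best[1] <= threshold else None


# Constructed samples: two variants of one x86-64 flooder and an unrelated ARM binary.
BOT_A = extract_features(make_elf64(
    62, 0x401000, [1, 1, 2], [b"/bin/sh", b"flood_udp", b"flood_syn", b"/etc/rc.local"]))
BOT_B = extract_features(make_elf64(
    62, 0x401200, [1, 1, 2],
    [b"/bin/sh", b"flood_udp", b"flood_syn", b"/etc/rc.local", b"flood_tcp"]))
OTHER = extract_features(make_elf64(
    40, 0x8000, [1], [b"libc.so.6", b"__libc_start_main", b"printf"]))

if __name__ == "__main__":
    print(distance(BOT_A, BOT_B), distance(BOT_A, OTHER))      # 0.14 0.78
    print(nearest_family(BOT_B, {"flooder": [BOT_A], "other": [OTHER]}))  # flooder
```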

    When embedded devices flood

    We presented a talk at the Botconf 2014 conference titled “Chinese Chicken: Multiplatform DDoS Botnets” (https://www.botconf.eu/chinese-chicken-multiplatform-ddos-botnets/). The Botconf talk was mainly general and covered all desktop, server and embedded malware coming with a Chinese-related context (locale). In the AVAR talk, however, we would focus only on IoT flooders. We will reuse some relevant parts of that presentation; however, we never completely recycle presentations. The threats are constantly evolving and we plan to add a lot of new information and omit outdated content. The talk was distinguished with a “Letter of Appreciation” award from the Botconf committee.

    In our talk, we will present the entire infection chain, from gaining access to the device to the deployment of malicious executables, followed by the analysis of the most important and interesting DDoS families. The ELF binaries have several features in common, such as the capability of being cross-compiled for a variety of architectures or the ability to be controlled by cybercriminals via control panels or IRC daemons. We managed to collect many of their operation tools, including source code, bot builders, vulnerability scanners, brute-forcers, port scanners, installation scripts and control panels. We will present these tools to give the audience a better overview of how cybercriminals work.


    Razor Huang
    Sr. Engineer
    TREND TAIWAN
    Razor Huang:
    Sr. Engineer at Trend Micro. He has been in the information security industry for 7 years, focusing mainly on APT research and malware analysis. He was previously responsible for virus scan engine development. He is interested in reverse engineering and correlation.

    Advanced Persistent Threats (APTs) have become a critical problem nowadays. We found a new APT campaign which has been operating since at least 2010. The victims come from multiple industries, including consumer electronics, healthcare, finance and government, across several Asian countries. The attackers not only deploy known remote access tools (RATs) but also develop their own tools. This session will provide in-depth technical information about their tools, attributes and stealthy tactics.

    Benjamin S. Rivera
    Manager

    and RonJay Kristoffer R. Caragay
    Threat Response Engineer
    TRENDMICRO

    Benjamin Rivera has more than 10 years of experience in information security. Currently, he manages both the threat research team and the training team under the Core Technology operations group at TrendLabs, the global technical support and R&D centre of Trend Micro. He oversees research projects and the engineers’ training and development courses to further build expertise in the constantly changing threat and technology landscape. He has previously managed several teams that handle critical incident and threat response, advanced threat analysis, and heuristics. He has spoken at international conferences including the Association of Anti-Virus Asia Researchers (AVAR) in 2013, Nullcon Conference, and Virus Bulletin International Conference. A sports enthusiast at heart, Benjamin runs marathons and plays lawn tennis. He holds a degree in applied mathematics.

    RonJay Kristoffer R. Caragay:
    RonJay Caragay holds a degree in Computer Engineering. He joined Trend Micro in 2013 as a threat analyst, where he analyses different threats and creates malware reports for customers, particularly in the Japan region. During his spare time, he plays computer games, watches anime series and movies, or reads Manga. He is also into sports and outdoor activities. He is an active contributor to the TrendLabs Security Intelligence blog.

    The Evolution of URSNIF: From Data-Stealing to File Infector


    URSNIF is a threat primarily known for its data-stealing routines. It is also known for hooking various executable files in order to monitor browsers and system APIs and perform a wide variety of information theft, such as stealing online banking account credentials. Note, though, that cybercriminals and threat actors constantly enhance their creations and explore new possibilities to spread their malware. Recently, URSNIF added file infection to its routines. It now searches for and infects files with certain extensions, including .PDF, .MSI, and .EXE. Unlike normal file infectors, URSNIF embeds the target host file into its resource section, making it more difficult for users to revert or clean their files. With this new technique, not only does URSNIF have powerful information theft capabilities, it can now also cause serious damage by infecting a range of file types on compromised systems. We have also observed continuous development of this malware family, with its wide variety of behavior allowing it to avoid detection, to enhance its data-stealing effectiveness, and to continuously infect more computers worldwide. To better understand this threat, this paper will review how URSNIF started and how its active development over the years brought about its most recent enhancements. We will also discuss how this malware family is being used in cybercriminal operations, including statistics on the latest infections (affected countries and targeted industries), and more importantly, how users and organizations can protect themselves from this threat.