I have been in Buenos Aires attending the ekoParty security conference, which has recently exploded in popularity. This year saw more than 1,000 attendees. ekoParty is a premier technical conference in Latin America (think Defcon/Blackhat) that showcases presenters from around the world, with the bulk of them local to Argentina. The conference runs three days and wrapped up this year with local Juliano Rizzo and vietnamese colleague Thai Doung demonstrating their BEAST (Browser Exploit Against SSL / TLS) tool {more to come here shortly}.
I presented on Wednesday with a talk on modern threats that we’re currently observing in our FortiGuard Labs, including evolved flavors of Ransomware (both MBR infecting variants and document encryptors), Crimeware kits and the array of crime services available in the digital underground. This is what drives a lot of malware volume and campaigns we see today (we average over 150,000 new virus signatures biweekly). It’s amazing how easy it is to launch attacks nowadays simply by having some investments and contacts in hand. Here’s a summary of some other talks presented at ekoParty:
* Michael Price discussed his research efforts dumping SSL game communications on iOS through a modified ‘gamed’ binary (used by Game Kit). He demonstrated code, which hooks (pre-hook for SSL write and post-hook for SSL read) iPhone game communication to the game center, dumping communications in plain text. He also demonstrated code to create threads (ARM platform) and inject code into remote processes running on the phone.
* Aaron Portnoy demonstrated a new API (using a QT based GUI) for IDA Pro which stores IDA’s IDB information, such as symbols/function names, into a database for normalization and querying. This is useful for team based IDA pro analysis (since data is normalized), and for porting IDB data when new versions of libraries, binaries arise.
* Aleksandr Matrosov and Eugene Radionov disclosed low level details on x64 based rootkits (Olmarik and Rovnix), as well as the encrypted filesystem that TDL4 employs. One of our predictions at the beginning of this year was the advancement of 64 bit rootkits, and this talk highlighted the new features and efforts malware developers are putting into their wares. Indeed, TDL4/TDSS has been featured in several of our threat reports this year as one of our most detected malware variants on the move.
Apart from the talks, of course, plenty of activities were going on at the conference including lockpicking, war games, and of course retro-gear stations (Commodore 64, 128, etc) 🙂
Leave a reply
