Being at VB2015…

I am currently at the 25th Virus Bulletin International Conference in Prague. The VB2015 is hosted by the Virus Bulletin portal and provides three full days of learning opportunities and networking.

VB2015 focuses on the key themes:

  • Malware & botnets

  • Anti-malware tools & techniques

  • Mobile devices

  • Hacking & vulnerabilities

  • Spam & social networks

  • Network security

General Observations:

What I liked about VB2015 was the very friendly and always helpful staff. The good conference location, it never felt overcrowded or to empty and the very good catering during the conference.

The event itself proceeded very smoothly. Presentation equipment, audio, video – everything worked just fine. What was a little bit disappointing, was the small time slot of 30min for the talks (including discussions) and the really small time window to switch rooms. This made it sometimes quite stressful, if you often have to change rooms. Furthermore, I personally think a time slot of 30min (including discussion) is too small for a technical presentation (but that’s my personal view). The somewhat superficial talks are compensated with a good speaker contact and the really excellent VB2015 book, which includes almost all the talks and the related research papers in detail.


I won’t cover all talks I attended but just some of those I found interesting, since almost everything should be available online soon.

Doing more with less: A study of fileless infection attacks (By: Benjamin Rivera & Rhena Inocencio)

Detecting Persistence Mechanisms: Most often, we can determine a malware persistence mechanism by querying the system with tools such as AutoRuns and RegRipper. After the persistence mechanism was determined and analyzed .We typically go after the actual malware which in most cases is stored somewhere on the file system.

The talk “Doing more with less: A study of fileless infection attacks” presents the research of fileless infection attacks. Fileless infection is defined as: “A fileless infection (fileless malware) is malicious coding that exists only in memory rather than installed to the target computer’s hard drive.”[1]. So fileless malware is injected directly in to RAM and not stored as file on the file system. This technique usually survives no reboot since a reboot clears the RAM.

The researchers present different malware samples, for example “POWERLIKS” which uses a fileless infection technique and stays active even after a system reboot. POWERLIKS does this by creating two registry values one for the auto-start entry and a second one which holds an encoded script with an embedded .DLL file. The auto-start entry ensures that POWERLIKE executes during system start up. The second entry checks dependencies and injects the actual malware code into the system memory.

Besides the technical stuff they also present some statistics which showed how these attacks spread in 2015. Unfortunately I could not find this anywhere online, but what I can say is, that we need to be aware of such attacks in the future 🙂 .


The TAO of .NET and Powershell Malware analysis (by Santiago M. Pontiroli & F. Roberto Martinez)

This talk basically described the role of the .NET framework in malware development process and how it has decisively influenced it. Microsoft started to develop .NET framework in the late 90s. The first version of the .Net framework was released on 13 February 2002 bringing managed code to Windows. The .Net framework can be viewed in three essential components. First a set of supported programing languages. Second the base class libraries which are implementing all the basic operations and last the Common Language Runtime (CLR) which is basically the heart of the .NET framework.

Beside real world examples, the researchers showed how the number of malware has multiplied due to the ease development of .NET based malware and how easy it is for unexperienced developers to write or modify malware quickly. This fact has extreme effects during an incident analysis as e.g. already analyzed malware can easily be modified. Furthermore, they presented how Powershell is used in the incident process, since Powershell and the .NET framework are strongly associated and installed by default on nearly every modern Windows system.

Unpack your troubles: .NET packer tricks and countermeasures (by Marcin Hartung)

Marcin Hartung from ESET got a perfect assist by the previous talk in which the dramatically increasing number of managed (.NET framwork) samples was discussed. In his talk, he focused on obfuscation techniques and showed beside a good overview of a static analysis method. Plenty of tricks which always were helpful for him in analyzing obfuscated code.

Duqu 2.0 Win32k Exploit analysis (by Jeong Wook Oh & Elia Florio)

In 2015 Kaspersky Lab detected a cyber intrusion affecting several of its internal systems. They launched a large-scale investigation, which led in to a new malware platform “Duqu 2.0”. The technical analysis showed that the very sophisticated attack includes an update version of the infamous one in 2011. That’s why they called it “Duqu 2.0”. The complete set of the malware is very complicated. Nevertheless Jeong Wook Oh from Microsoft shared some very interesting findings they hat during the analysis. Beside technical details the talk will also gave you a good impression what the thread actors are capable of.

That’s enough I’d say 🙂 Have a nice (and maybe even sunny) weekend!