Tuesday, April 1, 2008

Black Hat Europe 2008 wrap up...

So I spent the last week in Amsterdam at Black Hat Amsterdam. I was there for a couple of different reasons.

The first reason involved me taking a class on Reverse Engineering: Application in Malicious Code Analysis. I have been interested in Reverse Engineering over most of my career but never really had any instruction in the art of disassembling something that often doesn't want to be taken apart. Well after this class I am going to be spending some of those late nights in hotels unravelling pieces of malware. Yes, I realize this is an open confession that I am a geek.

The class was taught by Pedram Amini (blog) and Ero Carrera (blog) (twitter).

...Commercial Break...

Quick little story about Ero: Dacort and I have just taken seats in class when Dacort laughs. I look over and ask him what he was laughing at. He pointed to his iPhone and explained that he was tracking #blackhat and #amsterdam. It seems that one of our instructors had just posted to twitter. I laughed now and asked Ero - if he was a Twit. He smiled and said he was. How did you know? We told him about tracking #blackhat and #amsterdam.

Want to know who got him on Twitter - the "Goddess of Security Twit Herding" Mediaphyter. You can find her illustrious list of Security Twits right here.

...Back to the class...

The instructors were great. If you have the opportunity to take the class and are interested in getting a solid basis for Reverse Engineering I highly recommend trying to get into the class at Black Hat: Las Vegas. Ero has already said he his going to try to incorporate some of our thoughts into the next class.

The course outline looks something like this: (note: I am leaving some areas out. This are the areas we concentrated on. The book provided by the class has a lot of great material for later reference.)

Introduction: They queried the class to determine where the general level set was. In our case most everyone was already familiar with IDA Pro but hadn't used OllyDBG as much. I don't believe anyone in the class had ever used IDAPython either.

VM's and Live Analysis: The first day more than half the class was running Windows PCs. The second day more than half the class had broken out there Macbook Pros. Note: The instructors were using Macs as were Dacort and myself. I was using an XP image on Parallels. Turns out that some of the newer malware running around out there has some checks to determine whether it is infecting a VM versus a real live machine.

PE File Format: The Portable Executable (PE) format is a file format for executables, object code, and DLLs, used in 32-bit and 64-bit versions of Windows operating systems. The term "portable" refers to the format's versatility in numerous environments of operating system software architecture. The PE format is basically a data structure that encapsulates the information necessary for the Windows OS loader to manage the wrapped executable code. This includes dynamic library references for linking, API export and import tables, resource management data and thread-local storage (TLS) data. On NT operating systems, the PE format is used for EXE, DLL, OBJ, SYS (device driver), and other file types. The Extensible Firmware Interface specification states that PE is the standard executable format in EFI environments.

PE is a modified version of the Unix COFF file format. PE/COFF is an alternative term in Windows development.

Thanks Wikipedia.

There overview was a really good start to understanding what we were going to be looking at and the bits and pieces that are included in our analysis. There were lots of good graphics to help understand Directories, NT Headers, Section headers, Optional headers, and so on.

Overview of Analysis Tools: This section was where the real fun began. We got to learn about the arsenal of tools to examine malicious malware code. We discussed Debuggers, Disassemblers, Decompilers, and Python.

(Dis)Assembly: The instructors called this a crash course. I thought they did a pretty solid job of getting everyone on the same page about what was going on in the assembler.

IDA Pro: This section alone could be a class. I believe both instructors even mentioned this. They provide a solid overview of what the tool is, and then they took the class through customizing the tool for use. I had never thought about how hard it would be to teach a class that requires that we all use a very complex tool doing complex work and the necessity to have everyone looking at the same screens. Again the instructors were the stars.

note:The included CD for the class is a valuable resource. The instructors have provided code examples, solutions, and software. There are configurations, extra plugins, and so much more.

OllyDBG: the "Cracker Friendly" tool. If you have ever considered RE, read about RE or talked to an RE practitioner - the all recommend this tool. Best part of this tool - Free as in beer. There are countless features, the instructor mentioned that he is still finding new ones and super documentation. I won't talk anymore about this section - the class covers the tool extremely well.

Executable (Un)Packing: I loved this section. During the class you review a piece of malware that utilizes ROT13 to hide some of the nastiness. This section of class discusses how this works, how to pack and unpack your own code, how to use statistics to examine packed code, how to unpack traces. The instructors also provide some statistical analysis of common packers in use and what they are seeing as the future. This was one of my favorite sections of class.

As I mentioned earlier - the class/book/cd has a much more material. There are several more sections we covered, resources we were directed to, and questions answered. Again I highly recommend taking this class if you are interested in Reverse Engineering.

The other reason that I was present for Black Hat Amsterdam was to demonstrate that Director part of my title now. I helped in our booth to answer questions about the services that we offer, and our perspective on security. Ask anyone in the biz today and they have a perspective on security.

Some how along the way I ended up being interviewed for Global Security Mag. It's a french magazine about Security. The interview can be found here. I had a rough translation I had done of the interview but some how I have misplaced it on the HD. One friend's comment on the interview was, "You sound so much smarter in french." Thanks. My father offered to send the article along to my old French professor.

I was also caught on camera in a quick - alright I can ramble on if given the chance - video for Help Net Security on PCI. I am a little scared about this interview. I managed to jot a few notes down before walking in to sit in front of the camera but now in retrospect I might have been garbling all kinds of things together. We will have to wait and see what the final cut looks like. The video guy told me that this was the first time he was actually interested in what was being said about PCI. I will take that compliment and run.

So the show wrapped - managed to visit a party, hit a club, and have some amazing italian food (check out the Carpaccio al parmigiano and the Pasta Parmigiano- it's got whiskey fire, and glorious cheese.)