BlackHat USA 2006

The last time I attended a BlackHat Conference, somebody tried to break into my computer using a 0-day vulnerability, which I noticed and blocked due to pure luck.

Today, armed with a well-sized toolbox of sniffers and packet analysers, I'm in Las Vegas. No, not to gamble my AV researcher salary, but to attend the BlackHat USA Briefings and Trainings, 10th Edition.

One of the most striking things about BlackHat conferences in Las Vegas is the huge number of people who come to listen to the presentations: about database security, rootkits, writing secure code or state-of-the-art hacking. This information was cutting edge about 6 months ago – any respectable hacker is going to keep all the 0-day exploits to himself or herself, and only disclose a few every now and then.

This year there are about 3000 registered participants and about double that number is expected at DefCon, which is starting tomorrow. I think it’s by far the biggest computer security-related conference I have attended.

The first day went pretty smoothly, with talks ranging from US Government officials down to self-confessed hackers who are known only by their nicknames. Personally, I find this very interesting – in the antivirus world, you'd never (except under truly exceptional circumstances) see a virus writer coming to a conference such as VB or AVAR to talk about his latest creations. Yet at BlackHat it's pretty common to see people talking about better ways to evade rootkit detectors or IDS systems, to the accompaniment of loud cheers from the crowd.

The packet sniffer that I have set up on my PowerBook has been pretty silent so far, except for an insane amount of broadcast packets (after all, most people here do have a laptop and are using the WiFi connection to … do … things). But I wouldn't be surprised if I saw a rerun of the Amsterdam 0-day experience. After all, it is BlackHat.
