Virus Bulletin 2012 – Day 3 – The final chapter

Virus Bulletin 2012 is now over, and the final chapter from this year's conference needs to be written. Almost all of the participants have packed their bags and gone home. This event was three action-packed days containing everything from discussions about cyber war and interesting meetings with fellow researchers to presentations about Indian phone scammers. I am now sitting here writing the last blog post about the Virus Bulletin 2012 conference in Dallas.

This is my second Virus Bulletin, and just like last time it gave me the opportunity to network with fellow researchers, but this time I also presented my own research. Vicente Diaz wrote about the second day at VB, and he included some pictures from my presentation on Malware against Linux and the Attackers' Automated Tools – check out the pictures here. During my presentation I also had a 30 minute live demo where four people from the audience helped me identify vulnerabilities and exploit them using the same techniques the bad guys use. The demonstration also covered automated scripts for backdooring and bypassing security mechanisms within the Linux operating system.

The last day was, in my view, one of the best days, because by then we had had the chance to get familiar with everyone at the conference, and it also included some very good presentations. I had the opportunity to attend the following presentations.

  • Using an expert system to provide automated malware analysis for non-experts.
  • Correlating sentiments and topics with spam waves on social networks.
  • Anatomy of Duqu exploit.
  • Security ramifications of Windows Kernel Patch Protection.
  • My PC has 32,539 errors: how telephone support scams really work.
  • Cyberwar: reality, or a weapon of mass distraction?

After listening to all these nice presentations I decided to write down some of the conclusions instead of all my personal thoughts. Three interesting conclusions drawn both by the presenters and from Q&A with the other people in the audience were:

  • Performing a deep analysis of malware is expensive!
  • Microsoft Scammers may earn more than $350 000 USD per day!
  • Cyberwar is a hot topic!

It was very interesting to see other people from Kaspersky Lab presenting their research. Even while working for Kaspersky Lab, we don't always have time to sit down with researchers and experts from different departments within the company and talk about their research.

I would like to conclude my thoughts on the last day by saying that it was a very good mixture of presentations. Most of the presentations were relevant and brought up new ideas and new information that are worth sharing with the industry.

Just before the closing ceremony a panel discussion was held, moderated by Ryan Naraine. The other participants were Adrian Stone, Josh Shaul and Alain S. Zidouemba. This was a very relevant panel discussion about the value (and danger) of offensive security research, and from time to time it was very lively.

I would like to thank everyone who attended my presentations, give all my new friends a thumbs up, and hope that maybe we will see each other at another Virus Bulletin conference.
