I love DEF CON (and know how to stylize the name appropriately). I attended DEF CON 17, enjoyed it immensely, and knew that I just had to speak there. I was unable to attend 18, but put in to speak at 19, was accepted, and had an even better time. No other conference I've attended treats its speakers better than DEF CON, and the speakers badge always seems to draw interesting people into conversations that I might have otherwise never had. I now make it a point to respond to the DEF CON CFP each year, and have presented at three consecutive events:
- DEF CON 19 - Covert Post-Exploitation Forensics With Metasploit
- DEF CON 20 - SCADA HMI and Microsoft Bob: Modern Authentication Flaws With a 90's Flavor
- DEF CON 21 - Pwn the Pwn Plug: Analyzing and Counter-Attacking Attacker-Implanted Devices
I'm happy to report today that I'll be speaking for the fourth year in a row: I've been accepted to speak at DEF CON 22. This time, I'll be contributing as part of DEF CON 101, which has expanded its format from a Thursday event to a conference-long track. Here's the abstract for my talk, Instrumenting Point-of-Sale Malware - Communicating Malware Analysis More Effectively:
The purpose of this talk is to promote the adoption of better practices in the publication and demonstration of malware analyses. For various reasons, many popular analyses of malware do not contain information required for a peer analyst to replicate the research and verify results. This hurts analysts that wish to continue to work more in-depth on a sample, and reduces the value of such analyses to those who would otherwise be able to use them to learn reverse engineering and improve themselves personally. This paper and talk proposes that we borrow the concept of “executable research” by supplementing our written analysis with material designed to illustrate our analysis using the malware itself. Taking a step beyond traditional sandboxes to implement bespoke virtual environments and scripted instrumentation with commentary can supplement written reports in a way that makes the analysis of malware more sound and useful to others.
As a case-study of this concept, an analysis of the recent high-profile point-of-sale malware, JackPOS is presented with enough information to replicate the analysis on the provided sample. A captured command-and-control server is included and Python-based harnesses are developed and presented that illustrate points of interest from the analysis by instrumenting the execution of the malware itself.
If you enjoy reverse engineering, or you're looking to get started in it, you won't want to miss this. Even if you're already sold on the concept of reproducible and verifiable research, the associated case study makes for a very interesting demo in its own right. JackPOS is nothing particularly groundbreaking by itself, but it's infrequent that you get such a nicely instrumented and guided tour of a malware sample. I'll be releasing all of the harness code as well as the source code to the command-and-control server that was liberated from its production use. Everything you need to set up my multi-VM demo in the comfort of your own home lab will be made available.
As a part of the DEF CON 101 track, I hope that it draws some newcomer interest to reverse engineering, and perhaps start to change the information-hoarding culture that has a hold on much of the malware reversing community at the moment. Don't shy away from the DEF CON 101 track if you have some experience under your belt, though. It's a very fun demo, and I'm always happy to talk shop with anyone.
Buy me a drink and I'll tell you the long version of how I got the command-and-control server :).
I'll be in attendance at Black Hat USA as well, and will be posting more about the two conferences between now and then. I'm looking forward to seeing all of you in Vegas!