Dan's presentation was titled: "P0wn the cloud. The good, the bad, and the pugly of cloud computing", whereas mine was "Last-minute malicious packer dissected". The packer ended up being too weak, so I figured I had to find a better sample at the very last minute. I managed to create a VERY last-minute talk, with a live demonstration on another malicious packer. Although that new packer wasn't even remotely complex, it was a good example of tricks used in today's custom packers to protect malicious software. It was perfect for a 20-minute talk, and the live demo showed how it was possible to manipulate the unpacking routines.

Actually, that packer created a child process as suspended, unpacked it in memory, and then resumed it. Dual processes are nothing new; Chad Nelson and I used them many years ago when we were still writing the Armadillo protection system. I know some researchers have had problems with this sort of packer because OllyDbg doesn't show processes created as suspended, so I was showing a way to handle this sort of case. The demo demonstrated a way to modify the unpacking buffers in the parent process to inject an infinite loop into the child process once it's resumed. In this particular packer, it wasn't really necessary. Quite often, though, the child process will have more encrypted layers when it resumes, and sometimes it won't be totally decrypted in memory at any given time (CopyMem II-like protection), so you can't dump the process from the buffers in the parent process. Once resumed, the child process sits in the infinite loop; you can then use another instance of your debugger to attach to it and start the debugging session.
In this demo, the headers were decoded in the parent process in memory. Looking at them, I could locate the entry point, calculate where it is in the parent buffer, and inject the jmp eip bytes there. It could have been the start of another stub, but in this case, it was not. All I had to do was to find the Import Address Table boundaries manually, then feed the information to Chimprec, dump the process, and fix it with a nicely rebuilt import table.
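As an added illustration of the two steps above (locating the entry point in the decoded headers and patching the parent's buffer), here is a small Python helper that is not part of the original post or the packer. It assumes the parent holds the unpacked image in file layout, so the entry point RVA has to be translated to a raw offset through the section table; in a memory-mapped buffer the RVA is the offset directly (`mapped=True`). The sample PE image, the function names and the `.text` section are constructed for this example. The injected bytes are the two-byte `jmp $` (`EB FE`), and the original bytes are returned so they can be restored once a debugger is attached to the child.

```python
import struct

JMP_SELF = b"\xEB\xFE"  # jmp $: a two-byte jump to itself, i.e. an infinite loop


def parse_pe(buf):
    """Return (AddressOfEntryPoint RVA, section list) for a PE32 image in file layout."""
    if buf[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    _machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", buf, coff)
    opt = coff + 20
    if struct.unpack_from("<H", buf, opt)[0] != 0x10B:
        raise ValueError("only PE32 optional headers are handled here")
    entry_rva = struct.unpack_from("<I", buf, opt + 16)[0]  # AddressOfEntryPoint
    sections = []
    for i in range(nsections):
        off = opt + opt_size + i * 40
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", buf, off)
        sections.append((name.rstrip(b"\0").decode(), va, vsize, rawptr, rawsize))
    return entry_rva, sections


def rva_to_offset(rva, sections):
    """Translate an RVA to a raw file offset using the section table."""
    for _name, va, vsize, rawptr, rawsize in sections:
        if va <= rva < va + max(vsize, rawsize):
            return rawptr + (rva - va)
    if sections and rva < sections[0][1]:
        return rva  # header region is not relocated
    raise ValueError("RVA 0x%X is not backed by any section" % rva)


def find_entry_offset(buf, mapped=False):
    """Offset of the entry point inside the buffer (file layout unless mapped=True)."""
    entry_rva, sections = parse_pe(buf)
    return entry_rva if mapped else rva_to_offset(entry_rva, sections)


def patch_entry_with_loop(buf, mapped=False):
    """Return (patched copy, entry offset, original bytes) with jmp $ at the entry point."""
    off = find_entry_offset(buf, mapped)
    if off + len(JMP_SELF) > len(buf):
        raise ValueError("entry point lies outside the buffer")
    patched = bytearray(buf)
    saved = bytes(patched[off:off + len(JMP_SELF)])
    patched[off:off + len(JMP_SELF)] = JMP_SELF
    return bytes(patched), off, saved


def build_sample_image():
    """Constructed sample: minimal PE32 with one .text section, entry at RVA 0x1010."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                       # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)  # i386, 1 section
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)       # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1010)     # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)   # ImageBase
    struct.pack_into("<I", opt, 32, 0x1000)     # SectionAlignment
    struct.pack_into("<I", opt, 36, 0x200)      # FileAlignment
    # .text: VirtualSize 0x100, VA 0x1000, SizeOfRawData 0x200, PointerToRawData 0x200
    sec = struct.pack("<8sIIII", b".text", 0x100, 0x1000, 0x200, 0x200) + bytes(16)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec).ljust(0x200, b"\0")
    text = bytearray(0x200)
    text[0x10:0x13] = b"\x55\x8B\xEC"  # push ebp; mov ebp, esp at RVA 0x1010
    return bytes(headers + text)


if __name__ == "__main__":
    image = build_sample_image()
    patched, off, saved = patch_entry_with_loop(image)
    print("entry point at buffer offset 0x%X, saved %s, now %s"
          % (off, saved.hex(), patched[off:off + 2].hex()))
```

In the scenario from the post, the patched buffer is what the parent goes on to write into the suspended child; after attaching the second debugger and breaking in the loop, writing `saved` back over the entry point lets the child continue under the debugger.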
Regarding the conference itself, there were some presentations I really enjoyed. "Your computer is now stoned (...again!). The rise of MBR rootkits", by Kimmo Kasslin and Elia Florio, was very interesting. "Automatic rules-based binary analysis with IDA Pro and CLIPS", by Ryan Hicks, was also an interesting talk. Many other talks were interesting, but the last one I want to mention is "Darwin inside the machines: malware evolution and the consequences for computer security", by Peter Szor, Dimitris Iliopoulos, and C. Adami. This was really entertaining, and gave me some ideas for some further research.
Finally, there was a Gala dinner, with a quiz that included a lot of questions related to computer viruses and other Internet-oriented topics. The presenter was Graham Cluley from AVG, er, I mean Sophos (people who attended the dinner will get that one). I have to say, he really made it entertaining and funny.
I'm looking forward to giving a talk at Virus Bulletin 2009 in Geneva.
The slides and a selection of photographs from the event were published a couple of days ago at http://www.virusbtn.com/conference/vb2008/
Security Researcher: Nicolas Brulez