Conferences
It has been a while since I wrote the last time here and since I presented at Botconf, but I wanted to share my slides here too. A couple of weks after the sad terrorist attacks in Paris, Botconf was held in the city of love. Way more secure than before and with lots of security controls which almost made me lose my return train, but it was worth it. Attending a security conference focused on cybercrime, malware, reverse engineering and intelligence is always a good plan :) I really recommend you attending Botconf this year in Lyon, you will not regret it ;)
My presentation was about Andromeda. This is the abstract:
Andromeda, also known as Gamarue by some Antivirus vendors, is a popular and modular bot active since 2011. It is normally used to spread additional malware, but sometimes, depending on the criminals, the main objective could be just stealing user credentials. After almost five years of life its development has not stopped. The people behind it keep maintaining it and adding functionalities, like new anti-analysis routines, changes in the communication encryption, new request formats, etc.
This talk will not give just details about the latest changes in the Andromeda binary and control panel, but it will also respond some interesting questions about this botnet. Which are the most popular versions used nowadays? Are most of the botnets spreading malware or just using its plugins? What are the most popular plugins? How and where is Andromeda sold? Who is selling it? What criminal groups are using Andromeda? It is not just a talk about malware reversing but about the whole Andromeda ecosystem.
Submitted by jesparza on Sun, 2016/02/07 - 23:09
As I already announced in the last blog post, I was in Las Vegas giving a workshop about how to analyze exploit kits and PDF documents at BlackHat. The part related to exploit kits included some tips to analyze obfuscated Javascript code manually and obtain the exploit URLs or/and shellcodes. The tools needed to accomplish this task were just a text editor, a Javascript engine like Spidermonkey, Rhino or PyV8, and some tool to beautify the code (like peepdf ;p). In a generic way, we can say that the steps to analyze an exploit kit page are the following:
- Removing unnecessary HTML tags
- Convert HTML elements which are called in the Javascript code to Javascript variables
- Find and replace eval functions with prints, for example, or hook the eval function if it is possible (PyV8)
- Execute the Javascript code
- Beautify the code
- Find shellcodes and exploit URLs
- Repeat if necessary
Submitted by jesparza on Sun, 2013/08/18 - 22:14
BlackHat USA 2013 is here and tomorrow I will be explaining how to analyze exploit kits and PDF documents in my workshop “PDF Attack: From the Exploit Kit to the Shellcode” from 14:15 to 16:30 in the Florentine room. It will be really practical so bring your laptop and expect a practical session ;) All you need is a Linux distribution with pylibemu and PyV8 installed to join the party. You can run all on Windows too if you prefer.
Now Spidermonkey is not needed because I decided to change the Javascript engine to PyV8, it really works better. Take a look at the automatic analysis of the Javascript code using Spidermonkey (left) and PyV8 (right).
Submitted by jesparza on Wed, 2013/07/31 - 12:40
After lunch it was Sergey Bratus and Travis Goodspeed's turn to speak about the security of USB ports, telling how it is possible to compromise the whole system via a unattended USB port. This was a really interesting talk that one can explore by himself taking a look at some good documentation on Travis' blog.
The talk “We Came In Peace – They Don’t: Hackers vs. CyberWar” by FX was next. He gave his opinion about the actual cyberwarfare and the difference between the point of view of Governments and cybersecurity experts about this subject. Some ideas from his talk: avoid the use of 0-days as weapons through Full-Disclosure, learn how to protect you playing CTFs and don't give up.
Submitted by jesparza on Sun, 2013/04/07 - 14:16
Until now I had not had enough time to write about my experience at my first Troopers. Due to some good comments about it I had had in mind going to Troopers since some time ago, but for one reason or another I hadn't been able to do it. Last year I had the opportunity to share table with Enno Rey, Troopers organizer and CEO of ERNW, at BlackHat Europe. That time I saw they were a good team and good people, and this year, living closer to Heidelberg, I had no excuses to go. I arrived in Heidelberg at 3:30AM after 9 hours on the road due to the bad weather conditions. I was able to rest to be ready for the talks in the next morning. I missed the keynote by Rodrigo Branco, but I heard that it was really good. The first talk I attended was “Paparazzi over IP” by Daniel Mende and Pascal Turbing about hacking a CANON camera, equipped with a wireless adapter and other features. The result was that it was possible to see all the photographs taken, control the device remotely and intercept the images while they were about to be sent to a cloud storage.
Submitted by jesparza on Sun, 2013/04/07 - 13:52
After reading the Eurograbber report and taking into account that there were a lot of similarities with Sopelka Botnet, which I had analyzed some months before, I decided to write a blog post about it. At the same moment, the Rooted CON CFP was closing, so I submitted this subject and then I forced myself to research further to demonstrate that Eurograbber was just a hype. Thanks to the investigations by S21sec and Fox-IT there was more than enough information.
Submitted by jesparza on Mon, 2013/04/01 - 21:25
More than one month ago I gave a presentation about the NFC credit cards privacy at No cON Name (NcN), a well known Spanish security conference. It's not a new subject and, also, some researchers presented talks about it in other conferences during this year, but, until that moment, there were no proofs of concept with Spanish credit cards (at least public ones). You can take a look at the presentation here (Spanish).
As I have mentioned in some posts about this subject, NFC payments are a normal part of life in some Asiatic countries, like Japan. However, this technology has arrived this year to Spain and other European countries, supported by banks, mostly. The result is that a person could have an NFC credit card in his wallet without even knowing it. It wouldn't be a problem if data were correctly protected, but we can't assume anything in the security world and this is another proof of that.
Submitted by jesparza on Fri, 2012/12/21 - 15:51
As I mentioned in the previous post, just after Source Seattle some days ago, the ToorCon (also in Seattle) began. Some speakers took advantage of this to present the same or different presentations at both conferences. Friday the 13th was the opening day, with a small party, but the presentations didn’t begin until the following day. There were thirty talks in total, each delivered in a 15 minute period of time, with a short break for lunch. It was an entire day of presentations, from 8:30 till 10:30, quite a day!
Submitted by jesparza on Thu, 2011/06/30 - 10:10
Submitted by jesparza on Mon, 2011/06/27 - 22:58
|
