Back from lunch, the conference continues with lightning talks…
First one, “NF3D and associates, firewalls get fun” from Eric Leblond, INL. NF3D is a visualization tool for Netfilter logs. Logs (packets logged by Netfilter) are displayed in three dimensions, like a Gantt diagram. Ulogd2 is a userspace logging daemon for Netfilter. More fun, Wolfotrack allows you to manage your firewall sessions like in Wolfenstein 3D.
Second one, Picviz, presented by Sébastien Tricaud, also from INL. From the website, “Picviz is a parallel coordinates plotter which enables easy scripting from various input (tcpdump, syslog, iptables logs, apache logs, etc..) to visualize your data and discover interesting results quickly”.
Finally, Paul Craig was back for a few minutes and talked about some trojan investigations. A VM running XP had a backdoor on port 1234. Standard tools (AVG, Rootkit Revealer or OllyDbg) did not work anymore. The system was infected by the Moth trojan, which uses WMI to register new event notifications! The funny (if we can use this word) thing is the voice messages processed by the infected computer when the user tries to execute forbidden tools like the task manager or an AV program. Other examples? Install the trojan when user “x” logs in but uninstall it when “administrator” logs in, or start some actions when the CPU is idle, etc… Quite interesting to see WMI used for such a purpose! Need to test more? Check out here.
Back to the official planning now! Dumitru Codreanu, from BitDefender, presented different ways to scan files for potential viruses. With server-side virus scanning, the client sends the whole file to the server, which performs the scan. Lots of advantages (centralized logs, signatures and knowledge) but there are major risks of network congestion and it takes a (loooooong) time! How to reduce the traffic? By using the next method, called client-server collaborative scanning. Instead of sending the complete file, the server requests only details of the file like checksums, file type, … (it’s a true two-way client-server model). The third method is quick scan. Only active threads are scanned, and it requires a small client which runs fast and has little bandwidth requirements. To improve the detection process, scanning the memory has the big advantage that the virus code is already unpacked and decoded. Even if proactive detection methods are in place, the goal of AV vendors is to convert in no time any newly detected malware into signatures. Why? Signature-based scanning is much more powerful than proactive scanning (ex: heuristic). Behavior-based scanning is very expensive in resources (code emulation) but fortunately less used today as most viruses are now signed.
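The collaborative exchange described above, sketched as an added example (not code from the talk or from BitDefender). The message fields, the in-memory hash sets and the fallback to a full upload for unknown hashes are assumptions, and all sample data is constructed.

```python
import hashlib
import json

MAGIC = {b"MZ": "pe", b"%PDF": "pdf", b"PK": "zip"}

# Constructed sample: a fake "known" binary and a one-byte variant of it.
KNOWN_SAMPLE = b"MZ" + b"constructed-malicious-marker" + b"\x00" * 100_000
VARIANT = KNOWN_SAMPLE[:-1] + b"\x01"

# Server-side knowledge (assumed to be simple hash sets for this sketch).
KNOWN_BAD = {hashlib.sha256(KNOWN_SAMPLE).hexdigest()}
KNOWN_CLEAN = set()


def describe(data):
    """Client: summarise the file (checksum, size, type) instead of uploading it."""
    ftype = next((t for m, t in MAGIC.items() if data.startswith(m)), "unknown")
    return {"sha256": hashlib.sha256(data).hexdigest(), "size": len(data), "type": ftype}


def server_verdict(summary):
    """Server: answer from central knowledge, or ask the client for the file."""
    if summary["sha256"] in KNOWN_BAD:
        return "malicious"
    if summary["sha256"] in KNOWN_CLEAN:
        return "clean"
    return "send_file"  # unknown checksum: metadata alone cannot decide


def server_full_scan(data):
    """Stand-in for the server's real engine: matches a constructed byte marker."""
    return "malicious" if b"constructed-malicious-marker" in data else "clean"


def collaborative_scan(data):
    """Run the two-way exchange; return (verdict, bytes the client sent)."""
    summary = describe(data)
    sent = len(json.dumps(summary).encode())
    verdict = server_verdict(summary)
    if verdict == "send_file":
        sent += len(data)  # fall back to classic server-side scanning
        verdict = server_full_scan(data)
    return verdict, sent


if __name__ == "__main__":
    for name, blob in (("known", KNOWN_SAMPLE), ("variant", VARIANT)):
        print(name, collaborative_scan(blob))
```

The one-byte variant shows the limit of the checksum lookup: its hash is unknown, so the exchange falls back to the full upload and the traffic saving disappears for that file.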
The next topic discussed was “The end of the internet” aka “Self replicating malware on home routers” by naxxatoe (nice name crew). Core routers passing the Internet traffic are well secured (read: they should be!). What about the small devices that everybody uses at home or in company branch offices? Sebastian explained how SoHo routers can be hacked and used as bots by installing malware (well-known doors are HTTP interfaces, SSH/telnet and UPnP). Why are they nice targets? Users have AV, rootkit scanners and more tools on their computers and shut them down when unused, but what about routers? They are available 24×7 and sit in front of all those security solutions! Their web interfaces are vulnerable to XSS, auth bypass, disclosure of information or brute force attacks. It’s a fact that “SOHO” means “low development budgets, bypass security reviews and only basic features” (no time to do more). There are two types of malware: semi-automatic & self-spreading. Installed malicious code can be used for several purposes: sniffing, MiTM attacks, DDoS, phishing, spam relay and even grid-computing! That was a very nice presentation with a special “geek” style. Loved it. Unfortunately, Sebastian had to speed up (to stick to the planning).
Next coffee break…