2011 Talks

Malware Mythbusters

The topic of my proposed presentation is simple: I'll be setting up several myths surrounding what happens to malware-infected machines, and then investigating them in the style of the ever-popular Mythbusters of Discovery Channel fame. My secret weapon in this investigation process - beyond just cool videos of fire-breathing Snort pigs - is the massive malware farm that I've been running for over a year now. Based on the ClamAV submission database, which takes in ~40,000 unique pieces of malware per day, this farm automates the process of executing those samples on unpatched Windows XP SP2 boxes (because if there's anywhere malware will run, it's there), with tcpdump fork()'d off in the background to capture all of the network traffic generated once a given machine is infected. As of May 31, 2011, I've run ~3.6 million samples through this farm, and have generated well over 1TB worth of PCAP data.

Myths to be investigated include:

  • The majority of C&C servers reside in countries like China, Russia, or Brazil
  • Domains and IP addresses used to call home into a botnet are transient, typically lasting for only hours or days at a time
  • Outside the occasional DDoS or ping to Google to verify connectivity, traffic generated by malicious programs rarely touches legitimate hosts
  • Spambots are easy to find because they're incredibly noisy and blatant
  • Malware authors are too smart to leave obvious markers in their network traffic, because that'd make them easy to spot

Speaker: Alex Kirk

Alex Kirk is a senior researcher with the Sourcefire Vulnerability Research Team (VRT), and the head of that group's Awareness, Education, Guidance, and Intelligence Sharing (AEGIS) program, which is designed to increase direct collaboration between Sourcefire customers, the Snort user community, and the VRT in the interests of improved detection and coverage. In his 7 years with the VRT, Alex has become one of the world's leading experts on Snort rules, and has honed skills in reverse engineering, network traffic analysis, and systems security.

He recently contributed a pair of Snort-related chapters to "Practical Intrusion Analysis: Prevention and Detection for the Twenty-First Century," and is a regular contributor to the widely read VRT blog (http://vrt-sourcefire.blogspot.com/). His current major technical project at Sourcefire involves automated collection of network data generated by malicious binaries, and analysis of that data for detection purposes.

Alex has a strong background as a presenter at technical conferences, including two years running at both Hacker2Hacker and You Sh0t the Sheriff in Sao Paulo; the Computer Antivirus Research Organization Workshop in Prague and the Wireshark Developers' Conference in Palo Alto 2011; Sec T in Stockholm in 2010; and the LAN/WAN conference in Helsinki 2009.


Harder, Better, Faster, Stronger...
Operation Carpo, The Hack of an Australian Registrar