19th-20th November 2011 - Melbourne, Australia
The topic of my proposed presentation is simple: I'll be setting up several myths surrounding what happens to malware-infected machines, and then investigating them in the style of the ever-popular Mythbusters of Discovery Channel fame. My secret weapon in this investigation process - beyond just cool videos of fire-breathing Snort pigs - is the massive malware farm that I've been running for over a year now. Based on the ClamAV submission database, which takes in ~40,000 unique pieces of malware per day, this farm automates the process of executing those samples on unpatched Windows XP SP2 boxes (because if there's anywhere malware will run, it's there), with tcpdump fork()'d off in the background to capture all of the network traffic generated once a given machine is infected. As of May 31, 2011, I've run ~3.6 million samples through this farm, and have generated well over 1TB worth of PCAP data.
Myths to be investigated include:
Alex Kirk is a senior researcher with the Sourcefire Vulnerability Research Team (VRT), and the head of that group's Awareness, Education, Guidance, and Intelligence Sharing (AEGIS) program, which is designed to increase direct collaboration between Sourcefire customers, the Snort user community, and the VRT in the interests of improved detection and coverage. In his 7 years with the VRT, Alex has become one of the world's leading experts on Snort rules, and has honed skills in reverse engineering, network traffic analysis, and systems security.
He recently contributed a pair of Snort-related chapters to "Practical Intrusion Analysis: Prevention and Detection for the Twenty-First Century," and is a regular contributor to the widely-read VRT blog (http://vrt-sourcefire.blogspot.com/). His current major technical project at Sourcefire involves automated collection of network data generated by malicious binaries, and analysis of that data for detection purposes.
Alex has a strong background as a presenter at technical conferences, including two years running at both Hacker2Hacker and You Sh0t the Sheriff in Sao Paulo; the Computer Antivirus Research Organization Workshop in Prague and the Wireshark Developers' Conference in Palo Alto in 2011; SEC-T in Stockholm in 2010; and the LAN/WAN conference in Helsinki in 2009.
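The abstract describes the farm's loop (fork tcpdump, detonate a sample, keep one PCAP per sample) and the bio describes what is done with the result (mine the traffic for detection). The following is an added example illustrating that loop end to end; it is not the VRT's farm code or any Sourcefire tool. The `run_sample` hook, the interface and directory names, and the capture file are assumptions: the PCAP is constructed in memory (a fabricated C2 check-in to `bad.example` at 198.51.100.7 and one non-HTTP TLS record) so the module runs offline, and the emitted Snort 2.x rule is an illustration of the rule shape, not a VRT rule.

```python
"""Per-sample capture harness plus a minimal libpcap/HTTP indicator extractor.
Added example, not Sourcefire VRT code. SAMPLE_PCAP is constructed below;
bad.example / 198.51.100.7 / 203.0.113.9 are placeholders, not real indicators."""
import struct
import subprocess
from typing import Callable, List, Optional, Tuple

HTTP_METHODS = {b"GET", b"POST", b"HEAD", b"PUT", b"OPTIONS", b"CONNECT"}
HttpRequest = Tuple[str, int, Optional[str], str]  # dst ip, dst port, Host, request line


def build_capture_cmd(sample_sha256: str, iface: str, outdir: str) -> List[str]:
    """tcpdump argv for one detonation: no name resolution, full snaplen, one pcap per sample."""
    return ["tcpdump", "-i", iface, "-n", "-s", "0", "-w", f"{outdir}/{sample_sha256}.pcap"]


def run_sample_capture(sample_path: str, sample_sha256: str, iface: str, outdir: str,
                       run_sample: Callable[[str, int], None], timeout: int = 120) -> str:
    """Fork tcpdump, detonate the sample through run_sample (a hypothetical hook that drives
    the victim VM), then stop the capture. Needs root or CAP_NET_RAW; not exercised here."""
    cap = subprocess.Popen(build_capture_cmd(sample_sha256, iface, outdir))
    try:
        run_sample(sample_path, timeout)
    finally:
        cap.terminate()
        cap.wait()
    return f"{outdir}/{sample_sha256}.pcap"


def _http_request_from_frame(frame: bytes) -> Optional[HttpRequest]:
    """Ethernet/IPv4/TCP decode; return the request if the payload starts an HTTP request."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # not IPv4
        return None
    ip = frame[14:14 + struct.unpack("!H", frame[16:18])[0]]  # honour IP total length
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6:  # not TCP
        return None
    tcp = ip[ihl:]
    dport = struct.unpack("!H", tcp[2:4])[0]
    payload = tcp[(tcp[12] >> 4) * 4:]  # skip TCP header incl. options
    request_line, _, headers = payload.partition(b"\r\n")
    if request_line.split(b" ")[0] not in HTTP_METHODS:
        return None
    host = None
    for line in headers.split(b"\r\n"):
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            host = value.strip().decode("ascii", "replace")
            break
    dst = ".".join(str(b) for b in ip[16:20])
    return dst, dport, host, request_line.decode("ascii", "replace")


def extract_http_requests(pcap: bytes) -> List[HttpRequest]:
    """Walk a classic libpcap file (either byte order, Ethernet link type) record by record."""
    magic = struct.unpack("<I", pcap[:4])[0]
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a libpcap file (pcapng is not handled)")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("only LINKTYPE_ETHERNET captures are handled")
    requests, off = [], 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        req = _http_request_from_frame(frame)
        if req:
            requests.append(req)
    return requests


def snort_rule_for_host(host: str, sid: int, family: str = "MALWARE-CNC") -> str:
    """Snort 2.x rule alerting on outbound HTTP requests carrying the observed Host header."""
    return ('alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS '
            f'(msg:"{family} HTTP request to {host}"; flow:to_server,established; '
            f'content:"Host: {host}"; nocase; http_header; '
            f'classtype:trojan-activity; sid:{sid}; rev:1;)')


# --- constructed sample capture: one C2 check-in plus one non-HTTP TLS record ---
def _ipv4(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def make_tcp_frame(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0x1234, 0x4000,
                     64, 6, 0, _ipv4(src), _ipv4(dst))  # checksums left 0
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def make_pcap(frames: List[bytes]) -> bytes:
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # little-endian header
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1306886400 + i, 0, len(f), len(f)) + f
    return out


SAMPLE_PCAP = make_pcap([
    make_tcp_frame("10.0.0.5", "198.51.100.7", 49152, 80,
                   b"GET /gate.php?id=1 HTTP/1.1\r\nHost: bad.example\r\n"
                   b"User-Agent: Mozilla/4.0\r\n\r\n"),
    make_tcp_frame("10.0.0.5", "203.0.113.9", 49153, 443, b"\x16\x03\x01\x00\x05hello"),
])

if __name__ == "__main__":
    print(" ".join(build_capture_cmd("deadbeef", "eth1", "/data/pcaps")))
    for sid, (dst, port, host, line) in enumerate(extract_http_requests(SAMPLE_PCAP), 1000001):
        print(f"{dst}:{port} {line} Host={host}")
        if host:
            print(snort_rule_for_host(host, sid))
```

The parser deliberately stops at the IP total length and at the TCP data offset rather than assuming fixed 20-byte headers, since real captures carry Ethernet padding and TCP options; it handles only classic libpcap on Ethernet and refuses anything else rather than misparsing it. A Host header is a starting point for a rule, not a finished one: before shipping, check the candidate against the corpus of benign traffic for the same host to avoid alerting on shared hosting or CDN fronts.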