Live from CanSecWest: Day 1

This week I’m at CanSecWest in Vancouver, which is a pretty big single track Security Conference for “Security Professionals” (read: Hackers).   There have were a couple talks yesterday that were definitely relevant, the first one was called “I know what you (and your company) did last summer” and the other was “reverse engineering malicious javascript.”  These really show off the bleeding edge of software security and what we need to start thinking about protecting against in the next couple of years. Often these conferences show off techniques and ideas that are one or two years ahead of their time, so if we start preparing our defenses now  maybe we’ll have a hold on security before it becomes a serious problem.

Talk One

“I know what you (and your company) did last summer” by Roelof Temmingh was very interesting and talked about how to correlate different pieces of information for data mining purposes. The speaker outlined a tool (which can be demoed at: www.paterva.com/evolution.html) which attempts to transform one type of information into another. A quick and easy example of this might be IP to Geographical location by doing a geo-trace route on that IP, or converting a Domain to a phone number by looking up whois information. He mentioned that his tool had more than 27 information transformers, which means that it can dig up a lot of different types of information from a single point. The translators included use the following starting points: IP, DNS, Domain, sub-domain (brute force) Geographic Location, Phone number, Address, e-mail address, name, alternate e-mail, phrase, related phone numbers, Social Network Affiliations, and this list is growing every day.

So what’s so exciting about this? People have been data mining for years. Well this is interesting for two reasons, first because of the sheer amount of information this tool can mine and how quickly it can gather it. But second and possibly more importantly, once a person has this information it’s possible to make very interesting correlations such as “Where are all the US Marine Corp locations?” You could use the information translators to go from Domain Name to enumerating all the sub-domains, from there we can do a reverse DNS lookup to get all the IPs for each of these sub-domains, now we can track the IP addresses to Geographic locations. Once we have a geographic locations we can even do fun stuff like looking up the location on Google or Microsoft maps for a nice map of the location.

Talk Two

The other talk by Jose Nazario that I thought was very interesting was the talk on reverse engineering JavaScript malware. This one was very interesting to me because it ties so nicely into my multi-part series of AJAX and XSS vulnerabilities. This talked about all the different ways that a malware researcher deals with some very malicious JavaScript malware. For the last six to twelve months attackers have been using JavaScript as a delivery method for other malware that would exploit other vulnerabilities such as the WMF vulnerability. For this reason it’s very important to understand the JavaScript that is delivering those payloads. Often times the JavaScript bootstrappers are complexly encoded using advanced proprietary encoders, which means that they can change themselves easily and quickly to bypass Web Application firewalls or Intrusion Detection systems.

Nazario talked about a few tools that make decoding JavaScript a little easier including NJS, SpiderMonkey and Rhino that makes understanding what JavaScript malware is actually doing much easier.   He also talked about the new entrance of some interesting JavaScript attack tools which are changing the landscape of the JavaScript attack vector. These attack tools are written in JavaScript and when loaded will fingerprint the browser, enumerate all accessible CLSIDs and then report back vulnerability-exploit pairs to the host. Alternately the attacker may configure the JavaScript to simply download a payload and exploit the vulnerability.

The techniques described in the talk were still fairly rudimentary, and included simply making the JavaScript do the work for you. Execute the JavaScript in a sandbox outside of the browser, and allow it to decode itself. This technique may have to be done a number of times as double or triple encoding techniques may be used, but eventually the researcher was left with readable JavaScript code.

This conference is really interesting so far, and it’s a great chance to see some of the new attack techniques being used by people that have way too much time on their hand. I’d really like to know which conferences you enjoy going to and if you feel they’re worth their (sometimes very steep) price. If you have any questions about reverse engineering JavaScript or information transformers I’d love to talk more about them, so just leave a question or a comment in the comments section and I’ll try to answer the question or at least point you in a good direction for more information.–  Joe Basirico