CPEN 442: Guest Lectures and Case Studies

Last updated November 17, 2015 14:51

Unless otherwise indicated, all presentations are held in CEME 1202.

October 29, 11:30-12:20

Speaker: Raul Alvarez, Senior Security Researcher/AV Team Lead at Fortinet

Title: Vawtrak: Advanced Banking Malware Via Tor

Abstract:
Vawtrak, also called NeverQuest, is a banking malware that targets banks and other financial institutions all over the world. It is a sophisticated malware that challenges the likes of Zeus and other malevolent trojans. Newer versions of Vawtrak use Tor2web to access its hidden C&C servers. Vawtrak is a very sophisticated malware not only in its malicious features, but also in its code. It uses a new modern technique called layering, similar to a Matryoshka doll, wherein the original malware produces another malware from within its binaries. Using Tor2web, the malware also tries to avoid aggressive takedowns of its servers by the good guys. In this presentation, we will look into how the malware uses a DGA to generate its C&C domain names, and how it implements a similar DGA to access its hidden servers. A demonstration will be shown on how the malware, within the context of a debugger, generates the domain names, and how it tries to connect to its hidden servers via Tor2web. Another demonstration will be shown on how to make your own personalized .onion domains, how to make your own hidden service, and how to access that service via Tor2web. In this presentation, we will also focus on how Vawtrak implements Anti-Emulator, Anti-Debugger, Anti-Analysis, Encryption/Decryption/Hashing, Compression/Decompression, Garbage collection, and Code injection. Vawtrak uses all possible armoring tricks and techniques in order to dodge detection and analysis. We will look into how the malware uses layers in its code and how it integrates the different armoring techniques in its layers.

Speaker Biography:
Raul Alvarez is a Senior Security Researcher/AV Team Lead at Fortinet, where he conducts research on new advancements in malware technologies. As one of the lead trainers in the AV team, he trains the junior AV and IPS analysts on malware analysis and reverse engineering. He regularly writes articles for the Fortinet blog website. He is also a regular contributor to the Virus Bulletin publication, where he currently has 22 published articles. Prior to Fortinet, he was a Senior AV Engineer/Trainer at Trendmicro, Philippines. He was also a college instructor at two universities in the Philippines: City College of Manila and Central Colleges of the Philippines. He has a bachelor's degree in Computer Engineering, and holds the following certifications from Microsoft: Microsoft Certified IT Professional - MCITP Database Developer, Application Developer - Microsoft .NET - MCAD, Microsoft Certified Technology Specialist - MCTS SQL Server 2005, and Microsoft Certified Professional - MCP 2.0. He recently presented a paper at BSidesVancouver2015, and has upcoming talks at HASK, BSidesCapeBreton, OAS-First, BSidesOttawa, and SecTor conferences.

November 5, 11:00-12:20

Speaker: Dmitry Samosseiko, Director of Threat Research, SophosLabs

Title: Anatomy of Attacks

Abstract:
We will discuss the modern malware threat landscape and how it's different from the computer viruses of the 20th century. We'll look at how modern attacks are orchestrated, why they exist and who stands behind them. Finally, I'll provide an overview of modern protective measures and give a glimpse into the operation of the Sophos anti-malware lab.

Speaker Biography:
Dmitry Samosseiko is the global Director of Threat Research at Sophos, a software and hardware security company. Dmitry is responsible for a globally distributed team of 80+ cyber-security researchers and analysts at SophosLabs. His main focus is on driving strategy and innovation in the areas of malware protection and e-mail spam filtering. Dmitry has over 20 years of experience in information technology, including almost 15 years of cybersecurity focus. Earlier in his career, Dmitry was one of the first developers at ActiveState, where he played an instrumental role in developing the PureMessage email security product. The product's success led to the company's acquisition by Sophos in 2003. At that time, Dmitry was put in charge of the Vancouver SophosLabs team, with a big focus on architecting and building systems for malware and spam analysis automation. Dmitry is an industry expert on computer security. He has given multiple talks at security conferences, published articles and been frequently quoted by the media on the topic of cybercrime.

November 17, 11:00-11:45

Speaker: Larry Carson, Associate Director Information Security Management

Title: Navigating Organizational Decision Making for Information Security Professionals

November 19, 11:00-12:20

Speaker: Alex Loffler, Principal Security Architect, TELUS

Title: Enhancing Incident Detection and Response

Abstract:
Today's security teams need to study many months or years of data for baselining and incident forensics, but IT operations may only want to analyze days or weeks of data for operational insights. The two different needs can be difficult to reconcile. TELUS has implemented a powerful tool for exploratory analytics of long-term historical data in Hadoop. It combines high-volume, low-value data sources (e.g. NetFlow), not required for real-time monitoring but valuable for forensics and compliance, with more traditional high-value log sources. With this wealth of detailed historical data, the security team can also provide operational insights into platform and service usage to TELUS business and operational units as a value-added service. The security group is no longer perceived as the bad guy enforcing security rules, but as a partner supporting business growth.

Speaker Biography:
Alex Loffler is the principal security architect at TELUS, one of Canada's largest providers of cellular, fixed-line, and television services. He has over 20 years of experience in architecting software and security solutions in the telco industry. Alex holds several patents in the U.S. and Europe.

Copyright © 2003-2012 Konstantin Beznosov