ISC StormCast for Tuesday, June 6th 2017
SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)
SANS ISC Handlers
🗓️ 6 June 2017
⏱️ 7 minutes
Transcript
| 0:00.0 | Hello, welcome to the Tuesday, June 6th, 2017 edition of the SANS Internet Storm Center's Stormcast. |
| 0:07.0 | My name is Johannes Ullrich and I am recording from Washington, D.C. |
| 0:12.0 | Malware is often obfuscated or encoded in order to bypass a basic signature-based detection algorithm. Now, one way this is usually done is via |
| 0:24.7 | XOR. So the attacker just takes an existing binary and then applies a key via XOR to this binary. |
| 0:34.4 | Of course, now your PE header and the like is no longer recognizable, and |
| 0:40.3 | malware analysis of course gets a little bit more difficult in order to analyze the malware. |
| 0:46.3 | You first have to figure out what is the key, and then of course undo the XOR operation. |
| 0:52.3 | Now to help you with analyzing binaries like this, Didier today has a post showing you how to find |
| 1:00.0 | the key that was used to encode a particular binary. |
| 1:05.1 | What he's really doing here is he's using a specific property of XOR. If you XOR something with zero, nothing really changes. |
| 1:15.6 | So what you have to do is you have to find a section in the file that would have been all zeros normally. |
| 1:23.7 | And then by looking at the section, well, you can then deduce the key by just looking at the data being present in that section, hopefully, and that's actually quite common for malware. |
| 1:35.8 | The key is short enough that it fits into this section of zeros. |
| 1:42.2 | Luckily, typically, PE files do have a number of sections that are all |
| 1:47.8 | zeros, so what you're looking for here is a section with somewhat random-looking data |
| 1:54.0 | that keeps repeating throughout the file, and chances are that this is your key. Didier is promising a second part in which he'll introduce a tool that automates this process. |
| 2:08.6 | IMSI catchers, sometimes known under their brand name of Stingray, are sometimes used in order to detect cell phone users. Law enforcement has been |
| 2:21.0 | known to use them in the past, and there have been various efforts to figure out how frequently |
| 2:28.3 | these systems are used and where. Students at the University of Washington now for the first time, as far as I know, |
| 2:37.3 | managed to actually cover an entire city with detectors in order to find and then map these |
| 2:46.4 | IMSI catchers and see where they are used. What they did is they built a little system that does |
| 2:54.3 | detect or attempts to detect these devices and then they deploy them with volunteers at |
... |