Conference review: AVAR 2017

Posted by Martijn Grooten on Dec 22, 2017

The first week of December was packed with security conferences, and VB2017 speakers were busy presenting their research at no fewer than four different events: FIRST in Prague, Black Hat Europe in London, Botconf in Montpellier, and AVAR in Beijing. Security researchers were spoilt for choice, and while other members of the VB team headed to Botconf in France, I journeyed slightly further afield, to Beijing, to attend my first AVAR conference.


Though a global event, the annual conference of the Association of Anti-Virus Asia Researchers is naturally biased towards Asian attendees and speakers, giving the audience some interesting insights into the particular threats facing this most populated part of the world.

A good example of this was a presentation by AhnLab's Minseok 'Jacky' Cha, on targeted attacks faced by South Korean industry. Though some of these attacks have made the global security news – especially those linked to the Lazarus group, which is often linked to the country's northern neighbour – there are far more attacks than we often see reported in the rest of the world, and certainly not all of them come from Korea.

The Lazarus group was the subject of a talk by ESET researcher (and regular VB speaker) Peter Kálnai, who described his and Michal Poslusny's hunt for the toolset of this notorious group, based on the properties of malicious Windows executables, thus giving some new insight into the group's activities. An interesting conclusion was that there are probably multiple cells or subgroups that share the same code, yet that have different building environments.

Another toolkit used in targeted attacks is EHDevel, which was the subject of a talk by Bitdefender researcher Cristina Vatamanu. EHDevel is a specialized framework, with a plugin-based architecture, that uses some novel techniques for C&C communication. It has been linked to the Operation Hangover APT campaign.

Cristina Vatamanu. Photo: SKD Labs.

Cristina's colleague, Tiberius Axinte, was one of several speakers who delivered talks similar to those they had delivered at VB2017. Tiberius revisited the topic of the macOS component used by APT28/Fancy Bear. ESET's Robert Lipovsky discussed Industroyer, as he also did in Madrid, and his colleague Filip Kafka once again spoke about FinFisher – though he did add that, shortly after his VB2017 talk, a campaign that had been using FinFisher had switched to using StrongPity-like spyware.

Unsurprisingly, a number of talks dealt with the threat coming from vulnerable smart devices. One such talk was by Ankit Anubhav (NewSky), who said that IoT attackers will have to start working harder, as all the easy ways to attack these devices have already been exploited – I am still not sure whether this is a good or a bad thing.

As a means of researching smart devices efficiently, two talks discussed setting up IoT honeypots: one by Tencent researchers Jingyu Yang and Fan Dang, and one by Andrew L. Go and Wren Fer M. Balangcod from G DATA's Manila-based research lab. The latter pair swapped roles between 'good' and 'bad' guys in their presentation, using a 'hacker hoodie' to indicate which role they were representing.

A talk from Sophos's Rowland Yu, on malware targeting Android-based POS, was also very timely, while his colleagues, William Lee and Jagadeesh Chandraiah (both former VB speakers), also spoke about Android malware: about using recurrent neural networks to detect it, and about malware that makes it onto Google Play, respectively.

Testers' panel. Photo: SKD Labs.

Given that many members of the audience represented anti-virus companies, a talk by VirusTotal's Karl Hiramoto on how his company works with the community was both interesting and relevant. Equally relevant, I hope, was a testers' panel, in which I joined colleagues from AV-Test, NSS Labs and SKDLabs on stage to discuss the state of testing.

Machine learning also featured on the programme, and a presentation by Kaspersky Lab researcher Alexander Chistyakov was one of the best I have seen on the subject, providing a good introduction to its use in cybersecurity without shying away from the important but often very technical details. The philosophy that adding 'good' code to malware can't make the file any less bad was an important take-away from this talk.

An equally good introduction, and probably my favourite talk of the conference, was that by Symantec's Dennis Tan, who discussed spam botnets. He provided a very good overview of the subject, using details on specific botnets to highlight certain aspects of the general spam botnet landscape.

Dennis Tan. Photo: SKD Labs.

This was the 20th AVAR conference, but only my first. I was pleasantly surprised both by the quality of the talks and by the organization of the event, which this year was in the hands of Beijing-based SKDLabs. The organizers deserve full praise for their hard work, and I have no doubt that next year's event in Goa, India will be just as good.
