DEF CON 17 - Matt Richard and Steven Adair - 0-day gh0stnet

0-day, gh0stnet and the inside story of the Adobe JBIG2 vulnerability
Matt Richard Malicious Code Researcher, Raytheon
Steven Adair Researcher, Shadowserver

This talk is the story of 0-day PDF attacks, the now famous gh0stnet ring and the disclosure debacle of the Adobe JBIG2 vulnerability in January and February 2009. This is the story of international cyber-espionage using 0-days and the fierce debate over how to defend networks in the face of prolonged periods of exposure to unpatched vulnerabilities.

We seek to answer the following questions in this talk:

Who was behind the early 0-day attacks and are they the same as the gh0stnet report published in April 2009?
Did disclosure of the Adobe JBIG2 vulnerability have an impact on targeted attacks?
How effective were post-disclosure protections such as AV signatures, IDS signatures and workarounds?

Throughout the talk we dissect the 0-day artifacts and other events leading up to the partial disclosure of the JBIG2 vulnerability on February 19 by ShadowServer. Using a variety of 0day PDF samples we will analyze the 0-day attacks and attempt to correlate them to the attackers discussed in the recent paper "Tracking GhostNet: Investigating a Cyber Espionage Network".

We will also look at the partial disclosure by ShadowServer and then full disclosure on the Sourcefire blog and assess the impact on targeted attacks. We will analyze the various malicious PDF's submitted to Virustotal to determine their lineage and relationship to either the original 0day exploit and gh0stnet or new attacks that sprang up in the wake of the disclosure. The analysis tools and techniques will be shared to aid future analysis efforts.

Matt Richard is Malicious Code Operations Lead at Raytheon Corporation. At Raytheon he is responsible for analyzing and reporting on samples of unknown malicious code and other suspicious activity. Matt was previously Director of Rapid Response at iDefense. For 7 years before that, Matt created and ran a managed security service used by 130 banks and credit unions. In addition he has done independent forensic and security consulting for a number of national and global companies. Matt has written a number of tools including a web application testing tool, log management and intrusion detection application and an automated Windows forensics package. Matt currently holds the CISSP, GCIA, GCFA and GREM certifications.

Steven Adair is a security researcher with The Shadowserver Foundation and a Principal Architect at eTouch Systems. At Shadowserver Steven analyzes malware, tracks botnets, and deals with eCrime at varius levels. He frequently deals with targeted malware attacks analyzing their techniques, malware, and command and control mechanisms. Steven also blogs on the Shadowserver website about various malware incidents, 0-day vulnerabilities, politically motivated DDoS attacks, and more at www.shadowserver.org. At his day job with eTouch he supports the Cyber Threat program of a large customer providing insight, analysis, and defense in many of the same arenas.

For copies of the slides and additional materials please see the DEF CON 17 Archive here: https://defcon.org/html/links/dc-arch...