Virenforensik

Malware is often the first step in invading a corporation and normally we are happy with just letting it be blocked by our antivirus or other security solution. Occasionally, Malware slips through the antivirus net, be it because a machine¹s protection was outdated, the Malware authors had done a particularly good obfuscation job or the Malware was specifically targeted at the company to avoid its defences. In these cases, we need Malware forensics to ascertain what damage has been done and how to
mitigate it.

In-depth Malware analysis is difficult and time consuming, and therefore costly. Luckily, tools have been developed that make analysis easier and more timely, at the cost of not being as thorough. If deployed in a company properly, these can be used to analyse Malware and with knowledge of the company¹s infrastructure, can give the security officer a good enough picture of the situation s/he is dealing with to mitigate the damage.

In this talk, we will look at various types of tools available to a security officer and what external resources can be used to help determine what the Malware was up to in one¹s company.

Der Vortrag wird in Deutsch gehalten.

Referent:

Morton Swimmer was born in New York City, USA, raised there and in Hamburg, Germany, then studied in England and Hamburg. It was at the University of Hamburg where he came to study computer security under Prof. Dr. Brunnstein and in 1988 he co-founded the Virus Test Center. He started his first anti-virus business in 1991, which was bought by S&S International UK (now owned by Intel Corp). Then in 1996, Morton joined IBM Research in New York to work on IBM Antivirus and create the Digital Immune System, an automated Malware analysis system capable of reacting faster to new Malware than the Malware could spread. The next switch was to IBM Research in Zurich, Switzerland to research the applicability of intrusion detection techniques to the anti-virus field with one of the world's leading research groups in intrusion detection. From this research, the DIMVA Conference was formed. Somewhere along the way he got his PhD with a thesis on Malware intrusion detection. In 2007, he became a associate professor at CUNY¹s John Jay College of Criminal Justice and in 2008 he joined Trend Micro, where he still works, with only a brief stint in between at Intel Security. He is now based in Germany.

Morton has been a CARO member since it¹s inception in 1990 and as organized the CARO Workshops twice. He is also Technical Editor at Virus Bulletin since 2003 and participates in the organization of the VB Conference. In the past, he¹s contributed to various journals and books, either as guest editor or as author.