- The talks. The general technical level of the talks at RECON, I feel, exceed most other cons.
- The size. RECON feels like the perfect conference size. Large enough to bring many smart minds together and small enough to keep it very informal and social. The single-track format allows you to catch everything.
- The attendees. Lots of industry rock stars gather for RECON. Just looking around the room this morning I see Ilfak, Dino Dai Zovi, Gera, Alexander Sotirov, Rolf Rolles, Nicolas Brulez and Nicolas Pouvesle.
- The city. Montreal is a great place to eat and to party. The conference organizers know this and start the con at a very reasonable time of 10:30. Plenty of time to close the bars out at 3:00am and get your beauty sleep in.
- The AV quality. Despite the limited budget and small conference size, the RECON guys put together the most usable and high quality audio / visual recordings of the talks for those of you who couldn't make it to the con. And it's made available for free.
- The organizers. David, David, Hugo and Guillaume aren't running this con for the money. Every spare penny they have goes towards a bar tab or some other perk. They do a great job putting a family feel on the con. At RECON 06 for example there was a Sunday BBQ at Guillaume's house.
- The way they treat their speakers.
Pierre-Marc Bureau spoke about the history and reverse engineering of the Storm bot net. He covered some of the various protection mechanisms the bot agents employ. How they communicate. How they spread etc... Pierre will be releasing a tool for automatic extraction of daily hash search values, for those of you interested in potential network take-overs. This task has been undertaken by another team of researchers and is similar in nature to what Cody and I did with our Kraken analysis. The most interesting discovery that Pierre made in his research was that the Storm authors copied their rootkit technology directly out of Greg Hoglund and Jamie Butlers book and that the P2P functionality is not custom coded but rather utilizes the KadC library.
Bruce Dang is a Microsoft SWI employee and spoke about the Microsoft Office document file format. He covered the file format specification, malicious file analysis techniques, exploitation methods and attack mitigations. He noted that a common shellcode technique for determining the current file handle is through a brute force loop calling GetFileSize() and comparing against a known file size. For a quick and dirty way to skip the vuln repro and execute the shellcode one can dump it to a file, open the file with notepad and force execution of the shellcode with a debugger. This will satisfy the file handle brute force loop. As an interesting attack mitigation, Bruce recommends running all documents through MOICE which will convert the binary file format into an XML doc. Granted, this assumes that MOICE doesn't have any bugs of its own.
Ilfak Guilfanov is a name that almost anyone in the business has heard of before. Ilfak is of course the creator of the industry standard disassembly tool IDA Pro. David Ahmad made a funny and true comment that everyone loves Ilfak as both attackers and defenders, white hats and black hats all use IDA. Ilfak began with an overview of the IDA architecture and IDB file format. He then focused the remainder of his time discussing the construction of plugins. During the Q and A section of his talk he mentioned some of the upcoming features of the soon to be released version of IDA. The biggest improvements he mentioned are in the debugger component. The debugger is now more robust in the handling of multi-threaded targets, furthermore the debugger server is now multi-threaded itself allowing for multiple simultaneous debug client connections.
Thomas Garnier spoke on Windows privilege escalation via LPC/ALPC. Most unfortunately I missed this talk. Sorry Thomas.
Nicolas Pouvesle, the machine of a man that he is, silenced the crowd with a walkthrough of the creation of (the worlds first?) remote Netware kernel stack overflow exploit. There were many hurdles to jump, but in the end he demonstrated a pair of fully functional exploits capable of popping a shell and creating an arbitrary super-user. Amazing work.
Cameron closed out the day with an intro talk on reverse engineering MacOS binaries. Not a lot of focus has been placed on MacOS X vulnerability hunting but that will certainly be changing in a short time. Apple is far behind Microsoft as far as OS level security protections are concerned; couple that fact with the constantly increasing OS market share that Apple is grabbing and you'll start to see more and more researchers migrating to Apple security auditing. Cameron covered the various file formats, application bundle structures and basic OSX reversing tools necessary to get started. He also spoke on reverse engineering Objective-C compiled binaries which present a unique set of problems in comparison to other compiled binaries specifically in that functions aren't called, rather messages are passed and therefore cross-references are non-existent. Naturally, scripts to solve this hurdle were presented. A positive benefit of Objective-C compiled binaries is that symbols are all preserved. This is especially helpful when there are Mac/Windows released software, you can augment your Windows binary reversing by pulling the symbols from the Mac version.
That rounds up the first day. There is a conference party tonight where a series of 5 minute lightning talks will be presented with of course the standard night time activities to follow.