Tuesday, June 14, 2016

That thing with rocking harder and the BlackHoodie story

Last year in September I realized an idea that had manifested in my brain quite some months before. I had wanted to do a workshop with a handful of friends. It was supposed to be a weekend where I'd spend time teaching four ladies the thing I do for a living: reverse engineering malware. Those four had come up to me at different hacker events, telling me "yo, it's cool what you do, how can I learn that?" This, in general, is great, but trying to explain how-to-RE in a few sentences is frustrating at best. So much for the idea; let's meet somewhere, have a fun weekend, and look at a binary, I said.

And this idea, in the end, turned out to be... a thing. I had planned to write about the workshop long ago, actually right after; then I was super busy, postponed, postponed more, thought now is the time, then realised I might just as well wait a bit more and keep watching what happens. And a lot happened.

It was quite flustering that these girls had come up to me. I've done a lot in my short career, but I'm still very much a student myself. I'm quite sure, almost certain indeed, this isn't directly linked to my mad skills, but rather to my being someone they weren't afraid to come up to. This could have many reasons, but what I quite frankly believe is the most important one: I'm female. I'm someone they can relate to. It's taken me a while myself to understand what the hell a role model is. I like to believe that's not someone to aspire to, not an individual to adore, but someone that could be you. A person who isn't outstanding but just normal. Sounds ridiculous? Oh dear. Like three years after I myself had realized debuggers ain't rocket science, I'm still asked on every other occasion how I had this funky idea of becoming a malware reverser. That... is ridiculous. Because there shouldn't be any funkiness to this; I'm not a revolutionary, I just like to stare at assembly. For hours.

I frequently wander around tech offices and industry events where I count no more than a handful of women sneaking around the hallways. I say sneaking because lots of us, myself included, do not radiate confidence and determination, but are rather wary, a bit cautious, quite silent. If you're not, like, very sure of yourself, it feels intimidating to walk into a meeting or a lecture full of people who are just different. This nervousness is not primarily a female problem but, I'd guess, an issue for any minority. But please don't get me wrong, I've never had a bad time at any conference or meetup; also, I'm not talking about general fear. The infosec community I know is very welcoming, I've never experienced hostility. But that is also not the point; it doesn't require hostility to feel out of place. Thing is, most of us don't enjoy feeling exotic.

All of this said, I thought it's a splendid idea to do that workshop and invite just any woman interested in reverse engineering. This way, I hoped, the binary-affine ladies out there would understand the event is something they're supposed to attend and feel welcome to join. What it had taken for me to overcome my irrational fears of IDA Pro was being told that I'm goddamn supposed to use it; I might just as well go and pass that wisdom on. I crafted a blog post, put it live and then waited.

Truth be told, my expectation was to sit down with the initial four students, +/-2, and I was stunned when the registration e-mails came rushing in. By the time we started with workshop preps there were 17 registered participants, 15 of whom, no kidding, for real, showed up in person in St. Pölten downtown in early September. I was... speechless. So many femgineers <3 The participants were from Switzerland, France, Spain, Germany, Argentina, Israel, Russia and Austria, coming in by train or airplane, lots of them even at their own expense. And this while St. Pölten isn't quite in the center of all happenings; you know what I mean.

Now, what is it that we actually did? Basically the participants had to complete four assignments before the actual workshop weekend. These assignments included setting up an analysis environment, a virtual machine running Windows XP, and installing a number of tools needed for malware analysis tasks. Also up for homework was quite some reading: papers about x86 assembly language, common malware anti-analysis tricks and runtime packers. They had to perform dynamic malware analysis on a Citadel infector within their virtual machine and look at the traces it left with different tools. Finally, they got some exercise binaries to put in a debugger and watch EIP jumping along the execution path. These exercises altogether don't teach you how-to-RE. They are meant to help build a base of understanding for malware and binaries, and they also provide hints on where to go from there after the workshop.

The two days of the workshop themselves were meant to be painful. No, really, a weekend to learn RE is either painful or quite useless. It is a tough subject, even for seasoned information technologists. Thus the goal was to do something that sticks; like, content that's not painful just doesn't stick. So I picked a piece of malware, one that I had worked on before, and made it our workshop content. The binary is a bit more than 20 KB in size, packed, and if it were a pet it would listen to the name Upatre. I've had fun with Upatre when I was learning reverse engineering, thus I knew it's doable for beginners. For the inclined reader, the workshop's subject of interest is identical to this one here.

The object of interest
When the weekend was over we were somewhere through the packer and out of all energy. I left the payload as an exercise and called the event a success, for none of the ladies ran away screaming. Two days, 6 to 8 hours each, staring at assembly is dizzying at best, more likely frustrating. Upatre in 2013 came with few, but neat, anti-analysis tricks. The protection 'layer' is well separated from the decompression and image reconstruction steps. The payload is simple but effective. It was a lot of content and, frankly, I don't expect anyone walked away humming "strike, I got it, strike, I got it".

I remember hearing a "cool what you taught them" afterwards. But in reality, I didn't actually teach much. When I myself was working on my first binary I spent a day on a single jump table. I don't think one can learn to reverse an entire binary within a weekend. But that was also not the goal; much rather I wanted every attendee to understand that binaries don't bite and debuggers ain't built in Hogwarts. The younger me spent a lot of time hypnotizing tasks, reading books and papers and staring at tools for long, out of an unsubstantiated fear that things would fall apart if I pressed the wrong button. So the primary message I meant the participants to take home was how to rock'n'roll by getting their hands dirty, whichever field they are working in.

And holy shit, they did! We kept in touch after the workshop and I was watching with much amazement as splendid news kept coming in. Now, half a year later, one of the ladies has taken on her first reverse engineering position with Quarkslab in Paris. One did her first malware research talk at Botconf last year, presenting on botnet analysis, and is going for the next speaking engagement soon; one spoke at RootedCon this year about iOS malware attacking non-jailbroken devices. Two ladies decided to pick up RE as the topic for their thesis, one focusing on analyzing threat actor TTPs, one on analyzing the NDIS stack based on memory images. Finally, an eager participant collected her first CVEs this year by exploiting BMC Logic's BladeLogic Server Automation product, presenting the findings at the Troopers conference. Needless to say, among the participants are seasoned engineers, who excel in cryptography, software development, incident response and security management every day. I can't stress enough how happy I am for all their achievements. Once again, just to be clear, I didn't teach them any of this; all I wanted them to do is rock harder :)

And then, one sleepless night early this year, I made the decision to do that again: there will be another BlackHoodie workshop. It will again be free, most likely be located in Germany, will be painful again, lots of fun and a wonderful community exchange. Besides being exhausting, the weekend was indeed a lot of fun. I'll surely never forget the face of the waiter at the Greek restaurant where we had dinner, when he saw 15 women walking in, as I told him we're a hacking workshop :,D