I gave a lightning talk today at MongoDC on the topic of Malware, Mongo and MapReduce. I didn’t have too much time to get my points across, but it did appear some people saw the value in what I had to say. I will be giving a more detailed and extended talk in August at NoSQLCON Now! 2011, so stay tuned for that. I also got word back from the Brucrew that I would be able to teach a workshop at Brucon in Belgium this year.
Here is the current description for the Brucon workshop and the slide deck from Mongo:
At this point we all know the PDF specification is bad, and if you have been following the analysis posted by others then you too can likely dig around inside a PDF. Open source and commercial products have been great in helping us review malicious documents, but they examine each document in isolation. In other words, these tools do not account for similarities and shared techniques between malicious documents. PDF X-RAY, an online analysis and detection engine, aims to solve this by using statistical analysis and some clever tricks to identify related malware.
Users interested in moving past single-document PDF examination and on to collective PDF analysis should take this class. The training will begin with a brief overview of the PDF specification, how attackers have abused it, and a breakdown of a PDF using PDF X-RAY. Users will then get hands-on training setting up their own malicious PDF repository using the open source tools that help power PDF X-RAY, including MongoDB and MalPdfObj. By the end of the training users will be well versed in converting, storing and analyzing PDF documents both collectively and independently. Users will walk away having written MapReduce jobs to collect PDF statistics and advanced queries to identify interesting details, plus a small set of samples to begin working with on their own time.