10:00 AM
to 11:00 AM
Peter Kleissner: Stoned Bootkit
79 Attendees
Location
Augustus Ballroom 1-2
Type Rootkits
Peter Kleissner
Stoned bootkit is a brand new Windows bootkit. It is loaded before Windows starts and is memory resident up to the Windows Kernel. Thus Stoned is executed beside the Windows Kernel and has full access to the entire system. You can use it to create your own boot software (diagnostic tools, boot manager, etc.). It gives the user back the control to the system and has exciting features like integrated FAT and NTFS drivers, automated Windows pwning, plugins and boot applications, and much much more. It finally goes back to the roots - so in this way,
Your PC is now Stoned! ..again
11:15 AM
to 12:30 PM
Dino Dai Zovi: Advanced Mac OS X Rootkits
63 Attendees
Location
Augustus Ballroom 1-2
Type Rootkits
Dino Dai Zovi
The Mac OS X kernel (xnu) is a hybrid BSD and Mach kernel. While Unix-oriented rootkit techniques are pretty well known, Mach-based rootkit techniques have not been as thoroughly publicly explored. This presentation will cover a variety of rootkit techniques for both user-space and kernel-space rootkits using unique and poorly understood or documented Mac OS X and Mach features.
1:45 PM
to 3:00 PM
Erez Metula: Managed Code Rootkits
84 Attendees
Location
Augustus Ballroom 1-2
Type Rootkits
Erez Metula
This presentation introduces a new concept of application level rootkit attacks on managed code environments, enabling an attacker to change the language runtime implementation, and to hide malicious code inside its core. Taking the ".NET Rootkits" concepts a step further, while covering generic methods of malware development (rootkits, backdoors, logic manipulation, etc.) for the .NET framework and Java's JVM, by changing its behavior. It includes demos of information logging, reverse shells, backdoors, encryption keys fixation, and other nasty things.
This presentation will introduce the new version of ".Net-Sploit" - a generic language modification tool, used to implement the rootkit concepts. Information about .NET modification - The Whitepaper, .NET-Sploit, and source code can be found here.
3:15 PM
to 4:30 PM
Jeff Williams: There's a Fox in the Henhouse
79 Attendees
Location
Augustus Ballroom 1-2
Type Rootkits
Jeff Williams
How much would it cost to convince a developer to insert a few special lines of Java in your application? Would you detect the attack before it went live? How much damage could it do? Malicious developers are the ultimate insiders. With a very small number of lines of Java, they can steal all your data, corrupt systems, install system level attacks, and cover their tracks. A trojaned Struts or Log4j library could affect most of the financial industry at once.
This talk will examine the techniques that malicious programmers can use to insert and hide these attacks in a Java web application. We'll start by looking at the code for a few naive examples of timebombs and backdoors to show the power of these attacks. Several real examples discovered during 10 years of security code reviews will be shared. A more sophisticated attacker will seek to obfuscate their attacks and achieve plausible deniability. We'll start by exploring the tricks for hiding attacks from security code reviewers, including escaping, string hiding, string conversion, and method misuse. We'll also examine data and control flow tricks to fool static analysis tools, such as using EJBs, exception handling, static initializers, dynamic class loading, and compiler misuse. The talk will demonstrate the ease of undetectably loading an application rootkit remotely and executing it in the JVM.
What can organizations do to minimize the risk of malicious Java developers? We'll review the benefits and limitations of technical controls, such as sandboxes, configuration management, least privilege, and intrusion detection. We'll also discuss the use of detection techniques such as code review and static analysis tools. Finally, we'll talk about people and organizational issues that can help minimize this risk. In a world with layoffs, outsourcing, and organized crime, the risk from malicious developers should be considered seriously. Microsoft's Doug Leland has called these attacks "one of the most significant threats companies face." Businesses need to be aware of these risks so that they can make informed decisions about searching their code, using controls, and even whether to use applications to perform certain business functions at all.
4:45 PM
to 6:00 PM
Alexander Tereshkin & Rafal Wojtczuk: Introducing Ring -3 Rootkits
104 Attendees
Location
Augustus Ballroom 1-2
Type Rootkits
Alexander Tereshkin, Rafal Wojtczuk
Rootkit Evolution over the past decade:
Ring 3 == usermode rootkits
Ring 0 == kernelmode rootkits
Ring -1 == hypervisor rootkits (BluePill)
Ring -2 == SMM rootkits
Now, we're going to introduce Ring -3 Rootkits.

