Last year at Black Hat, we introduced the rootkit FU. FU took an unprecedented approach to hiding, not previously seen in a Windows rootkit. Rather than patching code or modifying function pointers in well-known operating system structures like the system call table, FU demonstrated that it was possible to control the execution path indirectly by modifying private kernel objects in memory. This technique was coined DKOM, or Direct Kernel Object Manipulation. The difficulty in detecting this form of attack caused concern for anti-malware developers. This year, FU teams up with Shadow Walker to raise the bar for rootkit detectors once again. In this talk we will explore the idea of memory subversion. We demonstrate that it is not only possible to hide a rootkit driver in memory, but that it is possible to do so with a minimal performance impact. The application (threat) of this attack extends beyond rootkits. As bug hunters turn toward kernel-level exploits, we can extrapolate its application to worms and other forms of malware. Memory scanners, beware the axiom “videre est credere.” Let us just say that it does not hold the same way that it used to.
Sherri Sparks and Jamie Butler “Shadow Walker: Raising The Bar For Rootkit Detection” Audio
BlackPage update: Implications of the Lynn Cisco Research, and Moving Forward
Jeff Moss updates the BlackPage with his thoughts about ISS/Cisco vs. Mike Lynn/Black Hat. From the article “This update to the BlackPage will catch us up with what has happened in the ISS and Cisco vs. Mike Lynn and Black Hat case, and I hope to set the record straight. I have also asked for comment from other security experts, and that will be included as separate BlackPage entries.”
Michael Sutton and Adam Greene “The Art of File Format Fuzzing” Audio
In September 2004, much hype was made of a buffer overflow vulnerability that existed in the Microsoft engine responsible for processing JPEG files. While the resulting vulnerability itself was nothing new, the fact that a vulnerability could be triggered by a non-executable file commonly traversing public and private networks was reason for concern. File format vulnerabilities are emerging as a more and more frequent attack vector. These attacks take advantage of the fact that an exploit can be carried within non-executable files that were previously considered to be innocuous. As a result, firewalls and border routers rarely prevent the files from entering a network when they are included as email attachments or downloaded from the Internet.
Kenneth Geers “Hacking in a Foreign Language: A Network Security Guide to Russia (and Beyond)” Audio
Has your network ever been hacked, and all you have to show for your investigative efforts is an IP address belonging to an ISP in Irkutsk? Are you tired of receiving e-mails from Citibank that resolve to Muscovite IP addresses? Would you like to hack the Kremlin? Or do you think that the Kremlin has probably owned you first? Maybe you just think that Anna Kournikova is hot. If the answer to any of the above questions is yes, then you need an introduction to the Gulag Archipelago of the Internet, the Cyberia of interconnected networks, Russia. . .
Jeremiah Grossman “Phishing with Super Bait” Audio
The use of phishing/cross-site scripting (XSS) hybrid attacks for financial gain is spreading. It’s imperative that security professionals familiarize themselves with these new threats to protect their websites and confidential corporate information. This isn’t just another presentation about phishing scams or cross-site scripting. We’re all very familiar with each of those issues. Instead, we’ll discuss the potential impact when the two are combined to form new attack techniques. Phishers are beginning to exploit these techniques, creating new phishing attacks that are virtually impervious to conventional security measures. Secure sockets layer (SSL), blacklists, token-based authentication, browser same-origin policy, and monitoring / take-down services offer little protection. Even eyeballing the authenticity of a URL is unlikely to help.
[Announcement] Black Hat acquired by CMP
From the announcement “CMP Media, a marketing solutions company serving the technology, healthcare and entertainment markets, announced today that it has acquired Black Hat Inc., a producer of information security conferences and training that includes Black Hat Briefings and Conferences. Jeff Moss, founder and owner, will continue to run Black Hat and will join CMP Media as Director of Black Hat. Combining CMP’s current portfolio of Computer Security Institute (CSI), Secure Enterprise magazine and the Security Pipeline website with Black Hat, will position CMP Media as the strongest platform in the computer security media market. . . This move will enable Black Hat to take advantage of growth opportunities we couldn’t pursue as a small company, such as international expansion, while enabling me to keep doing what I love the most — working with speakers and building the conference programs,” Jeff Moss added.
Saumil Shah and Dave Cole “Adware Spyware” Audio
The Business: Timeline – how did we get into this mess? The Technology: Technical overview of different types of programs (taxonomy). Looking ahead: Market polarization, bad get worse, good get better (more white, less grey). Exploiting Adware.
Jennifer Granick writes about disclosure post-Ciscogate in “Dark Cloud Hovers Over Black Hat” (wired.com)
From the article “Last week Black Hat, the Vegas security conference that was at the center of the Ciscogate controversy last summer, was purchased by CMP Media. The sale has the internet hens clucking about whether ownership by a larger, wealthier corporation will protect Black Hat from future legal challenges, or make it more susceptible to pressure from companies wanting to control vulnerability disclosures. The more worrisome question is why Black Hat and other purveyors of security information must worry so much about what they disclose. For better or worse, the settlement I negotiated with Cisco in its case against researcher Michael Lynn kept some important legal issues from reaching a courtroom, and these unsettled questions cast a long shadow over security research today.”
Satoru Koyama “Botnet survey result: Our security depends on your security” Audio (Japanese)
Many of the attack mechanisms, such as spam email and DDoS, that have affected the Internet as a whole in recent years can be attributed to botnets. However, there is not much information on these botnets yet. Telecom ISAC-Japan and JPCERT/CC conducted a detailed investigation of botnet activity. This session will cover what was found during the investigation and the current state of the massive number of infected users and the sub-species of botnets.
BlackPage update: Kevin Mandia
Kevin Mandia, a world-recognized leader in incident response research, points out that a responder must have skills at least equal to those of the attacker. One of the challenges in IR is discovering that there is an incident to begin with. If we only look for known attacks, we will only find the moderately skilled attackers, leaving us exposed to the truly skilled adversaries.