0800 - 0840
Opening and Welcome Address

0840 - 0845
Welcome Speech
Speaker: Thomas Lim, Organiser, SyScan; CEO, COSEINC

0845 - 0930
Keynote Speech
Speaker: Marc Maiffret, Chief Hacking Officer, eEye
0930 - 1030
9am, you receive a call from a client: "We were hacked. I found evilhacker.exe running on the mail server, it's a damn backdoor. Want to come down, take a look at the exe and see if you can find anything more out?" You rush to the client and take a copy of the exe from the server for analysis. You load IDA and open evilhacker.exe to disassemble. Hmm, you discover something strange. The executable has no string table, a very small IAT (Import Allocation Table), and once disassembled the 120k executable is only 2,000 lines of code. Evilhacker.exe is packed with a PE-Packer. Its contents have been wrapped inside another executable, hiding the Trojan application from view.

Now, without the ability to analyze the binary, what do we do?

This talk is aimed at the millions of security professionals and system administrators who face this situation. Trojans, rootkits and backdoors are often found on compromised machines. Hackers also commonly compile custom backdoors and applications to use on their victim hosts. These custom applications can contain sensitive information about the attacker himself, even his own IP address. Disassembly of the Trojan binary would reveal this information easily, but when the executable is PE-packed, what path do you take next? To make matters worse, Trojan and rootkit authors recommend their malicious applications be PE-packed. PE-packing not only protects the executable from analysis, but it can be used to evade signature-based anti-virus applications.

PE packing is considered a fine black art, and few understand even the most basic of unpacking principles. Audience members need only basic knowledge to unpack many protectors, and the goal of this presentation would be to show just how simple and straightforward it can be.

This is a new presentation, and has not been presented before.

Speaker: Paul Craig
1030 - 1100
Coffee Break
1100 - 1230
Botnets pose one of the most severe threats in the Internet today. With the help of honeypots and specialized tools like nepenthes (http://nepenthes.mwcollect.org) it is possible to learn more about them. In addition, these systems can also be used to mitigate this threat.

This talk focuses on a special kind of threat: the individuals and organizations who run botnets. A "botnet" is a network of compromised machines that can be remotely controlled by an attacker. Due to their immense size (tens of thousands of systems can be linked together), they pose a severe threat to the community. With the help of honeynets and some other tools we can observe the people who run botnets - a task that is difficult using other techniques. In this talk we take a closer look at botnets, common attack techniques, and the individuals involved.

We start with an introduction to botnets and how they work, with examples of their uses. We then briefly analyze the three most common bot variants used. Next we discuss a technique to automatically collect bots with the help of the tool nepenthes. We present the architecture and give technical details of the implementation. After some more words on the effectiveness of this approach we present an automated way to analyze the collected binaries.

All these steps can be automated to a high degree, allowing us to build a system that autonomously collects information about existing botnets. This information can then be aggregated and correlated to learn even more. As a result, we obtain information that can be used to mitigate the threat, e.g., as a warning system within networks or as an information resource for CERTs. We conclude the talk with an overview of lessons learned and point out further research topics in the area of botnet tracking.

Speaker: Thorsten Holz
1230 - 1330
Lunch Break
1330 - 1430
Most viruses have a hard-coded way of interacting with networks and do not have the ability to find and exploit new ways of attacking hosts and speaking to each other, thus forming a formidable network of learning and mutation.

Most viruses have a hard-coded way of interacting with networks and vulnerabilities and do not have the ability to find and exploit configuration weaknesses and vulnerabilities; they also do not speak to each other or mutate based on each other. This new kind of virus is able to discern configuration weaknesses, find bugs and exploit them, and talk to each other, so a bug found by one virus gives all other mutations the opportunity to execute and exploit the bug, giving a more active way of infiltrating networks. This way a virus can become more than a nuisance and enter the realm of being something between a weapon and a plague.

Speaker: Enrique Sanchez
1430 - 1530
Speaker: Andrew Griffth
1530 - 1630
The presentation outlines classes of bugs present in SIP-based VoIP installations. Each class is depicted by a sample attack exploiting one SIP feature at a time. Attacks include an amplification attack, end-user device exploitation, as well as the always practical Caller-ID spoofing.

Speaker: Hendrik Scholz
1630 - 1700
Coffee and Beer Break
1700 - 1800
From automobiles and cell phones to routers and your kitchen microwave, embedded systems are everywhere. And wherever there is code, there are flaws.

In this presentation I will be discussing ARM-based on-chip architectures. The same techniques I will be demonstrating are also applicable to other architectures. I will cover the JTAG and UART interfaces, and how these interfaces can be used in conjunction with an In-Circuit Emulator for real-time on-chip debugging. You will learn about the components that make up an embedded system, how to disable certain implemented features that thwart hacking attempts, and how to interface with the system to debug the ROM code.

We will use everything from logic analyzers to external flash programmers to analyze, and of course exploit, all manner of embedded systems.

I will cover a few popular embedded devices, including a Nortel IP phone, a cellphone or two, and a popular home router. Finally I will demonstrate exploitation and hopefully open some eyes to the threat insecure embedded devices pose.

No toasters are safe.

Speaker: Barnaby Jack
1800 - 1900
This talk seeks to remedy the remarkable lack of information about reverse engineering large commercial software for the purposes of security research. Most of the available presentations and training courses focus on disassembling malware and obfuscated code. Reversing commercial software presents a very different set of challenges.

Based on my experience with reversing most Microsoft patches from the last year, I will describe how to set up a scalable reverse engineering environment and how to recognize common features of Microsoft code. I will present a number of techniques for improving the accuracy of the disassembly output, including an open-source plugin for IDA Pro that significantly improves the loading of Microsoft debugging symbols.

Speaker: Alexander Sotirov
End of Day 1