SyScan'06 Day 1 – 20th July 2006
8:00 a.m. Registration
8:40 a.m. Welcome Speech
Thomas Lim
8:45 a.m. Marc Maiffret – Chief Hacking Officer, eEye
Keynote Speech
9:30 a.m. Paul Craig
Unpacking Malware, Trojans and Worms
10:30 a.m. Coffee and Beer Break
11:00 a.m. Thorsten Holz
Towards Automated Botnet Detection and Mitigation
12:30 p.m. Lunch
1:30 p.m. Enrique Sanchez
I-worm.Fuzzer: A New Propagation Type of Virus
2:30 p.m. Andrew Griffth
Securing Unix/Linux Systems
3:30 p.m. Hendrik Scholz
VoIP Security Issues: Problems on the users’ side and what are the providers doing wrong?
4:30 p.m. Coffee and Beer Break
5:00 p.m. Barnaby Jack
Exploiting Embedded System
6:00 p.m. Alexander Sotirov
Reverse Engineering Microsoft Binaries
7:00 p.m. End of Day 1

SyScan'06 Day 2 – 21st July 2006
9:00 a.m. Joachim De Zutter
Feedback Fuzzing
10:00 a.m. Coffee and Beer Break
10:15 a.m. Angelo Rosiello
Writing behind a buffer
11:15 a.m. Andre Protas
Skeleton in Microsoft closet
12:15 p.m. Lunch
1:00 p.m. Nish Bhalla
Binary Analysis, Finding Secret in ISAPIs
2:00 p.m. Marek Bialoglowy
Are You Sure Phone Banking Is Safe?
3:00 p.m. Coffee and Beer Break
3:15 p.m. Fyodor Yarochkin and Meder Kydyraliev
Yet Another Web Application Testing Toolkit
4:15 p.m. Alexander Kornbrust
Oracle Rootkits and Oracle Viruses
5:15 p.m. Coffee and Beer Break
5:30 p.m. Joanna Rutkowska
Subverting Vista Kernel for Fun and Profit
6:30 p.m. Closing Speech and Lucky Draw
7:00 p.m. End of SyScan'06

Presentation Synopsis

Unpacking Malware, Trojans and Worms – Paul Craig
9am, you receive a call from a client: “We were hacked. I found evilhacker.exe running on the mail server; it’s a damn backdoor. Want to come down, take a look at the exe and see if you can find anything more out?” You rush to the client and take a copy of the exe from the server for analysis. You load IDA and open evilhacker.exe to disassemble it. Hmm, you discover something strange. The executable has no string table, a very small IAT (Import Address Table), and once disassembled the 120k executable is only 2,000 lines of code. Evilhacker.exe is packed with a PE packer. Its contents have been wrapped inside another executable, hiding the Trojan application from view.

Now, without the ability to analyze the binary, what do we do?

This talk is aimed at the millions of security professionals and system administrators who face this situation. Trojans, rootkits and backdoors are often found on compromised machines. Hackers also commonly compile custom backdoors and applications to use on their victim hosts. These custom applications can contain sensitive information about the attacker himself, even his own IP address. Disassembly of the Trojan binary would reveal this information easily, but when the executable is PE packed, what path do you take next? To make matters worse, Trojan and rootkit authors recommend that their malicious applications be PE packed. PE packing not only protects the executable from analysis, it can also be used to evade signature-based anti-virus applications. PE packing is considered a fine black art, and few understand even the most basic unpacking principles. Audience members need only basic knowledge to unpack many protectors, and the goal of this presentation is to show just how simple and straightforward it can be.

This is a new presentation, and has not been presented before.
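The symptoms the synopsis lists (near-random section contents, a section the unpacker stub both writes and executes) can be checked before opening IDA. The following is an added example, not code from the talk: it parses the PE section table with the standard library and builds a constructed one-section PE32 image as a stand-in for evilhacker.exe; the section flag constants are the PE specification's values.

```python
# Added example (not the talk's code): flag packed-PE symptoms with the standard
# library; a constructed PE32 image stands in for evilhacker.exe (see below).
import math, random, struct
IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x80000000

def shannon_entropy(data):
    """Bits per byte; compressed or encrypted payloads sit close to 8.0."""
    n = len(data) or 1
    counts = [data.count(b) for b in range(256)]
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def pe_sections(image):
    """Yield (name, raw_bytes, characteristics) for each section of a PE32/PE32+ image."""
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]              # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", image, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", image, pe_off + 20)[0]
    sec = pe_off + 24 + opt_size                                    # section table start
    for i in range(nsec):
        hdr = image[sec + 40 * i: sec + 40 * (i + 1)]
        raw_size, raw_ptr = struct.unpack_from("<II", hdr, 16)
        name = hdr[:8].rstrip(b"\0").decode("ascii", "replace")
        yield name, image[raw_ptr:raw_ptr + raw_size], struct.unpack_from("<I", hdr, 36)[0]

def packing_indicators(image):
    """Human-readable reasons the image looks packed; an empty list means no symptom."""
    reasons = []
    for name, data, chars in pe_sections(image):
        ent = shannon_entropy(data)
        if ent > 7.0:                                # near-random bytes: compressed or encrypted
            reasons.append(f"{name}: entropy {ent:.2f}")
        if chars & IMAGE_SCN_MEM_EXECUTE and chars & IMAGE_SCN_MEM_WRITE:
            reasons.append(f"{name}: writable and executable")  # unpacker stub writes code here
    return reasons

def build_sample_pe(packed):
    """Constructed one-section PE32 image used as a stand-in; not a real sample."""
    body = random.Random(1).randbytes(4096) if packed else b"\x55\x8b\xec\x83\xec\x10\x90\xc3" * 512
    pe_off, opt_size, raw_ptr = 0x80, 224, 0x200
    img = bytearray(raw_ptr)
    img[0:2], img[pe_off:pe_off + 4] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, pe_off)                        # e_lfanew
    struct.pack_into("<H12xH", img, pe_off + 6, 1, opt_size)        # NumberOfSections, SizeOfOptionalHeader
    sec = pe_off + 24 + opt_size
    img[sec:sec + 8] = b"UPX1\0\0\0\0" if packed else b".text\0\0\0"
    struct.pack_into("<II", img, sec + 16, len(body), raw_ptr)       # SizeOfRawData, PointerToRawData
    struct.pack_into("<I", img, sec + 36, IMAGE_SCN_MEM_EXECUTE | (IMAGE_SCN_MEM_WRITE if packed else 0))
    return bytes(img) + body
```

Run `packing_indicators(open(path, "rb").read())` on a real file; a packed sample typically reports both symptoms, while an ordinary compiler-built executable reports none.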

Writing behind a buffer – Angelo Rosiello
In this presentation we are going to describe a kind of vulnerability that is known in the literature but poorly documented.

In fact, the problem to be analyzed can be reduced to a memory-adjacent overwrite attack, which is usually obtained by exploiting the last null byte of a buffer; we are going to show that the same result is still possible by writing behind a buffer, under certain conditions.

I-worm.Fuzzer: A New Propagation Type of Virus – Enrique Sanchez
Most viruses have a hard-coded way of interacting with networks and vulnerabilities. They lack the ability to find and exploit configuration weaknesses and new vulnerabilities, they do not speak to each other, and they do not mutate based on each other, so they never form a formidable network of learning and mutation.

This new kind of virus is able to discern configuration weaknesses, find bugs and exploit them, and talk to other instances, so a bug found by one virus gives all other mutations the opportunity to execute and exploit it, giving a more active way of infiltrating networks. In this way a virus can become more than a nuisance and enter the realm of being something between a weapon and a plague.

VoIP Security Issues: Problems on the users’ side and what are the providers doing wrong? – Hendrik Scholz
The presentation outlines classes of bugs present in SIP-based VoIP installations. Each class is depicted by a sample attack exploiting one SIP feature at a time. Attacks include an amplification attack, end-user device exploitation, as well as the always practical Caller-ID spoofing.

Binary Analysis, Finding Secret in ISAPIs – Nish Bhalla
Developers programming in C/C++ hide secrets in code, on the assumption that no one can read the contents of a binary. This talk will give a brief introduction on how to start performing binary analysis, how to circumvent some basic debugger checks and how to find secrets hidden in code. The example code demonstrated is an ISAPI, which will be decompiled to help find the secret and to look at writing an exploit. The talk will be mostly demonstration based and requires some basic understanding of programming concepts.


Yet Another Web Application Testing Toolkit – Fyodor Yarochkin and Meder Kydyraliev
Fyodor and Meder will present the results of their research in the area of automated web application security testing. YAWATT was created because the existing automated web application security testing approaches are extremely limited, and practically unable to identify application security problems beyond typical coding errors (i.e. SQL injection, XSS and CRLF injection bugs).

The purpose of YAWATT is to provide security analysts with a flexible, modular framework based on a meta-language that describes web application testing scenarios, and it aims to assist in the discovery of both coding errors and application "logic" vulnerabilities. Thanks to the modular design, application testers get granular control over the whole testing process and the ability to modify the execution scenario, submit additional application data and/or re-execute the testing process using new "knowledge" obtained during the previous execution.

Skeleton in Microsoft closet – Andre Protas
For years vendors have been criticized over the practice of silently fixing security flaws and not releasing bulletins to notify their customers. While it is easy to find many researchers and experts voicing this criticism, it is typically hard to find actual proof that the practice remains ongoing. Regardless of personal opinions about the rationale vendors use to justify silently fixing bugs, the reality is that many defensive technologies rely on specific signatures to detect potential attacks and identify specific vulnerabilities as they were reported in vendor advisories.

The basic argument against silently fixing vulnerabilities lies in the above fact. If a security device is signature based, it cannot reliably detect something it does not know exists, and most security vendors do not have the resources or time to manually verify that the software vendor has been upfront about all of the threats fixed in a patch.

This talk will outline the steps taken to identify potential vulnerabilities silently fixed in a major update release, namely Update Rollup 1 for Microsoft Windows 2000 SP4. In addition, specific vulnerabilities will be identified and a demonstration will be given showing how various signature-based technologies will not defend against these issues.

Oracle Rootkits and Oracle Viruses – Alexander Kornbrust
The talk describes how to transfer the concept of (OS) rootkits and viruses to the database/Oracle world. The same concept could also be realised in DB2 and SQL Server.

Alexander Kornbrust demonstrates how to hide users/processes/jobs in an Oracle database to avoid detection by (DBA) tools and security audits. Alexander shows some proof-of-concept code for Oracle rootkits and also explains how to identify rootkits/backdoors.

He then generalizes this problem to repository-based systems and explains how applications should be modified in the future to avoid these kinds of problems.

Towards Automated Botnet Detection and Mitigation – Thorsten Holz
Botnets pose one of the most severe threats in the Internet today. With the help of honeypots and specialized tools like nepenthes (http://nepenthes.mwcollect.org) it is possible to learn more about them. In addition, these systems can also be used to mitigate this threat.

This talk focuses on a special kind of threat: the individuals and organizations who run botnets. A "botnet" is a network of compromised machines that can be remotely controlled by an attacker. Due to their immense size (tens of thousands of systems can be linked together), they pose a severe threat to the community. With the help of honeynets and some other tools we can observe the people who run botnets - a task that is difficult using other techniques. In this talk we take a closer look at botnets, common attack techniques, and the individuals involved.

We start with an introduction to botnets and how they work, with examples of their uses. We then briefly analyze the three most common bot variants used. Next we discuss a technique to automatically collect bots with the help of the tool nepenthes. We present the architecture and give technical details of the implementation. After some more words on the effectiveness of this approach we present an automated way to analyze the collected binaries.

All these steps can be automated to a high degree, allowing us to build a system that autonomously collects information about existing botnets. This information can then be aggregated and correlated to learn even more. As a result, we obtain information that can be used to mitigate the threat, e.g., as a warning-system within networks or as an information resource for CERTs. We conclude the talk with an overview of lessons learned and point out further research topics in the area of botnet tracking.

Reverse Engineering Microsoft Binaries – Alexander Sotirov
This talk seeks to remedy the remarkable lack of information about reverse engineering large commercial software for the purposes of security research. Most of the available presentations and training courses focus on disassembling malware and obfuscated code. Reversing commercial software presents a very different set of challenges.

Based on my experience with reversing most Microsoft patches from the last year, I will describe how to set up a scalable reverse engineering environment and how to recognize common features of Microsoft code. I will present a number of techniques for improving the accuracy of the disassembly output, including an open-source plugin for IDA Pro that significantly improves the loading of Microsoft debugging symbols.

Are You Sure Phone Banking Is Safe? – Marek Bialoglowy
Use of the telephone in banking is considerably widespread. The most popular form is certainly interactive voice response (IVR) technology, which has been adopted by nearly all major banks. There is also a new successor to this technology: mobile banking. It is mainly based on SMS or STK (SIM Toolkit), and its popularity is rapidly increasing, largely thanks to the popularity of mobile phones. Certainly, with the benefits of new technology also come new threats which have to be addressed. Meanwhile, the old IVR-based technology still lacks security, which calls into question the overall safety of using the phone for banking services.

The presentation summarises the results of a comprehensive analysis of phone banking security, introduces never previously presented attack scenarios against phone banking systems, reveals security weaknesses in the phone banking systems of major banks, and explains some potential methods of minimising the risks.

Subverting Vista Kernel for Fun and Profit – Joanna Rutkowska
The presentation will first present how to generically (i.e. not relying on any implementation bug) insert arbitrary code into the latest Vista Beta 2 kernel (x64 edition), thus effectively bypassing the (in)famous Vista policy of allowing only digitally signed code to be loaded into the kernel. The presented attack does not require a system reboot.

Next, a new technology for creating stealth malware, code-named Blue Pill, will be presented. Blue Pill utilizes the latest virtualization technology from AMD (Pacifica) to achieve unprecedented stealth.

The ultimate goal is to demonstrate that it is possible (or soon will be) to create undetectable malware whose stealth is not based on concealment of a concept but, similarly to modern cryptography, on the strength of the 'algorithm'.

Exploiting Embedded System – Barnaby Jack
From automobiles and cell phones to routers and your kitchen microwave, embedded systems are everywhere. And wherever there is code, there are flaws.

In this presentation I will be discussing ARM based on-chip architectures. The same techniques I will be demonstrating are also applicable to other architectures. I will cover the JTAG and UART interfaces, and how these interfaces can be used in conjunction with an In-Circuit Emulator for real-time on-chip debugging. You will learn about the components that make up an embedded system, how to disable certain implemented features that thwart hacking attempts, and how to interface with the system to debug the ROM code.

We will use everything from logic analyzers to external flash programmers to analyze, and of course exploit, all manner of embedded systems.

I will cover a few popular embedded devices, including a Nortel IP phone, a cellphone or two, and a popular home router. Finally, I will demonstrate exploitation and hopefully open some eyes to the threat that insecure embedded devices pose.

No toasters are safe.
