DAY 1

0900  Opening and Welcome Address
      Thomas Lim, CEO of COSEINC and Organiser of SyScan

0915  Windows Mobile Rootkit – updated
      Petr Matousek, COSEINC

1015  Coffee and Tea Break

1045  Trusted Virtualization: The Next Big Thing?
      Gaith Taha, McAfee Avert Labs

1145  Generic Electric Grid Malware Design – Attacking SCADA System
      Eyal Udassin, C4 Security

1245  Lunch

1345  Real World Kernel Pool Exploitation
      Kostya Kortchinsky, Immunity

1445  Break

1500  Defeating ASLR and DEP protections on Windows Vista
      Alexander Sotirov, VMWare

1600  Beer Break

1700

1800  End of Day 1


DAY 2

0900  Heaps about heaps
      Brett Moore, Insomnia Security

1015  Coffee and Tea Break

1030  Buffered Code Execution
      Matthew Conover, Symantec

1145  Lunch

1245  Killing the myth of Cisco IOS rootkit
      Sebastian Muniz, CORE Security

1400  PhlashDance, fuzzing your way to expensive bricks
      Richard Smith, Hewlett-Packard

1515  Beer Break

1530  Hacking RFiD devices – Singapore Passport?
      Adam Laurie

1645  Prize presentation

1700  End of Day 2

 * Please note that the program schedule is subject to change.

 


 

Windows Mobile Rootkit – updated by Petr Matousek (COSEINC)

In this talk, the author presents various ways to subvert the Windows Embedded CE 6 kernel to hide certain objects from the user. The architecture and inner mechanisms of the Windows Embedded CE 6 kernel, and a comparison with the Windows CE 5 kernel, are discussed first, with a focus on memory management, process management, syscall handling, and security. Next the author explains the methods he used for hiding processes, files, and registry keys - mainly direct kernel object manipulation and hooking of handle- and non-handle-based syscalls, not only via apiset modifications but also using previously undocumented ways. The author also discusses ways to detect rootkits installed on the device. Fully functional prototype rootkits, detection programs and various monitoring utilities are presented and examined.


Trusted Virtualization: The Next Big Thing? by Gaith Taha

With the increasing popularity of Trusted Platform Modules (TPMs) in present-day Personal Computers, new challenges impose themselves on the software security industry. The future forecast suggests that TPM functionalities will be coupled with virtualised environments in order to manage secure domains where kernel layers and applications can scale in a trusted fashion. “Trust” does not necessarily imply “security”, but it can suggest it. Content providers will have considerably more control over their data on the users’ desktops, which might bring a lot of controversy about end users’ authority over their machines. Meanwhile, despite the fact that all main-stream hardware and OS vendors have developed their own Trusted Computing (TC) models, none of those models has prevailed as the standard.

This imminent paradigm shift would radically change the legacy methods in which security products have dealt with malicious activities. The introduction of those locked-down layers might mean that anti-malware scanners will have to deal differently with adversaries who can achieve higher privileges (e.g. originally, PatchGuard did not completely prevent patching the kernel, but it blocked security applications from accessing the kernel for legitimate reasons. So, malware could use those vulnerabilities, but anti-malware scanners could not).

The purpose of this paper is to explain the implications of the next generation of hardware platforms on the software security industry. These changes will not only affect the PC architecture, but will extend to the mobile platforms. Will immune implementations of trusted computing models ever render anti-malware scanners useless? Or is TC, in fact, the next weapon in the anti-malware industry’s arsenal?



Generic Electric Grid Malware Design – Attacking SCADA System by Eyal Udassin

SCADA systems directly influence the lives and wellbeing of all civilians in almost any modernized country. The best site for an attacker to compromise in order to cause maximum damage is the control center. Much like Aikido, an attacker can use your strengths (centralized management of assets, multiple control applications) to his benefit.

A common argument of the engineering and operations personnel against the possibility of successfully launching an attack on the SCADA network of electric grid utilities is that the network is too complex for an outsider to operate. This assumption is based on the obscure communication protocols and addressing schemes in use in such networks, which do not allow easy identification of which device is using any given address, and how to properly control it.

In the whitepaper we will describe a tool that can put the abovementioned assumption to the test. This malware is designed to cause havoc in an electric T&D control center and the grid under its command without the need for any knowledge about the network, its nodes and EMS (Energy Management System) application. In addition, the malware is autonomous and does not rely on remote operation by the attacker after its installation.



Real World Kernel Pool Exploitation by Kostya Kortchinsky

As user-level security gets more robust, hackers continue to find vulnerabilities in the kernel. Each of these vulnerabilities requires new techniques and because any mistake can cause a blue-screen, reliability is paramount. In this talk, Kostya Kortchinsky will detail the results of his work while exploiting the MS08-001 IGMP kernel overflow vulnerability.


Defeating ASLR and DEP protections on Windows Vista by Alexander Sotirov

Over the past several years, Microsoft has implemented a number of memory protection mechanisms with the goal of preventing the reliable exploitation of common software vulnerabilities on the Windows platform. Protection mechanisms such as GS, SafeSEH, DEP and ASLR complicate the exploitation of many memory corruption vulnerabilities and at first sight present an insurmountable obstacle for exploit developers.

This talk aims to present exploitation methodologies against this increasingly complex target. I will demonstrate how the inherent design limitations of the protection mechanisms in Windows Vista make them ineffective for preventing the exploitation of memory corruption vulnerabilities in browsers and other client applications.

Each of the aforementioned protections will be briefly introduced and its design limitations will be discussed. I will present a variety of techniques that can be used to bypass the protections and achieve reliable remote code execution in many different circumstances. Finally, I will discuss what Microsoft can do to increase the effectiveness of the memory protections at the expense of annoying Vista users even more.



Heaps about heaps by Brett Moore

This presentation will briefly explain old heap exploitation techniques, but focus on detailing various new methods that can be used when overwriting heap structures, including:

  1. Improved lookaside list manipulation
  2. Is the write 4 really, really dead?
  3. Tricks to flip the heap and stack
  4. Factors in heap layout

It will be technical and an understanding of the heap is advised. It will include a step-by-step demonstration of working a published advisory through to a working exploit, including:

  1. Reproducing the vulnerability
  2. Locating the cause of the vulnerability
  3. Overwriting a function pointer
  4. Turning off DEP and gaining execution flow


Buffered Code Execution by Matthew Conover

This presentation will cover a new prototype developed in Symantec Research Labs to run kernel-mode drivers from user-mode. This technology is primarily intended to sandbox a rootkit driver and monitor its activities. Utilizing this technique, the rootkit driver's activities can be controlled. Rather than utilizing emulation, the rootkit code is run directly on the native hardware but at ring 3. When the rootkit tries to utilize privileged instructions or read/write/execute kernel-mode memory, the faults are captured and proxied into the kernel, allowing the rootkit to function normally while at the same time preventing the rootkit from escaping the sandbox. The presentation will discuss the technology behind the prototype and demo the tool in action.


Killing the myth of Cisco IOS rootkit by Sebastian Muniz

Rootkits are very common in most popular Operating Systems like Windows, Linux, Unix and any variant of those, but they are rarely seen in embedded OSes. This is due to the fact that most of the time embedded OSes are closed source, hence the internals of the OS are unknown and the reverse engineering process is harder than usual. In real life, it's very common that once an attacker takes control of a system he or she needs to maintain access to it, so a rootkit is installed. The rootkit seizes control of the entire system running on that hardware by hiding files, processes and network connections, allowing unauthorized users to act as system administrators, etc.

This paper demonstrates that a rootkit with those characteristics can be easily created and deployed for a closed source OS like IOS and run unnoticed by system administrators by surviving most, if not all, of the security measures given by experts in the field.
As a proof of this, different ways to infect a target IOS will be shown, like runtime patching and image binary patching. To discuss the binary patching technique from a practical point of view, DIK (Da Ios rootKit), a set of Python[1] scripts that provides a generic rootkit implementation for IOS, will be introduced.


PhlashDance, fuzzing your way to expensive bricks by Rich Smith

This presentation intends to discuss a new class of attack termed Permanent Denial Of Service (PDOS) targeted against embedded devices. Specifically, a particular manifestation of PDOS will be discussed which targets the firmware update mechanisms of embedded devices; such abuses of flash update mechanisms to cause PDOS conditions have been named Phlash attacks (cuz every attack needs a ‘ph’ right!). Phlash attacks targeting both the flash update mechanisms of devices and the structuring of the binary firmware itself will be discussed in a generic way. The presentation will also discuss the development of a generic fuzzing framework called PhlashDance, which aims to assist in the automatic identification of PDOS vulnerabilities across an extensible range of embedded devices. Beyond the pure technicalities of how Phlash attacks may be mounted, the presentation will also discuss why such novel attack vectors will be of particular concern to technology vendors, and the difficulties being faced in responding to and mitigating such vulnerabilities.


Hacking RFiD devices – Singapore Passport? by Adam Laurie

RFID is being embedded in everything... From Passports to Pants. Door Keys to Credit Cards. Mobile Phones to Trash Cans. Pets to People even! For some reason these devices have become the solution to every new problem, and we can't seem to get enough of them....

This talk will look at the underlying technology, what it's being used for, how it works and why it's sometimes a BadIdea(tm) to rely on it for secure applications, and, more worryingly, how this off-the-shelf technology can be used against itself... Software and Hardware tools and techniques will be discussed and demonstrated, and a range of exploits examined in detail.
