Slideshows by User: matrosov / Thu, 28 May 2015 07:12:52 GMT / SlideShare feed for Slideshows by User: matrosov

Object Oriented Code RE with HexraysCodeXplorer
Posted Thu, 28 May 2015 07:12:52 GMT by matrosov (Alex Matrosov). URL: /slideshow/nsec2015-pdf/48692503
In recent times we have seen a large spike in complex threats with elaborate object-oriented architecture, the most notorious examples being Stuxnet, Flamer and Duqu. The approaches to analysing such malware are rather distinct from those used for malware developed in procedural programming languages. This presentation takes an in-depth look at the challenges of reversing object-oriented code in modern malware and demonstrates approaches and tools employed for reversing object-oriented code.

BERserk: New RSA Signature Forgery Attack
Posted Sat, 13 Dec 2014 18:57:16 GMT by matrosov (Alex Matrosov). URL: /slideshow/be-rserk-eko10/42680680
(No abstract was published with this slide deck.)

BIOS and Secure Boot Attacks Uncovered
Posted Sat, 13 Dec 2014 18:54:52 GMT by matrosov (Alex Matrosov). URL: /slideshow/bio-sand-securebootattacksuncoveredeko10/42680651
(No abstract was published with this slide deck.)

HexRaysCodeXplorer: object oriented RE for fun and profit
Posted Mon, 27 Oct 2014 21:48:29 GMT by matrosov (Alex Matrosov). URL: /slideshow/code-xplorer-h2hc/40798491
HexRaysCodeXplorer is a Hex-Rays Decompiler plugin for easier code navigation. The main features of the plugin are:
- Automatic type REconstruction for C++ objects.
- C-tree graph visualization: a tree-like structure representing a decompiled routine in citem_t terms, useful for understanding how the decompiler works.
- Navigation through virtual function calls in the Hex-Rays Pseudocode window.
- Object Explorer: an interface for navigating virtual table (VTBL) structures.
In this presentation the authors of HexRaysCodeXplorer discuss the main functionality of the plugin and its application to reverse engineering, and present the algorithm for C++ type REconstruction. A special version of HexRaysCodeXplorer (H2HC edition) will be released with new features developed specially for the H2HC conference; the new features will be committed to GitHub from the stage.

Bootkits: past, present & future
Posted Mon, 29 Sep 2014 15:45:52 GMT by matrosov (Alex Matrosov). URL: /slideshow/vb2014-slides/39671946
Bootkit threats have always been a powerful weapon in the hands of cybercriminals, allowing them to establish a persistent and stealthy presence on their victims' systems. The most recent notable spike in bootkit infections was associated with attacks on 64-bit versions of the Microsoft Windows platform, which restrict the loading of unsigned kernel-mode drivers. However, these bootkits aren't effective against UEFI-based platforms. So, are UEFI-based machines immune to bootkit threats (or would they be)? The aim of this presentation is to show how bootkit threats have evolved over time and what we should expect in the near future. Firstly, we summarize what we've learned about the bootkits seen in the wild targeting the Microsoft Windows platform: from TDL4 and Rovnix (which was used by the Carberp banking trojan) up to Gapz (which employs one of the stealthiest bootkit infection techniques seen so far). We review their infection approaches and the methods they have employed to evade detection and removal from the system. Secondly, we look at the security of the increasingly popular UEFI platform from the point of view of the bootkit author, as UEFI is becoming a target of choice for researchers in offensive security, and proof-of-concept bootkits targeting Windows 8 via UEFI have already been released. We focus on various attack vectors against UEFI and discuss the available tools and what measures should be taken to mitigate them.
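One concrete check that the abstract's survey of infection approaches points at, shown here as an added example that is not part of the presentation or of any ESET tool. Gapz's VBR infection altered the "hidden sectors" field of the BIOS Parameter Block so that the VBR's bootstrap code read the bootkit from the disk location the altered field pointed to rather than the legitimate IPL; comparing that field with the partition's start LBA in the MBR partition table exposes the discrepancy, and the same comparison also flags a VBR that has been replaced or corrupted outright. The MBR and NTFS VBR below are constructed in memory using the standard partition-entry and BPB offsets; `make_disk`, the partition geometry and the constructed bytes are assumptions for the demonstration.

```python
"""MBR/VBR consistency check for VBR-level bootkit tampering.

Added example, not from the presentation or any ESET tool. The MBR and NTFS
VBR are constructed in memory; the partition geometry and the helper
make_disk are assumptions for the demonstration.
"""
import struct

SECTOR = 512
BOOT_SIG = b"\x55\xAA"
PART_ENTRY = "<B3sB3sII"      # status, CHS start, type, CHS end, LBA start, sector count
NTFS_OEM = b"NTFS    "


def build_mbr(partitions):
    """Construct an MBR whose table holds the given (status, type, lba, count) entries."""
    mbr = bytearray(SECTOR)
    for i, (status, ptype, lba, count) in enumerate(partitions):
        struct.pack_into(PART_ENTRY, mbr, 0x1BE + 16 * i,
                         status, b"\xFF\xFF\xFF", ptype, b"\xFF\xFF\xFF", lba, count)
    mbr[0x1FE:0x200] = BOOT_SIG
    return bytes(mbr)


def build_ntfs_vbr(hidden_sectors, total_sectors):
    """Construct a minimal NTFS VBR with the given BPB hidden-sectors value."""
    vbr = bytearray(SECTOR)
    vbr[0:3] = b"\xEB\x52\x90"                         # jmp over the BPB
    vbr[3:11] = NTFS_OEM
    struct.pack_into("<HBH", vbr, 0x0B, 512, 8, 0)     # bytes/sector, sectors/cluster, reserved
    vbr[0x15] = 0xF8                                   # media descriptor (fixed disk)
    struct.pack_into("<HH", vbr, 0x18, 63, 255)        # sectors/track, heads
    struct.pack_into("<I", vbr, 0x1C, hidden_sectors)  # sectors preceding this volume
    struct.pack_into("<Q", vbr, 0x28, total_sectors)   # NTFS 64-bit total sectors
    vbr[0x1FE:0x200] = BOOT_SIG
    return bytes(vbr)


def parse_partitions(mbr):
    if mbr[0x1FE:0x200] != BOOT_SIG:
        raise ValueError("MBR boot signature missing")
    parts = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(PART_ENTRY, mbr, 0x1BE + 16 * i)
        if ptype:
            parts.append({"index": i, "active": status == 0x80, "type": ptype,
                          "lba": lba, "sectors": count})
    return parts


def parse_vbr(vbr):
    if len(vbr) < SECTOR or vbr[0x1FE:0x200] != BOOT_SIG:
        raise ValueError("VBR boot signature missing")
    oem = bytes(vbr[3:11])
    hidden = struct.unpack_from("<I", vbr, 0x1C)[0]
    if oem == NTFS_OEM:
        total = struct.unpack_from("<Q", vbr, 0x28)[0]
    else:                                              # FAT: 16-bit count, else 32-bit large count
        total = struct.unpack_from("<H", vbr, 0x13)[0] or struct.unpack_from("<I", vbr, 0x20)[0]
    return {"oem": oem, "hidden_sectors": hidden, "total_sectors": total}


def check_disk(disk):
    """Return (partition index, finding, detail) tuples for every volume whose
    VBR disagrees with the MBR partition table."""
    findings = []
    for p in parse_partitions(disk[:SECTOR]):
        off = p["lba"] * SECTOR
        try:
            bpb = parse_vbr(disk[off:off + SECTOR])
        except ValueError as e:
            findings.append((p["index"], "bad-vbr", str(e)))
            continue
        if bpb["hidden_sectors"] != p["lba"]:
            delta = bpb["hidden_sectors"] - p["lba"]
            findings.append((p["index"], "hidden-sectors-mismatch",
                             f"BPB {bpb['hidden_sectors']} vs MBR {p['lba']} ({delta:+d} sectors)"))
        if bpb["total_sectors"] > p["sectors"]:
            findings.append((p["index"], "volume-exceeds-partition",
                             f"BPB {bpb['total_sectors']} > MBR {p['sectors']}"))
    return findings


def make_disk(hidden_sectors, part_lba=63, part_sectors=204800):
    """Assemble a small constructed disk image: MBR, then the NTFS VBR at the partition start."""
    disk = bytearray((part_lba + 1) * SECTOR)
    disk[:SECTOR] = build_mbr([(0x80, 0x07, part_lba, part_sectors)])
    disk[part_lba * SECTOR:(part_lba + 1) * SECTOR] = build_ntfs_vbr(hidden_sectors, part_sectors - 1)
    return bytes(disk)


if __name__ == "__main__":
    print("clean:   ", check_disk(make_disk(63)))
    print("tampered:", check_disk(make_disk(63 + 9)))   # field redirected past the real start
```

On a real system the same check runs against the raw physical disk rather than `make_disk`; read it from a clean boot environment, since a bootkit that hooks disk I/O can hand the on-disk scanner the original sectors.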

HexRaysCodeXplorer: make object-oriented RE easier
Posted Sun, 10 Nov 2013 08:40:18 GMT by matrosov (Alex Matrosov). URL: /slideshow/zn-2013-pdf/28087155
HexRaysCodeXplorer is a Hex-Rays Decompiler plugin for easier code navigation. The main features of the plugin are:
- Automatic type REconstruction for C++ objects.
- C-tree graph visualization: a tree-like structure representing a decompiled routine in citem_t terms, useful for understanding how the decompiler works.
- Navigation through virtual function calls in the Hex-Rays Pseudocode window.
- Object Explorer: an interface for navigating virtual table (VTBL) structures.
In this presentation the authors of HexRaysCodeXplorer discuss the main functionality of the plugin and its application to reverse engineering, and present the algorithm for C++ type REconstruction. A special version of HexRaysCodeXplorer (ZeroNights edition) will be released with new features developed specially for the ZeroNights conference; the new features will be committed to GitHub from the stage.
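The vtable discovery and virtual-call navigation that both HexRaysCodeXplorer abstracts (the H2HC and ZeroNights editions above) describe, shown as an added example. This is not the plugin's code and not its published type-REconstruction algorithm; it is a standalone heuristic over a constructed 64-bit image: find maximal runs of pointer-sized slots in read-only data that point into the code section, use the MSVC convention of a complete-object-locator pointer in the slot before a vtable as corroboration, and resolve a `vtbl + offset` call site of the kind the decompiler prints back to a concrete function. Section ranges, function addresses, class names and the image bytes are all constructed for the demonstration.

```python
"""Heuristic vtable discovery and virtual-call resolution over a flat image.

Added example: this is not HexRaysCodeXplorer's code or its published
algorithm. Section ranges, function addresses, class names and the image
bytes are constructed for the demonstration (64-bit, little-endian).
"""
import struct
from dataclasses import dataclass

PTR = 8  # pointer size of the constructed image


@dataclass(frozen=True)
class Section:
    name: str
    start: int
    end: int  # exclusive

    def contains(self, addr):
        return self.start <= addr < self.end


TEXT = Section(".text", 0x140001000, 0x140002000)    # constructed code range
RDATA = Section(".rdata", 0x140003000, 0x140004000)  # constructed read-only data

# Hypothetical functions "emitted by the compiler" for two classes.
FUNCS = {
    "Base::~Base": 0x140001000, "Base::Run": 0x140001080, "Base::Stop": 0x1400010F0,
    "Derived::~Derived": 0x140001200, "Derived::Run": 0x140001270,
    "Derived::Stop": 0x1400012E0, "Derived::Extra": 0x140001340,
}


def build_rdata():
    """Construct .rdata: two MSVC-style vtables (each preceded by a pointer to
    its RTTI complete object locator), one stray code pointer that must not be
    reported as a vtable, and a few bytes of string data."""
    blob = bytearray()

    def put(v):
        blob.extend(struct.pack("<Q", v))

    put(RDATA.start + 0x800)             # COL for Base (points into .rdata, not .text)
    base_vtbl = RDATA.start + len(blob)
    for n in ("Base::~Base", "Base::Run", "Base::Stop"):
        put(FUNCS[n])
    put(0)                               # terminator / padding
    put(FUNCS["Base::Run"])              # lone code pointer: a run of one, not a vtable
    put(0x4142434445464748)              # unrelated string bytes
    put(RDATA.start + 0x880)             # COL for Derived
    derived_vtbl = RDATA.start + len(blob)
    for n in ("Derived::~Derived", "Derived::Run", "Derived::Stop", "Derived::Extra"):
        put(FUNCS[n])
    return bytes(blob), {"Base": base_vtbl, "Derived": derived_vtbl}


def read_ptr(image, base, addr):
    return struct.unpack_from("<Q", image, addr - base)[0]


def find_vtables(image, base, code, min_entries=2):
    """Return {vtable_addr: [function addrs]} for every maximal run of at
    least min_entries consecutive pointer-sized slots that point into code."""
    found, run_start, run = {}, None, []
    n_slots = len(image) // PTR
    for i in range(n_slots + 1):                     # one extra pass flushes a trailing run
        addr = base + i * PTR
        val = read_ptr(image, base, addr) if i < n_slots else None
        if val is not None and code.contains(val):
            run_start = addr if run_start is None else run_start
            run.append(val)
            continue
        if run_start is not None and len(run) >= min_entries:
            found[run_start] = run
        run_start, run = None, []
    return found


def msvc_col_hint(image, base, vtbl_addr, rdata):
    """MSVC stores a pointer to the RTTI complete object locator in the slot
    before the vtable; return it when that slot points into read-only data."""
    if vtbl_addr - PTR < base:
        return None
    col = read_ptr(image, base, vtbl_addr - PTR)
    return col if rdata.contains(col) else None


def resolve_virtual_call(vtables, vtbl_addr, offset):
    """Map a pseudocode call such as (*(vtbl + offset))(this) to its target."""
    if offset % PTR:
        raise ValueError("unaligned vtable offset")
    return vtables[vtbl_addr][offset // PTR]


def demo():
    image, expected = build_rdata()
    vtables = find_vtables(image, RDATA.start, TEXT)
    names = {addr: name for name, addr in FUNCS.items()}
    for vt, entries in sorted(vtables.items()):
        col = msvc_col_hint(image, RDATA.start, vt, RDATA)
        col_s = "none" if col is None else f"{col:#x}"
        print(f"vtable @ {vt:#x}: {len(entries)} entries, COL={col_s}")
        for i, f in enumerate(entries):
            print(f"  [{i}] +{i * PTR:#x} -> {f:#x} {names.get(f, '?')}")
    # The decompiler shows (*(_QWORD *)(*(_QWORD *)this + 0x10))(this) for Derived.
    target = resolve_virtual_call(vtables, expected["Derived"], 0x10)
    print(f"Derived vtbl+0x10 -> {names[target]}")
    return vtables


if __name__ == "__main__":
    demo()
```

The run-length heuristic is deliberately loose: a stray code pointer next to real data produces a run of one and is dropped, but two adjacent function pointers in a jump table or callback array will be reported as a candidate, so the COL hint (or a cross-reference from a constructor storing the address into `this`) is what promotes a candidate to a confirmed vtable.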

Reconstructing Gapz: Position-Independent Code Analysis Problem
Posted Fri, 28 Jun 2013 10:32:41 GMT by matrosov (Alex Matrosov). URL: /slideshow/recon-2013-pdf/23621466
(No abstract was published with this slide deck.)

Advanced Evasion Techniques by Win32/Gapz
Posted Mon, 20 May 2013 09:02:45 GMT by matrosov (Alex Matrosov). URL: /slideshow/advanced-evasion-techniques-by-win32gapz/21526473
(No abstract was published with this slide deck.)

Festi botnet analysis and investigation
Posted Mon, 17 Dec 2012 10:04:54 GMT by matrosov (Alex Matrosov). URL: /slideshow/festi-botnet-analysis-and-investigation/15672650
The Festi botnet has been in business since the autumn of 2009 and is currently one of the most powerful and active botnets for sending spam and performing DDoS attacks. Festi is an interesting and atypical malware family implementing rootkit functionality with strong protection against reverse engineering and forensic analysis. It is capable of bypassing sandboxes and automated trackers using advanced techniques such as inserting timestamps into its communication protocol, detecting virtual machines, and subverting personal firewalls and HIPS systems. The bot consists of two parts: the dropper, and the main module, a kernel-mode driver, which is detected by ESET as Win32/Rootkit.Festi. The kernel-mode driver implements backdoor functionality and is capable of:
- updating configuration data from the C&C (command and control) server;
- downloading additional dedicated plugins.
In our presentation we concentrate on the latest Festi botnet update from June 2012 and offer comprehensive information gleaned from our investigations, with details on the developers of the botnet and on the reverse engineering of the bot's main components: the kernel-mode driver and the plugins (DDoS, spam). The presentation starts with a description of our investigation and an account of how the Festi botnet evolved over time. We present a binary analysis of the kernel-mode driver and the downloaded plugins, which are volatile kernel-mode modules that are never saved to any storage device in the system but exist only in memory, making forensic analysis of the malware significantly more difficult. The presentation also covers Festi's ability to bypass personal firewalls and HIPS systems that may be installed on the infected machine. We give details of the Festi network communication protocol architecture, which is built on the TCP/IP stack implementation of the Microsoft Windows operating system to communicate with C&C servers, send spam and perform DDoS attacks. Finally, we describe several self-protective features and techniques of the botnet communication protocol used to bypass sandboxes and trackers.
Win32/Flamer: Reverse Engineering and Framework Reconstruction /slideshow/zn2012-pdf/15295363 zn2012pdf-121122040315-phpapp01
In this talk one won't see any speculation on state-sponsored cyber-espionage or conspiracy theories on cyber weapon development. The authors will concentrate on different approaches to the analysis of malware built on an object-oriented architecture, with respect to one of the most complex threats known in the history of the AV industry: Win32/Flamer. The authors will present methods of malware analysis developed in the course of researching such threats as Stuxnet, Duqu and Festi. The talk will shed light on the problems researchers face during the investigation of complex threats and the ways to deal with them using tools by Hex-Rays. The authors will also present the results of research on reconstructing the framework which was used to build Win32/Flamer and will show its similarity to Stuxnet/Duqu/Gauss with respect to code and architecture.
Thu, 22 Nov 2012 04:03:12 GMT
Win32/Flamer: Reverse Engineering and Framework Reconstruction from Alex Matrosov
Smartcard vulnerabilities in modern banking malware /slideshow/smartcard-vulnerabilities-in-modern-banking-malware/13191761
The past few years have seen a rapid growth of threats targeting the Russian RBS (remote banking system) market (Shiz, Carberp, Hodprot, RDPdoor, Sheldor). Attackers can steal huge amounts of money, estimated at tens of millions monthly. The speaker will describe the study of the most common banking malware, as well as the discovery of interesting vulnerabilities in the use of two-factor authentication and smart cards. The report also discusses techniques and tricks that are used by hackers to conduct anti-forensics.
Mon, 04 Jun 2012 07:11:48 GMT
Smartcard vulnerabilities in modern banking malware from Alex Matrosov
Carberp Evolution and BlackHole: Investigation Beyond the Event Horizon /slideshow/carberp-evolution-and-blackhole-public/13058774
In this presentation we will be discussing the evolution of remote banking system (RBS) attacks in Russia. The year 2011 could be described as a year of tremendous growth of attacks on Russian bank clients. In this year alone the quantity of incidents relating to RBS has doubled. The profits available to the malefactors are almost beyond imagining; one controller of a bank botnet could bring millions in profit to its herder. We will concentrate on these issues with specific reference to examples of incidents associated with the largest cybercriminal group in Russia, employing one of the most dangerous malware families to date, Win32/Carberp: our statistics indicate, among other things, that in November Carberp detections increased up to four times in the Russian region. We will also look at the ways in which this group is cooperating with the developers of the Hodprot, RDPdoor and Sheldor trojans. The presentation starts with a description of the propagation techniques used to deliver Carberp to its victims' machines from a large number of legitimate web sites, using the BlackHole exploit kit. Different types of attacks used to target the clients of major Russian banks are also considered. Then we will move on to an in-depth analysis of Carberp's features and its evolution over time (webinjects, targeted attacks on RBS, bypassing detection with bootkit technology). Particular attention will be devoted to the bootkit component and the related capabilities which have appeared in the most recent modification of the malware. Finally, we will show the way that the server-side C&C code works and how the clients' money is stolen with a set of dedicated plugins.
Thu, 24 May 2012 06:54:34 GMT
Carberp Evolution and BlackHole: Investigation Beyond the Event Horizon from Alex Matrosov
Modern malware techniques for attacking RBS systems in Russia /slideshow/modern-malware-techniques-for-attacking-rbs-systems-in-russia-10367611/10367611
Mon, 28 Nov 2011 09:05:06 GMT
Modern malware techniques for attacking RBS systems in Russia from Alex Matrosov
Win32/Duqu: involution of Stuxnet /matrosov/win32duqu-involution-of-stuxnet
Mon, 28 Nov 2011 08:55:03 GMT
Win32/Duqu: involution of Stuxnet from Alex Matrosov
Modern Bootkit Trends: Bypassing Kernel-Mode Signing Policy /slideshow/modern-bootkit-trends-bypassing-kernelmode-signing-policy/9656088
Wed, 12 Oct 2011 05:09:39 GMT
Modern Bootkit Trends: Bypassing Kernel-Mode Signing Policy from Alex Matrosov
Defeating x64: Modern Trends of Kernel-Mode Rootkits /slideshow/defeating-x64-modern-trends-of-kernelmode-rootkits/9416193
64-bit versions of Microsoft Windows were considered resistant to kernel-mode rootkits because of the integrity checks performed by the system code. However, today there are examples of malware that use methods to bypass the security mechanisms implemented. This presentation focuses on x64 architecture security issues, specifically the kernel-mode code signing policy and the techniques used by modern malware to bypass it. We analyze the techniques used by modern in-the-wild kernel-mode rootkits to penetrate the kernel-mode address space:
- Win64/Olmarik (TDL4)
- Win64/TrojanDownloader.Necurs (rootkit dropper)
- NSIS/TrojanClicker.Agent.BJ (rootkit dropper)
Special attention is given to the Win64/Olmarik (TDL4) bootkit as the most prominent example of a kernel-mode rootkit aimed at 64-bit Windows systems. We detail the notable features of TDL4 over its predecessor (TDL3/TDL3+): the development of user-mode components, the kernel-mode rootkit techniques used to bypass HIPS, the hidden file system and the bootkit functionality. Finally, we describe possible approaches to cleaning an infected computer and present a free forensics tool for dumping the hidden TDL file system.
Sun, 25 Sep 2011 15:05:29 GMT
Defeating x64: Modern Trends of Kernel-Mode Rootkits from Alex Matrosov
Defeating x64: The Evolution of the TDL Rootkit /slideshow/defeating-x64-the-evolution-of-the-tdl-rootkit/8097167
In this presentation we will be discussing the evolution of the notorious rootkit TDL (classified by ESET as Win32/Olmarik and Win64/Olmarik), which in its latest incarnation is the first widespread rootkit to target 64-bit versions of Microsoft Windows operating systems. The most striking features of the rootkit are its ability to bypass Microsoft Windows Driver Signature Checking in order to load its malicious driver, and its implementation of its own hidden encrypted file system in which to store its malicious components. Between its first appearance on the malware scene and the present, its architecture has been drastically changed several times to adapt to new systems and respond to countermeasures introduced by antivirus and HIPS software. In the presentation we will cover the following topics: the evolution of the user-mode and kernel-mode components of the rootkit; techniques it has used to bypass HIPS; modifications to the hidden file system; bootkit functionality; the recently introduced ability to infect x64 operating systems; and, finally, approaches to removing the rootkit from an infected system. In addition, we will present our free forensic tool for dumping the hidden rootkit file system.
Wed, 25 May 2011 09:10:06 GMT
Defeating x64: The Evolution of the TDL Rootkit from Alex Matrosov
Forensic Examination and Analysis of Rootkits Using TDL4 as an Example /slideshow/tdl4/8030485
Thu, 19 May 2011 13:29:27 GMT
Forensic Examination and Analysis of Rootkits Using TDL4 as an Example from Alex Matrosov
Cybercrime in Russia: Trends and Issues /slideshow/cybercrime-in-russia-trends-and-issues/7983317
This report focuses on the development of Russian cybercrime. Firstly, it summarizes the economic and geopolitical factors that underlie computer crime, and which must be taken into consideration by researchers seeking to predict upcoming developments in cybercrime and cybercrime targeting. It goes on to look at the other ways in which Russian presence in the criminal cybersphere can be tracked, considering the technical approaches used by hackers in the region, how they link with economic and geographic factors, as well as with the part played by law enforcement in the investigation of international computer crimes. The presentation will cover the following topics:
1. How cybercrime is interlinked with economic and geographical factors in Russia. The implications of the banking and instant payment systems of the Russian Federation.
2. Law enforcement. The laws that currently obtain in the area of Russian computer crime: legal evasions and loopholes.
3. Technical trends. The use of botnets to steal money from the Internet banking system for corporate clients: technological and statistical analysis of the malware families involved, the organizational structures of the perpetrators, and the calculation of damages.
4. Successfully prosecuted cases in 2010. Complex investigation: spam affiliates, the WinLock case and others.
5. How DDoS attacks and botnet operations in Russian networks were tracked in co-operation with the Russian Honeynet Project.
Mon, 16 May 2011 11:45:13 GMT
Cybercrime in Russia: Trends and Issues from Alex Matrosov
Stuxnet msu /slideshow/stuxnet-msu/5528094 stuxnetmsu-101022045245-phpapp02
Fri, 22 Oct 2010 04:52:41 GMT /slideshow/stuxnet-msu/5528094 matrosov@slideshare.net(matrosov) Stuxnet msu matrosov
Stuxnet msu from Alex Matrosov
Alex has more than a decade of experience focused on reverse engineering advanced malware, firmware security and modern exploitation techniques. Currently he holds the position of Principal Security Researcher at Intel Security Center of Excellence (SeCoE), where he leads BIOS security for Client Platforms. Prior to this role, he spent over six years at the Intel Advanced Threat Research team and at ESET, where he was a Senior Security Researcher. He is a co-author of numerous research papers, including the book Rootkits and Bootkits: Reversing Modern Malware and Next Generation Threats. Alex is frequently invited to speak at practical security conferences, such as REcon, Ekoparty, H2HC, Zeron... twitter.com/matrosov