Learn, hack!

Hacking and security documentation: slides, papers, video and audio recordings. All in high-quality, daily updated, avoiding security crap documents. Spreading hacking knowledge, for free, enjoy. Follow on .

Stuxnet Redux: Malware Attribution & Lessons Learned

malware, Stuxnet
Tom Parker
Black Hat DC 2011
Indexed on
Mar 27, 2013
File name
File size
35.6 KB

+ EMAIL + RSS + TWITTER + FACEBOOK + LINKED.IN // briefers Itzhak Avraham Ryan Barnett Dionysus Blazakis Tom Brennan Andrew Case Sean Coyne Adrian Crenshaw Neil Daswani Bruno Goncalves de Oliveira Mariano Nunez Di Croce Michael Eddington Marc Eisenbarth Chris Gates Giovanni Gola Cassio Goldschmidt Joe Grand Chris Hadnagy Rob Havelt Vincenzo Iozzo Franklin D. Kramer Jon Larimer Tarjei Mandt Eric Michaud Laurent Oudot Tom Parker David Perez Jose Pico Alexander Polyakov Thomas Roth Jordan Santarsieri Jamie Schwettmann Val Smith Angelos Stavrou Matthieu Suiche Bryan Sullivan Zhaohui Wang Matthew Weeks Ralf-Philipp Weinmann Dino Dai Zovi Black Hat DC 2011 //Briefings Hyatt Regency Crystal City training: jan.16 - 17 | briefings: jan.18 - 19 ( MEDIA LEGEND ) [White Paper] white paper document [Presentation] presentation [WWW-Archives] source material Keynote Speaker // Franklin D. Kramer Day 1 Keynote - Cyber Conflicts: Challenging the Future ABSTRACT TBA //BIO: Franklin D. Kramer Itzhak Avraham Popping Shell on A(ndroid)RM Devices The attendees will gain knowledge on how to exploit ARM buffer overflows, use Ret2ZP attack and will demo a vulnerable application that is in current Android and can be used for remote attacks(!). Also, We'll cover the problems with native/mixed code debugging, issues with current implementations of Androids and how ARM exploits can be used if better security prevention techniques is being implied (like XN bit - same as NX bit on X86). [White Paper] [Presentation] //BIO: Itzhak Avraham Ryan Barnett XSS Street-Fight: The Only Rule Is There Are No Rules Defending web applications from Cross-Site Scripting (XSS) attacks is extremely challenging, especially when the application's code can not be updated to fix the issue. This presentation will provide a walk-through of various XSS attack/defense/evasion lessons learned by Trustwave's SpiderLabs Research Team while working with commercial WAF customers, as well as, by receiving thousands of attacks against our public ModSecurity demonstration page. We will highlight cutting-edge XSS protection methods that are external to the web application's code such as Defensive Javascript Content Injection. [White Paper] [Presentation] //BIO: Ryan Barnett Dionysus Blazakis The Apple Sandbox Despite the never ending proclamations of the end of memory corruption vulnerabilities, modern software still falls to exploits that target these bugs. Current operating systems incorporate a battery of exploit mitigations making life significantly more complex for attackers. Additionally, developers are becoming increasingly aware of the security implications of previously idiomatic code. Leading software publishers are teaching defensive coding techniques and have adopted an offensive mindset for product testing. Unfortunately, a single vulnerability can still provide the attacker the leverage needed to gain entry. Security researchers have disclosed multiple ways to render the mitigations ineffective (under the right circumstances) -- imagine what techniques are not public. One bug can still "ruin your day". In this presentation, I describe the architecture and implementation of the Apple XNU Sandbox framework (previously codenamed "Seatbelt"). This framework is used to contain App Store applications on iOS and some server applications on OS X. I will give you a complete tour of the Sandbox internals, most of which are in closed source modules (kernel extensions and dynamic libraries). This information is useful for auditors or exploit developers attempting to escape the sandbox and for developers or defenders attempting to secure their applications. I will also release an automated profile decompiler to extract a human readable policy definition from a compiled profile inside the kernel (iOS kernelcache or OS X). By the end of the presentation, you will have a working understanding of the entire access control system from policy definition to sandbox initialization to the kernel's policy enforcement. [White Paper] [Presentation] [Source] //BIO: Dionysus Blazakis Tom Brennan, Ryan Barnett Checkmate with Denial of Service Denial-Of-Service is an attempt to make a computer resource unavailable to its intended users and is not new. In recent history April 2009, government and financial sites in the U.S. and South Korea were attacked by DDOS and were brought offline for days. This incident followed the Georgian DDOS attacks in 2008 and Estonian DDOS attacks in 2007. Common attack methods include systems infected with malware that are controlled and all connect to the target host at the same time using Layer 4 (Transport) which are already addressed by anti-DDOS solutions when employed. In 2009 a lethal form of Layer 7 (Application) attack techniques were being examined by Wong Onn Chee of OWASP Foundation Singapore and in 2010 together with Tom Brennan of OWASP Foundation presented the findings publicly for the first time with code samples. Tom Brennan will walk through the history and details of how this lethal HTTP POST DOS technique works, interesting findings in the protocol and the challenges in defending critical infrastructure against targeted attacks and demonstrate and release his open-source tool that can be used to test your own production systems -- or render others useless with the touch of a button from a single laptop. [Presentation] //BIO: Tom Brennan //BIO: Ryan Barnett Andrew Case De-Anonymizing Live CDs through Physical Memory Analysis Traditional digital forensics encompasses the examination of data from an offline or “dead” source such as a disk image. Since the filesystem is intact on these images, a number of forensics techniques are available for analysis such as file and metadata examination, timelining, deleted file recovery, indexing, and searching. Live CDs present a large problem for this forensics model though as they run solely in RAM and do not interact with the local disk. This removes the ability to perform an orderly examination since the filesystem is no longer readily available and putting random pages of data into context can be very difficult for in-depth investigations. In order to solve this problem, we present a number of techniques that allow for complete recovery of a live CD’s in-memory filesystem and partial recovery of its previously deleted contents. We also present memory analysis of the popular Tor application as it is used by a number of live CDs in an attempt to keep network communications encrypted and anonymous. [White Paper] [Presentation] //BIO: Andrew Case Sean Coyne The Getaway: Methods and Defenses for Data Exfiltration There are several stages to a successful cyber attack. The most crucial of which is also the least discussed: data theft. Cyber criminals, insider threats, advanced persistent threats; every attacker has ways to get into your network and find what they want. While there are several tools, methods and strategies to combat intruders, once they’ve made off with your data there is no getting it back, the game is over. MANDIANT’s consultants regularly respond to incidents where data, intellectual property even money is being stolen from victim organizations. During this presentation we will take a look at some of the advanced methods of stealing data that we have recently encountered in the field, including: preparing and cleaning staging areas, avoiding DLP/traffic scanning products and how attackers use a victim’s own infrastructure and architecture against them. We will discuss why these tricks work and what, if anything, can be done to stop them. Whether it be financial information, intellectual property, or personally identifiable information; the most valuable thing on your network is the data. Intruders may get in, but until they get out with what they came for the game’s not over. [White Paper] [Presentation] //BIO: Sean Coyne Adrian Crenshaw Identifying the true IP/Network identity of I2P service hosts This paper will present research into services hosted internally on the I2P anonymity network, especially I2P hosted websites known as eepSites, and how the true identity of the Internet host providing the service may be identified via information leaks on the application layer. By knowing the identity of the Internet host providing the service, the anonymity set of the person or group that administrates the service can be greatly reduced. The core aim of this paper will be to test the anonymity provided by I2P for hosting eepSites, focusing primarily on the application layer and mistakes administrators and developers may make that could expose a service provider’s identity or reduce the anonymity set they are part of. We will show attacks based on the intersection of I2P users hosting eepSites on public IPs with virtual hosting, the use of common web application vulnerabilities to reveal the IP of an eepSite, as well as general information that can be collected concerning the nodes participating in the I2P anonymity network. [White Paper] [Presentation] //BIO: Adrian Crenshaw Neil Daswani Malware Distribution via Widgetization of the Web The Web 2.0 transformation has in part involved many sites using third-party widgets. We present the "widgetized web graph" showing the structure of high traffic web sites from the standpoint of widgets, show how web-based malware and scareware is propagated via such widgets, and provide data on how a mass web-based malware attack can take place against the Quantcast 1000 web sites via widgets. [White Paper] //BIO: Neil Daswani Mariano Nunez Di Croce Your crown jewels online: Attacks to SAP Web Applications "SAP platforms are only accessible internally". You may have heard that several times. While that was true in many organizations more than a decade ago, the current situation is completely different: driven by modern business requirements, SAP systems are getting more and more connected to the Internet. This scenario drastically increases the universe of possible attackers, as remote malicious parties can try to compromise the organization's SAP platform in order to perform espionage, sabotage and fraud attacks. SAP provides different Web interfaces, such as the Enterprise Portal, the Internet Communication Manager (ICM) and the Internet Transaction Server (ITS). These components feature their own security models and technical infrastructures, which may be prone to specific security vulnerabilities. If exploited, your business crown jewels can end up in the hands of cyber criminals. Through many live demos, this talk will explain how remote attackers may compromise the security of different SAP Web components and what you can do to avoid it. In particular, an authentication-bypass vulnerability affecting "hardened" SAP Enterprise Portal implementations will be detailed. [White Paper] [Presentation] //BIO: Mariano Nunez Di Croce Mariano Nunez Di Croce, Jordan Santarsieri WORKSHOP - Cyber-attacks to SAP platforms: The Insider Threat How would a malicious insider exploit vulnerabilities in your SAP environment to get hold of your most sensitive business data? Which are the chances of him being successful? What can you do to stop him? If you are looking for answers to these questions, you should consider attending this workshop. By joining us in this session, you will: Learn how to detect some of the existing threats *yourself* using Bizploit, the first opensource ERP Penetration Testing framework. Watch several *live* demos to understand how successful exploitations can result in espionage, sabotage and fraud attacks to your organization. Find out how you can *protect yourself from the detected risks*, improving the security of your platform. Discover the *latest outcome* from the Onapsis Research Labs, focused on the hot "ERP security" topic. You do not require any previous SAP knowledge to attend this event. Take-aways: Copy of Bizploit, presentation slides and new knowledge! //BIO: Mariano Nunez Di Croce //BIO: Jordan Santarsieri Michael Eddington WORKSHOP - Peach Fuzzing Join us for look at fuzzing with Peach and the Peach extension HotFuzz. Peach is the most widely used fuzzer across a wide range of security professionals including: security researchers, consultants, and corporate security teams. This workshop will provide a solid look at Peach, how it works and a jump-start on its usage. Additionally, we will demonstrate the usage of HotFuzz an extension of Peach that is able to “automatically” fuzz known network protocols by acting as a “fuzzing proxy.” Attendees with laptops and correct software can follow along with the demonstrations to get a more “hands on” feel to how Peach and HotFuzz work. //BIO: Michael Eddington Marc Eisenbarth Active Exploitation Detection Security professionals have a massive number of acronyms at their disposal: IPS, VA, VM, SIEM, NBAD, and more. This talk is about a tool that resists classification by these acronyms. The goal of Active Exploitation Detection (AED) is to actively monitor and identify compromise of arbitrary, remote systems with the express intent to discover novel exploitation methods, track down elusive zero-day details, compile a list of known-compromised hosts, and most importantly get into the mind of today’s cyber criminals. Simplistically, AED correlates changes visible to the remote monitoring system with external stimuli such as software patch schedules and security media sources in order to gain unique insight into the security threat landscape on an Internet scale. AED is a framework which is driven by arbitrary pluggable modules that must provide four high level implementations, namely port scanning, application identification via static and dynamic methods, and a data mining engine. The primary goal of this talk is to both present findings that trend the threat landscape of the Internet as a whole, and the tool itself, which is a means to introduce the audience to a number of best-of-breed open-source tools which have been integrated into this project. [White Paper] [Presentation] //BIO: Marc Eisenbarth Chris Gates Attacking Oracle Web Applications With Metasploit In 2009, Metasploit released a suite of auxiliary modules targeting oracle databases and attacking them via the TNS listener. This year lets beat up on...errr security test Oracle but do it over HTTP/HTTPS. Rather than relying on developers to write bad code lets see what we can do with default content and various unpatched Oracle middleware servers that you’ll commonly run into on penetration tests. We’ll also re-implement the TNS attack against the isqlplus web portal with Metasploit auxiliary modules. [White Paper] [Presentation] //BIO: Chris Gates Cassio Goldschmidt Responsibility for the Harm and Risk of Software Security Flaws Who is responsible for the harm and risk of security flaws? The advent of worldwide networks such as the internet made software security (or the lack of software security) became a problem of international proportions. There are no mathematical/statistical risk models available today to assess networked systems with interdependent failures. Without this tool, decision-makers are bound to overinvest in activities that don’t generate the desired return on investment or under invest on mitigations, risking dreadful consequences. Experience suggests that no party is solely responsible for the harm and risk of software security flaws but a model of partial responsibility can only emerge once the duties and motivations of all parties are examine and understood. State of the art practices in software development won’t guarantee products free of flaws. The infinite principles of mathematics are not properly implemented in modern computer hardware without having to truncate numbers and calculations. Many of the most common operating systems, network protocols and programming languages used today were first conceived without the basic principles of security in mind. Compromises are made to maintain compatibility of newer versions of these systems with previous versions. Evolving software inherits all flaws and risks that are present in this layered and interdependent solution. Lastly, there are no formal ways to prove software correctness using neither mathematics nor definitive authority to assert the absence of vulnerabilities. The slightest coding error can lead to a fatal flaw. Without a doubt, vulnerabilities in software applications will continue to be part of our daily lives for years to come. Decisions made by adopters such as whether to install a patch, upgrade a system or employed insecure configurations create externalities that have implications on the security of other systems. Proper cyber hygiene and education are vital to stop the proliferation of computer worms, viruses and botnets. Furthermore, end users, corporations and large governments directly influence software vendors’ decisions to invest on security by voting with their money every time software is purchased or pirated. Security researchers largely influence the overall state of software security depending on the approach taken to disclose findings. While many believe full disclosure practices helped the software industry to advance security in the past, several of the most devastating computer worms were created by borrowing from information detailed by researcher’s full disclosure. Both incentives and penalties were created for security researchers: a number of stories of vendors suing security researchers are available in the press. Some countries enacted laws banning the use and development of “hacking tools”. At the same time, companies such as iDefense promoted the creation of a market for security vulnerabilities providing rewards that are larger than a year’s worth of salary for a software practitioner in countries such as China and India. Effective policy and standards can serve as leverage to fix the problem either by providing incentives or penalties. Attempts such PCI created a perverse incentive that diverted decision makers’ goals to compliance instead of security. Stiff mandates and ineffective laws have been observed internationally. Given the fast pace of the industry, laws to combat software vulnerabilities may become obsolete before they are enacted. Alternatively, the government can use its own buying power to encourage adoption of good security standards. One example of this is the Federal Desktop Core Configuration (FDCC). The proposed presentation is based on the research done by Cassio Goldschmidt, Sr. Manager at Symantec Corporation; Melissa J. Dark, Professor & Assistant Dean Department of Computer and Information Technology Purdue University and Hina Chaudhry, PhD. Candidate at Purdue University and is reflection of the role of each player involved in the software lifecycle and the incentives (and disincentives) they have to perform the task, the network effects of their actions and the results on the state of software security. The full text is available as a chapter of Information Assurance & Security Ethics (ISBN: 978-1-61692-245-0, hardcover. ISBN: 978-1-61692-246-7, ebook). [White Paper] [Presentation] //BIO: Cassio Goldschmidt Joe Grand WORKSHOP - Hardware Reverse Engineering: Access, Analyze, and Defeat Electronics are embedded into nearly everything we use. Hardware products are being relied on for security-related applications and are inherently trusted, though many are completely susceptible to compromise. In this workshop, Joe will discuss the hardware hacking and reverse engineering processes, and then provide an open lab environment for you to probe, analyze, and hack. Joe will bring a variety of products to tinker with, though attendees are heavily encouraged to bring their own pieces of hardware to explore. Basic tools and electronics test/measurement equipment will be provided. You'll leave the workshop with new skills, ideas for further attacks, and maybe even some defeated hardware. [Presentation] //BIO: Joe Grand Chris Hadnagy WORKSHOP: How to Hack Large Companies and Make Millions Offensive Security wants to take you on a non-stop thrill ride through an actual hack. From Information Gathering, Social Engineering and Client Side Exploitation we will show you complete and total domination of the target. This session will showcase the skills that are taught in Offensive Security’s world-renowned Pentesting With BackTrack course as well as our Penetration Testing services. Our goal is raise awareness of the real world threats that exist in corporate business today. [Presentation] //BIO: Chris Hadnagy Rob Havelt, Bruno Goncalves de Oliveira Hacking the Fast Lane: security issues with 802.11p, DSRC, and WAVE The new 802.11p standard aims to provide reliable wireless communication for vehicular environments. The P802.11p specification defines functions and services required by Wireless Access in Vehicular Environments (WAVE) conformant stations to operate in varying environments and exchange messages either without having to join a BSS or within a BSS, and defines the WAVE signaling technique and interface functions that are controlled by the 802.11 MAC. Wireless telecommunications and information exchange between roadside and vehicle systems present some interesting security implications. This talk will present an analysis of the 802.11p 5.9 GHz band Wireless Access in Vehicular Environments (WAVE) / Dedicated Short Range Communications (DSRC), Medium Access Control (MAC), and Physical Layer (PHY) Specifications of this protocol. We will present methods of analyzing network communications (GNU Radio/USRP, firmware modifications, etc.), and potential security issues in the implementation of the protocol in practical environments such as in toll road implementations, telematics systems, and other implementations. [White Paper] //BIO: Rob Havelt //BIO: Bruno Goncalves de Oliveira Vincenzo Iozzo, Giovanni Gola Stale pointers are the new black Memory corruption bugs such as dangling pointers, double frees and uninitialized memory are some of the open issues in application security. Finding dangling pointers and similar vulnerabilities in large code bases it's arguably more difficult than overflows because of the complexity and heterogeneity of applications memory management. Fuzzing has been proved to be an effective method for finding such bugs in browsers and other similar COTS applications, nonetheless it's not uncommon to see bugs found by fuzzers burned after a short period of time because of multiple rediscovery of the same vulnerabilities. In this talk the challenges of finding such bugs with static analysis and the results we got will be discussed, specifically we will explore the algorithms and techniques borrowed from program analysis and graph theory that can be employed to achieve our goal. We will also discuss what improvements can be made in order to increase precision and reduce the number of false positives. [Presentation] //BIO: Vincenzo Iozzo //BIO: Giovanni Gola Jon Larimer Beyond AutoRun: Exploiting software vulnerabilities with removable storage Malware has been using the AutoRun functionality in Windows for years to spread through removable storage devices. That feature is easy to disable, but the Stuxnet worm was able to spread through USB drives by exploiting a vulnerability in Windows. In this talk, I’ll examine different ways that attackers can abuse operating system functionality to execute malicious payloads from USB mass storage devices without relying on AutoRun. There’s a lot of code that runs between the USB drivers themselves and the desktop software that renders icons and thumbnails for documents, providing security researchers and hackers with a rich set of targets to exploit. Since the normal exploit payloads of remote shells aren’t totally useful when performing an attack locally from a USB drive, we’ll look at alternative payloads that can give attackers immediate access to the system. To show that these vulnerabilities aren’t just limited Windows systems, I’ll provide a demonstration showing how I can unlock a locked Linux desktop system just by inserting a USB thumb drive into the PC. [White Paper] [Presentation] //BIO: Jon Larimer Tarjei Mandt Kernel Pool Exploitation on Windows 7 In Windows 7, Microsoft introduced safe unlinking to the kernel pool to address the growing number of vulnerabilities affecting the Windows kernel. Prior to removing an entry from a doubly-linked list, safe unlinking aims to detect memory corruption by validating the pointers to adjacent list entries. Hence, an attacker cannot easily leverage generic "write 4" techniques in exploiting pool overflows or other pool corruption vulnerabilities. In this talk, we show that in spite of the efforts made to remove generic exploit vectors, Windows 7 is still susceptible to generic kernel pool attacks. In particular, we show that the pool allocator may under certain conditions fail to safely unlink free list entries, thus allowing an attacker to corrupt arbitrary memory. In order to thwart the presented attacks, we conclusively propose ways to further harden and enhance the security of the kernel pool. [White Paper] [Presentation] //BIO: Tarjei Mandt Laurent Oudot Inglourious Hackerds: Targeting Web Clients This talk will propose to look at technical security issues related to multiple Internet Web Clients. While such tools are used to crawl the Net and retrieve information, there might exist many scenarios where evil attackers can abuse them. By studying the protocols (HTTP, etc), and by doing some kind of fuzzing operations, we will show how TEHTRI-Security was able to find multiple security issues on many handled devices and workstations. The offensive concepts explained during this talk, will show many different tricks, like how evil attackers can become anonymous and create cover channels based on web clients, or like how to own or crash most famous current web clients and devices. [White Paper] [Presentation] //BIO: Laurent Oudot Tom Parker Stuxnet Redux: Malware Attribution & Lessons Learned Recent incidents commonly thought to be linked to state sponsored activities have given rise to much discussion over the reliability of technical analysis as a source for adversary attribution - specifically in regards to what is commonly termed as the Advanced Persistent Threat (or APT). We now live in a world where the reverse engineering of a malicious binary, or analysis of a compromised host may very well play into a world-changing decision, such as whether a country should declare war on another - or indeed, whether it is no longer viable for a large, multinational corporation to continue doing business in a given part of the globe. Of perhaps most note - stuxnet has dominated much of the information security media since it's public acknowledgment in June 2010. Multiple schools of thought have emerged, casting speculation over the identities of those responsible for the authorship and operalization of what some suggest is the most advanced piece of malware observed in the public domain. Nation state? Organized crime? Disgruntled vendor employee? This talk will take a close look at what we really know about this mysterious culmination of bits, closely analyzing some of the popular hypothesis, and identify others which have perhaps not drawn as much momentum. As a basis for our analysis, we will discuss in depth the merits and demerits of technical analysis; demonstrating ways in which various techniques including static binary analysis and memory forensics may be utilized to build a granular profile of the adversary, and where the same techniques may fall short. The presentation will discuss detailed characterization matrix that can be leveraged to assess and even automate assessment of multiple aspects of the adversary (such as motive, technical skill, technological research resources) that may all play into the way in which we respond to an incident, or reposition ourselves to handle a specific threat over in long term. Finally, we will review what lessons we can learn from stuxnet - to further attribution related research efforts, and ways in which we might adjust our security posture when it comes to protecting our nations most critical assets.

About us

Secdocs is a project aimed to index high-quality IT security and hacking documents. These are fetched from multiple data sources: events, conferences and generally from interwebs.


Serving 8166 documents and 531.0 GB of hacking knowledge, indexed from 2419 authors from 163 security conferences.


To support this site and keep it alive, you can click on the buttons below. Any help is really appreciated! This service is provided for free, but real money is needed to pay bills.

Flattr this Click here to lend your support to: Keep live SecDocs for an year and make a donation at www.pledgie.com !