© recon.cx 2005-2014

Recon 2014 Schedule


Going gets tough: a tale of encounters with novel evasive malware.


A few years ago, the aim of malware writers was to hide malicious activity from the operating system itself, which often at the same time meant successfully evading any installed security solution. Sophisticated kernel-mode and boot-level rootkits – such as TDSS, Sinowal or ZeroAccess – were used extensively in cybercriminal affiliate programs, protecting a wide range of mass-market malware, from spyware to banking Trojans. Hiding components were also implemented in the first disclosed nation-state sponsored campaigns: Stuxnet and Duqu.

The development of rootkits and anti-rootkit techniques went neck and neck up to a certain point, at which the growing complexity demanded of detection-avoiding mechanisms clearly outweighed the payoff. Significant improvements in the security of modern Windows operating systems, together with the increasing effectiveness of AV solutions, turned kernel space into a highly challenging playground for malware. This forced malware writers to look for better ways to bypass protections.

Although proof-of-concept work demonstrated that a potentially undiscoverable virtualization rootkit could be built, such rootkits were never adopted in the wild because of their overwhelming complexity. But what was the aim of such complex solutions in the first place? To make malware completely invisible to anything and anybody? Wouldn't it be enough to simply disguise it as a benign application in order to pass all security checks?

Existing proactive detection techniques, whether manual or automated, rely on the ability to execute code in a sandbox, and that is where the new opportunities lie. Through evasive behavior at emulation and analysis time, combined with anti-heuristic and anti-reversing techniques, malware can avoid detection and fool not only sandboxes, scanners and anti-virus applications, but malware analysts and reverse engineers as well.

Looking at the threat landscape over the last 3 years, we can notice a slow but clear decline in widespread malware protected by rootkits. Similarly, most of the recently discovered APT campaigns do not use any kernel-level components at all. Going user-land, in plain sight, has become the paradigm.

This presentation will analyze some interesting examples of user-mode anti-detection techniques widely used in recent malware, including:
• Sandbox/emulator bypass
• Evasion with the use of window messages
• Evasion with the use of SEH mechanism

Info

Day: 2014-06-27
Start time: 15:00
Duration: 00:30
Room: Grand Salon Opera
Track: Main

Links:

  • iCalendar
  • Slides(Powerpoint)
  • Recording (H.264)

Speakers

Marta Janus