Black Hat Asia
March 28-31, 2017
Singapore
Black Hat USA
July 22-27, 2017
Las Vegas, NV, USA
Black Hat Europe
December 4-7, 2017
London UK
2/26/2015
11:00 AM
Black Hat Staff
Black Hat Staff
Event Updates
50%
50%

Black Hat Asia 2015: Target: Malware

Hostile software is ever evolving, and Black Hat-associated research is one of the key loci of information on monitoring, defending against, and nullifying it. With that in mind, today we'll preview a quartet of interesting malware-related Briefings from Black Hat Asia 2015.

Malware commonly turns to API-wrapping techniques to obfuscate API calls, which makes it difficult to reverse-engineer the code. The old way of dealing with this, binary pattern matching, is easily defeated by simply changing the obfuscation pattern. What's needed is a more robust deobfuscation scheme ... how about one based on memory access analysis? API Deobfuscator: Identifying Runtime-Obfuscated API Calls via Memory Access Analysis will detail just such a scheme, which can generate maps between obfuscated API calls and their true invocations. And so the arms race continues.

Continuing on this sneaky malware kick, some of the more advanced malware, such as Citadel and Zeus/GameOver, can detect when they're being run in security researchers' sandboxes and halt all execution--stifling attempts to study them. As always, two can play that game. SLIME: Automated Anti-Sandboxing Disarmament System will show you how to defeat these countermeasures, automatically disarming them so analysis can proceed. Be sure to stick around for data on this technique's effectiveness on real-world, large-scale malware samples.

The Security Content Automation Protocol (SCAP) comprises a number of open standards meant to enumerate system vulnerabilities and malware characteristics via components like Common Vulnerabilities and Exposures (CVE), Common Configuration Enumeration (CCE), and Malware Attribute Enumeration and Characterization (MAEC), which all capture high-fidelity data in XML. Unfortunately, their XML schemes lack mutual compatibility, making deeper cross-analysis difficult. Security Content Metadata Model with an Efficient Search Methodology for Real Time Monitoring and Threat Intelligence proposes a low-impact way to modify these schema which will result in more powerful analyses that can resolve vulnerabilities before they're exploited.

Lastly, Android's become another hot frontier in the fight against malware, and static and dynamic analysis tools such as IDA, Smali, and mobile sandboxes have been created in response to Android malware's increasingly complex defensive measures. But even these can be worked around. DABiD: The Powerful Interactive Android Debugger for Android Malware Analysis will introduce DABiD (Dynamic Android Binary Debugger), an interactive Android debugger. DABiD can catch malwares' dynamic code modifications, monitor dynamically loaded classes, control execution flow, or disable certain instructions, making it easier to analyze and squash. All that, and it doesn't even need root.

Black Hat Asia 2015 takes place March 24 to 27 at the Marina Bay Sands in Singapore. Register today!

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Security Technologies to Watch in 2017
Emerging tools and services promise to make a difference this year. Are they on your company's list?
Flash Poll
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.