Black Hat Asia
March 24-27, 2015
Marina Bay Sands, Singapore
9/2/2014
01:00 PM
Black Hat Staff
Black Hat Staff
Event Updates
50%
50%

Black Hat Europe 2014: Focus On Malware

It wouldn't be a Black Hat event without a serious focus on malware, and we have some exciting malware and anti-malware programming to share with you this year. Without further ado, here are a few of the most intriguing malware-related Briefings that will be at Black Hat Europe 2014.

Mac OS X 10.10 (Yosemite) is soon to be released, but researchers have already had their way with it. Come to Exploring Yosemite: Abusing Mac OS X 10.10 for a full teardown of what's new from both defensive and offensive perspectives. What's better now, and what still needs work? Once you're briefed, presenters Sung-ting Tsai and Ming-chieh Pan will get into the really fun stuff, including details on Yosemite-compatible malware and rootkits they've developed. They'll demonstrate several new offensive techniques, including loading unsigned kernel modules and ways to avoid detection. They'll wrap by releasing System Virginity Verifier (SVV-X), a tool that scans for rootkits and abnormalities.

Speaking of stealth, what if attackers could hide malicious payloads in Android APK packages? And what if they were AES-encrypted, thus resisting reverse engineering? And, oh, let's say the encryption output was manipulated such that it appears to be a completely normal image file. Welcome to Hide Android Applications in Images, which will make up in wow factor what its title lacks in originality. Presenters Axelle Apvrille and Ange Albtertini note that their working proof-of-concept attack isn't so much about the nitty-gritty of crypto, but the subtle points of file formats... That's where the fun awaits.

Let's move from creating malware to capturing and analyzing it. Successful dynamic analysis can be difficult because sophisticated malware like Citadel and ZeuS/GameOver are equipped with anti-analysis techniques and do not engage in mischief on anything but an infected host. But what if you could "freeze dry" such malware for analysis elsewhere? Freeze Drying for Capturing Environment-Sensitive Malware Alive will debut Sweetspot, a malware capture system that can capture malware in-process by using process live migration and mimicking the infected host's environment on the analyzer by means of system call proxies. The tables are turned.

Along similar lines, FakeNet is a free and easy-to-use Windows network simulation tool that can trick malware into thinking it's online, allowing researchers to efficiently capture network signatures. Counterfeiting the Pipes With FakeNet 2.0 will teach you practical skills, like using FakeNet to mimic common protocols, configuring it to successfully confound malware, and how to zero in on processes generating malicious network activity. A hands-on component will let you try your hand at analyzing some poor, confused malware specimens.

Head on over to Black Hat Europe 2014's registration page to register.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-4440
Published: 2014-12-19
Password Generator (aka Pwgen) before 2.07 generates weak non-tty passwords, which makes it easier for context-dependent attackers to guess the password via a brute-force attack.

CVE-2013-4442
Published: 2014-12-19
Password Generator (aka Pwgen) before 2.07 uses weak pseudo generated numbers when /dev/urandom is unavailable, which makes it easier for context-dependent attackers to guess the numbers.

CVE-2013-7401
Published: 2014-12-19
The parse_request function in request.c in c-icap 0.2.x allows remote attackers to cause a denial of service (crash) via a URI without a " " or "?" character in an ICAP request, as demonstrated by use of the OPTIONS method.

CVE-2014-2026
Published: 2014-12-19
Cross-site scripting (XSS) vulnerability in the search functionality in United Planet Intrexx Professional before 5.2 Online Update 0905 and 6.x before 6.0 Online Update 10 allows remote attackers to inject arbitrary web script or HTML via the request parameter.

CVE-2014-2716
Published: 2014-12-19
Ekahau B4 staff badge tag 5.7 with firmware 1.4.52, Real-Time Location System (RTLS) Controller 6.0.5-FINAL, and Activator 3 reuses the RC4 cipher stream, which makes it easier for remote attackers to obtain plaintext messages via an XOR operation on two ciphertexts.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.