Black Hat USA
August 2-7, 2014
Mandalay Bay, Las Vegas, NV
Black Hat Europe
October 14-17, 2014
Amsterdam Rai, The Netherlands
9/2/2014
01:00 PM
Black Hat Staff
Black Hat Staff
Event Updates
Connect Directly
RSS
E-Mail
50%
50%

Black Hat Europe 2014: Focus On Malware

It wouldn't be a Black Hat event without a serious focus on malware, and we have some exciting malware and anti-malware programming to share with you this year. Without further ado, here are a few of the most intriguing malware-related Briefings that will be at Black Hat Europe 2014.

Mac OS X 10.10 (Yosemite) is soon to be released, but researchers have already had their way with it. Come to Exploring Yosemite: Abusing Mac OS X 10.10 for a full teardown of what's new from both defensive and offensive perspectives. What's better now, and what still needs work? Once you're briefed, presenters Sung-ting Tsai and Ming-chieh Pan will get into the really fun stuff, including details on Yosemite-compatible malware and rootkits they've developed. They'll demonstrate several new offensive techniques, including loading unsigned kernel modules and ways to avoid detection. They'll wrap by releasing System Virginity Verifier (SVV-X), a tool that scans for rootkits and abnormalities.

Speaking of stealth, what if attackers could hide malicious payloads in Android APK packages? And what if they were AES-encrypted, thus resisting reverse engineering? And, oh, let's say the encryption output was manipulated such that it appears to be a completely normal image file. Welcome to Hide Android Applications in Images, which will make up in wow factor what its title lacks in originality. Presenters Axelle Apvrille and Ange Albtertini note that their working proof-of-concept attack isn't so much about the nitty-gritty of crypto, but the subtle points of file formats... That's where the fun awaits.

Let's move from creating malware to capturing and analyzing it. Successful dynamic analysis can be difficult because sophisticated malware like Citadel and ZeuS/GameOver are equipped with anti-analysis techniques and do not engage in mischief on anything but an infected host. But what if you could "freeze dry" such malware for analysis elsewhere? Freeze Drying for Capturing Environment-Sensitive Malware Alive will debut Sweetspot, a malware capture system that can capture malware in-process by using process live migration and mimicking the infected host's environment on the analyzer by means of system call proxies. The tables are turned.

Along similar lines, FakeNet is a free and easy-to-use Windows network simulation tool that can trick malware into thinking it's online, allowing researchers to efficiently capture network signatures. Counterfeiting the Pipes With FakeNet 2.0 will teach you practical skills, like using FakeNet to mimic common protocols, configuring it to successfully confound malware, and how to zero in on processes generating malicious network activity. A hands-on component will let you try your hand at analyzing some poor, confused malware specimens.

Head on over to Black Hat Europe 2014's registration page to register.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, September 16, 2014
Malicious software is morphing to be more targeted, stealthy, and destructive. Are you prepared to stop it?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0985
Published: 2014-09-20
Stack-based buffer overflow in Advantech WebAccess (formerly BroadWin WebAccess) 7.2 allows remote attackers to execute arbitrary code via the NodeName parameter.

CVE-2014-0986
Published: 2014-09-20
Stack-based buffer overflow in Advantech WebAccess (formerly BroadWin WebAccess) 7.2 allows remote attackers to execute arbitrary code via the GotoCmd parameter.

CVE-2014-0987
Published: 2014-09-20
Stack-based buffer overflow in Advantech WebAccess (formerly BroadWin WebAccess) 7.2 allows remote attackers to execute arbitrary code via the NodeName2 parameter.

CVE-2014-0988
Published: 2014-09-20
Stack-based buffer overflow in Advantech WebAccess (formerly BroadWin WebAccess) 7.2 allows remote attackers to execute arbitrary code via the AccessCode parameter.

CVE-2014-0989
Published: 2014-09-20
Stack-based buffer overflow in Advantech WebAccess (formerly BroadWin WebAccess) 7.2 allows remote attackers to execute arbitrary code via the AccessCode2 parameter.

Best of the Web
Dark Reading Radio