07:40 AM
Connect Directly

Rutkowska Launches Own Startup

Famed hacker's company to demo new Vista hacks, other stealth malware attacks at Black Hat USA

Exhibiting stealth that would do a hacker proud, renowned rootkit researcher Joanna Rutkowska has quietly started her own security consulting and research firm. (See Black Hat Woman.)

Rutkowska, who had been with Singapore-based research firm COSEINC, has launched Invisible Things Lab, a play on the name of her popular blog, Invisible Things. Although she's keeping mum on many details about her new Poland-based company for now, its public debut will be at Black Hat USA in July, where she and a fellow researcher will provide a training course on stealth malware -- including new ways to bypass the Windows Vista kernel.

"Delivering specialized training will for sure be part of our business strategy. But this will be only one area," she says. Alex Tereshkin, a rootkit researcher known as "90210," will join Invisible Things Lab on May 1, and will team up with Rutkowska on the Black Hat training sessions, she says.

The Black Hat sessions in Las Vegas will focus on stealth malware in Windows and Windows Vista x64, and Rutkowska will provide an encore to her groundbreaking Vista kernel hack -- this time with the latest Windows Vista x64 version. "We will present some new ways for getting into the kernel of the latest Vista x64 builds -- as Microsoft has fixed the 'pagefile attack' vector that I demonstrated at the Black Hat last year." (See Hacking the Vista Kernel.)

The new Vista attacks are simple, she says, and more practical for malware authors than the attack she demo'ed last year at Black Hat. And Rutkowska's point is chilling: "The whole point of this part of the training will be to convince people that effective kernel protection, in case of a general-purpose OS, like Windows, is simply impossible to implement today -- and probably will not be within next five- to 10 years."

Rutkowska says the overall goal is to educate vendors and researchers on how stealth malware such as rootkits operates and to show just what the related attack methods let the attacker do, and the challenges to fighting back. She expects security vendors (antivirus, personal firewall, and IDS, for instance), operating system vendors, and penetration testing firms and forensics investigators, to be the main audience. But the attack techniques aren't just a Microsoft problem -- they also could be used against other OSes, such as Linux or Unix BSD, she notes.

She says the training should help security vendors improve their personal firewalls, or rootkit detectors, for example. And the message is even more profound for OS vendors: "For the OS vendors, the training might serve as an eye-opener to the problems we have today and that they could only be properly addressed by redesigning the operating systems themselves."

The researchers also will show new network driver interface specification (NDIS)-hooking techniques, using Vista as an example. "This is all about implementing various kernel network backdoors and bypassing personal firewalls," Rutkowska says. "Of course, we will present all the tricky implementation details and allow participants to analyze everything under the kernel debugger."

Blue Pill, Rutkowska's virtualization-based malware project, will also be part of the two-day training session. "We will talk about the implementation details behind Blue Pill-like malware which have never been disclosed before," she says. Among other things, the researchers will show how to implement "nested" hypervisors, and demonstrate multiple Blue Pills nested inside one another. The goal is to help attendees understand how this works so they can build solutions to prevent such attacks.

Rutkowska also will cover a topic she revealed at Black Hat DC, how malware can bypass forensic analysis to remain undetected. "We will present the working code which cheats hardware-based memory access using a FireWire connection." That should provide a wakeup call to forensic investigators, she says. (See How to Cheat Hardware Memory Access.)

The training will be held in two-day sessions on July 28 and 29; and again on July 30 and 31.

— Kelly Jackson Higgins, Senior Editor, Dark Reading

  • Microsoft Corp. (Nasdaq: MSFT)
  • Black Hat Inc. Kelly Jackson Higgins is Executive Editor at She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    Russia Hacked Clinton's Computers Five Hours After Trump's Call
    Robert Lemos, Technology Journalist/Data Researcher,  4/19/2019
    Tips for the Aftermath of a Cyberattack
    Kelly Sheridan, Staff Editor, Dark Reading,  4/17/2019
    Register for Dark Reading Newsletters
    White Papers
    Current Issue
    5 Emerging Cyber Threats to Watch for in 2019
    Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
    Flash Poll
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    PUBLISHED: 2019-04-20
    An issue was discovered in ProjectSend r1053. upload-process-form.php allows finished_files[]=../ directory traversal. It is possible for users to read arbitrary files and (potentially) access the supporting database, delete arbitrary files, access user passwords, or run arbitrary code.
    PUBLISHED: 2019-04-20
    An out-of-bounds read in MediaInfoLib::File__Tags_Helper::Synched_Test in Tag/File__Tags.cpp in MediaInfoLib in MediaArea MediaInfo 18.12 leads to a crash.
    PUBLISHED: 2019-04-20
    An out-of-bounds read in File__Analyze::Get_L8 in File__Analyze_Buffer.cpp in MediaInfoLib in MediaArea MediaInfo 18.12 leads to a crash.
    PUBLISHED: 2019-04-20
    74CMS v5.0.1 has a CSRF vulnerability to add a new admin user via the index.php?m=Admin&c=admin&a=add URI.
    PUBLISHED: 2019-04-20
    Msvod v10 has a CSRF vulnerability to change user information via the admin/member/edit.html URI.