informa
News

Rutkowska Launches Own Startup

Famed hacker's company to demo new Vista hacks, other stealth malware attacks at Black Hat USA

Exhibiting stealth that would do a hacker proud, renowned rootkit researcher Joanna Rutkowska has quietly started her own security consulting and research firm. (See Black Hat Woman.)

Rutkowska, who had been with Singapore-based research firm COSEINC, has launched Invisible Things Lab, a play on the name of her popular blog, Invisible Things. Although she's keeping mum on many details about her new Poland-based company for now, its public debut will be at Black Hat USA in July, where she and a fellow researcher will provide a training course on stealth malware -- including new ways to bypass the Windows Vista kernel.

"Delivering specialized training will for sure be part of our business strategy. But this will be only one area," she says. Alex Tereshkin, a rootkit researcher known as "90210," will join Invisible Things Lab on May 1, and will team up with Rutkowska on the Black Hat training sessions, she says.

The Black Hat sessions in Las Vegas will focus on stealth malware in Windows and Windows Vista x64, and Rutkowska will provide an encore to her groundbreaking Vista kernel hack -- this time with the latest Windows Vista x64 version. "We will present some new ways for getting into the kernel of the latest Vista x64 builds -- as Microsoft has fixed the 'pagefile attack' vector that I demonstrated at the Black Hat last year." (See Hacking the Vista Kernel.)

The new Vista attacks are simple, she says, and more practical for malware authors than the attack she demo'ed last year at Black Hat. And Rutkowska's point is chilling: "The whole point of this part of the training will be to convince people that effective kernel protection, in case of a general-purpose OS, like Windows, is simply impossible to implement today -- and probably will not be within next five- to 10 years."

Rutkowska says the overall goal is to educate vendors and researchers on how stealth malware such as rootkits operates and to show just what the related attack methods let the attacker do, and the challenges to fighting back. She expects security vendors (antivirus, personal firewall, and IDS, for instance), operating system vendors, and penetration testing firms and forensics investigators, to be the main audience. But the attack techniques aren't just a Microsoft problem -- they also could be used against other OSes, such as Linux or Unix BSD, she notes.

She says the training should help security vendors improve their personal firewalls, or rootkit detectors, for example. And the message is even more profound for OS vendors: "For the OS vendors, the training might serve as an eye-opener to the problems we have today and that they could only be properly addressed by redesigning the operating systems themselves."

The researchers also will show new network driver interface specification (NDIS)-hooking techniques, using Vista as an example. "This is all about implementing various kernel network backdoors and bypassing personal firewalls," Rutkowska says. "Of course, we will present all the tricky implementation details and allow participants to analyze everything under the kernel debugger."

Blue Pill, Rutkowska's virtualization-based malware project, will also be part of the two-day training session. "We will talk about the implementation details behind Blue Pill-like malware which have never been disclosed before," she says. Among other things, the researchers will show how to implement "nested" hypervisors, and demonstrate multiple Blue Pills nested inside one another. The goal is to help attendees understand how this works so they can build solutions to prevent such attacks.

Rutkowska also will cover a topic she revealed at Black Hat DC, how malware can bypass forensic analysis to remain undetected. "We will present the working code which cheats hardware-based memory access using a FireWire connection." That should provide a wakeup call to forensic investigators, she says. (See How to Cheat Hardware Memory Access.)

The training will be held in two-day sessions on July 28 and 29; and again on July 30 and 31.

— Kelly Jackson Higgins, Senior Editor, Dark Reading

  • Microsoft Corp. (Nasdaq: MSFT)
  • Black Hat Inc.
  • Recommended Reading: