Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Black Hat USA
July 31 - August 5, 2021
Las Vegas, NV, USA
SecTor
November 4 - October 30, 2021
Toronto, ON, Canada
Black Hat Europe
November 8-11, 2021
Virtual Event
2/26/2015
11:00 AM
Black Hat Staff
Black Hat Staff
Event Updates
50%
50%

Black Hat Asia 2015: Target: Malware

Hostile software is ever evolving, and Black Hat-associated research is one of the key loci of information on monitoring, defending against, and nullifying it. With that in mind, today we'll preview a quartet of interesting malware-related Briefings from Black Hat Asia 2015.

Malware commonly turns to API-wrapping techniques to obfuscate API calls, which makes it difficult to reverse-engineer the code. The old way of dealing with this, binary pattern matching, is easily defeated by simply changing the obfuscation pattern. What's needed is a more robust deobfuscation scheme ... how about one based on memory access analysis? API Deobfuscator: Identifying Runtime-Obfuscated API Calls via Memory Access Analysis will detail just such a scheme, which can generate maps between obfuscated API calls and their true invocations. And so the arms race continues.

Continuing on this sneaky malware kick, some of the more advanced malware, such as Citadel and Zeus/GameOver, can detect when they're being run in security researchers' sandboxes and halt all execution--stifling attempts to study them. As always, two can play that game. SLIME: Automated Anti-Sandboxing Disarmament System will show you how to defeat these countermeasures, automatically disarming them so analysis can proceed. Be sure to stick around for data on this technique's effectiveness on real-world, large-scale malware samples.

The Security Content Automation Protocol (SCAP) comprises a number of open standards meant to enumerate system vulnerabilities and malware characteristics via components like Common Vulnerabilities and Exposures (CVE), Common Configuration Enumeration (CCE), and Malware Attribute Enumeration and Characterization (MAEC), which all capture high-fidelity data in XML. Unfortunately, their XML schemes lack mutual compatibility, making deeper cross-analysis difficult. Security Content Metadata Model with an Efficient Search Methodology for Real Time Monitoring and Threat Intelligence proposes a low-impact way to modify these schema which will result in more powerful analyses that can resolve vulnerabilities before they're exploited.

Lastly, Android's become another hot frontier in the fight against malware, and static and dynamic analysis tools such as IDA, Smali, and mobile sandboxes have been created in response to Android malware's increasingly complex defensive measures. But even these can be worked around. DABiD: The Powerful Interactive Android Debugger for Android Malware Analysis will introduce DABiD (Dynamic Android Binary Debugger), an interactive Android debugger. DABiD can catch malwares' dynamic code modifications, monitor dynamically loaded classes, control execution flow, or disable certain instructions, making it easier to analyze and squash. All that, and it doesn't even need root.

Black Hat Asia 2015 takes place March 24 to 27 at the Marina Bay Sands in Singapore. Register today!

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Commentary
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
Edge-DRsplash-11-edge-ask-the-experts
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
News
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Zero Trust doesn't have to break your budget!
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-32243
PUBLISHED: 2021-06-16
FOGProject v1.5.9 is affected by a File Upload RCE (Authenticated).
CVE-2021-32244
PUBLISHED: 2021-06-16
Cross Site Scripting (XSS) in Moodle 3.10.3 allows remote attackers to execute arbitrary web script or HTML via the "Description" field.
CVE-2021-32245
PUBLISHED: 2021-06-16
In PageKit v1.0.18, a user can upload SVG files in the file upload portion of the CMS. These SVG files can contain malicious scripts. This file will be uploaded to the system and it will not be stripped or filtered. The user can create a link on the website pointing to "/storage/exp.svg" t...
CVE-2021-34201
PUBLISHED: 2021-06-16
D-Link DIR-2640-US 1.01B04 is vulnerable to Buffer Overflow. There are multiple out-of-bounds vulnerabilities in some processes of D-Link AC2600(DIR-2640). Local ordinary users can overwrite the global variables in the .bss section, causing the process crashes or changes.
CVE-2021-34203
PUBLISHED: 2021-06-16
D-Link DIR-2640-US 1.01B04 is vulnerable to Incorrect Access Control. Router ac2600 (dir-2640-us), when setting PPPoE, will start quagga process in the way of whole network monitoring, and this function uses the original default password and port. An attacker can easily use telnet to log in, modify ...