Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Black Hat Asia
March 26-29, 2019
Singapore
Black Hat USA
August 3-8, 2019
Las Vegas, NV, USA
Black Hat Europe
December 2-5, 2019
London UK
2/26/2015
11:00 AM
Black Hat Staff
Black Hat Staff
Event Updates
50%
50%

Black Hat Asia 2015: Target: Malware

Hostile software is ever evolving, and Black Hat-associated research is one of the key loci of information on monitoring, defending against, and nullifying it. With that in mind, today we'll preview a quartet of interesting malware-related Briefings from Black Hat Asia 2015.

Malware commonly turns to API-wrapping techniques to obfuscate API calls, which makes it difficult to reverse-engineer the code. The old way of dealing with this, binary pattern matching, is easily defeated by simply changing the obfuscation pattern. What's needed is a more robust deobfuscation scheme ... how about one based on memory access analysis? API Deobfuscator: Identifying Runtime-Obfuscated API Calls via Memory Access Analysis will detail just such a scheme, which can generate maps between obfuscated API calls and their true invocations. And so the arms race continues.

Continuing on this sneaky malware kick, some of the more advanced malware, such as Citadel and Zeus/GameOver, can detect when they're being run in security researchers' sandboxes and halt all execution--stifling attempts to study them. As always, two can play that game. SLIME: Automated Anti-Sandboxing Disarmament System will show you how to defeat these countermeasures, automatically disarming them so analysis can proceed. Be sure to stick around for data on this technique's effectiveness on real-world, large-scale malware samples.

The Security Content Automation Protocol (SCAP) comprises a number of open standards meant to enumerate system vulnerabilities and malware characteristics via components like Common Vulnerabilities and Exposures (CVE), Common Configuration Enumeration (CCE), and Malware Attribute Enumeration and Characterization (MAEC), which all capture high-fidelity data in XML. Unfortunately, their XML schemes lack mutual compatibility, making deeper cross-analysis difficult. Security Content Metadata Model with an Efficient Search Methodology for Real Time Monitoring and Threat Intelligence proposes a low-impact way to modify these schema which will result in more powerful analyses that can resolve vulnerabilities before they're exploited.

Lastly, Android's become another hot frontier in the fight against malware, and static and dynamic analysis tools such as IDA, Smali, and mobile sandboxes have been created in response to Android malware's increasingly complex defensive measures. But even these can be worked around. DABiD: The Powerful Interactive Android Debugger for Android Malware Analysis will introduce DABiD (Dynamic Android Binary Debugger), an interactive Android debugger. DABiD can catch malwares' dynamic code modifications, monitor dynamically loaded classes, control execution flow, or disable certain instructions, making it easier to analyze and squash. All that, and it doesn't even need root.

Black Hat Asia 2015 takes place March 24 to 27 at the Marina Bay Sands in Singapore. Register today!

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
For Cybersecurity to Be Proactive, Terrains Must Be Mapped
Craig Harber, Chief Technology Officer at Fidelis Cybersecurity,  10/8/2019
A Realistic Threat Model for the Masses
Lysa Myers, Security Researcher, ESET,  10/9/2019
USB Drive Security Still Lags
Dark Reading Staff 10/9/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-17545
PUBLISHED: 2019-10-14
GDAL through 3.0.1 has a poolDestroy double free in OGRExpatRealloc in ogr/ogr_expat.cpp when the 10MB threshold is exceeded.
CVE-2019-17546
PUBLISHED: 2019-10-14
tif_getimage.c in LibTIFF through 4.0.10, as used in GDAL through 3.0.1 and other products, has an integer overflow that potentially causes a heap-based buffer overflow via a crafted RGBA image, related to a "Negative-size-param" condition.
CVE-2019-17547
PUBLISHED: 2019-10-14
In ImageMagick before 7.0.8-62, TraceBezier in MagickCore/draw.c has a use-after-free.
CVE-2019-17501
PUBLISHED: 2019-10-14
Centreon 19.04 allows attackers to execute arbitrary OS commands via the Command Line field of main.php?p=60807&type=4 (aka the Configuration > Commands > Discovery screen).
CVE-2019-17539
PUBLISHED: 2019-10-14
In FFmpeg before 4.2, avcodec_open2 in libavcodec/utils.c allows a NULL pointer dereference and possibly unspecified other impact when there is no valid close function pointer.