07:40 AM
Rutkowska Launches Own Startup

Famed hacker's company to demo new Vista hacks, other stealth malware attacks at Black Hat USA

Exhibiting stealth that would do a hacker proud, renowned rootkit researcher Joanna Rutkowska has quietly started her own security consulting and research firm. (See Black Hat Woman.)

Rutkowska, who had been with Singapore-based research firm COSEINC, has launched Invisible Things Lab, a play on the name of her popular blog, Invisible Things. Although she's keeping mum on many details about her new Poland-based company for now, its public debut will be at Black Hat USA in July, where she and a fellow researcher will provide a training course on stealth malware -- including new ways to bypass the Windows Vista kernel.

"Delivering specialized training will for sure be part of our business strategy. But this will be only one area," she says. Alex Tereshkin, a rootkit researcher known as "90210," will join Invisible Things Lab on May 1, and will team up with Rutkowska on the Black Hat training sessions, she says.

The Black Hat sessions in Las Vegas will focus on stealth malware in Windows and Windows Vista x64, and Rutkowska will provide an encore to her groundbreaking Vista kernel hack -- this time with the latest Windows Vista x64 version. "We will present some new ways for getting into the kernel of the latest Vista x64 builds -- as Microsoft has fixed the 'pagefile attack' vector that I demonstrated at the Black Hat last year." (See Hacking the Vista Kernel.)

The new Vista attacks are simple, she says, and more practical for malware authors than the attack she demoed last year at Black Hat. And Rutkowska's point is chilling: "The whole point of this part of the training will be to convince people that effective kernel protection, in case of a general-purpose OS, like Windows, is simply impossible to implement today -- and probably will not be within the next five to 10 years."

Rutkowska says the overall goal is to educate vendors and researchers on how stealth malware such as rootkits operates, to show just what the related attack methods let the attacker do, and to lay out the challenges to fighting back. She expects security vendors (antivirus, personal firewall, and IDS, for instance), operating system vendors, penetration testing firms, and forensics investigators to be the main audience. But the attack techniques aren't just a Microsoft problem -- they also could be used against other OSes, such as Linux or Unix BSD, she notes.

She says the training should help security vendors improve their personal firewalls, or rootkit detectors, for example. And the message is even more profound for OS vendors: "For the OS vendors, the training might serve as an eye-opener to the problems we have today and that they could only be properly addressed by redesigning the operating systems themselves."

The researchers also will show new Network Driver Interface Specification (NDIS) hooking techniques, using Vista as an example. "This is all about implementing various kernel network backdoors and bypassing personal firewalls," Rutkowska says. "Of course, we will present all the tricky implementation details and allow participants to analyze everything under the kernel debugger."

Blue Pill, Rutkowska's virtualization-based malware project, will also be part of the two-day training session. "We will talk about the implementation details behind Blue Pill-like malware which have never been disclosed before," she says. Among other things, the researchers will show how to implement "nested" hypervisors, and demonstrate multiple Blue Pills nested inside one another. The goal is to help attendees understand how this works so they can build solutions to prevent such attacks.

Rutkowska also will cover a topic she revealed at Black Hat DC: how malware can bypass forensic analysis to remain undetected. "We will present the working code which cheats hardware-based memory access using a FireWire connection." That should provide a wake-up call to forensic investigators, she says. (See How to Cheat Hardware Memory Access.)

The training will be held in two-day sessions on July 28 and 29, and again on July 30 and 31.

— Kelly Jackson Higgins, Senior Editor, Dark Reading
