Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


07:40 AM
Connect Directly

Rutkowska Launches Own Startup

Famed hacker's company to demo new Vista hacks, other stealth malware attacks at Black Hat USA

Exhibiting stealth that would do a hacker proud, renowned rootkit researcher Joanna Rutkowska has quietly started her own security consulting and research firm. (See Black Hat Woman.)

Rutkowska, who had been with Singapore-based research firm COSEINC, has launched Invisible Things Lab, a play on the name of her popular blog, Invisible Things. Although she's keeping mum on many details about her new Poland-based company for now, its public debut will be at Black Hat USA in July, where she and a fellow researcher will provide a training course on stealth malware -- including new ways to bypass the Windows Vista kernel.

"Delivering specialized training will for sure be part of our business strategy. But this will be only one area," she says. Alex Tereshkin, a rootkit researcher known as "90210," will join Invisible Things Lab on May 1, and will team up with Rutkowska on the Black Hat training sessions, she says.

The Black Hat sessions in Las Vegas will focus on stealth malware in Windows and Windows Vista x64, and Rutkowska will provide an encore to her groundbreaking Vista kernel hack -- this time with the latest Windows Vista x64 version. "We will present some new ways for getting into the kernel of the latest Vista x64 builds -- as Microsoft has fixed the 'pagefile attack' vector that I demonstrated at the Black Hat last year." (See Hacking the Vista Kernel.)

The new Vista attacks are simple, she says, and more practical for malware authors than the attack she demo'ed last year at Black Hat. And Rutkowska's point is chilling: "The whole point of this part of the training will be to convince people that effective kernel protection, in case of a general-purpose OS, like Windows, is simply impossible to implement today -- and probably will not be within next five- to 10 years."

Rutkowska says the overall goal is to educate vendors and researchers on how stealth malware such as rootkits operates and to show just what the related attack methods let the attacker do, and the challenges to fighting back. She expects security vendors (antivirus, personal firewall, and IDS, for instance), operating system vendors, and penetration testing firms and forensics investigators, to be the main audience. But the attack techniques aren't just a Microsoft problem -- they also could be used against other OSes, such as Linux or Unix BSD, she notes.

She says the training should help security vendors improve their personal firewalls, or rootkit detectors, for example. And the message is even more profound for OS vendors: "For the OS vendors, the training might serve as an eye-opener to the problems we have today and that they could only be properly addressed by redesigning the operating systems themselves."

The researchers also will show new network driver interface specification (NDIS)-hooking techniques, using Vista as an example. "This is all about implementing various kernel network backdoors and bypassing personal firewalls," Rutkowska says. "Of course, we will present all the tricky implementation details and allow participants to analyze everything under the kernel debugger."

Blue Pill, Rutkowska's virtualization-based malware project, will also be part of the two-day training session. "We will talk about the implementation details behind Blue Pill-like malware which have never been disclosed before," she says. Among other things, the researchers will show how to implement "nested" hypervisors, and demonstrate multiple Blue Pills nested inside one another. The goal is to help attendees understand how this works so they can build solutions to prevent such attacks.

Rutkowska also will cover a topic she revealed at Black Hat DC, how malware can bypass forensic analysis to remain undetected. "We will present the working code which cheats hardware-based memory access using a FireWire connection." That should provide a wakeup call to forensic investigators, she says. (See How to Cheat Hardware Memory Access.)

The training will be held in two-day sessions on July 28 and 29; and again on July 30 and 31.

— Kelly Jackson Higgins, Senior Editor, Dark Reading

  • Microsoft Corp. (Nasdaq: MSFT)
  • Black Hat Inc. Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    Navigating Security in the Cloud
    Diya Jolly, Chief Product Officer, Okta,  12/4/2019
    Register for Dark Reading Newsletters
    White Papers
    Cartoon Contest
    Current Issue
    Navigating the Deluge of Security Data
    In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
    Flash Poll
    Rethinking Enterprise Data Defense
    Rethinking Enterprise Data Defense
    Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    PUBLISHED: 2019-12-06
    Dell Command Configure versions prior to 4.2.1 contain an uncontrolled search path vulnerability. A locally authenticated malicious user could exploit this vulnerability by creating a symlink to a target file, allowing the attacker to overwrite or corrupt a specified file on the system.
    PUBLISHED: 2019-12-06
    Cloud Foundry UAA Release, versions prior to v74.10.0, when set to logging level DEBUG, logs client_secret credentials when sent as a query parameter. A remote authenticated malicious user could gain access to user credentials via the uaa.log file if authentication is provided via query parameters.
    PUBLISHED: 2019-12-06
    Versions of Armeria 0.85.0 through and including 0.96.0 are vulnerable to HTTP response splitting, which allows remote attackers to inject arbitrary HTTP headers via CRLF sequences when unsanitized data is used to populate the headers of an HTTP response. This vulnerability has been patched in 0.97....
    PUBLISHED: 2019-12-06
    There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are n...
    PUBLISHED: 2019-12-06
    An issue was discovered on Weidmueller IE-SW-VL05M 3.6.6 Build 16102415, IE-SW-VL08MT 3.5.2 Build 16102415, and IE-SW-PL10M 3.3.16 Build 16102416 devices. Remote authenticated users can crash a device with a special packet because of Uncontrolled Resource Consumption.