4/26/2007 07:40 AM
Rutkowska Launches Own Startup

Famed hacker's company to demo new Vista hacks, other stealth malware attacks at Black Hat USA

Exhibiting stealth that would do a hacker proud, renowned rootkit researcher Joanna Rutkowska has quietly started her own security consulting and research firm. (See Black Hat Woman.)

Rutkowska, who had been with Singapore-based research firm COSEINC, has launched Invisible Things Lab, a play on the name of her popular blog, Invisible Things. Although she's keeping mum on many details about her new Poland-based company for now, its public debut will be at Black Hat USA in July, where she and a fellow researcher will provide a training course on stealth malware -- including new ways to bypass the Windows Vista kernel.

"Delivering specialized training will for sure be part of our business strategy. But this will be only one area," she says. Alex Tereshkin, a rootkit researcher known as "90210," will join Invisible Things Lab on May 1, and will team up with Rutkowska on the Black Hat training sessions, she says.

The Black Hat sessions in Las Vegas will focus on stealth malware in Windows and Windows Vista x64, and Rutkowska will provide an encore to her groundbreaking Vista kernel hack -- this time with the latest Windows Vista x64 version. "We will present some new ways for getting into the kernel of the latest Vista x64 builds -- as Microsoft has fixed the 'pagefile attack' vector that I demonstrated at the Black Hat last year." (See Hacking the Vista Kernel.)

The new Vista attacks are simple, she says, and more practical for malware authors than the attack she demoed last year at Black Hat. And Rutkowska's point is chilling: "The whole point of this part of the training will be to convince people that effective kernel protection, in case of a general-purpose OS, like Windows, is simply impossible to implement today -- and probably will not be within the next five to 10 years."

Rutkowska says the overall goal is to educate vendors and researchers on how stealth malware such as rootkits operates, to show just what the related attack methods let the attacker do, and to explain the challenges of fighting back. She expects security vendors (antivirus, personal firewall, and IDS, for instance), operating system vendors, penetration testing firms, and forensics investigators to be the main audience. But the attack techniques aren't just a Microsoft problem -- they also could be used against other OSes, such as Linux or Unix BSD, she notes.

She says the training should help security vendors improve their personal firewalls, or rootkit detectors, for example. And the message is even more profound for OS vendors: "For the OS vendors, the training might serve as an eye-opener to the problems we have today and that they could only be properly addressed by redesigning the operating systems themselves."

The researchers also will show new network driver interface specification (NDIS)-hooking techniques, using Vista as an example. "This is all about implementing various kernel network backdoors and bypassing personal firewalls," Rutkowska says. "Of course, we will present all the tricky implementation details and allow participants to analyze everything under the kernel debugger."

Blue Pill, Rutkowska's virtualization-based malware project, will also be part of the two-day training session. "We will talk about the implementation details behind Blue Pill-like malware which have never been disclosed before," she says. Among other things, the researchers will show how to implement "nested" hypervisors, and demonstrate multiple Blue Pills nested inside one another. The goal is to help attendees understand how this works so they can build solutions to prevent such attacks.

Rutkowska also will cover a topic she revealed at Black Hat DC: how malware can bypass forensic analysis to remain undetected. "We will present the working code which cheats hardware-based memory access using a FireWire connection." That should provide a wakeup call to forensic investigators, she says. (See How to Cheat Hardware Memory Access.)

The training will be held in two-day sessions on July 28 and 29, and again on July 30 and 31.

— Kelly Jackson Higgins, Senior Editor, Dark Reading
