
Black Hat Europe 2008 Briefings and Training

Moevenpick Hotel Amsterdam City Centre, the Netherlands • 25-26 March

Understanding Stealth Malware

Joanna Rutkowska and Alexander Tereshkin



Overview:
The course will provide attendees with an in-depth understanding of how advanced stealth malware works and how it interacts with the operating system, the underlying hardware and the network. Attendees will have a chance to run, analyze and experiment with several previously unpublished samples of proof-of-concept rootkits, similar to Deepdoor, FireWalk, Blue Pill and others. The malware samples will be created from scratch (and in a slightly different way) exclusively for use during the training, as the original implementations cannot be used due to NDA restrictions.

Simpler stealth malware will also be briefly covered, together with approaches to its detection, so that participants get a clear understanding of what advantages the more sophisticated malware offers to attackers.

This course is focused on Windows systems (and Vista x64 specifically), although some of the concepts presented, such as Blue Pill-like malware or methods for cheating hardware-based memory acquisition, are OS-independent.

A significant amount of previously unpublished techniques, code and ideas will be presented during this training, including new ways to subvert the Vista x64 kernel on the fly.

Key topics

  • Overview of Traditional Rootkit Technology (TRT)
  • Stealth by Design malware (SbD)
  • “Data hooking only” malware (Type II infections)
  • Advanced NDIS traffic filtering and PFWs bypassing
  • Vista x64 kernel protection: challenges and solutions
  • Virtualization: (anti)malware beyond the OS
  • Malware beyond the CPU

Who Should Attend?
The main goal is to help students understand contemporary malware techniques, enable them to see the "bigger picture" behind the technical details and show possible approaches to compromise detection. The course is therefore primarily targeted at developers of security products, forensic investigators, pen-testers and OS developers.

Prerequisites
Basic knowledge of OS design and implementation (specifically Windows), C programming, at least basic experience with debugging and ability to understand fragments of assembler code (IA32 architecture).

Due to the course content, the trainer reserves the right to train only employees of government, law enforcement and reputable companies. Please register for the course with an email address that you can send and receive from, which is hosted in your organization's domain. Black Hat reserves the right to verify your ability to respond to email at the address and cancel the order if the verification fails (no response within 7 days). If you register with an email address not hosted in your organization, we may ask you to provide an email address within the organization that we can use for verification.

What to bring:
Each attendee should bring at least one laptop with a 64-bit AMD or Intel processor and a DVD drive (VMware images will be handed out on DVDs).

In order to be able to experiment with virtualization-based malware (Blue Pill), the processor must support hardware virtualization technology: either AMD-V or Intel VT-x.

Examples of processors that meet this requirement:

  • AMD Turion 64 X2
  • AMD Athlon 64 X2
  • Intel Core 2 Solo
  • Intel Core 2 Duo (except T5500 and T5550 models)
  • Intel Core 2 Extreme
To allow for convenient work with VMware guests, 2GB of memory is recommended.

The laptop should have a 64-bit Windows OS installed: XP or Vista.

Additionally, the following software should be installed:
  1. Windows Driver Kit (WDK) 6000 or newer (available via MSDN subscription) to allow for building Windows kernel drivers.
  2. VMware Workstation 6 or VMware Player 2 (the latter is free)
  3. Optionally: IDA Pro 5.x disassembler (for exercises that involve finding bugs in drivers)
Please note that the exercises that involve virtualization-based malware cannot be done inside VMware (or any other currently available VMM) and will have to be run on a native machine. This means that there is a risk of crashing the machine or, in the most pessimistic albeit unlikely scenario, even making it unbootable. It is thus advised to make a backup copy of all important data in advance or, better yet, not to use a "production" laptop for this type of experiment.


Addendum - 01 March 2008:

To ensure that the practical part devoted to virtualization can be done smoothly, we have prepared a special program to test whether a given machine indeed supports hardware virtualization technology.

The CHKSVMX program can be downloaded from the following URL:

http://invisiblethingslab.com/pub/chksvmx.exe

The test program doesn't introduce any persistent changes to the OS and doesn't require any installation procedure. It checks for virtualization support not only by reading the CPUID information but also by trying to actually enable virtualization mode and then disable it again. Although most of the laptops available these days support hardware virtualization, in many cases this feature is disabled or locked down in the BIOS. If virtualization is reported as "locked", please try to enable it; here are some typical places where you can find this switch in various BIOSes:

  • IBM/Lenovo: Config/CPU/Intel Virtualization Technology
  • Intel (and many others): Security/VT Technology
  • Mac Book/Mac Book Pro: enabled by default :)

Please note that in most cases you will have to fully power down your system for the BIOS changes to take effect (reboot is not enough)!

Additionally, CHKSVMX checks whether a 64-bit edition of Windows is running, as such an OS is required for the training.
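The two layers of the check described above (CPUID advertising the feature versus the BIOS actually leaving it enabled) can be seen in the following added example. It is not the source of ITL's CHKSVMX, which is not on this page; it is illustration code written for this edit. It decodes the CPUID bits for VT-x (CPUID.1:ECX bit 5) and AMD-V (CPUID.80000001h:ECX bit 2) and classifies an Intel machine from the IA32_FEATURE_CONTROL MSR (0x3A): with the lock bit set and the "VMX outside SMX" bit clear, VMXON will fault and the feature is what the page calls "locked", which only a BIOS change (and a full power-down) can fix. Because rdmsr is a privileged instruction, the MSR value is passed in rather than read, on the assumption that a small ring-0 driver supplied it; the live CPUID probe runs only when compiled on x86 and is skipped elsewhere.

```c
/* Added example, not ITL's CHKSVMX: decode CPUID / IA32_FEATURE_CONTROL bits
 * that decide whether VT-x or AMD-V can actually be turned on. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

#define CPUID1_ECX_VMX        (1u << 5)   /* CPUID.1:ECX[5]         = Intel VT-x */
#define CPUID_EXT_ECX_SVM     (1u << 2)   /* CPUID.80000001h:ECX[2] = AMD-V (SVM) */

/* IA32_FEATURE_CONTROL (MSR 0x3A), Intel only */
#define FC_LOCK               (1ull << 0) /* once set, bits are frozen until reset */
#define FC_VMX_IN_SMX         (1ull << 1)
#define FC_VMX_OUTSIDE_SMX    (1ull << 2) /* must be set for a normal VMXON to succeed */

enum vt_state {
    VT_NOT_SUPPORTED, /* CPUID does not advertise VMX at all */
    VT_ENABLED,       /* locked and enabled: VMXON will work */
    VT_LOCKED_OFF,    /* locked and disabled by BIOS: the "locked" case, change BIOS, power down */
    VT_UNLOCKED       /* lock bit clear: a ring-0 driver may set enable+lock itself */
};

bool cpuid_has_vmx(uint32_t leaf1_ecx)       { return (leaf1_ecx & CPUID1_ECX_VMX) != 0; }
bool cpuid_has_svm(uint32_t leaf80000001_ecx) { return (leaf80000001_ecx & CPUID_EXT_ECX_SVM) != 0; }

/* Classify an Intel CPU from CPUID leaf 1 ECX and a raw IA32_FEATURE_CONTROL value.
 * The MSR value is assumed to come from a kernel driver (rdmsr is privileged). */
enum vt_state intel_vt_state(uint32_t leaf1_ecx, uint64_t feature_control)
{
    if (!cpuid_has_vmx(leaf1_ecx))
        return VT_NOT_SUPPORTED;
    if (!(feature_control & FC_LOCK))
        return VT_UNLOCKED;
    return (feature_control & FC_VMX_OUTSIDE_SMX) ? VT_ENABLED : VT_LOCKED_OFF;
}

const char *vt_state_name(enum vt_state s)
{
    switch (s) {
    case VT_NOT_SUPPORTED: return "not supported";
    case VT_ENABLED:       return "enabled";
    case VT_LOCKED_OFF:    return "locked (disabled in BIOS)";
    case VT_UNLOCKED:      return "unlocked (not yet enabled)";
    }
    return "?";
}

/* Live CPUID probe; only meaningful on x86. Returns false when nothing was probed.
 * Note: a hypervisor may hide the VMX/SVM bit, which is one reason the page says
 * the virtualization exercises must run on a native machine. */
bool probe_cpuid(uint32_t *leaf1_ecx, uint32_t *ext_ecx)
{
#if defined(__x86_64__) || defined(__i386__)
    unsigned a, b, c, d;
    if (!__get_cpuid(1, &a, &b, &c, &d))
        return false;
    *leaf1_ecx = c;
    if (!__get_cpuid(0x80000001u, &a, &b, &c, &d))
        c = 0;                      /* extended leaf absent: treat as no SVM */
    *ext_ecx = c;
    return true;
#else
    (void)leaf1_ecx; (void)ext_ecx;
    return false;
#endif
}

int main(void)
{
    uint32_t ecx1 = 0, ecx_ext = 0;
    if (!probe_cpuid(&ecx1, &ecx_ext)) {
        puts("not an x86 build, CPUID not probed");
        return 0;
    }
    printf("VT-x advertised: %s, AMD-V advertised: %s\n",
           cpuid_has_vmx(ecx1) ? "yes" : "no", cpuid_has_svm(ecx_ext) ? "yes" : "no");

    /* Constructed MSR values standing in for what a driver would read. */
    uint64_t bios_locked_off = FC_LOCK;                       /* typical "locked" laptop */
    uint64_t bios_enabled    = FC_LOCK | FC_VMX_OUTSIDE_SMX;  /* VT enabled in BIOS */
    printf("0x%llx -> %s\n", (unsigned long long)bios_locked_off,
           vt_state_name(intel_vt_state(ecx1 | CPUID1_ECX_VMX, bios_locked_off)));
    printf("0x%llx -> %s\n", (unsigned long long)bios_enabled,
           vt_state_name(intel_vt_state(ecx1 | CPUID1_ECX_VMX, bios_enabled)));
    return 0;
}
```

The AMD side has an analogous lock (the VM_CR MSR's SVMDIS bit together with the SVM-lock flag in CPUID leaf 8000000Ah), which the example leaves out for brevity; the practical consequence is the same as on Intel: CPUID can say "yes" while the BIOS has switched the feature off, and only a full power-down after changing the BIOS setting clears the locked state.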

DISCLAIMER: The test program is digitally signed with Invisible Things Lab's certificate and ITL assures that the program does not perform any malicious actions. ITL is, however, not responsible for any accidental damage or system instability issues the test program might cause, although effort has been made to make the program reliable.


Course Length: Two days. All course materials, lunch and two coffee breaks will be provided. A Certificate of Completion will be offered. You must provide your own laptop.

Trainer:

Joanna Rutkowska

is a recognized researcher in the field of stealth malware and system compromises. Over the past several years she has introduced several breakthrough concepts and techniques on both the offensive and defensive side in this field. Her work has been quoted many times by the international press and she is also a frequent speaker at security conferences around the world.

Check out Joanna's blog on her training.

Alexander Tereshkin

aka 90210, is a seasoned reverse engineer and Windows kernel expert, specializing in rootkit technology and kernel exploitation. He has presented several sophisticated ideas for rootkit creation and personal firewall bypassing in the past few years. During the last year, while working for COSEINC Advanced Malware Labs, he has done significant work in the field of virtualization-based malware and kernel protection bypassing.


Pricing:

  • Early (ends January 1): 1900 EUR
  • Regular (ends February 25): 2000 EUR
  • Late/Onsite (begins March 14): 2100 EUR

1997-2008 Black Hat ™