Presented at
DEF CON 13 (2005),
July 31, 2005, 3 p.m.
(50 minutes).
Last year at Black Hat, we introduced the rootkit FU. FU took an unprecented approach to hiding not previously seen before in a Windows rootkit. Rather than patching code or modifying function pointers in well known operating system structures like the system call table, FU demonstrated that is was possible to control the execution path indirectly by modifying private kernel objects in memory. This technique was coined DKOM, or Direct Kernel Object Manipulation. The difficulty in detecting this form of attack caused concern for anti-malware developers. This year, FU teams up with Shadow Walker to raise the bar for rootkit detectors once again. In this talk we will explore the idea of memory subversion. We demonstrate that is not only possible to hide a rootkit driver in memory, but that it is possible to do so with a minimal performance impact. The application (threat) of this attack extends beyond rootkits. As bug hunters turn toward kernel level exploits, we can extrapolate its application to worms and other forms of malware. Memory scanners beware the axiom, ‘vidre est credere' . Let us just say that it does not hold the same way that it used to.
Presenters:
-
Sherri Sparks
Sherri Sparks is a PhD student at the University of Central Florida. She received her undergraduate degree in Computer Engineering and subsequently switched to Computer Science after developing an interest in reverse code engineering and computer security. She also holds a graduate certificate in Computer Forensics. Currently, her research interests include offensive / defensive malicious code technologies and related issues in digital forensic applications.
-
Jamie Butler
- Director of Engineering, HB Gary
Jamie Butler is the Director of Engineering at HBGary, Inc. specializing in rootkits and other subversive technologies. He is the co-author and a teacher of "Aspects of Offensive Rootkit Technologies" and co-author of the upcoming book "Rootkits: Subverting the Windows Kernel" due out late July. Prior to accepting the position at HBGary, he was a senior developer on the Windows Host Sensor at Enterasys Networks, Inc. and a computer scientist at the NSA. He holds a MS in CS from UMBC and has published articles in the IEEE IA Workshop proceedings, Phrack, USENIX login, and Information Management and Computer Security. Over the past few years his focus has been on Windows servers concentrating in host based intrusion detection and prevention, buffer overflows, and reverse engineering. Jamie is also a contributor at rootkit.com.
Links:
Similar Presentations: