Ring 0/-2 Rootkits: bypassing defenses

Presented at DEF CON 26 (2018), Aug. 9, 2018, noon (45 minutes)

Advanced malware such as TDL4, Rovnix, Gapz, Omasco, Mebromi and others have exposed in recent years various techniques used to circumvent the usual defenses and have shown how much companies are not prepared to deal with these sophisticated threats.

Although the industry has implemented new protections such as Virtualized Based Security, Windows SMM Security Mitigation Table (WSMT), Kernel Code Signing, HVCI, ELAM, Secure Boot, Boot Guard, BIOS Guard, and many others, it is still unknown the professionals of the architecture of these protections, what are the components attacked by these contemporary malwares in the context of BIOS / UEFI and what are the tricks used by them. Precisely because of the lack of adequate understanding, most machines (BIOS / UEFI + operating system) remain vulnerable in the same way as a few years ago.

In addition, there are a growing number of malwares that have used kernel drivers to circumvent limitations and protections in order to gain full access to the operating system and data. Exactly for these reasons, it is necessary to understand the way that malwares act as device drivers and what are the mechanisms used by these threats to infect an operating system.

The purpose of this presentation is to show clearly and without too much details that often hinders understanding, how these threats act, which components are attacked, what are the techniques used by these advanced malware to subvert the system and how existing protections work .


Presenters:

  • Alexandre Borges - Malware and Security Researcher at Blackstorm Security
    Alexandre has been working as Malware and Security researcher at Blackstorm Security, where he is daily involved with malware analysis cases, forensic and fraud investigations, reverse engineering and exploit development projects. In the past, Alexandre worked as instructor at Sun Microsystems for ten years and Symantec for six years. Nowadays, he is reviewer of"The Journal of Digital Forensics, Security and Law", referee on "Digital Investigation-The International Journal of Digital Forensics & Incident Response" and member of the Digital Law and Compliance Committee at OAB/SP. Slides and articles written by Alexandre are available on: http://www.blackstormsecurity.com/bs/en/en_articles.html @ale_sp_brazil, http://www.linkedin.com/in/aleborges, http://www.blackstormsecurity.com

Links:

Similar Presentations: