Friday, April 20, 2007

Understanding Stealth Malware

Ever wondered whether Blue Pill really works or was just a PR stunt? Ever wanted to see how practical are various timing attacks against it? (And can even those “unpractical” be cheated?) Or how many Blue Pills inside each other can you run and still be able to play your favorite 3D game smoothly? Or how deep Alex can hook into Windows NDIS to bypass your personal firewall? Do you want to see Patch Guard from a “bird’s eye view” perspective? Or do you simply want to find out how well the latest Vista x64 kernel is protected? Ever wondered how rootkits like Deepdoor and Firewalk really worked? You can’t sleep, because you’re thinking constantly about how Blue Pill-like malware can be prevented? Does Northbridge hacking sound sexy to you? :)

At the very end of July, during the Black Hat Briefings in Las Vegas, Alex Tereshkin and I will be running a training “Understanding Stealth Malware”, where you should be able to find answers to the above questions plus many more.

The training will feature many previously unpublished techniques, implementation details, and of course lots of brand new code, developed especially for the training. The code will include sample rootkits similar to Deepdoor, Firewalk, Blue Pill and Delusion (but redesigned and rewritten from scratch) as well as some more exotic things, like e.g. anti-hardware-forensic attacks.

As the training will be focused on Windows platform and Vista x64 specifically, we will also present some new kernel attacks against latest Vista x64 builds. These attacks, of course, work on the fly and do not require system reboot and are not afraid of the TPM/Bitlocker protection. (Although they could also be used to bypass Vista DRM protection, this subject will not be discussed during the training).

Attendees will mostly work with kernel debuggers in order to analyze and understand various techniques used in system compromises. The main goal of the training is to help students understand contemporary malware techniques, enable them to see the “bigger picture” over technical details and show possible approaches to compromise detection.

Thus the course is primarily targeted for developers of security products, forensic investigators, pen-testers and OS developers. It’s recommended that attendees have a basic knowledge of OS design and implementation (specifically Windows), C programming, at least basic experience with debugging and ability to understand fragments of assembler code (IA32 architecture).

For ethical reasons we want to limit the availability of this course to only "legitimate" companies, thus we require that you specify your official business email address and company's website when registering for the course.

Pre-configured workstations will be provided, so there is no need to prepare for the course in any specific way. You can find more information and register for the training on the blackhat website. Please note that there will be only 2 public classes of this training this year – both during the Black Hat Briefings (28/29 and 30/31 of July). More classes will be available only in the form of on-site trainings for corporate customers.

Please also note that the number of seats is hard-limited by the number of available workstations, so we encourage registering early.

As for the other news – I have just quit COSEINC last week and I’m in the process of establishing a new security consulting and research company. For now I can only betray the name: Invisible Things Lab - expect more details to be posted here in the coming weeks :)


Anonymous said...

Keep up the good work, and best of luck in your new venture!

Anonymous said...

Nice that you set up your own company. Can we know in which country ?

Thanks a lot for the quality of your posts.

Joanna Rutkowska said...

Thanks! The company is registered in Poland, of course :)

denis bider said...

Poland? That sounds like a bad choice. The taxation seems awful (mostly like anywhere in Europe).

I would certainly recommend an offshore company for the business you're in, unless you're of the "generous" persuasion. (I.e., don't mind being financially raped.)

I have a question about the workshop. Will you be there during both workshops (weekend and weekday), or will you be delivering one workshop and Alexander Tereshkin the other?

If not both of you will be present both times, then which one of you will be delivering which workshop?

Joanna Rutkowska said...

We will be teaching together both of the classes.

Anonymous said...

Best wishes for your new venture. Sorry, but I won't be able to attend blackhat. It sounds like some very interesting stuff. Just have to wait until I see it in the wild.



Joanna Rutkowska said...

Nah, you won't see it in the wild, 'cause that's really stealthy stuff ;)

Anonymous said...

new company, new adventure:) nice:) best wisches!


offshore company isn't good solution when you operate on polish or even EU market

Anonymous said...

Why not? Alot of companies doing like that?

Kartik said...

I will try and get a seat in your training this year. I am sure you will amaze us with more stealthy stuff.

BTW, Middle-East has no taxation and have Freezone concept too. Gave dubai a thought?

0xff said...

hi joanna, I am regular reader of your posts.

When'll you come again to Malaysia?

Anonymous said...


Good Luck with the New Company. We would all be in the dark without you...

Anonymous said...

"BTW, Middle-East has no taxation and have Freezone concept too. Gave dubai a thought?"

I don't know about Joanna, but we did. My wife steadfastly (and rightly) refuses to go anywhere where women are treated as second-class citizens, where men prescribe what clothing they have to wear, and where kissing in a taxi is punished with a $3,000 fine, or worse.

I like the liberated economy of places in the Middle East, but we can't consider anything more than just visiting there until the people's minds are liberated as well.

Anonymous said...

I've spent quite a long time in Middle East. Belive me (or not), I would NOT recommend to stay in such area for longer than 2 weeks journey.

Anonymous said...

Keep up the work, and Best of Luck.

I had just one question, for those you cannot attend your course, will you provide any material for them ????

cHaTtErBoX said...

Hey. Great u started your own firm. any plans to India.

Forensic Mortgage Loan Audit said...

while my post does not conform to your blog, i just had to mention that whatever has been exploited is causing so much harm. Specifically to our website that EXPOSES mortgage fraud in our area (Antelope Valley, Ca. 93552) The public is all our concern because homes are being swiped of their feet by these predators. Nevertheless our methods are hated by the perpetrators and for some reason since we started late August of 2006 I've had nothing but sleepless nights to keep the website up. For a technically unsophisticated person like me to do so while learning what it is that constantly limit the authorities from viewing pages in our site to redirected URL's, DDOS attacks, etc..there has not been a brighter day. Still symptoms persists regaardless of ALL the methods used for detecting, removing and securing our site and databases. It is hard enough to face an industry that now cost our economy 500+billion in debt from fraud but to face something you cant see and only realize when the damage has already been done is the worst.
for public safety and awareness our two sites:
robert tapia
consumer advocate

Anonymous said...

Just wanted to say good luck; not that you need it. Put the A/V companies in their place.