Praktikum zur Hackertechnik - 09.11.2011 - Aleksandr Matrosov and Eugene Rodionov

Nov 10, 2011 by rubcast



About the speaker
Aleksandr Matrosov - ESET

Aleksandr Matrosov has been working at ESET as a Senior Malware Researcher since joining the company in October 2009 as a virus researcher, working remotely from Russia. He has worked as a security researcher for major Russian companies since 2003. He is also a Lecturer at the Cryptology and Discrete Mathematics department of the National Research Nuclear University in Moscow, co-author of the research papers “Stuxnet Under the Microscope” and “The Evolution of TDL: Conquering x64”, and is frequently invited to speak at European and Russian security conferences. Nowadays he specializes in the complete analysis of difficult malicious threats and research into cybercrime activity.

About the speaker
Eugene Rodionov - ESET

Eugene Rodionov graduated with honors from the Information Security faculty of the Moscow Engineer-Physics Institute (State University) in 2009. Over the past five years he has worked for several companies, performing software development, IT security audits and malware analysis. He currently works at ESET, one of the leading companies in the antimalware industry, where he performs analysis of complex threats. His interests include kernel-mode programming, anti-rootkit technologies, reverse engineering and cryptology. He is co-author of the research papers “Stuxnet Under the Microscope” and “The Evolution of TDL: Conquering x64”. Eugene Rodionov also holds the position of Lecturer at the National Research Nuclear University MEPhI in Russia.

Abstract of the talk of Aleksandr Matrosov and Eugene Rodionov - ESET

The presentation focuses on security issues on the x64 architecture, specifically on the kernel-mode code signing policy and the techniques used by modern malware to bypass it. In our presentation, we will analyze the techniques used by modern rootkits in the wild to penetrate the kernel-mode address space:

  • Win64/Olmarik (TDL4)
  • Win64/Rovnix
  • Win64/TrojanDownloader.Necurs (rootkit dropper)
  • NSIS/TrojanClicker.Agent.BJ (rootkit dropper)

Special attention will be devoted to the bootkit Win64/Olmarik (TDL4), the most prominent example of a modern kernel-mode rootkit targeting 64-bit versions of Microsoft Windows. We will detail the notable features of TDL4 with respect to its predecessor (TDL3/TDL3+): the evolution of the rootkit's user-mode and kernel-mode components, the techniques it uses to bypass HIPS, the hidden file system, and its bootkit functionality. Finally, we will describe possible approaches to removing the rootkit from an infected system and present our free forensic tool for dumping TDL's hidden file system.



Posted in 2011/12 winter semester | RUBcast Public
Tags: Praktikum zur Hackertechnik