Praktikum zur Hackertechnik - 09.11.2011 - Aleksandr Matrosov and Eugene Rodionov
Nov 10, 2011 by rubcast
About the speaker
Aleksandr Matrosov - ESET
Aleksandr Matrosov is currently a Senior Malware Researcher at ESET; he joined the company in October 2009 as a virus researcher and works remotely from Russia. He has worked as a security researcher since 2003 for major Russian companies. He is also a Lecturer at the Cryptology and Discrete Mathematics department of the National Research Nuclear University in Moscow, co-author of the research papers “Stuxnet Under the Microscope” and “The Evolution of TDL: Conquering x64”, and is frequently invited to speak at European and Russian security conferences. He currently specializes in the complete analysis of difficult malicious threats and in research into cybercrime activity.
About the speaker
Eugene Rodionov - ESET
Eugene Rodionov graduated with honors from the Information Security faculty of the Moscow Engineering Physics Institute (State University) in 2009. Over the past five years he has worked for several companies, performing software development, IT security audits and malware analysis. He currently works at ESET, one of the leading companies in the antimalware industry, where he analyzes complex threats. His interests include kernel-mode programming, anti-rootkit technologies, reverse engineering and cryptology. He is co-author of the research papers “Stuxnet Under the Microscope” and “The Evolution of TDL: Conquering x64”. Eugene Rodionov also holds the position of Lecturer at the National Research Nuclear University MEPhI in Russia.
Abstract of the talk by Aleksandr Matrosov and Eugene Rodionov - ESET
The presentation focuses on security issues on the x64 architecture, specifically on the kernel-mode code signing policy and the techniques used by modern malware to bypass it. In our presentation, we will analyze the techniques of penetrating the kernel-mode address space used by modern rootkits in-the-wild:
- Win64/Olmarik (TDL4)
- Win64/TrojanDownloader.Necurs (rootkit dropper)
- NSIS/TrojanClicker.Agent.BJ (rootkit dropper)
Special attention will be devoted to the bootkit Win64/Olmarik (TDL4), the most prominent example of a modern kernel-mode rootkit targeting 64-bit versions of Microsoft Windows. We will detail the notable features of TDL4 with respect to its predecessors (TDL3/TDL3+): the evolution of the rootkit's user-mode and kernel-mode components, the techniques it uses to bypass HIPS, its hidden file system, and its bootkit functionality. Finally, we will describe possible approaches to removing the rootkit from an infected system and present our free forensic tool for dumping TDL's hidden file system.
Posted in 2011/12 winter semester | RUBcast Public
Tags: Praktikum zur Hackertechnik