rootkit

BlackHat USA technical presentations available online - not just for hackers

The media archives have now been posted on the BlackHat website from the BlackHat technical conference held in July 2009. This is the place to go if you want to see some of the latest information security research and the threats that are REAL and may become real someday. I posted a previous blog entry on the presentation about the Bootkit - rootkit - malware bypasses disk encryption!

Some of the presentation titles:

I Just Found 10 Million SSN’s

Sniff Keystrokes With Lasers/Voltmeters
Side Channel Attacks Using Optical Sampling of Mechanical Energy and Power Line Leakage

Anti-Forensics: The Rootkit Connection

Reversing and Exploiting an Apple® Firmware Update

The Language of Trust: Exploiting Trust Relationships in Active Content

Mo’ Money Mo’ Problems: Making A LOT More Money on the Web the Black Hat Way

The Conficker Mystery

These are just some of the titles available in the BlackHat 2009 Technical Conference media library. Check it out even if you are a web developer or an IT professional who manages desktops or networks or staff members who perform these tasks. You need to know what you are up against and possible methods to fight the threats.

Thanks for reading & lets continue to be good network citizens!

Bootkit - rootkit - malware bypasses disk encryption!

If you have not been nervous before about someone infecting computers without your knowledge then you should be much more nervous after reading this article.

In 1987 the Stoned boot sector virus came out and was one of the most prevalent viruses of the early personal computer era. As with most malware concepts, this old threat has been made new again.

An 18-year old security specialist gave a presentation on a bootkit/rootkit (STONED) at the annual Blackhat security conference. This bootkit is not your typical bootkit in that it can bypass disk encryption and load itself into memory before the disk encryption software is activated. The demonstration showed the bootkit loading before disk encryption is activated. Once the malware is loaded from the master boot record (MBR), it is then in memory and can download other malware such as trojans to capture banking credentials.

The bootkit software can be installed either by having physical access to the device or by a user with administrative credentials (this makes a good case for the “least user authority” (LUA) principle). Once the malware is installed and activated it is very difficult to detect. According to one article:

Once installed, Stoned cannot be detected with traditional anti-virus software because no modifications of Windows components take place in memory, says Kleissner. Stoned runs in parallel with the actual Windows kernel. Even an anti-virus function in the BIOS can’t stop the bootkit, as modern Windows versions modify the MBR without referring to the BIOS.

Our challenge as infosec professionals is laid out before us. How we deal with threats like these and protect our users and organizations becomes more difficult all of the time. We have to stay on top of our game because the rules and game conditions are always changing.

Thanks for reading & let’s continue to be good network citizens.