I got there to the conference hall a little bit earlier on Day 2 to make sure I had time enough to finish my morning coffee before things started. Turns out the program started 20 minutes earlier on Day 2, and I just barely managed to grab a coffee and find a seat in the room before the keynote started:
Marion Marschalek presented “Star Wars” instead of the official title “TS NOFORN.” Her keynote consisted of an in-depth discussion of several infosec topics, including information warfare, malware, and cyber adversaries. First, she discussed a piece of malware named Callientefever, which was compiled in 2010 and whose HTTP accept language is always FR. The malware uses Dynamic API loading by name hash and seems to have been written to ”flood all the things.” At some point, Marschalek encountered a sinkhole domain operated by Kaspersky with a firstname.lastname@example.org contact e-mail address, so she contacted them about it. I’m not exactly sure what followed, but I got the distinct feeling that they didn’t agree on how to proceed. I believe this piece of malware became “#Suspect 1.” Then similar samples were identified by her and her peers who had huge databases of malware samples. “#Suspect 4” stood out in particular. It was larger than the other samples but used same basic functionalities and LUA script to do AV product enumeration – select * from antivirus product Firewall product enumeration – select all from firewall product Sandbox check – KLavme, my app, test app,afyjevmv. It also checked that Perfmon was running to ensure that the malware itself did not use too much cpu power. When decrypted, the malware revealed three domain names: Le-progres.net and 2 others, all three seemingly fake. For instance, one of them, Ghatreh.org, is a magazine based in Iran.
Marion has since done a write-up on this malware family, which she has named “Bunny”: http://0x1338.blogspot.co.at/2014/11/hunting-bunnies.html.
Featured Download: Social media access at work. Do your employees know the rules?
A take away from this keynote is the fact that malware samples and IOCs don’t make it to the people who need them because many vendors within this industry are creating venues of information to build their market. Marion did some free marketing for solutions that currently don’t have access to marketing but are nonetheless worthy, which include whisper systems, fire chat, open garden, sub graph OS, bettercrypto.org, RCE tool library, and viper.
After Marion’s keynote, Claudio Guarnieri presented his “viper project.” Malware, exploits, and analysis scripts, Guarnieri explained, are all over the place when you’re a malware analyst or reverse engineer. It becomes an unmanageable mess. First, he tried VxCage as his first attempt at a structured file system, but it failed. Now he’s trying again with “Viper.” It is a framework to store, organize and analyze malware. You can create new modules, with 30 already available. The Framework is modular, Open Source, and can help interested parties with the library functions required by RE’s/Forensics analysts.
Next, Shahar Tal presented “I hunt TR-069 admins.” The talk focused on SOAP RPC, a piece of SOHO hardware – a CPE (Customer placed equipment) that talks to an ACS (access control server). The CPE initiates the connection always, which is a widely used de facto device management standard. With this type of set-up, one hopes that the ACS is a “good guy” because the CPE can be a zero touch configuration device where the help desk/call center can fix issues remotely. One server at the ISP controls the entire fleet of CPE routers; if someone hacks the ACS, they gain access to passwords and usernames for everything. You can then get SSIDs, change the WAN surface, and upload new firmware. Boom. TR-069 is vulnerable when unprotected, and ACS is a great attack vector.
Following Tal’s talk, Fyodor Yarochkin, Vitaly Chertvertakov, Vladimir Kropotov delivered their talk “Detecting bleeding edge malware.” The presentation consisted of malware collected this year from within Ukraine. The main take aways for me were that attackers change the domain name every the minutes. As a result of this, security professionals must watch the mime types on their network streams. They’ve also published Cif v1 on github/collectiveintel, which can help in validating anyone’s findings.
Next up was Aleksandr Timorin, whose presentation was “SCADA deep inside: protocols and security mechanisms.”Methods whitelisting and TLS (the latter of which is in theory supported but not so in reality) are two well known security measures for SCADA implementations. Many attacks exist against SCADA. Passwords are easily extracted and badly protected/encrypted. SCADA <> PLC authentication is easily broken and passwords cracked, with the example of JTR. We were then shown a demo of IP spoofing and accessing the PLC. The presentation drew on a number of security tools, including wireshark, ncat, socat, scapy, Zulu.
Philippe Teuwen then presented “Belgian elections bug” as a lightning talk. Pardon me Philippe, my attention strayed to Twitter for a quick catch up. Since we’ve never met, I’m sure you won’t mind.
There was also a Lightning talk on “Luxembourg use or not use of APIs” by Thierry Degeling, who succeeded in creating better APIs for some large (For Luxembourg) public services — better in fact than the APIs offered by the companies themselves. He argued that this simply needs to be improved, which is obviously correct. I think he has since had to take at least some of these APIs down because the companies were objecting to them a bit.
A quick comment on the fast responder application presented by @sebdraven. It is designed to detect and understand large scale compromise, and it looks like great for Windows environments: https://github.com/SekoiaLab/FastResponder.
Ludovic and Axelle Apvrille next presented together on “Sherlockdroid.” It’s an inspector for Android marketplaces. The app makes it feasible for malware researchers to analyze only probable malware samples using low false positive/negative values. This allows researchers to focus only on unknown malware.
Xeno Kovah, who presented on Day 1, then presented again. This time “a dark fairy tale of smite’em versus Copernicus.”
Copernicus 2 is a new tool that can help prevent against the SMM mitm’ing presented in his first presentation. The calls to read the bios/SMM can now be blocked using Intel trusted execution (TXT) that creates a nugget of trust via asymmetrical cryptography. This allows code to run, which in turn enables SENTER to run. The newly running code measures stuff and allows stuff to run, it tears down the system, and builds up a new one. Then it measures the new launch environment and tells you if trusted code in fact ran. If trusted code did not run, your BIOS/SMM has probably been compromised.
At that point, Kovah shifted the focus of his talk to Charizard, a new an attack revealed at Syscan that subverts the Copernicus 2 defense.
There is also a brand new attack called Sandman about which Kovah also spoke. This is an attack that executes the MLE with an attacker inside which enables the attacker to suppress SMI’s, win then by mitm’ing the SMM-read, and then writing to the flash chip.
Intel isn’t shipping SMT’s atm, which makes all BIOS potentially vulnerable to Sandman.
Following Kovah’s talk, Anamika Singh (#Because #Joel) presented on WiHawk – a router vulnerability scanner tool that is now included as a module in the Ironwasp web vulnerability scanner. It includes some demos and stuff for router back doors, authentication bypass, and password recovery. Singh emphasized that it’s now time to include routers/WIFI/APIs in your security posture if it wasn’t already part of it. I came away with a new appreciation for the topic.
One of the last talks I attended was presented by Enno Rey on the evasion of high-end IDPS devices in IPv6.
IPv6 is a mess, and fragmentation rules leave a hole. Visit www.langsec.com – this wasn’t taken into account when writing the IPv6. They managed to evade all four tested IDPS devices easily, and Cisco bungled disclosure pretty badly it sounded like. One of the researchers behind this just handed in his thesis on this issue, which obviously is a big thing. Congratulations to them! Also, ERNW seems to be one of the IPv6 research-hotspots on the planet, and I can only recommend following their research actively.
Day 2 was followed by a speakers dinner, but as I was not a speaker and the wifey wanted to go to yoga, I left early.
Claus Cramon Houmann | IT Security Consultant | @ClausHoumann
To find out more about our panel members visit the biographies page.