In Las Vegas, the first day of the Black Hat briefings is nearly complete. Black Hat is one of the biggest security conferences and always attracts skilled researchers to present their work.

Having worked quite a bit with our BlackLight rootkit scanning technology, I ended up sitting a lot in the Rootkit track sessions. Day 1 included some interesting presentations:
Stoned Bootkit, Peter Kleissner
Peter presented an open development framework for creating rootkits that activate early on in the boot process using the Master Boot Record. Most of the technology is something we've seen in previous research, but the scary part lies in the extensibility of the Stoned Bootkit.

Peter briefly touched on some sample extensions. One example was the CO2 rootkit plugin that used ACPI to slow the CPU down to save the environment! Now this is all very nice, but I expect that the most enthusiastic users for the Stoned Bootkit framework will be in the malware author community. And please take my word on this: they're not in it to save the rainforests.
Introducing Ring -3 Rootkits, Alexander Tereshkin and Rafal Wojtczuk
Rootkits keep developing. In the past years, they've gone from usermode (Ring 3) to the kernel (Ring 0), from kernel to the hypervisor (Ring -1) and all the way to System Management Mode (Ring -2).

Alexander and Rafal explored the possibility of running malicious code in the Intel AMT execution environment. AMT is meant for remote management, but unfortunately what is remote management for the good guys is a rootkitted backdoor for the attackers. I'm betting this is not the end of the rootkit countdown, though. Anyone care to guess where the Ring -4 rootkits will run? I'm sure we'll see soon.
Of course not everything has been about rootkits. The first day included not one but two interesting talks on X.509, which is one of the building blocks of SSL/TLS.
Among other things, Moxie Marlinspike and Dan Kaminsky had independently found a problem in most implementations that enables an attacker to create certificates that appear valid for any web site. When NULL characters are cleverly embedded in the certificate name field, a browser will incorrectly match a malicious certificate to a valid web site. Nice work from both researchers!
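The name mismatch described above, as an added example (not code from either talk or from any browser): a certificate name compared as a C string stops at the first NUL byte, while a length-aware check refuses it. The struct, the function names and the sample names are constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Name as a certificate parser returns it: raw bytes plus an explicit length. */
struct cert_name { const char *data; size_t len; };

/* Constructed sample names (example domains only). */
static const char CRAFTED_BYTES[] = "www.example.com\0.attacker.example";
static const char HONEST_BYTES[]  = "www.example.com";
static const struct cert_name crafted = { CRAFTED_BYTES, sizeof CRAFTED_BYTES - 1 };
static const struct cert_name honest  = { HONEST_BYTES,  sizeof HONEST_BYTES - 1 };

/* Flawed: treats the name as a C string, so comparison stops at the first NUL. */
int match_cstring(const struct cert_name *cn, const char *host)
{
    return strcmp(cn->data, host) == 0;
}

/* Length-aware: refuse embedded NULs, then compare every byte, ignoring ASCII case. */
int match_length_aware(const struct cert_name *cn, const char *host)
{
    size_t i, hlen = strlen(host);

    if (memchr(cn->data, '\0', cn->len) != NULL)
        return 0;               /* malformed name: never matches */
    if (cn->len != hlen)
        return 0;
    for (i = 0; i < hlen; i++)
        if (tolower((unsigned char)cn->data[i]) != tolower((unsigned char)host[i]))
            return 0;
    return 1;
}

int main(void)
{
    const char *host = "www.example.com";

    printf("crafted, C-string check:     %d\n", match_cstring(&crafted, host));
    printf("crafted, length-aware check: %d\n", match_length_aware(&crafted, host));
    printf("honest,  length-aware check: %d\n", match_length_aware(&honest, host));
    return 0;
}
```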
Signing off from Las Vegas,
Antti
PS. If you are attending, don't miss Mikko's talk on the Conficker worm on Thursday afternoon!
On 30/07/09 At 02:52 AM