AVAR 2014
Anti-Ransomware ACL based VSS snapshot to secure Data
by Aishwary Bhashkar, Rahul Naik & Vikas Kumar Tiwari (Quick Heal Technologies)

Ransomware and file infectors target data stored on the hard disk. They encrypt the data or reduce files to zero bytes and demand money to restore the data. Since most of the time we forget to take backups of important data, we end up paying a huge ransom to malware authors in order to recover it. The payment is generally more than $400, which is indeed very costly.

This paper presents a unique solution: taking a VSS snapshot of the hard disk volume and then applying ACLs to those VSS snapshots, so that they can’t be deleted by malware, even malware that has admin privileges.

VSS Technique:

We can take a VSS snapshot (http://msdn.microsoft.com/en-us/library/windows/desktop/bb968832(v=vs.85).aspx) of the volume.

The good points of using VSS:

1. Completes backup within seconds.

2. The backup is just a snapshot, so no space is required. However, system-level space is allocated by default for snapshots, which keeps only the incremental changes at block level.

3. Space and number of snapshots are configurable.

4. It restores all file formats, giving a complete restore of all files.

5. In this way we can keep versioning of the files in the volumes.

But the problem with the VSS snapshot technique is that anything with admin-level privileges may be able to delete VSS snapshots, so even malware may be able to delete them.

We propose the following solution:

We can enhance VSS snapshots with ACLs, so that even an admin cannot delete them. Deleting the VSS snapshots will require the privileges of the AntiVirus user account. So even if ransomware and infectors delete VSS snapshots, the snapshots taken by the AntiVirus software cannot be deleted by this malware, and we can recover the data easily.

Proof of concept:

We will also demonstrate a “Proof of concept” of how VSS is helpful in the case of ransomware.

Attacking TDS and web-shells management panels. Cases of study
by Evgeny Sidorov & Andrew Kovalev (Yandex LLC)

Many cybercriminals hack web sites and upload web shells. These web shells allow attackers to access the hacked web sites whenever they want. The shells are later often either used for various harmful activities (black SEO, spam, stealing traffic) or sold on the black market. To automate the management and sale process, attackers develop web-shell management panels, which are usually web applications hosted on "abuse-resistant" servers.

Traffic distribution systems (TDS) are well-known tools used for traffic management. They are frequently and deliberately used by cybercriminals to automate and control the traffic sale process. TDS and web-shell management panels are usually used together, and getting access to them is an important counter-intelligence task. The data obtained from such systems can be used either in investigations or for evaluating the quality of antivirus robots.

In our presentation we will speak about approaches to the analysis of TDSs and web-shell management panels and will give examples of some practical case studies.

Automated VirusLab using filters for semiautomatic file clustering and generating detections
by Alena Varkockova & Michal Augustyn (AVAST Software)

At present, most AV companies are struggling with how to manage hundreds of thousands of new files every day. Going through them by hand is absolutely unrealistic. We at AVAST were struggling too, which is why we came up with a solution.

Approximately two years ago we built a simple mechanism we called “Filters & Queues”; the main idea is very similar to email filters. It takes a subset of important file metadata (digital signatures, scan results, results of our internal analyzers, etc.) and every time this metadata changes, it runs the metadata through a set of filters. We created our own query language for this metadata which allows analysts to create a set of rules describing samples they are looking for. With the help of this query language, they can easily filter out new files they are interested in, e.g. mobile malware samples, new Java threats, samples with suspicious characteristics etc.

Throughout the last few years the system has evolved from a file clustering mechanism to a strong tool we can reliably use for automatic detection generation which does not need human interaction and is capable of disabling itself in the event of false positives. As we see approximately 500,000 new files every day with almost 20 different types of metadata on each file, the number of filter-engine executions is in the millions. The goal is to run this almost in real time, i.e. every time a new change in metadata is introduced, we see all the consequences. Can we already create a detection? Is this file suitable for our cleanset?

“Filters & Queues” are part of a bigger internal system written in ASP.NET/C#, running on a farm of application servers and backed by a cluster of PostgreSQL databases. This tool, called Scavenger, manages over 200 million files and provides data for all our virus database updates. It also has a user interface for analysts, which they use every day. But unlike them, Scavenger never sleeps and is able to produce new detections 24/7.

During the presentation we will provide you with details of the evolution of this system, show how it helps our virus analysts every day and justify how design decisions have been made. We will also discuss a few obstacles, scalability and performance problems we ran into because of the need to do this for tens of thousands of files at once with demand growing every day.

Defend Against Auto Attacks by Designing CAN Bus Firewall for Connected Smart Cars
by Wei Yan (VisualThreat Inc.)

“I can see you've got your motor running. But don't you feel I am just behind the wheels and control your car without your awareness?”

This scene sounds scary. More and more people are talking about car hacking, e.g. at Blackhat/DEFCON 2013 and Syscan 2014. CAN (Controller Area Network) is the most used protocol in the auto industry. It is based on a broadcast bus, which means all message packets are sent to all ECUs. A long time ago, CAN-based automotive systems were isolated and safe. Nowadays, advanced diagnostics enable cars to generate lots of profile data about engines and drivers, and submit it to the connected vehicle cloud. Meanwhile, with the fast evolution of mobile technology, the number of mobile devices is growing exponentially. When a mobile device connects to both the car and the vehicle cloud via mobile apps, the car becomes the new threat target.

In this paper, we will show how to build the CAN Bus Firewall (CBF) to detect maliciously injected commands and protect connected smart cars. To our knowledge, this is the first time an automotive anti-hacking solution has been introduced in the anti-malware industry. We will first go through how to reverse engineer a car by sharing our hands-on experience with ECU, OBD2 and CANBUS: how to get data from a car and send commands through OBD-2 ports to control cars, and how data transmitted on the CAN bus among ECUs is monitored. We will also build up a car-hacking attack scenario database and explain how to defend against each type of attack, including the attack scenarios mentioned by other car-hacking researchers. Our firewall will filter messages and make sure that no hostile messages get through to attack the vehicle. It will also block frames from unknown or untrusted sources, and apply rate limiting to defend against DoS attacks.

Last but not least, we will also share our new research findings on security vulnerabilities in current commercial vehicle-related mobile products. Lots of vendors are offering vehicle diagnostic services and mobile apps, and they are actually selling well. Unfortunately, the security vulnerabilities in these products put users at high risk of personal privacy leakage and even endanger human life!

Note: our status:

1. We have successfully completed the car reverse engineering and control experiments.

2. We have completed the CBF firewall prototype.

Differentiators from other car hacking research presented at Blackhat and Syscan:

  • We are going to focus on anti-hack detection and prevention, instead of only hacking.
  • Our solution is able to evade their attack scenarios.
  • Our presentation also covers security issues of commercial auto-related mobile products, which are real threats in the real world.

We will focus more on practice than on theory. Here is one example of defending against an auto attack approach mentioned at DEFCON 2013. Our firewall device applies whitelist rules based on ECU CAN IDs (much like IP addresses on the Internet). The firewall monitors transmitted messages and decides whether or not to block them by rule matching.

ID 21 is for data stream messages, and ID 13 is for error codes.

IDH: 07, IDL: E0, Len: 08, Data: 05 31 01 40 44 FF 00 00

The CAN ID is 0x07E0, which is for the PCM (powertrain control module). It is for diagnosis, so it is fine under our diagnostic rule. However, 0x31 (the second data byte, shown in red in the original) is for auto controlling, StartRoutineByXXX, according to ISO 14230-3. Therefore, this message cannot get through.
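
The rule matching described above, as an added Python example (not the authors' CBF code): it parses frames in the `IDH/IDL/Len/Data` notation used here, whitelists CAN IDs, checks the service byte, and applies the rate limiting mentioned earlier in the abstract. The allowed-service table, the rate-limit values, the two extra sample frames, and the reading of data byte 0 as a single-frame length byte followed by the service ID are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque, namedtuple

# Constructed policy (assumption, not the authors' rule set): CAN IDs that may
# appear on the diagnostic port, each with the service bytes it may carry.
# 0x21 (data stream) and 0x13 (error codes) are the two services the text names.
ALLOWED_SERVICES = {0x07E0: {0x21, 0x13}}
RATE_LIMIT = 5       # constructed: max frames per CAN ID ...
RATE_WINDOW = 1.0    # ... per sliding window of this many seconds

FRAME_RE = re.compile(
    r"IDH:\s*([0-9A-Fa-f]{2}),\s*IDL:\s*([0-9A-Fa-f]{2}),\s*"
    r"Len:\s*([0-9A-Fa-f]{2}),\s*Data:\s*((?:[0-9A-Fa-f]{2}\s*)+)$"
)

Frame = namedtuple("Frame", "can_id dlc data")


def parse_frame(line):
    """Parse one line in the 'IDH: .., IDL: .., Len: .., Data: ..' notation."""
    m = FRAME_RE.match(line.strip())
    if not m:
        raise ValueError("unrecognised frame line: %r" % line)
    idh, idl, length, data = m.groups()
    frame = Frame((int(idh, 16) << 8) | int(idl, 16), int(length, 16),
                  bytes.fromhex(data))
    if frame.dlc > 8 or len(frame.data) != frame.dlc:
        raise ValueError("length field does not match data: %r" % line)
    return frame


class CanFirewall:
    """Whitelist by CAN ID, then by service byte, with a per-ID rate limit."""

    def __init__(self, allowed=ALLOWED_SERVICES, limit=RATE_LIMIT,
                 window=RATE_WINDOW):
        self.allowed = allowed
        self.limit = limit
        self.window = window
        self.recent = defaultdict(deque)  # CAN ID -> timestamps of counted frames

    def check(self, frame, now):
        """Return (verdict, reason) for a frame seen at time `now` (seconds)."""
        services = self.allowed.get(frame.can_id)
        if services is None:
            return "BLOCK", "CAN ID 0x%04X is not whitelisted" % frame.can_id

        # Sliding-window rate limit: forget timestamps older than the window.
        seen = self.recent[frame.can_id]
        while seen and now - seen[0] >= self.window:
            seen.popleft()
        if len(seen) >= self.limit:
            return "BLOCK", "rate limit exceeded for 0x%04X" % frame.can_id
        seen.append(now)

        # Assumption: byte 0 is a single-frame length byte (high nibble 0) and
        # byte 1 is the service ID, as in the sample frame. Anything else is
        # rejected (fail closed) rather than guessed at.
        if (frame.dlc < 2 or frame.data[0] >> 4
                or not 1 <= frame.data[0] < frame.dlc):
            return "BLOCK", "not a well-formed single-frame request"
        service = frame.data[1]
        if service not in services:
            return "BLOCK", "service 0x%02X not allowed on 0x%04X" % (
                service, frame.can_id)
        return "ALLOW", "service 0x%02X matches rule" % service


# The first line is the frame quoted in the text; the other two are constructed.
SAMPLE_LINES = [
    "IDH: 07, IDL: E0, Len: 08, Data: 05 31 01 40 44 FF 00 00",
    "IDH: 07, IDL: E0, Len: 08, Data: 02 21 01 00 00 00 00 00",
    "IDH: 01, IDL: 23, Len: 08, Data: 02 21 01 00 00 00 00 00",
]


def run_samples(lines=SAMPLE_LINES, spacing=0.3):
    """Feed the lines through a fresh firewall, `spacing` seconds apart."""
    fw = CanFirewall()
    return [fw.check(parse_frame(l), i * spacing) for i, l in enumerate(lines)]


if __name__ == "__main__":
    for line, (verdict, reason) in zip(SAMPLE_LINES, run_samples()):
        print("%-5s %s  <- %s" % (verdict, reason, line))
```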


1. The security of embedded systems from car manufacturers;
2. Teach you how to reverse engineer a car with hands-on experiences: ECU, OBD2, CANBUS, etc.
3. Build auto reverse engineering testing environment step by step;
4. Demo: how to communicate with and control your car;
5. Present current attack scenarios against cars and the corresponding protection approaches; How to detect them by using our firewall;
6. Our new research findings on security vulnerabilities of current commercial vehicle-related mobile products;
7. Demo
8. Q&A

Dragonfly threat actor: TTP
by Marcin Siedlarz (Symantec Corporation)

The talk summarizes research by Symantec's Attack Investigation Team into the Dragonfly threat actor. The main focus will be on the tools and tactics that the group used to pose a serious threat to energy-related companies and their industrial control systems. The Dragonfly group's main victims are energy industry related companies, as well as education/science and health organizations. The attack vectors used primarily by the Dragonfly group are watering holes together with two versions of an exploit kit.

In addition, they have also been quite successful with targeted attacks using malicious PDF attachments, and with trojanizing legitimate software bundles of ICS companies. Symantec has evidence that the aim is to gain access to the SCADA networks of the customers of ICS software companies.

We'd like to present the full picture of the group that we have: watering holes carefully chosen to target a specific industry, targeted attacks that precede an energy industry conference in the geographic area of interest to the Dragonfly group, trojanized ICS software, and a high-level overview of two trojans used by the group. The presentation will cover information about the Dragonfly group's tools and tactics that is not documented elsewhere.

Effectively Testing APT Defences
by Simon Edwards (Dennis Technology Labs)
by Richard Ford (Florida Institute of Technology)
by Gabor Szappanos (Sophos)

Anyone watching the cybersecurity marketplace will have noticed a rapid rise in products that claim to provide protection from “Advanced Persistent Threats” (APTs). As targeted attacks get more attention, and protection products pay more attention to the implementation of new defensive technologies, the need arises for testing products specifically against this new kind of threat. However, compared to general product testing, APT presents additional challenges for the testers. In this presentation, we ask if APT protection can be tested, and if so, can it be done practically.

Under the umbrella of the Anti-Malware Testing Standards Organization (AMTSO), we have started working out the best practices for this important field. However, several of the characteristics of APTs make application of AMTSO’s best practice testing guidelines difficult.

A fundamental premise of AMTSO’s philosophy is that good tests try to reproduce an attack in a real-life setting, with the aim of recording the protective measures employed by the security software to stop the attack at the earliest stage. The ultimate goal is to assess how well the solution protected the victim system from attack. However, as an APT represents not a single point in time but a coordinated attack, often spread over a long time, any test should reflect this. This poses significant issues with respect to sample selection and verification.

Even if defendable samples could be obtained, measuring on-demand detection rates of the installed APT backdoors is a trivial but bad choice for this kind of test, missing both the time history of the attack and the depth of the defence. In this presentation, we explore more fully why this is a bad test, and provide some guidelines on how an APT test might be performed properly.

As an outline, this presentation will explain the general timeline of an APT attack, identify the different stages of the attack and the malware defence components that are effective in blocking the attack at each particular stage, and propose workable testing strategies that can be employed at each step to measure the efficacy of APT defences.

Evolution of the Android malware which targeted mobile financial services
by Sijoon Park & Seungwon Lee (Ahnlab)

Mobile financial services such as online banking via smartphone are becoming more mainstream in many countries. As they become more popular, the number of malicious codes that exploit the security loopholes of smartphone operating systems has been on the rise. The first such occurrence was reported back in October 2012, when it targeted Android OS and illegally charged its users approximately $280 per month in Korea. The codes have recently evolved to collect sensitive personal data such as security card numbers and certificate data used for mobile banking services.

To infect smartphones running Android, whose security loopholes are less well known than those of PCs, they have come up with various new methods that include SMS, instant messenger, bot implants, collection of personal data from various sources, utilizing existing Windows viruses via cross-platform tools, etc. Some of the methods were never seen before in PC environments, and their various ways of disguising themselves as legit apps make them harder to detect and clean.

I'll examine the following topics with real-life examples in the paper:

  • Evolution of the malicious codes on smartphones
  • Main functions of the malicious codes and how they are used to illegally collect money from smartphone users
  • Ways to prevent such financial damages and what the Korean government, financial institutions, service providers, and online security firms are doing.


Exploitation of CVE-2014-1761 in targeted attack campaigns
by Sébastien Duquette (ESET)

The use of zero-day exploits is strongly characteristic of APT campaigns; we saw this scenario repeating over and over again in the last 5 years. As a result, examining data related to zero-day or recently patched vulnerabilities offers an opportunity to identify those campaigns.

In March 2014, Microsoft announced that a vulnerability in Microsoft Word, later identified as CVE-2014-1761, was being exploited in the wild. We collected and analyzed exploit files and their associated payloads during the time window when it was still unpatched and the details of the vulnerability were not yet publicly available. This revealed the presence of APT campaigns which have been under the spotlight in recent years: MiniDuke and Ixeshe.

In this paper, we will first look at the various exploit documents for CVE-2014-1761. The authors will focus on the implementation details, including ROP code and tricks to bypass security software, and will highlight some interesting similarities and differences in the exploits' structure. Then we will look at the recent targets of these campaigns based on telemetry data and sinkholing efforts: European government and civil society organizations in the case of MiniDuke, and Taiwanese government and universities for Ixeshe. Finally we will examine the evolution of the malware components since their last recorded activity, focusing on their respective methods to evade detection and their C&C communication mechanisms, and provide indicators of compromise (IOC) to help with the identification and remediation of those threats.

Hardware Security
by Igor Muttik (McAfee - part of Intel Security)

To block malicious attacks effectively, security products need to employ all means available to them. The help may come from deep hardware capabilities of the platforms and we'll describe such technologies that are available but, unfortunately, not used very often for security.

We will list and discuss the capabilities which started appearing in popular platforms over the recent years. These features may provide urgently needed fresh blood for security solutions and boost our chances in the fight against malware:

  • exceptions associated with memory paging (like Trusted Memory Services Layer technology - to fight rootkits),
  • transactional support (TSX instructions in modern CPUs),
  • isolated trusted execution environments (like Manageability Engine, Android TrustZone, Intel SGX - to isolate sensitive data and code),
  • sealed environments to hide secrets (like TPM, TPM2.0, EPID - to keep encryption/decryption keys for files and storage),
  • hardware support for stack control (to avoid buffer overflows) and execution flow control (tracing, breakpoints, branch tracing),
  • protected audio-video paths (to avoid software tampering with the delivery of data to/from user),
  • new CPU architectures, etc.

Apart from giving an overview we shall also dig more deeply into several of these hardware technologies and give a demonstration.

How I forced an Android Vulnerability into bypassing MDM restrictions + DIY - Android Malware analysis
by Zubair Ashraf (IBM X-Force Advanced Research)

So you have got an Android malware sample, but you don't know how to analyze it other than by submitting it to an automatic analysis portal. We can help you change this state: come to the session and we will walk you through how to analyze Android malware using freely available static and dynamic tools, discover anti-VM / anti-emulator / anti-RE techniques, and bypass them using scripts, recompiling the Android source and running your image in an emulator. We will also walk you through finding a simple code vulnerability, and how we came up with an idea to exploit it to bypass MDM restrictions. What do we mean by that? Your employer wants you to install an MDM and let it control your password, its length, device lockout time, etc. You may find it quite annoying, but you still want to access corporate resources on your Android device. We will show you how we used a simple bug, with various manipulation and arm twisting, to trick the MDM into believing that we were meeting all the safe practices while we did not even have a password on the device.



  • step-by-step walk-through of analyzing OBAD
  • discovering anti-VM / anti-RE obstacles, bypassing them
  • discovering a vulnerability and smart use / twisting of it to cheat MDM solutions; the vulnerability is only patched in KitKat and earlier versions are still vulnerable. We have worked with MDM solution providers to make sure they will not be affected by issuing a patch (if they care), before we present this

Keywords: Android, Malware, DIY, MDM, Android vulnerability search and exploitation

What do you hope attendees will gain from the presentation?


  • ability to manually analyze mobile malware on Android
  • understanding of various tools out there
  • importance of having protection features like code signing / obfuscation / etc to strengthen MDM

IEEE Anti-Malware Support Service (AMSS)
by Mark Kennedy (Symantec Corporation)

AMSS is a set of shared support services, created through the collaborative efforts of many of the major players in the computer security industry. It enables the individual security companies and the industry as a whole to respond more effectively and efficiently to the rapidly mutating universe of contemporary malware threats. AMSS currently consists of two main services: the Clean file Metadata eXchange (CMX), and the Taggant System.

About the IEEE Industry Connections Security Group

ICSG is a global group of computer security entities that have come together to pool experience and resources in combating the systematic and rapid rise in computer security threats.

In the past few years, attackers have shifted away from mass distribution of a small number of threats to micro distribution of millions of distinct threats. ICSG was established, under the umbrella of the IEEE-SA Industry Connections program, out of the desire by many in the security industry to more efficiently address these growing threats in a coordinated fashion.

Current ICSG subgroups

ICSG Malware Working Group
Solving some of the malware related issues the industry faces today.

ICSG Malware Metadata Exchange Format (MMDEF) Working Group
Expanding the information that is captured and shared about malware.

ICSG Privilege Management Protocols (PMP) Working Group
Developing protocols for efficient authentication and secure determination of "who can do what".

by Dmitry Gryaznov (Independent Researcher)

It is a well-known fact that these days most malware is spread via the World Wide Web. Exploits, drive-by's, social engineering, scaring tactics etc. etc. - most of them eventually lead, possibly through a number of intermediate sites with redirects, to a malicious download from this or that Web site and to the infection and compromise of the user's computer. Most such Web sites, both intermediate and final sources of malware downloads, do not belong to the "bad guys". Most of them belong to legitimate entities and were put up for legitimate purposes but got hacked, infected, compromised and as a result started serving malware, unbeknownst to the sites' administrators.

Most effective for the computer criminals, and most disturbing to us, are compromised sites that are by default trusted by people who visit them regularly. For example, popular news sites, information sites, sites belonging to companies who sell goods and provide services, etc. etc. And arguably the most trusted sites are government sites, at least for the people of the corresponding nations. One would also expect the government sites to be well protected against being compromised.

As part of my work in computer security, I find, collect, verify, analyse, classify and catalogue Web links leading to and serving malicious code. And in the course of my work, I do encounter government sites of different nations serving malware - way too many to feel comfortable. I gathered some data and statistics about government sites hosting links to malicious content all over the world and would like to share my findings with the AVAR 2014 Conference audience.

Inside Android banking botnets
by Roman Unuchek (Kaspersky Lab)

In the last year or so we’ve seen an incredible increase in the number of Android banking Trojans. They are multiplying rapidly, and last year saw a 14-fold rise in their numbers.

The first banking Trojans were ZitMo, SpitMo and CitMo – the mobile elements of the famous Windows Trojans Zeus, SpyEye and Carberp. But these were soon followed by very different banker Trojans. Some of them still work in tandem with a Windows ‘partner’, but others are fully independent. They can steal credentials for online banking, mTANs, credit card info and lots of other data. Some of them can steal money using text messages sent by banks; others harvest data from files on the device or call records.

My research focuses on the main Android banking Trojans and shows how they steal your money.

Most current banking Trojans are bots. They need instructions from a C&C before they can do their work.

I have monitored real communications with command servers for the most significant Android banking Trojans.

I will explain how monitoring systems can be built. I used two different methods – patched Trojans running on a real phone, or a communication protocol emulator running on a PC.

Then I will show the commands I received and explain how they can affect real users.

Finally, I will show how money can be transferred via mobile payment systems and give an idea of how much money is being stolen in this way.

Lemming Aid and Kool Aid: Helping the Community to help itself through Education
by David Harley & Sebastián Bortnik (ESET)

There’s been no shortage of attempts to raise awareness of security issues in the community at large: probably everyone at a conference like AVAR has been involved in some form of security education at some time or other. But the quality and effectiveness of those attempts have been patchy at best. Are those who say that ‘if education was going to work, it would have worked by now’ in the right? Or is the problem with the piecemeal way that we do it?

This paper will look at a range of attempts to heighten awareness through a variety of channels initiated both from within and outside the security industry: blogging and social media, discussion forums, academic and governmental initiatives, community training schemes like the European Computer Driving Licence, inter-organizational community projects like AVIEN and AMTSO, Cyber Street and Cyber to the Citizen, and informational literature such as pamphlets, books and eBooks. We examine the advantages and pitfalls of education and training and the ethical complexities that arise when the security industry acknowledges its own responsibilities in terms of not only protecting but also informing the community, not only by self-promotion, but by finding ways to fit into a wider framework of community education and awareness.

How can we strike a balance when it comes to teaching of computer hygiene in an increasingly complex threatscape to audiences with very mixed experience and technical knowledge? Can user-friendly approaches to security be integrated into a formal, even national defensive framework?

The presentation will be divided into five main sections:


  1. A brief history of security education
  2. Channels of information (and misinformation)
  3. Ethics, marketing, and information
  4. Educational case studies
  5. Educational and informational coalitions

Microsoft Anti-Virus Extortion Expedience or the Extinction of the AV Industry- The Jury Has Reached A Verdict
by Randy Abrams (NSS Labs)

According to the 2014 Secunia Vulnerability Review, 13,073 vulnerabilities were discovered in 2013. These vulnerabilities affected 2,289 products from 539 vendors. Of the 13,073 vulnerabilities discovered, 2,183 were rated as highly critical or extremely critical. Vulnerabilities from 2012 and earlier are still actively and successfully being exploited.

The problem enterprises have in dealing with the glut of exploits is not unlike the problem anti-malware vendors have in dealing with the malware glut. There are far too many malicious programs being created on a daily basis for vendors to be able to protect against all of them. Threats are prioritized and mitigated based upon information researchers have concerning a variety of attributes. There are far too many old and new vulnerabilities and exploits to remediate simultaneously.

Enterprise security professionals depend on a variety of technologies to protect their assets. Endpoint protection (EPP) products, intrusion protection systems (IPS) and next generation firewalls are deployed to make defenses less porous, but they alone do not help to most effectively prioritize the allocation of resources. The correlation of data surrounding vulnerabilities, exploits, defense postures, and the individual enterprise's effective attack surface is required for IT departments to most rapidly and effectively deploy resources to mitigate threats that bypass all levels of defense.

Mobile Underground Activities in China
by Lion Gu (Trend Micro)

The mobile Web is significantly changing the world. More and more people are replacing their PCs with various mobile devices for both work and entertainment. This change in consumer behavior is affecting the cybercriminal underground economy, causing a so-called “mobile underground” to emerge. This presentation provides a brief overview of some basic underground activities in the mobile space in China. It describes some of the available mobile underground products and services with their respective prices, including Premium Service Numbers, SMS Forwarders, SMS Spamming Services and Devices, iMessage Spamming Services and Software, Phone-Number-Scanning Services, and App-Rank-Boosting Services.

Modifications of signed executables two years later
by Igor Glucksmann & Alena Varkockova (AVAST Software)

In 2012 we found, reported and published a problem with Authenticode signatures on PE executable files. This problem allowed an attacker to modify the content and behavior of many signed files without invalidating their digital signature; the issue got labeled as MS12-024. The fix that Microsoft released for that vulnerability was only partial, blacklisting specific content known or likely to be exploitable. However, it was obvious that new vulnerable file formats may appear at any time; the vulnerability is a design problem and cannot be fully fixed.

Almost two years later, Microsoft released a stronger patch – known as MS13-098. It does not look for specific content inside the digital signature; it tries to prevent any appending in a generic way. Since some companies actually perform post-signing modifications of their executables – especially installers – without any malicious intent, the patch will definitely cause some compatibility issues. That is probably the reason why the real effect of the patch has been postponed six months after its release, and later delayed even further (as of now, to August 12, 2014).

In this talk we would like to show the progress of this issue over the past two years. We will explain what the new patch does from the technical point of view and how it affects the vulnerability, compared to the previous one. We will present statistical data (extracted from our sample collection) related to post-signing modifications of executable files to see what signatures get invalidated. If the patch is already active at the time the talk is given, we will try to show how the affected parties responded to the change. We will discuss the implications of the change for antivirus software (such as the Taggant project).

Native Binary – the “Black Magic” of Android World
by Liang Zhang & Rowland Yu (Sophos)

The malicious use of native code such as C and C++ against Android dates as far back as 2010. Native code was used in Android root attacks such as RageAgainstTheCage and GingerMaster in 2010 and 2011 respectively. Malicious applications exploited these native binaries to gain root access on the infected devices and ensure the infection was always present. Analysis of the native binaries was an easy task at that time as the source code could be accessed online.

Along with the improvement of the Android NDK, native binaries in malicious applications nowadays have sophisticated functionality and have become much more complicated. The first Android bootkit, OldBoot, discovered at the beginning of this year, includes two native binaries capable of executing commands with root permission, sending SMS, and providing C&C services. Android packers and obfuscation tools such as Bangcle and ApkProtect take advantage of binaries to decrypt and load the payload at runtime. Also, SophosLabs has recorded and detected more and more Android malware embedded with multi-function native binaries.

However, there are no adequate documents, tools and systems for malware researchers to analyze the functionality and behavior of Android native binaries. As a result, this paper will demonstrate a detailed analysis of the native binaries in the samples above and will further cover the following topics:


  • What does a native binary look like in ARM assembly language?

  • Android NDK reverse engineering on these native malware samples in static analysis

  • Debugging Android native malware samples in dynamic analysis by using IDA Pro and GDB

  • Discuss the basic idea and implementation of packing Android native binaries

Operation Oil Tanker

by Luis Corrons (Panda Security)

In recent years we have seen how Advanced Persistent Threats (APTs) work, targeting high profile victims from strategic sectors. Some of them are clearly state sponsored attacks, with a lot of funding behind them, which explains the "Advanced" in the APT acronym. However this is not always the case, and in this talk I will show you the new APT evolution, known as RPT.

RPT is a new approach to this kind of attack, apparently capable of circumventing most of the defenses we have in place, while it keeps its ability to be persistent and a real threat. I will illustrate this RPT with a real case discovered in 2014, which is still under investigation by LEA. This attack is targeting different organizations from different countries around the world, mainly from Asia and Europe, and all of them work in the same field. We will analyze the attack, the targets, and the final goal of this RPT. And of course, what is hidden behind the mysterious ‘R’.

POS Malware: Are we really defenseless?
by Ciprian Oprisa & George Cabau (Bitdefender)

The recent attack on the Target POS systems that resulted in more than 100 million credit and debit card numbers being stolen was just the crest of a new wave of POS malware. Such attacks taught us that these systems lack a lot in the security area and the bad guys know that. An in-depth analysis of several POS malware families revealed that they are not sophisticated at all. Most of the malware employs a simple technique called memory scraping: they read other processes' memory and scan for card data. The collected card numbers are then sent to the Command and Control server, sometimes without any encryption. What is even more interesting is that most of these malware authors don't even bother to use code obfuscation. The malicious code is there to be seen; unfortunately, nobody is looking at it. Do the anti-virus products fail to detect them or do the malware authors know that there is no anti-virus software on the POS machines?

We will also propose a solution against POS memory scrapers. We have created a tool that protects the memory of a given process from being read. Instead of blocking the access, our driver intercepts the call to ReadProcessMemory and overwrites the given buffer with data read from the file on the disk. This way, any sensitive data will be hidden from the intruder, while maintaining the illusion that the process is monitored so the attacker won't be alarmed and won't take further actions. The tool was tested against the analyzed malware and managed to protect the confidential data.

Besides developing the protection tool, our paper will try to bring awareness to the POS users about the existing dangers and about the necessity of security solutions.

Shell Team Six: Zero Day After-Party
by Lokesh Kumar & Gregory Panakkal (K7 Computing)

The IT security industry is faced with the challenge of dealing with old invasion tactics that have been reborn in new avatars as Advanced Persistent Threats (APTs). APT attacks are tenacious at pursuing their targets and are played out in stages, possibly over a long period of time. With financial backing from state actors and criminal rings, APTs tend to be compound, sophisticated and difficult to detect. Each facet of the intrusion, in an ideal scenario, may be refined to such an extent that the end goal is achieved without a trace before, during or after the event.

Despite the complexity of these types of attacks, certain parameters always need to be satisfied to deliver the payload and retrieve the expected results, leading to the emergence of an attack pattern which may be placed under the microscope and flagged. These parameters include executing arbitrary code by invoking zero-day exploits for popular software, defeating security measures such as DEP & ASLR, e.g. via heap spray and ROP/JOP chains, exploiting EoP vulnerabilities, establishing remote C&C communication channels to issue commands or to exfiltrate stolen data in encrypted form, etc.

Drawing on evidence from documented real-world case studies, this paper details techniques that assist an assailant during the different phases of an APT, bypassing protection mechanisms like application-sandboxing, EMET, IDS, etc. thus attempting to fly under the defence radar at all times. Equipped with this information, we hope to explore methods of discovering each part of the life-cycle of a targeted attack as it is in progress or in the post mortem, thus reducing their efficacy and impact.

Stealing the internet, one router at a time
by Peter Kosinar (ESET)

The number of devices connected to the internet is increasing every day – and even if we ignore the computers and ubiquitous mobile phones, there are more than enough others, ranging from routers and IP cameras all the way to Smart TVs and other home appliances. The level of security of such devices is abysmal – not only are they very often misconfigured, but many of them also expose trivially exploitable vulnerabilities which the PC world encountered and fixed years ago. It should be no surprise that these devices are thus exploited, used and abused regularly by both human attackers and automated agents – network worms. Due to the wide variety of devices available, even the simple task of capturing a sample of active malicious code in this environment can be a challenge of its own, and so can the subsequent analysis – the tools (but also the experience) required for reverse-engineering software written for embedded platforms are far behind their counterparts from the x86 world.

Our paper begins with a brief introduction to the threats observed on internet-enabled embedded devices and mentions some notable cases of automated malicious software exploiting known but unpatched vulnerabilities or other weaknesses in these devices. Following the introduction, we look at two recent cases in more detail.

The first case is a worm targeting Linksys routers which we identified at the end of 2013 and which subsequently became known as “The Moon”. We examine difficulties related to correct identification of the 0-day vulnerability used by the worm, explain the methods used to capture a living sample and the tools and processes used for subsequent analysis, along with our findings regarding the purpose and behavior of this worm. This part is concluded by ethical considerations related to the appropriate disclosure process in cases similar to this one, in relation to the specific ecosystem of embedded devices and their (lack of) updates.

The other presented case is a new router-spanning botnet which, to the best of our knowledge, has not been publicly exposed yet. It was discovered in early 2014 and, as of May 2014, its size oscillates between 50 and 100 thousand compromised devices around the world, a large fraction of which are in the APAC region. In this case, our exposition focuses mostly on identification and mapping of the network of compromised devices and also includes results of our observation of the orders received by nodes in the botnet from its operator. Just like before, we also discuss the related ethical issues.

The final part of the paper is devoted to a discussion of challenges and suggestions for improving the global state of network security with respect to embedded devices.

NOTE: The abstract above describes the contents of the proposed paper; the “live” presentation at the conference would be focused mostly on “The Moon” worm and the as-of-yet-unnamed botnet, with emphasis placed on the second one.


The Internet of Things – Or – Security: The Forgotten Feature
by Andreas Marx (AV-TEST)


Criminals are exploring the next possibilities to spread their malware and to broaden their criminal business model. This is where the Internet of Things comes into play. Criminals are aware of the potential of these devices. Anything that adds comfort and is easy to use will be loved by the user, forgetting about security concerns. Smart Home kits have the potential to be one of the ice breakers and may bring the Internet of Things, and the associated security problems, into millions of households.

AV-TEST examined several different Smart Home kits to show their problems and vulnerabilities. We will explain where these kits fail to implement security, what that means for the home user, and which criminal business models may follow from that. In addition we will propose options to increase the security of these devices and discuss opportunities for vendors of AV soft- and hardware to lend a hand to the user.

The tale of HesperBOT
by Peter Kruse & Yurii Khvyl (CSIS)

This presentation will uncover a year of intense investigation involving law enforcement in several countries.

We shall provide insight into the malicious binary components of HesperBOT (win32 and mobile malware), distribution methods, infections and prevalence and infrastructure/C&C panel.

We will also try to identify the bad actors behind HesperBOT and tie the infrastructure to several high profile criminal outfits.

The Tizen Attack Surface
by Irfan Asrar (McAfee)

Tizen is an open source operating system designed for multiple computing platforms such as smartphones, wearable devices, in-vehicle infotainment (IVI), smart TVs, etc. Tizen provides application developers with an extensive web/native API set that includes access to hardware, settings, and user data. Access to privacy/security relevant parts of the API is controlled with an install-time application permission system as well as a post-install user-defined privacy filter. However, giving users the ability to install third-party applications as well as side-load apps poses serious security concerns.

Tizen comes at a time when the threat against mobile computing grows in tandem with the popularity of mobile devices. Compared to Android, iOS and Blackberry, Tizen offers multiple options within the framework structure to combat the rise in malware targeting mobile devices. This talk will examine the depth of these innate options and their ability to counteract malware and privacy threats. This talk will also review the inner workings of the operating system, the application framework, as well as techniques to reverse engineer applications written for the Tizen platform.

Finally, we will also talk about the security review mechanisms used by the Tizen app store to screen apps and detect malware/malicious apps.

ZebrAttack: Data Breach via Android OS and App Vulnerabilities
by Scott Wu & Song Li (McAfee - part of Intel Security)

Scanning a QR code image is a popular way to enter information into smartphones, thanks to open source scanning libraries such as ZXing ("Zebra Crossing"). For example, QR codes help smartphone users when they download apps from Google Play or access a web site. They have also become a key component of the O2O (online to offline) commerce framework. However, if an app does not handle QR code scanning properly, user information may leak.

In this paper, we demonstrate how Android apps, e.g. apps developed by well-known retailers Walgreen and Costco, breach sensitive user data when scanning a series of carefully designed QR images. We discuss attacks which utilize loopholes in the apps in conjunction with Android vulnerability CVE-2014-1939. We also cover the exploitation of these vulnerable apps along with social engineering techniques for the attackers to harvest passwords or credit card information from your phone.

Zeus Monitoring and Configuration Files Decryption
by Lord Alfred Remorin (Trend Micro)

In this paper, we introduce a system that automatically decrypts configuration files of well-known Zeus variants. We identify the family of a malware sample by sandboxing it, and we determine the Zeus variant by using modified open-source scripts to scan memory dumps. We apply our Zeus plugin to an open-source sandbox system (Cuckoo Sandbox) to execute the malware and gather the information needed to decrypt static and dynamic configuration files of Zeus malware. This paper describes the differences between Zeus variants as well as the algorithms to decrypt Zeus configuration files. We believe that the results from our system can be used to assist security researchers in gathering information on botnet administrators as well as monitoring the targeted financial institutions.