Bypassing code signing policy: welcome to the (Eko)party

ESET researchers Aleksandr Matrosov and Eugene Rodionov just gave a talk on Defeating x64: Modern Trends of Kernel-Mode Rootkits at the seventh Ekoparty security conference, which took place at its traditional location of Buenos Aires, Argentina between the 21st and 23rd of September.

The presentation described new trends in bootkit/rootkit development for x64 Microsoft Windows operating systems, and one of the main issues it addressed was the techniques used by the malware in the wild (Win64/Olmarik and Win64/Rovnix) to bypass kernel-mode code signing policy. (Code signing is the major obstacle in the way of rootkits targeting the 64-bit Windows platform.)

Interestingly, their talk has some overlap and intersection with a presentation by Nicolas Economou, from Core Security Technologies, on “Deep Boot”: in this presentation he proposed a new Proof-of-Concept bootkit technique making use of the processor’s debugging facilities. Essentially, what we’ve seen in Win64/Rovnix, and what the researchers from ESET discussed at the conference, was simplification and customization of the technique for the Microsoft Windows Platform.

It’s also worth mentioning the presentation on “BEAST: surprising crypto attack against HTTPS” by Thai Duong and Julliano Rizzo, which has recently attracted a lot of attention in the research community. They demonstrated in real time how they were able to decrypt authentication cookies in a PayPal HTTPS session. These were then used to get access to a PayPal user’s account.

The ESET presentation will be available shortly on the ESET white papers page at http://go.eset.com/us/documentation/white-papers.

David Harley CITP FBCS CISSP
ESET Senior Research Fellow

 

Author David Harley, ESET

  • Irklinov

    Thanks for IDA guys

Follow Us

Automatically receive new posts via email:

Delivered by FeedBurner

1 article related to:
Hot Topic
29 Sep 2011
ESET Virus Radar

Archives

Select month
Copyright © 2014 ESET, All Rights Reserved.