Black Hat 2012: Hackers to explore malware analysis, next-gen attacks

Cybercriminals are building malware with stodgy defensive capabilities and evasion techniques, making detection and analysis increasingly difficult for security researchers. At the same time, new attack vectors are threatening the security of embedded systems and the underlying hardware that powers laptops, smartphones and other devices.

While we usually say malware can do this or that to avoid detection, it's interesting to see up to what point large scale malware developers are going to avoid being analyzed.

Stefano Zanero,
security researcher, assistant professor, Politecnico di Milano University

Researchers will share insights into next-generation malware and hacker techniques at the 2012 Black Hat Briefings in Las Vegas next week. Three talks in particular will highlight the increasing challenges being faced by security engineers to dissect malware and the broadening attack routes that cybercriminals could take to evade detection.

Malware writers are beginning to get down into the underlying hardware of most systems to avoid detection by security software, said Stefano Zanero, an Italian researcher and assistant professor at Politecnico di Milano University. During a webcast previewing Black Hat, Zanero, who is overseeing the malware track, explained why some of the research into emerging threats could be troubling to the information security community.

"While we usually say malware can do this or that to avoid detection, it's interesting to see up to what point large-scale malware developers are going to avoid being analyzed," Zanero said.

Rodrigo Branco, director of vulnerability and malware research at Redwood City, Calif.-based Qualys Inc., will talk about the techniques malware authors are currently employing to avoid detection. Blanco is cataloging the evasion techniques, running various tools through a database of millions of malware samples to track the effectiveness of emerging techniques.  Meanwhile, Chengyu Song, a PhD student at Georgia Institute of Technology, will discuss current malware analysis environments and the cybercriminal techniques that could permanently disadvantage automated malware analysis. Song plans to use the Flashback botnet as an example of a technique its author used to prevent automated analysis.

A sophisticated attacker could also choose to bypass the operating system altogether and still conduct attacks. Jonathan Brossard, founder and CEO of Germany-based Toucan System, will demonstrate a BIOS-level attack, backdooring various Intel-based motherboards. The attack, which could be done sometime during the manufacturing and shipment of a PC or device, can permanently subvert the security of the computer, even after re imaging the system’s hard drive.

"Very few of us are wondering about the safety of the process of which our PC is being delivered to us and in which our PC has been manufactured," Zanero said. "The fact that you can construct a BIOS component … completely transparent to how we usually check our system for malware … and do this without touching the PC, is quite scary."

Breaking embedded systems

Chris Rohlf, founder and president of New York-based Leaf Security Research, is overseeing the Breaking Things conference track and said this year's speakers will be presenting on a chaotic mixture of topics. "I think the talks that we have this year are really going to not only resonate with a lot of people, but they're also going to be very entertaining."

The talks cover ways to break hardware, software and current defenses, said Rohlf, who is giving a session this year on bypassing (not breaking) Google's Native Client sandbox.  With cybercriminal sophistication moving down into the underlying hardware layer of devices, no doubt embedded systems are under increased scrutiny, Rohlf said.

In a session titled "PINPADPWN," researchers “Nils” and Rafael Vega of U.K.-based MWR InfoSecurity, will expose payment terminal weaknesses. Nils and Vega plan to expose memory corruption vulnerabilities, demonstrating a way to target flaws in the payment applications that run on device firmware. Successfully exploiting the flaws enables an attacker to gain control of the terminal.

Other track sessions will focus on breaking software. Google researcher Fermin Serna will talk about weaknesses in Address Space Layout Randomization (ASLR) that could result in information leakage. James Forshaw, a principal consultant at U.K.-based Context Information Security, will demonstrate a way to break partial trust sandboxes in .NET applications.