Welcoming of the Guests

Matt Suiche (Founder at Comae & OPCDE)

WinDbg: time to put the @ back in the bag

WinDbg is a necessary tool for anyone doing Windows development, debugging, troubleshooting, and research. Using it has traditionally been a painful experience, especially when having to debug apps written in C++ or looking at kernel code without private symbols. But it doesn’t have to be that way! Your debugging experience could be a lot better with the new debugger data model, which opens up a whole new world of possibilities. In this talk you will learn the basics of the data model and a few simple, practical ways in which it can make your life easier — saving you lots of time, work, and frustration.

Yarden Shafir, CrowdStrike

Yarden Shafir started dancing at the age of 7, and later joined a rhythmic gymnastics team and competed during her teenage years. After her military service, she practiced pole dancing and fell in love with acrobatics. Today she performs aerial arts for the circus, trains whenever possible, and teaches lyra and silks in Israel, while also having a rich background of Windows Internals research originally at Sentinel One, followed by her current role as a Software Engineer at CrowdStrike working on various EDR capabilities and EPP features.

The Penquin is in da house

We'll describe a recently discovered variant of “Penquin”, a stealth backdoor for Linux attributed to the Turla group and dubbed “Penquin_x64”. We'll detail the capabilities of this stealth backdoor, comparing it to the older known versions and providing hints on the possible build dates of these samples. “Penquin_x64” tries to hide itself from the eyes of system administrators by mimicking the “cron” binary, a widespread utility on Linux servers and clients used to manage scheduled tasks. In this talk we shed light on the malware's capabilities and on its communication protocol, a component where the threat actor put in a considerable amount of effort to avoid improper activation of the backdoor. Also, during the demo session we'll show how to detect a running instance of Penquin_x64 by crafting a proper packet that triggers a reverse connection to a designated host.

Dr. Silvio La Porta, Leonardo

Dr. Antonio Villani, Leonardo

Dr. Silvio La Porta is a Senior Cyber Security Architect in Leonardo's Cyber Security Division. He works in the Cyber Security Research Centre (CSRC) designing security products and researching advanced detection technology for complex malware/APT. Silvio previously was a lead research scientist with EMC Research Europe, based in the Centre of Excellence in Cork, Ireland. His primary research focus areas were real-time network monitoring and data analysis in smart grids to detect malware activity in SCADA systems and corporate networks. He also led Security Service Level Agreement (Sec-SLA) and end-user security/privacy-protected data store projects for hybrid Cloud environments. He is a frequent speaker at professional and industry conferences. Before joining EMC, Silvio worked as a Malware Reverse Engineer in Symantec's Security Response team in Dublin, Ireland. Silvio holds a PhD in Computer Network Security from the University of Pisa, Italy. He is the co-author of the training ‘Modern Malware OPSEC & Anti-Reverse Techniques Implementation and Reversing’.

Dr. Antonio Villani is a security expert working for the Cyber Security Research Centre (CSRC) in Leonardo's Cyber Security Division with the role of Senior Cyber Security Architect. As a researcher he has published in top-tier conferences and journals and has participated in European research projects in the field of cyber resilience and data security. During the final steps of his PhD he worked in the field of malware research and digital forensics, starting his path toward the black magic of reverse engineering. In his never-ending quest to discover how deep the rabbit hole goes, he has spent the past years analyzing high-level implants for top-tier customers and providing detailed implementation information to support cyber-defense and cyber threat intelligence teams. He is the co-author of the training ‘Modern Malware OPSEC & Anti-Reverse Techniques Implementation and Reversing’.

Surveillance, Security and old-school hackers in the Covid era

Government demands for increased surveillance to track Covid exposure have dramatically accelerated clashes between the authorities and tech companies, notably Apple and Google, which are resisting sharing personal information. At the same time, the boom in remote work and conferencing software from the likes of Zoom have intensified concerns over hacking and end-to-end encryption. One thing tying both debates together is the role played by prominent hackers who learned from leaders of the Cult of the Dead Cow, the most influential U.S. hacking group and one chronicled in a just-updated book by Reuters investigative journalist Joseph Menn.

Joseph Menn, Reuters

Matt Suiche (Founder at Comae & OPCDE)

Joseph Menn is the author of the bestseller “Cult of the Dead Cow: How the Original Hacking Supergroup Might Just Save the World,” which is out in an updated paperback on June 2, 2020. Among other things, it revealed that presidential candidate Beto O'Rourke belonged to the oldest surviving and most influential group of U.S. hackers. The New York Times Book Review called it “a hugely important piece of the puzzle for anyone who wants to understand the forces shaping the internet age.” It was named one of the 10 best nonfiction works of the year by Hudson Booksellers. Menn is an investigative reporter specializing in technology issues for Reuters, having previously worked at the Financial Times and the Los Angeles Times. Menn also wrote the 2010 bestseller “Fatal System Error: The Hunt for the New Crime Lords Who Are Bringing Down the Internet,” a real-life thriller that brought the modern face of cybercrime to a mainstream audience. Fatal System Error revealed collaboration between major governments and organized crime, and was placed on the official reading list of the US Strategic Command, while the New Yorker magazine compared it to the novels of Stieg Larsson. Menn speaks regularly at security conferences including Def Con, Black Hat and RSA.

Decoding and interpreting Intel PT traces for vulnerability analysis

Intel PT is a very powerful technology that can be used for various purposes. The capability to record the full execution of a program can be very powerful in many situations, like performance tuning or root cause analysis of various issues. Applying it to security research is a natural idea, and there is a lot of research going on already. But when I started looking into applying this technology to real-world problems, there were many roadblocks. The first challenge was taking the processor trace itself. There are a few different approaches that exist right now on the Windows platform, for example, and they have pros and cons. Recent Windows 10 releases support an in-box PT dump capability, and Alex Ionescu made a very convenient tool to dump it. Intel also released a tool to dump it through USB debugging on any Windows platform. The real challenge begins when you try to decode the trace. There is Intel's libipt library, but it is a bare-minimal tool that can help you. Just think of it as the dumpbin of the Intel PT world when you wished for IDA or Ghidra. IPTAnalyzer is a tool built upon Intel's libipt library. It can use a process dump image to match instructions with control flow information from the trace log. It supports parallel processing to expedite processing time. It can save a lot of time in analyzing and understanding raw Intel PT traces. With the help of IPTAnalyzer I focused on vulnerability analysis and triaging. I could reconstruct the full program flow of an example exploit code and could build a semi-automation script to identify potentially malicious code. Through this talk, I want to share the approach in applying Intel PT to real-world problems, like program behavior analysis, root cause analysis and malware analysis, or even rootkit detection or analysis.

Jeong Wook 'Matt' Oh, DarunGrim

Matt Oh is a security researcher and founder of the DarunGrim company. After working in Microsoft security teams for 10 years, he is now endeavoring to start his own company focusing on automatic malware and exploit detection technology. When time permits, he gives security trainings.

Closing Remarks

Matt Suiche (Founder at Comae & OPCDE)