It's hard to know with certainty exactly what's lurking inside any random computer, a fact that malware authors are well aware of. The four Black Hat Asia Briefings we're highlighting today explore the world of fast-adapting rootkits, strikingly coordinated virus attacks, and post-incident forensics.
The anonymous author(s) of the PlugX remote administration tool (RAT) continue to refine their notorious malware in an attempt to keep ahead of the talented security researchers nipping at their heels. Researchers have figured out how to decrypt and parse key components of the package, including its config files, and use that data to identify attacker groups. I Know You Want Me - Unplugging PlugX will bring you up to date on the state of PlugX research and defense, and run the latest variant through the security paces.
Around 2 p.m. on March 20, 2013, computers at South Korean financial institutions and TV networks were simultaneously wiped and rebooted by a sleeper virus that would later be referred to as "Wiper." In Z:\Make Troy\, Not War: Case Study of the Wiper APT in Korea, and Beyond, Kyle Yang will finally reveal the mechanism by which all these computers were infected: the attackers compromised a patch-coordinating security management server and used it to distribute malicious updates to the various systems. For his final trick, Yang will break out the forensics and share a few hypotheses regarding the original source of this effective malware.
Macs are commonly seen as a virus-free haven from malware-riddled PCs, but the explosive popularity of OS X has put it squarely in the crosshairs of malware authors. Come to You Can't See Me: A Mac OS X Rootkit Uses the Tricks You Haven't Known Yet to learn about the current state of the art in OS X rootkits, which can evade existing detection and memory forensics tools. Beyond hiding things, the talk also covers tricks to gain permissions, how to get into the kernel without root, and anti-tracing techniques.
Many organizations are happy to implement a robust security suite and "check the box" -- mission supposedly complete. But if a serious incident did go down, how well would these security tools support the ensuing investigation? Beyond "Check The Box": Powering Intrusion Investigations will outline a standard investigative process and explore a series of scenarios in which investigators need to rapidly obtain environmental information.
Regular registration pricing ends on March 21st at 23:59 ET. Please visit Black Hat Asia 2014's registration page to purchase your Briefings pass.