In Las Vegas, the first day of the Black Hat briefings is nearly complete. Black Hat is one of the biggest security conferences and always attracts skilled researchers to present their work.
Having worked quite a bit with our BlackLight rootkit scanning technology, I ended up sitting in a lot of the Rootkit track sessions. Day 1 included some interesting presentations:
Stoned Bootkit, Peter Kleissner
Peter presented an open development framework for creating rootkits that activate early on in the boot process using the Master Boot Record. Most of the technology is something we've seen in previous research, but the scary part lies in the extensibility of the Stoned Bootkit.
Peter briefly touched on some sample extensions. One example was the CO2 rootkit plugin that used ACPI to slow the CPU down to save the environment! Now this is all very nice, but I expect that the most enthusiastic users for the Stoned Bootkit framework will be in the malware author community. And please take my word on this: they're not in it to save the rain forests.
Introducing Ring -3 Rootkits, Alexander Tereshkin and Rafal Wojtczuk
Rootkits keep developing. Over the past years they've gone from usermode (Ring 3) to the kernel (Ring 0), from the kernel to the hypervisor (Ring -1), and all the way to System Management Mode (Ring -2).
Alexander and Rafal explored the possibility of running malicious code in the Intel AMT execution environment. AMT is meant for remote management, but unfortunately what is remote management for the good guys is a rootkitted backdoor for the attackers. I'm betting this is not the end of the rootkit countdown, though. Anyone care to guess where the Ring -4 rootkits will run? I'm sure we'll see soon.
Of course not everything has been about rootkits. The first day included not one but two interesting talks on X.509, which is one of the building blocks of SSL/TLS.
Among other things, Moxie Marlinspike and Dan Kaminsky had independently found a problem in most implementations that enables an attacker to create certificates that appear valid for any web site. By cleverly embedding NULL characters into the certificate name field, a browser will incorrectly match a malicious certificate to a valid web site. Nice work from both researchers!
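To make the matching problem concrete, here is an added illustration (not code from the original post, nor from any particular browser): a hostname matcher that treats the certificate's common name as a C string beside one that honours the ASN.1 length and rejects embedded NULs. The struct, function names and the sample names are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* A name as X.509/ASN.1 carries it: an explicit length plus bytes,
 * so an embedded NUL is just another byte, not a terminator. */
typedef struct {
    const unsigned char *data;
    size_t len;
} asn1_string;

/* Vulnerable matcher: treats the name as a C string, so everything after
 * an embedded NUL is ignored and the name "matches" the victim's host. */
bool naive_name_matches(const asn1_string *cn, const char *host)
{
    return strcmp((const char *)cn->data, host) == 0;
}

/* Hardened matcher: rejects any name containing a NUL (a hostname never
 * legitimately has one) and compares the full ASN.1 length. */
bool safe_name_matches(const asn1_string *cn, const char *host)
{
    size_t hostlen = strlen(host);
    if (memchr(cn->data, '\0', cn->len) != NULL)
        return false;                 /* embedded NUL: reject outright */
    if (cn->len != hostlen)
        return false;
    return memcmp(cn->data, host, hostlen) == 0;
}

/* Constructed samples (hypothetical names, not real certificates). */
static const unsigned char forged_bytes[] = "bank.example\0.attacker.example";
static const unsigned char honest_bytes[] = "bank.example";
const asn1_string forged_name = { forged_bytes, sizeof(forged_bytes) - 1 };
const asn1_string honest_name = { honest_bytes, sizeof(honest_bytes) - 1 };

int main(void)
{
    const char *host = "bank.example";
    printf("naive matcher accepts forged name:    %s\n",
           naive_name_matches(&forged_name, host) ? "yes" : "no");
    printf("hardened matcher accepts forged name: %s\n",
           safe_name_matches(&forged_name, host) ? "yes" : "no");
    printf("hardened matcher accepts honest name: %s\n",
           safe_name_matches(&honest_name, host) ? "yes" : "no");
    return 0;
}
```

The same length-aware comparison applies to subjectAltName entries, which carry their length the same way.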
Signing off from Las Vegas, Antti
P.S. If you are attending, don't miss Mikko's talk on the Conficker worm on Thursday afternoon!