Here we go! Last half-day, which started with “Browser Rootkits” presented by Julien Lenoir and Christophe Devaux (both from Sogeti). As already said yesterday, browsers are now fully part of the user's desktop and installed by default. They presented the rootkits they developed for Internet Explorer and Firefox! First idea: “browsers are getting so complex that they can be considered operating systems” (the same comparison was already made yesterday). The Firefox rootkit (an extension) was analyzed first. It was based on a XUL file. The first goal is to get the user to install the fake extension (social engineering, P2P, email, …). Christophe showed how to install the extension in Firefox and hide it from the user. As with other rootkits, communication with the control center (a web server) was based on HTTP(S), which firewalls generally allow. Using XPCOM, the extension could make the browser access restricted information and perform malicious actions. A demo was performed with two VMs: one running the victim browser and the other acting as the control center. Impressive how easy it was to get user data via HTTP traffic between the victim and the control center, even a cmd.exe! Christophe’s conclusions: there is no security at all for Firefox extensions, and malicious extensions are very easy to write!
Back to Internet Explorer with Julien. He first reviewed the five well-known security zones available in IE. They are based on flags (ACTION_FLAGs and SECURITY_FLAGs), and the security policies are built on those flags. The IE rootkit was not based on a BHO (Browser Helper Object). Why? Because they are signed, leave traces in the Registry and require a high privilege level. An injector was required to get around those problems. To gain privileges, Julien used Security Manager cache poisoning; a hook in the Security Manager was needed to keep the cache corrupted. The malicious website was not placed in an existing zone: a new one was created (invisible to the end user, of course). The pages loaded from the malicious site were executed in an invisible tab. The rootkit used JavaScript and AJAX and was able to create, read, write and delete files and registry keys, and to create processes. Julien ended with a demo. The injector was a binary sitting on the desktop, but it could be sent to the victim like any other malicious code (P2P, e-mail, IM, …). As with Firefox, once the rootkit is installed in IE, the attacker has full control of the victim's environment. It looked so easy!
Next, Halvar Flake and Sebastian Porst (from Zynamics) presented various ways of automatically classifying malware. Why? In the past the motivation was not only economical (e.g. notoriety). Today, malware is written not for fun but for profit! What about AV? It uses signatures (as seen yesterday), but malware authors can bypass them: they just change one single byte covered by the signature (off-line polymorphism). Malware classification was developed to fight those problems. Behavioral classification is based on a “sequence of events” (file creations, network accesses, …). A second approach is based on n-grams or n-perms (vector-based classification). The third approach explained was basic block distance. Finally, structural classification was reviewed: the goal is not to see a program as a sequence of bytes but to analyze it and look at the way actions are performed. Zynamics has a product called BinDiff which performs program analysis based on the classification reviewed during the presentation. The method presented here is breakable! But the main goal is to force malware authors to spend time (read “money”) and “brains” finding ways to defeat the solution, instead of simply recompiling their code.
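To make the difference between a signature and the vector-based approach concrete, here is an added example (my own code, not from the talk and not Zynamics' BinDiff or any other tool of theirs). It builds byte 3-gram count vectors and compares them with a weighted Jaccard similarity; the "binaries" (ORIGINAL, its one-byte variant PATCHED, and UNRELATED), the signature bytes and the 0.6 threshold are all constructed for the demo. The exact-bytes signature breaks as soon as one byte inside it changes, while the n-gram similarity of the patched sample stays high.

```python
"""Byte n-gram classification vs. an exact signature (added example, constructed data)."""
from collections import Counter
from typing import Dict, Optional, Tuple

# Constructed sample: a handful of x86-looking bytes standing in for a malware function.
ORIGINAL = bytes.fromhex(
    "5589e583ec10c745fc00000000817dfc0f2700007f1d8b45fc8d50018955fcebe1c9c3"
)

# Constructed AV-style signature: the 'cmp dword [ebp-4], 0x270f' bytes at offset 13.
SIGNATURE = bytes.fromhex("817dfc0f270000")

# Off-line polymorphism: the author flips a single byte inside the signature
# (the immediate 0x270f becomes 0x260f) and recompiles nothing else.
_patched = bytearray(ORIGINAL)
_patched[17] = 0x26
PATCHED = bytes(_patched)

# Constructed unrelated sample for contrast (bytes stepping by 7, repeated).
UNRELATED = bytes(range(0, 256, 7)) * 2

# Constructed reference set: one known family, represented by its reference bytes.
FAMILIES: Dict[str, bytes] = {"constructed-family": ORIGINAL}


def signature_match(sample: bytes, signature: bytes = SIGNATURE) -> bool:
    """Classic signature check: the exact byte string must appear in the sample."""
    return signature in sample


def ngrams(data: bytes, n: int = 3) -> Counter:
    """Feature vector of a sample: counts of every overlapping n-byte window."""
    return Counter(data[i:i + n] for i in range(len(data) - n + 1))


def jaccard(a: Counter, b: Counter) -> float:
    """Weighted Jaccard similarity of two count vectors, from 0.0 (disjoint) to 1.0 (identical)."""
    keys = set(a) | set(b)
    inter = sum(min(a[k], b[k]) for k in keys)
    union = sum(max(a[k], b[k]) for k in keys)
    return inter / union if union else 0.0


def classify(sample: bytes, families: Dict[str, bytes] = FAMILIES,
             n: int = 3, threshold: float = 0.6) -> Tuple[Optional[str], float]:
    """Return the closest family (or None if nothing reaches the threshold) and its score."""
    feats = ngrams(sample, n)
    best_name, best_score = None, 0.0
    for name, reference in families.items():
        score = jaccard(feats, ngrams(reference, n))
        if score > best_score:
            best_name, best_score = name, score
    return (best_name if best_score >= threshold else None), best_score


if __name__ == "__main__":
    for label, sample in (("original", ORIGINAL), ("patched", PATCHED), ("unrelated", UNRELATED)):
        print(f"{label:9s} signature={signature_match(sample)!s:5s} "
              f"classify={classify(sample)}")
```

Changing one byte removes only the three 3-grams that overlap it (and adds three new ones), so the patched sample still scores 30/36 against its family while the signature no longer matches; the unrelated sample shares no 3-gram at all. This is also why the speakers called the method breakable: an author who reorders or rewrites code rather than flipping bytes pushes the score down, which is exactly the extra effort the approach is meant to impose.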
Finally, F.W.J. Geelkerken (aka “Frank”) discussed TOR servers and the DRD. First, Frank spoke about the “Data Retention Directive” (DRD). He pointed out some problems in the definitions used by the DRD: what is “data”? What is “publicly available”? (Important for lawyers.) The DRD is good in some cases (detecting on-line criminal activity, easier investigation and easier prosecution), but on the other side it also makes monitoring of users' activity easier and can violate privacy. Some TOR background was presented: a mix network with reordering, padding and delaying. Frank explained how TOR works in practice (multiple layers of encryption, a chain of servers (nodes), alternate chains). TOR is a good tool for daily privacy (home users), for companies or governments that want to protect their data, or to escape censorship in countries where the Internet is filtered (China or Belarus), but… it is also used by bad guys (computer crime or suspicious activity). TOR cannot be controlled! Then, Frank tried to explain how TOR could be regulated via four modalities: social norms, market, architecture or law. Good presentation with a mix of technical and legal information.
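The “multiple encryption” over a “chain of nodes” is easier to see in code than on a slide, so here is an added example of my own (not from Frank's talk and not Tor's code). It wraps a message in one layer per relay and lets each relay peel exactly one layer, so a relay learns only its next hop. Everything below is a simplification and is labelled as such in the comments: a SHA-256 counter-mode stream cipher stands in for Tor's AES-CTR, the relay names and keys are constructed (real Tor negotiates a fresh key with each hop), and layers shrink by a fixed header instead of filling fixed-size cells.

```python
"""Onion (layered) encryption over a chain of relays (added example, constructed keys)."""
import hashlib
from typing import List, Tuple

HOP_LEN = 16  # fixed-width next-hop field at the front of every layer

Circuit = List[Tuple[str, bytes]]  # [(relay name, key shared between client and that relay), ...]


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: SHA-256 in counter mode, XORed over the data.
    Stands in for Tor's AES-CTR; encrypt and decrypt are the same operation.
    Each key is used for one layer of one onion only, reuse would be insecure."""
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(d ^ k for d, k in zip(data, out))


def make_circuit(*names: str) -> Circuit:
    """Constructed keys derived from the relay name; Tor instead derives them from
    a Diffie-Hellman handshake performed with each relay when the circuit is built."""
    return [(name, hashlib.sha256(b"constructed-key:" + name.encode()).digest()) for name in names]


def _pad_hop(name: str) -> bytes:
    raw = name.encode()
    if len(raw) > HOP_LEN:
        raise ValueError("hop name too long")
    return raw.ljust(HOP_LEN, b"\0")


def build_onion(circuit: Circuit, destination: str, payload: bytes) -> bytes:
    """Client side: wrap the payload once per relay, innermost layer for the exit."""
    inner = payload
    for i in range(len(circuit) - 1, -1, -1):  # walk the chain backwards
        _, key = circuit[i]
        next_hop = circuit[i + 1][0] if i + 1 < len(circuit) else destination
        inner = keystream_xor(key, _pad_hop(next_hop) + inner)
    return inner


def peel(key: bytes, onion: bytes) -> Tuple[str, bytes]:
    """Relay side: strip this relay's layer; all it learns is where to forward the rest."""
    plain = keystream_xor(key, onion)
    next_hop = plain[:HOP_LEN].rstrip(b"\0").decode()
    return next_hop, plain[HOP_LEN:]


def route(circuit: Circuit, onion: bytes) -> Tuple[List[str], bytes]:
    """Simulate forwarding along the chain; returns the hops taken and what the destination receives."""
    path, current = [], onion
    for name, key in circuit:
        next_hop, current = peel(key, current)
        path.append(f"{name}->{next_hop}")
    return path, current


def relay_view(circuit: Circuit, onion: bytes, index: int) -> Tuple[str, bytes]:
    """What relay number `index` sees after the earlier relays have done their job."""
    current = onion
    for _, key in circuit[:index]:
        _, current = peel(key, current)
    return peel(circuit[index][1], current)


CIRCUIT = make_circuit("guard", "middle", "exit")
ALTERNATE = make_circuit("guard2", "middle2", "exit2")  # an alternate chain to the same destination

if __name__ == "__main__":
    onion = build_onion(CIRCUIT, "example.org", b"GET / HTTP/1.0")
    print(route(CIRCUIT, onion))
    print("middle relay sees:", relay_view(CIRCUIT, onion, 1))
```

The middle relay's view shows the point of the construction: it gets the name of the exit and an opaque blob, and neither the destination nor the request appears anywhere before the exit removes the last layer. Swapping CIRCUIT for ALTERNATE changes every ciphertext but delivers the same payload, which is the “alternate chains” part of the talk.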
That’s all folks! It’s now time for a drink and a closing speech by Jeannot Krecké, Minister of the Economy and Foreign Trade.