ZeroNights 2012: did you want hardcore?


    ZeroNights 2012, like last year, is held with the support and participation of Yandex. We are very glad to cooperate again with such a well-known company. The other day, Yandex launched a program called “Bug Hunting” that rewards researchers for vulnerabilities found in its web services and mobile applications. We are proud to note that this is the first software developer in the post-Soviet space to take such a responsible attitude to the security of its products. The first results of the program will be announced at ZeroNights 2012, which, as before, will bring together the most interesting and relevant developments in the world of information security in Russia.

    We are also pleased to announce that the Bear Hostels hostel network provides conference attendees with a 10 percent discount. We are waiting for you, whatever city you live in!

    More good news: because we were able to optimize the conference budget somewhat, the ticket price for individuals is now 7,000 rubles. RISSPA and DEFCON Group members are eligible for a 10 percent discount.

    We have also removed the limit on the number of registrations at the student rate. Recall that from October 1, the cost of participation for students and graduate students is 1,900 rubles. The student package includes attending the conference, including all workshops, participating in contests with prizes, and coffee breaks.

    New talks

    Reverse Analysis and Reconstruction of the Object-Oriented Win32/Flamer Architecture

    In the main program, the great and terrible (:)) Alexander Matrosov, together with Evgeny Rodionov (Russia), will talk about the internals of Flamer without unnecessary chatter.

    In this talk you will not find mention of the exposure of government structures involved in the development of Win32/Flamer, nor various conspiracy theories about cyber weapons. The talk examines approaches to reverse engineering malware with an object-oriented architecture, using one of the most complex threats in the history of the anti-virus industry as an example. Using Win32/Flamer as that example, the authors will present a technique they developed while analyzing such complex threats as Stuxnet, Duqu and Festi. The presentation will cover the problems encountered during the analysis of these threats and ways to solve them using Hex-Rays tools. The authors will also present the results of their research,

    Applied anti-forensics: rootkits, kernel vulnerabilities and all-all-all

    Dmitry Oleksyuk aka Cr4sh (Russia) will shatter your idea of advanced rootkit techniques and will also enlighten the audience on the use of rootkits in targeted attacks.

    Currently, the most widely known rootkits are those used in mass-distributed malware. However, rootkits are also used in targeted attacks, which is why rootkit technologies can be divided into two large groups. The main difference between the rootkits used in targeted attacks and their mass-market counterparts is that they must not only keep the compromise from being detected during the system's daily operation (remain invisible to the user and to antivirus programs), but also be as hard as possible to detect when the system is examined by highly qualified forensic experts.

    This talk will examine the following issues in detail:
    • The main approaches to detecting malicious code when examining a compromised system.
    • Practical aspects of implementing rootkits for use in targeted attacks.
    • Demonstration of proof-of-concept rootkits that use interesting techniques to hide and execute code in ring0.
    • Detection methods for the concepts considered in the talk.

    PS: The information presented to the public is not yet another useless piece of research of the form “a new way to hook some junk in the OS kernel”. The main goal of the speaker is to demonstrate examples and results of an integrated approach to developing sophisticated malicious code.

    Mac OS X Malware Overview

    For some time now, Apple has stopped boasting about the absence of viruses in its products, and with the help of Ivan Sorokin (Russia) you can learn more about this.

    To date, according to the Dr.Web classification, there are about 20 varieties of malware for the Mac OS X operating system. The talk presents a comparative analysis of their main representatives, using various aspects as comparison criteria, from the purpose of the malicious program to the distinguishing features of each threat family.

    How to steal from a thief: breaking IonCube VM and reversing exploit builds

    Speaker: Mohamed Saher (USA).

    An exploit kit is a set of malicious programs typically used to perform automated drive-by attacks for the further spread of malware. Such a kit can be bought on the black market (mainly from Russian cybercriminals) for a few hundred to a couple of thousand dollars, or even more. Recently it has also become common practice to rent exploit packs hosted on a specific server. Thus a competitive market has formed, with many players and many different authors. A few years ago MPack appeared, one of the first such tools. It was soon followed by ICE-Pack, Fire-Pack and many others. Well-known modern exploit packs include Eleonore, YES Exploit Pack and Crimepack.

    To protect their exploit kits, cybercriminals use solutions that translate the source code into bytecode (virtualized and obfuscated). The bytecode is then encoded and passed to a loader, which serves it through a PHP page. Exploit kits that are sold are also protected by a strict licensing policy that prohibits copying and distribution.

    In my talk I will describe how ionCube’s copy protection system is used to protect exploit kits. I will also show how to crack this protection and restore the source code of the exploit, as well as how to find out which IP addresses are associated with a specific license for an exploit kit.

    Plan:
    • Understanding the copy protection (virtual machine architecture)
    • VM internals
    • VM options
    • What's under the hood of the VM (decoding and deobfuscation)
    • Cracking the license encryption algorithm
    • Obtaining license information from the VM header
    • Conclusions

    The most sophisticated copy protection systems are based on virtualization technologies, and there is little public information on the practical de-obfuscation of real protections, so we strongly recommend that you pay attention to this talk.

    Security of modern payment technologies: EMV, NFC, etc.?

    Here you can hear the terrible truth about the security of modern payment technologies from Nikita Abdullin (Russia), a person who has studied the work of the entire chain “client - card - terminal - acquirer - MPS - issuer - money - issuer - acquirer - terminal - product/service/money - client” at all levels, from hardware to accounting.

    Have you ever thought about the reliability and security of the high-tech payment instruments that live in your wallet and pockets? It's time to find out: the talk discusses the security aspects of modern electronic payment technologies from the “real world”: EMV microprocessor bank cards and payment solutions based on devices with NFC (Near Field Communication) support. The principles of operation of these technologies will be described, and both previously known and new attack vectors, countermeasures, forecasts and analysis will be considered.

    Fast track

    Fast track allows young information security enthusiasts to present a study within 15 minutes.

    Kirill Samosadny (Russia) will talk about using the potential of Flash banner networks to carry out massive CSRF attacks.
    Fedor Yarochkin (Taiwan), Vladimir Kropotov (Russia) and Vitaly Chetvertakov (Russia) will give a brief overview of mass malware distribution campaigns in 2012. Emphasis will be placed on techniques for bypassing automatic detection of dangerous content on compromised servers.

    Read more: 2012.zeronights.ru/fasttrack

    Workshops

    Random numbers. Take two

    The workshop from Russian experts Arseny Reutov, Timur Yunusov and Dmitry Nagibin (Russia) is dedicated to attacks on the random number generator in PHP.

    An analysis of the work of George Argyros and Aggelos Kiayias presented at BlackHat 2012 revealed that the pseudo-random number generators used in PHP are very much “pseudo”. As a result, a set of tools was created to implement attacks on session generators and other security elements in PHP. Exploits were also prepared for carrying out this type of attack on the latest versions of various popular web applications.

    The workshop will feature:
    • a theoretical treatment of the mechanisms for creating sessions and for initializing/using the pseudo-random number generator in various versions of PHP;
    • a practical implementation of attacks that guess random password reset tokens and random new passwords, and the PHPSESSID Seed Bruteforce utility, which attacks the random number generator;
    • vulnerabilities in the latest versions of the web applications UMI.CMS, OpenCart and Data Life Engine;
    • recommendations for developers on how to avoid such problems.
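    As an added illustration of the last point (this is not code from the workshop or from the page), the snippet below contrasts a password reset token derived from PHP's mt_rand(), which is reproducible by anyone who learns the 32-bit seed, with one drawn from the operating system's cryptographically secure source; the function names and the seed value are constructed for the example.

```php
<?php
// Added example, not from the ZeroNights page or the workshop authors.

// Weak: a reset token built from mt_rand(). The generator is fully determined
// by a 32-bit seed, so once that seed is known (leaked, guessed or exhausted)
// every token it produced can be regenerated exactly.
function weak_reset_token(int $seed): string {
    mt_srand($seed);   // the application (or PHP's auto-seeding) picks from a small space
    $token = '';
    for ($i = 0; $i < 32; $i++) {
        $token .= dechex(mt_rand(0, 15));   // each hex digit follows deterministically
    }
    return $token;
}

// Hardened: draw the token from the OS CSPRNG. random_bytes() needs PHP >= 7.0;
// on PHP 5 use openssl_random_pseudo_bytes() and check its $crypto_strong flag.
function strong_reset_token(): string {
    return bin2hex(random_bytes(16));   // 128 bits of entropy, not derivable from any seed
}

// Verify a submitted token against the stored one in constant time (PHP >= 5.6),
// so that the comparison itself does not leak information about the stored value.
function token_matches(string $stored, string $submitted): bool {
    return hash_equals($stored, $submitted);
}

$seed = 1352323200;   // constructed value standing in for an auto-chosen 32-bit seed
$issued = weak_reset_token($seed);
$regenerated = weak_reset_token($seed);
echo "weak token reproducible from seed: ", var_export($issued === $regenerated, true), "\n";

$a = strong_reset_token();
$b = strong_reset_token();
echo "two strong tokens identical: ", var_export($a === $b, true), "\n";
echo "strong token verifies against itself: ", var_export(token_matches($a, $a), true), "\n";
```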

    Advanced Exploit Development (x32). Browser edition

    You will find a fascinating practical excursion into the world of exploits under Windows 7 with our guide, Alexey Sintsov (Moon). After only 5 hours you will understand the development of working exploits for Windows 7, in particular for the IE9 browser, from “A” to “Z”.

    The browser is a window into the world of the Internet, so it is not surprising that various unsavory elements climb directly into our home through that window. This course is intended for those who want to understand how these elements penetrate the house by exploiting vulnerabilities in the browser (or its plug-ins), such as buffer overflows or use-after-free bugs. It will also examine in detail how the various defense mechanisms that are supposed to prevent penetration work and how they are tricked. We will study typical attacks on OS and software defense mechanisms such as DEP / ASLR / SafeSEH / GS, consider the HeapSpray technique and execute arbitrary code bypassing all protections! All attacks and exploits will be reproduced by the participants during the workshop, which will allow them to independently assess the threats and the real possibilities of such attacks.

    The program includes:
    • Typical browser problems (using IE and its plugins as an example)
      • What is a BoF, and how to take control?
        • Ret
        • SEH
        • vTable
      • How does exploiting plug-in vulnerabilities differ from exploiting vulnerabilities in the browser itself?
    • Exploitation specifics (how it differs from server software and other browsers)
      • HeapSpray in IE9
      • Defense bypass
      • Vanilla DEP (IE6-7)
      • Bypassing permanent DEP + ASLR (if there is a module without ASLR support)
      • ROP (StackPivot)
      • GS + DEP + ASLR
      • SafeSEH + GS + DEP + ASLR
      • Bypassing ASLR (even if all modules support ASLR!)
    • What is a UaF, and how to take control?
      • What stops a UaF?
    • Differences from Firefox / Opera / Safari / Chrome
    At every key stage calc.exe will be popped, that is, participants will bypass the defensive methods themselves and build the exploits; for this, the necessary details and the essence of the attacks will be analyzed in detail.

    The participant will receive:
    • Principles of exploiting vulnerabilities in the IE browser
      • Stack buffer overflow
      • Use-after-free
    • Practical browser exploitation skills
    • Understanding of how the advanced defense mechanisms of MS Windows 7 work
      • DEP / Permanent DEP
      • ASLR
      • Stack canary
      • SafeSEH
    • How to bypass such protection
    • Skills for working with the Immunity Debugger and the mona.py plugin

    RFID: Jokers up the sleeve

    Kirill Salamatin aka Del (Russia) and Andrey Tsumanov (Russia) will present a 4-hour workshop in which they will teach visitors how to manipulate contactless cards and how to protect themselves from such manipulations. The sniffer jacket and much more can be touched and tested in action!


    The program includes:
    • The world of contactless cards
      • Areas of use today and in the future
      • Let us respect Art. 187 and Art. 159 of the Criminal Code
      • Examples of poorly designed systems (ski and water parks, entertainment centers, transportation systems)
      • What mistakes system developers make
      • Minimum protection against cloned cards
      • Practical tips for protecting access control systems (ACS) from clones

    • Means of covertly reading card data at a distance without authorization
      • Stand-alone EM-Marine cloner: live demonstration
      • EM-Marine antenna for reading at a distance of a meter: shown in a picture
      • Conventional ACR122U reader: easily concealed if desired
      • The sniffer jacket, the highlight of the program: we will let you touch it and show it in action

    • Protection against unauthorized card readers
      • What solutions are on the market?
      • Shielding covers for a biometric passport: live demonstration
      • Shielding holders for contactless cards: we will also show them if they manage to arrive
      • Do-it-yourself “Faraday cage” for contactless cards: see for yourself that it works

    • Manipulating 125 kHz cards
      • Just read it
      • Just write it
      • Multiple cards in one device
      • The main problem with using EM-Marine

    • Manipulating Mifare Classic cards
      • Specialized emulator devices
      • JCOP31 dual smart cards. How can they help an attacker?
      • Reader emulation
      • NFC-enabled communicators
      • Software and hardware for manipulations
      • Mifare Classic card hacking toolkit
      • Getting the keys from a Mifare Classic card: demo

    • Mifare Zero
      • Cards rewritable at the manufacturer level
      • What they are
      • Overview of the writing software
      • Demonstration of the result
      • ACS-level clone defenses

    We are waiting for you in Infospace on November 19 and 20!
