Thursday 25 September 09:30-10:00, Red room.
Eugene Rodionov ESET
Aleksandr Matrosov Intel
David Harley ESET
Bootkit threats have always been a powerful weapon in the hands of cybercriminals, allowing them to establish a persistent and stealthy presence on their victims' systems. The most recent notable spike in bootkit infections was associated with attacks on 64-bit versions of the Microsoft Windows platform, which restrict the loading of unsigned kernel-mode drivers. However, these bootkits are not effective against UEFI-based platforms. So, are UEFI-based machines immune to bootkit threats (or would they be)?
The aim of this presentation is to show how bootkit threats have evolved over time and what we should expect in the near future. Firstly, we will summarize what we've learned about the bootkits seen in the wild targeting the Microsoft Windows platform: from TDL4 and Rovnix (which was used by the Carberp banking trojan) up to Gapz (which employs one of the stealthiest bootkit infection techniques seen so far). We will review their infection approaches and the methods they have employed to evade detection and removal from the system.
Secondly, we will look at the security of the increasingly popular UEFI platform from the point of view of the bootkit author, as UEFI is becoming a target of choice for researchers in offensive security, and proof-of-concept bootkits targeting Windows 8 on UEFI have already been released. We will focus on various attack vectors against UEFI, discuss the tools available, and outline what measures should be taken to mitigate them.
Eugene Rodionov graduated with honours from the Information Security faculty of the Moscow Engineer-Physics Institute (State University) in 2009 and successfully defended his Ph.D. thesis in 2012. He has worked over the past five years for several companies, performing software development and malware analysis. He currently works at ESET, where he performs in-depth analysis of complex threats. His interests include kernel-mode programming, anti-rootkit technologies, reverse engineering and cryptology. Eugene has spoken at security conferences such as REcon, Virus Bulletin, Zeronights, CARO and AVAR, and has co-authored numerous research papers.
Alexander Matrosov has more than ten years of experience in malware analysis, reverse engineering and advanced exploitation techniques. He currently holds a Senior Security Researcher position in the Advanced Threat Research team at Intel. For the four years before that, he focused on advanced malware research at ESET. He is co-author of numerous research papers, including 'Stuxnet Under the Microscope', 'The Evolution of TDL: Conquering x64' and 'Mind the Gapz: The most complex bootkit ever analyzed?'. He is frequently invited to speak at security conferences such as REcon, Ekoparty, Zeronights, AVAR, CARO and Virus Bulletin. He now specializes in the comprehensive analysis of complex threats, modern exploitation vectors and hardware security research.