Friday 6 October 10:00 - 10:30, Red roomNelson Murilo Rufino (Pangeia)
Chkrootkit will be 20 years old in 2017. The first chkrootkit release was in 1997 and was written by a friend of mine, Klaus (CERT.br team), and me.
Chkrootkit is a suite of posix shell scripts and some tools written in ansi C, which runs in virtually all Unix environments without dependencies. It is able to detect several rootkits, malicious activity (some APTs included), and can perform post mortem forensic analysis to detect kernel module activities and similar. The tool currently detects around 70 known rootkits, worms and many malicious activities.
In this presentation I will discuss the features and methods used to detect rootkits and malware in general, the tool's limitations, and things that can be done to improve it. Chkrootkit is a open-source tool, so suggestions are always welcome. There is no other tool like chkrootkit - all similar tools are able to run only on Linux machines, whereas chkrootkit can run in almost all Unix environments.
Nelson Murilo has been working as a network security analyst since 1992. He is the author of two network security books in Portuguese and a regular contributor to the Brazilian Computer Emergency Response Team's published papers (security guides and technical papers).
Nelson is the author of open source security tools including:
He is a regular speaker both at events in Brazil and at international conferences such as Defcon, Thotcon, SAS Kaspersky, Ekoparty, MS Bluehat and Auscert.
Tiberius Axinte (Bitdefender)
This paper provides an in-depth analysis of the macOS version of the APT28 component known as XAgent. We will dissect the…
John Graham-Cumming (Cloudflare)
In February 2017, Cloudflare was revealed to have been leaking private information including HTTP headers, cookies and POST data…
Juan Andres Guerrero-Saade (Kaspersky Lab)
Costin Raiu (Kaspersky Lab)
Attribution is complicated under the best of circumstances. Sparse attributory indicators and the possibility of overt…