Graphology of an exploit - hunting for exploits by looking for the author's fingerprints

Thursday 1 October 09:00 - 09:30, Green room

Itay Cohen (Check Point Research)
Eyal Itkin (Check Point Research)



Zero-days that are exploited in the wild always gain a lot of attention, and rightly so. But while the malware authors usually get all the credit, the exploit writers – those who work hard to find a vulnerability and develop their top-notch exploit – often remain out of the spotlight.

In the past months, our vulnerability and malware research teams joined efforts to focus on the exploits inside malware and, specifically, on the exploit writers themselves. Starting from a single incident response case, we built a profile of one of the most active exploit developers for Windows. Up until now, we managed to track down more than 10(!) of their Windows Kernel (LPE) exploits, most of which were zero-days at the time of development.

Just as programmers leave their fingerprints in their code, so do exploit developers. This allowed us to apply the same techniques we use to track and attribute malware authors and APT groups to draw a digital composite sketch of the exploit writer.

Join us as we follow our developers’ footsteps and watch their learning curve – starting from selling their 1-day exploits to criminal groups to eventually selling 0-days to nation-state APTs. We will also explain our process of converting exploit artifacts into more samples, identifying the author’s template, and briefly go over the distribution and business model of the attacker. The talk will demonstrate how exploits can be used to track their authors and give a technical peek into the world of in-the-wild exploits.


Itay Cohen

Itay Cohen (aka Megabeets) is a security researcher and reverse engineer in the malware and vulnerability research group at Check Point Research. Itay has vast experience in malware reverse engineering and other security-related topics. He is the author of https://megabeets.net, a security blog focused on making advanced security topics accessible for free.

Itay is a core developer of the open-source reverse engineering framework radare2 and the maintainer of Cutter, radare2’s official GUI. In his free time, he loves to participate in CTF competitions and to contribute to open-source projects.

@megabeets_


Eyal Itkin

Eyal Itkin is a vulnerability researcher in the malware and vulnerability research group at Check Point Research. Eyal has an extensive background in security research that includes years of experience in embedded network devices and protocols, bug bounties from all popular interpreter languages, and an award by Microsoft for his CFG enhancement white paper. When not breaking RDP or FAX, he loves bouldering, swimming, and thinking about the next target for his research.

@EyalItkin
