ZeroNights 2012: Do you want hardcore?

ZeroNights 2012, as in the past year, is held with the support and participation of Yandex. We are very happy to work with such a famous company again. The other day, Yandex has opened a program to reward researchers for found vulnerabilities in web services and mobile applications called “ Hunting for bugs ”. We are proud to note that this is the first software developer in the post-Soviet space who reacted so responsibly to the security of its products. The first results of the program will be announced at ZeroNights 2012, which, as before, will concentrate in itself all the most interesting and relevant information from the world of information security in Russia.

We are also pleased to announce that the network of hostels Bear Hostels provides conference visitors with a 10% discount. We are waiting for you to visit, in whatever city you live!
')
Another good news: thanks to the fact that we were able to somewhat optimize the conference budget, the cost of tickets for individuals is now 7,000 rubles. RISSPA and DEFCON Group members are eligible for a 10 percent discount.

We also removed the restriction on the number of registrations at the student rate. Recall that from October 1, the cost of participation for undergraduate and graduate students is 1900 rubles. The student package includes attendance at the conference, including all the workshops, participation in competitions with prizes, as well as coffee breaks.

New reports

Reverse analysis and reconstruction of the Win32 / Flamer object-oriented architecture

In the main program, the great and terrible (:)) Alexander Matrosov together with Evgeny Rodionov (Russia) will talk about the insides of Flamer without any idle talk.

In this report, you will not find any mention of exposing government structures involved in the development of Win32 / Flamer, as well as various conspiracy theories on the subject of cyber weapons. The report will discuss approaches to reverse analysis of malicious software that has an object-oriented architecture, using the example of one of the most complex threats since the anti-virus industry. On the example of Win32 / Flamer, the technique developed by the authors in the process of analyzing such complex threats as Stuxnet, Duqu and Festi will be presented. The presentation will present the problems encountered in the process of analyzing these threats and the ways to solve them using the tools from Hex-Rays. Also, the authors of the report will present the results of their research on the reconstruction of the object-oriented platform on the basis of which Win32 / Flamer was developed, and demonstrate its relationship with Stuxnet / Duqu / Gauss at the level of code and architecture.

Applied anti-forzics: rootkits, kernel vulnerabilities and all-all

Dmitry Oleksyuk aka Cr4sh (Russia) will break your understanding of advanced rootkit techniques, including enlighten the audience on the use of rootkits in targeted attacks.

Currently, the most widely known rootkits are used in malicious programs of mass distribution. However, they are also used in targeted attacks, which is why rootkit technologies can be divided into two large groups. The main difference between rootkits used in targeted attacks and their more massive counterparts is that they should not only prevent the system from being compromised in its daily operation mode (remain invisible to the user and anti-virus programs), but also have the qualities that would make it difficult for a rootkit to be detected when it is targeted by highly qualified forensic experts.

This report will discuss in detail the following questions:

• The main approaches to the detection of malicious code in the study of a compromised system.
• Practical aspects of the implementation of rootkits for use in targeted attacks.
• Demonstration of conceptual rootkits using interesting techniques for hiding and executing code in ring0.
• Ways of detecting the concepts considered during the report.

PS The information that will be presented to the public is not just another useless research like "a new way of intercepting some garbage in the OS kernel." The main objective of the speaker is to demonstrate examples and results of an integrated approach to the development of complexly detectable malicious code.

Malware Review for Mac OS X

For some time now, Apple has stopped boasting of the absence of viruses in its products, and with the help of Ivan Sorokin (Russia) you can learn more about this.

Currently, Dr.Web has about 20 types of malware for the Mac OS X operating system. The report presents a comparative analysis of key representatives. At the same time, various aspects are considered as criteria for comparison, ranging from the purpose of the malicious program to the distinctive features of each threat family.

How to steal from a thief: break IonCube VM and reverse exploit assemblies

Speaker: Mohamed Saher (USA).

An exploit kit is a collection of malicious programs that are usually used to perform automated driveby attacks in order to further spread viruses. Such a kit can be bought on the black market (mainly from Russian cybercriminals) for prices ranging from a few hundred to a couple thousand dollars and even more. Recently, renting exploit packs located on a particular server has also become a common practice. Thus, a competitive market has emerged with many players, including many different authors. A few years ago, MPack appeared - one of the first such tools. Soon it was followed by the ICE-Pack, Fire-Pack and many others. Among the well-known modern exploit packs - for example, Eleonore, YES Exploit Pack and Crimepack.

To protect their exploit kits, cybercriminals use solutions to translate source code into bytecode (virtualized and obfuscated). It is then encoded and transmitted to the loader, which distributes it through a PHP page. Sold exploit kits are also protected by a strict licensing policy that prohibits copying and distribution.

In my talk I will talk about how the ionCube copy protection system is used to protect exploit kits. I will also show how to crack this protection and restore the source code of the exploit, as well as how to figure out which IP addresses are tied to a specific exploit license.

Plan:

• Understanding Copy Protection (Virtual Machine Architecture)
• VM interiors
• VM settings
• What does VM have under the hood (decoding and deobfuscation)
• Hacking a license encryption algorithm
• Retrieving license information from a VM header
• findings

The most complex copy protection systems are based on virtualization technologies, and there is little public information on practical deobfuscation of real protections, so we strongly recommend that you pay attention to this report.

Security of modern payment technologies: EMV, NFC, etc.?

Here you can hear the terrible truth about the security of modern payment technologies performed by Nikita Abdullin (Russia) - a person who has studied the work of the entire chain “client - card - terminal - acquirer - MPS - issuer - money - issuer - acquirer - terminal - product / service / money is a client "at all levels from iron to accounting.

Have you ever thought about the reliability and security of high-tech means of payment that live in your wallet and pockets? The very time to find out about this - the report examines the security aspects of modern electronic payment technologies from the "real world": EMV microprocessor bank cards and payment solutions based on NFC-enabled devices (Near Field Communication). The principles of operation of these technologies will be described, and both previously known and new attack vectors and countermeasures, forecasts and analytics will be considered.

Fast track

Fast track allows young information security enthusiasts to give a presentation of the research within 15 minutes.

Kirill Samosadny (Russia) will talk about the use of the potential of Flash-banner networks for the implementation of massive CSRF-attacks.
Fedor Yarochkin (Taiwan), Vladimir Kropotov (Russia) and Vitaly Chetvertak (Russia) will present a brief overview of the mass malware distribution campaigns in 2012. Emphasis will be placed on the circumvention technique for automatically detecting the presence of dangerous content on compromised servers.

Read more: 2012.zeronights.ru/fasttrack

Workshops

Random numbers Take two

Workshop from Russian experts - Arseniy Reutov, Timur Yunusov and Dmitry Nagibin (Russia) - is dedicated to attacks on random number generator in PHP.

The analysis of the work of George Argyros and Aggelos Kiayias, presented at BlackHat 2012, revealed that pseudo-random number generators used in PHP are very “pseudo”. As a result, a set of tools was created to implement attacks on session generators and other security features in PHP. Exploits have also been prepared for carrying out this type of attack on the latest versions of various popular web applications.

During the workshop will be presented:

• theoretical calculations about the mechanisms of session creation and initialization / use of a pseudo-random number generator in different versions of PHP;
• the practical implementation of attacks to predict random password reset tokens and random new passwords, and the PHPSESSID Seed Bruteforce utility, which attacks the random number generator;
• vulnerabilities in the latest versions of web applications UMI.CMS, OpenCart, Data Life Engine;
• recommendations for developers to avoid such problems.

Advanced Exploit Development (x32). Browser Edition

You will find a fascinating practical excursion into the world of exploits under Windows 7 with our guide - Alexey Sintsov (Moon). Having spent only 5 hours of time, you will understand from “A” to “Z” in the development of combat exploits for Windows 7, in particular for the IE9 browser.

The browser is a window into the world of the Internet, so it is not surprising that various adverse elements climb through a window directly into our home. This course is designed for those who are interested in understanding how these elements penetrate the house, exploiting browser vulnerabilities (or its plug-ins), such as buffer overflow or memory use upon release. In addition, it will be discussed in detail how various defense mechanisms work and are deceived, which should prevent penetration. We will study typical attacks on OS protection mechanisms and software, such as DEP / ASLR / SafeSEH / GS, consider the HeapSpray technique and execute arbitrary code to bypass all defenses! All attacks and exploits will be reproduced by the participants during the workshop, which will allow them to independently assess the threats and the real possibilities of such attacks.

The program includes:

• Typical problems of the browser (for example, IE and its plug-ins)
  
  • What is a BoF, and how to take control?
    
    • RET
    • Seh
    • vTable
  • How does exploiting plugin vulnerabilities differ from exploiting browser vulnerabilities?
• Features of operation (what is different from the server software, other browsers)
  
  • HeapSpray in IE9
  • protection bypass
  • vanilla DEP (IE6-7)
  • permanent DEP + ASLR bypass (if there is a module without ASLR support)
  • ROP (StackPivot)
  • GS + DEP + ASLR
  • safeSeh + GS + DEP + ASLR
  • ASLR bypass (even if all modules support ASLR!)
• What is UaF, and how to take control?
  
  • What prevents uaf?
• Differences from Firefox / Opera / Safari / Chrome

At all key stages calc.exe will be obtained, that is, the participants themselves will bypass the protective methods and collect exploits - for this, the necessary details and the essence of the attacks will be analyzed in detail.

The participant will receive:

• Principles of exploitation of vulnerabilities in IE browser
  
  • Stack buffer overflow
  • Memory use after release
• Ability to create combat exploits for the browser
• Understanding of the principle of work of the advanced protective mechanisms of MS Windows 7
  • DEP / Permanent DEP
  • ASLR
  • stack canary
  • safeSEH
• How to bypass such protection
• Skills of working with Immunity Debugger and the mona.py plugin

RFID: Jokers in the sleeve

Kirill Salamatin aka Del (Russia) and Andrei Tsumanov (Russia) will present a 4-hour master class, where they will teach visitors to manipulate contactless cards and defend themselves against such manipulations. The jacket-sniffer and much more can be felt and tested in action!



The program includes:

• Contactless Card World
  
  • Areas of use today and in the future
  • Let's respect art. 187 and art. 159 of the Criminal Code
  • Examples of poorly designed systems (ski and water parks, entertainment centers, transportation systems)
  • What mistakes make system developers
  • Minimum card security from cloning
  • Practical tips for protecting an ACS from clones
  
  
• Means of hidden unauthorized reading data at a distance
  
  • Autonomous EM-Marine cloner - show in work
  • EM-Marine antenna for reading at a distance of a meter - show a picture
  • Traditional reader ACR122U - easily masked if desired
  • Jacket-sniffer - the nail of the program, let's touch and show in action
  
  
• Remedies for unauthorized card reading
  
  • What solutions exist on the market?
  • Screening covers for a biometric passport - show in work
  • Screening holders for contactless cards - also show if you have time to come
  • "Faraday cage" for contactless cards with your own hands - make sure that it works
  
  
• 125kHz card manipulation
  
  • Just count
  • Just write
  • Multiple cards in one device
  • The main problem of using EM-Marine
  
  
• Manipulations with Mifare Classic cards
  
  • Specialized emulator devices
  • Dual smart cards JCOP31. How can they help an attacker?
  • Reader emulation
  • Communicators with NFC
  • Soft and hardware for manipulations
  • Tools for hacking cards Mifare Classic
  • Getting keys from a Mifare Classic card - demo
  
  
• Mifare zero
  
  • Cards with rewritable manufacturer unit
  • What they are
  • Review software for writing
  • Demonstration of the result
  • Clone protection at the access control level

We are waiting for you in Infospace on November 19 and 20!