This workshop is an hands-on approach to introduces the participants to the basic exploitation techniques of scripting engines. The exercise will focus on real world examples around mruby, a lightweight Ruby interpreter easily customizable to limit or completely remove I/O operation and act as a sandbox. Through successful exploitation, the participants will be able to execute arbitrary native code from a ruby script, bypassing any restriction to the ruby APIs.
The participants will be guided to look for common vulnerability patterns, successfully set up their exploit and ultimately, get control of the instruction pointer to escape the mruby virtual machine. Finally, some defensive measure will be seen to harden the vulnerable engine and limit the side-effects of a successful exploit.
As banking fraud researchers, we take part in a never-ending chase after new configurations of banking malware. We strive to have the upper hand, by figuring out where the configurations are hidden and how they are encrypted. It can be quite thrilling, when a new version of the malware is released, encryption had changed, and the configuration must be decrypted before time runs out. We’d like to share this thrill, and teach useful skills that may come in handy when dealing with a variety of custom encryption algorithms used by malware authors. In many cases, cracking an encryption requires advanced skills in math and reverse engineering. But quite often malware authors create custom algorithm for data formatting and encryption, which can be overcome using a more intuitive skillset and methods. A great example is the encryption used by Dridex, which we shall use as a case study. In this workshop, lecturing will be kept to the necessary minimum and the major part of it will be dedicated to a hands-on guided process of analyzing raw encrypted data. We shall study the way it is encrypted, eventually formulating a simple method of decryption. Participants will gain an understanding of the process of researching an actual encryption method, acquire basic tools for addressing encrypted data of unknown format and enjoy the thrill of a live challenge.
The purpose of this workshop is to familiarize participants with assembly language. At the end of the workshop, participants will be able to understand shellcode and optimize it to avoid null bytes or blacklisted characters.
The workshop will show basics of x86_64 assembly using Intel syntax.
The workshop will begin with an overview of the various detection and automation mechanisms available in LimaCharlie.
Afterwards we will create Detections and Hunters for LimaCharlie that will automate the detection and investigation of specific malware samples (provided for the Workshop, attendees can also bring their own). Continue reading…