DC9723 December Meeting

When: 19 December 2017, from 19:00 to 22:00
Where: SafeBreach Offices in Tel-Aviv (Yosef Karo 18, 4th floor, Tel Aviv.)
Agenda:

Mystique & Automating Infection Marker Extraction – Dana Yosifovich

From 0 to Infinity – Guy

As always, the talks are free and there is no need to register. Come and bring your friends.
The talks will be uploaded to YouTube a week after the meeting.
You can watch the previous talks at https://www.dc9723.org

*We need more talks, please consider submitting a talk for the next DC9723 meeting. For more details and questions, please contact cfp@dc9723.org

Title:
Mystique & Automating Infection Marker Extraction – Dana Yosifovich

Abstract:

It is quite common for malware to mark its territory on the endpoint, leaving a sign to avoid infecting the system more than once. If the malicious program notices this infection marker, it will usually terminate. In this talk, I will explain how this behavior can be used to prevent the malware from attacking the machine. I will also show a demo of a tool that automatically generates a list of mutexes that could be used as “vaccines” against the sample (if there are any).

Extended Abstract:

Many organizations already have a process for obtaining IOCs when performing incident response or malware forensics. This talk focuses on techniques for employing indicators for not only detecting infections, but preventing the compromise in the first place. This approach, which entails vaccinating systems against malware on endpoints, can help incident response and threat hunting teams to contain infections.

While malware can implement the marker using many methods, including generating specific files or registry keys, a common approach to marking the machine involves abusing mutex objects. While legitimate processes use mutexes to synchronize access to shared resources on the endpoint, malware can use them to determine whether it is already present on the endpoint.

It’s possible to vaccinate endpoints against infections that involve infection markers by fooling malware into believing that it’s already on the system. However, how could organizations determine whether a specimen relies on infection markers, and what those markers are? This is where Mystique comes in. This open source tool automatically determines the likely mutex-based markers that might be used to immunize endpoints against the malware specimen. Mystique begins by executing the user-supplied sample in an analysis sandbox and retrieving the mutex objects it creates. It then runs the malware again, this time pre-creating the extracted mutexes, and checks whether the pre-created mutex objects were effective at changing the sample’s execution flow. Mystique’s output is the list of mutexes that can be used to vaccinate endpoints against the malware. Developers can import Mystique and use it in other scripts. For example, a user can write a script that downloads malware from a malware repository and automatically feeds those files to Mystique.
Mystique is written in Python and integrates with the Cuckoo Sandbox to “detonate” the user-supplied specimen in a controlled environment, observing active mutex objects and their effects on the malicious program.
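To make the three-step loop described above concrete (detonate, collect mutexes, re-detonate with each mutex pre-created and look for a change in execution flow), here is an added example in Python. It is not Mystique’s code and does not use Cuckoo’s real report format: the `RunSummary` fields, the divergence heuristic, the mutex names and the `constructed_rerun` stand-in for the sandbox are all assumptions constructed for the example, so it runs offline.

```python
"""Simplified mutex-vaccine selection, modelled on the process the Mystique
abstract describes. Added example, not Mystique's own code; all sandbox
data below is constructed and the RunSummary schema is hypothetical."""
from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Set


@dataclass
class RunSummary:
    """Behavioural summary of one sandbox run (hypothetical schema, not Cuckoo's)."""
    mutexes_created: Set[str]   # named mutexes the sample created during the run
    api_calls: int              # number of monitored API calls observed
    files_written: Set[str]     # paths the sample wrote to
    exited_early: bool          # sample terminated before its usual payload stage


def candidate_mutexes(baseline: RunSummary,
                      ignore: FrozenSet[str] = frozenset()) -> List[str]:
    """Step 1/2: mutexes created in the unmodified run, minus a known-benign
    list (runtime or library mutexes that almost every process creates)."""
    return sorted(baseline.mutexes_created - ignore)


def behaviour_diverged(baseline: RunSummary, vaccinated: RunSummary,
                       ratio: float = 0.5) -> bool:
    """Step 3: did pre-creating a mutex change the sample's execution flow?
    Heuristic (assumed, tunable): the sample exits early, or performs far
    fewer API calls / file writes than in the baseline run."""
    if vaccinated.exited_early and not baseline.exited_early:
        return True
    if baseline.api_calls and vaccinated.api_calls < baseline.api_calls * ratio:
        return True
    if baseline.files_written and \
            len(vaccinated.files_written) < len(baseline.files_written) * ratio:
        return True
    return False


def find_vaccines(baseline: RunSummary,
                  rerun: Callable[[str], RunSummary],
                  ignore: FrozenSet[str] = frozenset()) -> List[str]:
    """Return the mutex names whose pre-creation stopped or cut short the sample.
    `rerun(name)` re-detonates the sample with `name` pre-created; in a real
    tool it would submit to the sandbox, here it is a constructed stand-in."""
    return [name for name in candidate_mutexes(baseline, ignore)
            if behaviour_diverged(baseline, rerun(name))]


# --- constructed sample data (not from any real specimen) ---
BASELINE = RunSummary(
    mutexes_created={"Global\\ExampleMalwareMarker",   # the infection marker
                     "Local\\ExampleRuntimeMutex",     # benign, library-created
                     "Local\\ExampleShellMutex"},      # benign, library-created
    api_calls=4200,
    files_written={"C:\\Users\\victim\\AppData\\Roaming\\svc.exe",
                   "C:\\Users\\victim\\AppData\\Roaming\\cfg.dat"},
    exited_early=False,
)

# constructed allow-list of mutex names that benign processes create too
BENIGN_MUTEXES = frozenset({"Local\\ExampleRuntimeMutex", "Local\\ExampleShellMutex"})


def constructed_rerun(name: str) -> RunSummary:
    """Stand-in for the sandbox: only the real marker changes the sample's behaviour."""
    if name == "Global\\ExampleMalwareMarker":
        return RunSummary(mutexes_created=set(), api_calls=150,
                          files_written=set(), exited_early=True)
    return RunSummary(mutexes_created=set(BASELINE.mutexes_created),
                      api_calls=4100, files_written=set(BASELINE.files_written),
                      exited_early=False)


if __name__ == "__main__":
    print("candidates:", candidate_mutexes(BASELINE, BENIGN_MUTEXES))
    print("vaccines:  ", find_vaccines(BASELINE, constructed_rerun, BENIGN_MUTEXES))
```

The allow-list step matters in practice: without it, every mutex a runtime library creates becomes a candidate, each costing a full sandbox re-detonation, and a pre-created library mutex can occasionally perturb a run for reasons unrelated to an infection marker. The divergence threshold is likewise a judgement call that a real tool would expose as a setting.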


Title:

From 0 to Infinity – Guy

Abstract:

The Baseband Processor in modern cellphones remains one of the least understood elements, yet it is incredibly trusted in order to interact with the Cellular Network as well as with the Application Processor.

This talk aims to shed some light on these dark corners, and provide advice for other reverse engineers trying to explore this area.

This talk focuses on Apple’s iPhone Platform, since their recent move back to the Infineon chipset makes research a lot easier, compared to the previous dominating Hexagon chipset.

I will start by describing the preliminary firmware analysis, during which I created a rudimentary map of its different parts and their respective roles.
I will proceed by revealing the secrets hidden inside the Baseband.
I will conclude by presenting a research environment that I have developed, which greatly simplifies the process of diffing, interacting with and fuzzing the Infineon SoC.

Side note: Not dropping any 0days, this is a methodology and process talk.
