Offensive Defense

    Stephan Chenette,
    Director of Security Research & Development



1
Who Am I?
    • Stephan Chenette
    • Director of Security R&D @ IOActive
      •Building / Breaking / Hacking / Researching


    • R&D @ eEye Digital Security 4+ years
    • Head Security Researcher @ Websense ~6 years
    • (Graduate Student @ UCSD - Network Security)


2
What I will NOT talk about
    • Offensive Defense
      •Active Defense
          • Retaliating during an attack
          • Striking back against adversaries
               •     Technical/Legal
          • HoneyTraps
      •CrowdStrike, Cylance, …Facebook, etc.

       Recent Discussions:
      • http://www.forbes.com/sites/jodywestby/2012/11/29/caution-active-response-to-cyber-attacks-has-high-risk/
      • http://blogs.csoonline.com/security-leadership/2469/caution-not-executing-offensive-actions-against-our-adversaries-high-risk
      • http://www.honeynet.org/node/1004

3
What I WILL talk about
    • Offensive Defense
      •“Smart Defense”
      •Understanding of malware/exploit defense techniques
         • Ability to question, and call BS on, unrealistic marketing/sales claims
      •Current Malware Distribution Networks (MDNs)
      •Explanation of defense techniques
      •Attacking defense techniques

      •(Note: This is similar to a talk I did at EkoParty Argentina 2012)


4
Statement
    Research in evading defensive technology is a personal research interest of mine




5
Malware Distribution Networks (MDNs)




6
Malware Distribution Networks
    Malware has evolved into a profitable business for
    cyber criminals

    •Complex, organized, distributed networks
    •Malware Distribution Networks (MDNs)
      •Pay-per-install (PPI) clients (RogueAV, SpamBot, keylogger)
      •PPI services
      •PPI affiliates (landing pages, redirection services, etc.)



7
Malware Distribution Networks (MDNs)


    [Figure: diagram of an MDN, with stages numbered 1 through 4]

    Source: Microsoft Security Intelligence Threat Report (http://www.microsoft.com/sir)

8
Malware Distribution Networks (MDNs)

      Single Sample Repository
        A repository that does not update the malicious
        executable for the lifetime of the repository.


      Multiple Sample Repository
        A repository that updates the malicious executable
        over time, but does not generate a fresh sample for
        each request

      Polymorphic/Metamorphic Repository
        A repository that produces a unique malicious
        executable for every download request
9
Malware Kits




     Source: (http://blogs.rsa.com/got-an-extra-40000-lying-around-carberp-is-back-on-the-market/)

10
Exploit kits and Malware
        Blackhole | Incognito | ZeroAccess | TDSS




     Source: Manufacturing Compromise: The Emergence of Exploit-as-a-Service
     (http://cseweb.ucsd.edu/~voelker/pubs/eaas-ccs12.pdf)


11
Current State of Malware Defense (Tech.)




12
Defense Layers




13
Current Defense Techniques (limited)
     • Hash
     • Signatures
     • Heuristics
     • Semantics-aware detection




14
Attacking Defense Techniques
     1. Defense technologies need to keep latency low,
        so they sacrifice analysis depth to that end

        (if a connection or analysis takes too long, some
        of them fail open)

     2. Correct implementation is difficult


15
Current Techniques
               Attacker             Defender
           Easier to bypass     Easier to implement
                 ...                  ...
           Harder to change     Harder to implement

16
Hash detection
     • Full file hashing
       •MD5, SHA1, SHA256


     • Portable Executable (PE)
       •Sectional hashing
       •Custom hashing
       •Fuzzy hashing (ssdeep)

     • Err on the side of caution

17
Signatures
     • Regular Expression based signatures (PCRE, RE2)
     • Byte-signatures
       rule ASPack
       {
           // ASPack packer stubs; ?? is a wildcard byte, 7? a nibble wildcard,
           // (43 | 44) an alternative. Matched only at the PE entry point.
           strings:
               $ = { 60 E8 ?? ?? ?? ?? 5D 81 ED ?? ?? (43 | 44) ?? B8 ?? ?? (43 | 44) ?? 03 C5 }
               $ = { 60 EB ?? 5D EB ?? FF ?? ?? ?? ?? ?? E9 }
               $ = { 60 EB 03 5D FF E5 E8 F8 FF FF FF 81 ED 1B 6A 44 00 BB 10 6A 44 00 03 DD 2B 9D 2A }
               $ = { 60 E8 00 00 00 00 5D ?? ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 03 DD }
               $ = { 60 E8 41 06 00 00 EB 41 }
               $ = { 60 E8 7? 05 00 00 EB (33 | 4C) }

           condition:
               for any of them : ($ at entrypoint)
       }


     • Deeper contextual content scanning with proprietary
       language
18
Signatures
     • Syntax mutation easily defeats this technique
       • Garbage Code Insertion e.g. NOP, "MOV ax, ax", "SUB ax, 0"
       • Register Renaming
       • Subroutine Permutation
       • Code Reordering through Jumps
       • Equivalent instruction substitution

     Instruction          Equivalent instruction
     MOV EAX, EBX         PUSH EBX; POP EAX

     Call                 Emulated Call                              Misused Call
     CALL <target>        PUSH <PC + sizeof(PUSH) + sizeof(JMP)>     CALL <target>
                          JMP <target>                               .target
                                                                     POP <register-name>

       • Same behavior but different syntax
19
Signatures
     AV engines were forced to evolve and use heuristics by
     way of emulation/behavioral analysis due to:
       •Polymorphic engines
         • Encrypt body with randomly generated encryption
           algorithm
         • Private key normally in decoding engine
       •Metamorphic engines
         • Employ obfuscation/substitution techniques instead of encryption
           •   Junk insertion, equivalent instruction substitution, etc.




20
Heuristics
     General term for the different techniques used to
     detect malware by its behavior
        Emulation, API hooking, sand-boxing, file anomalies and other analysis techniques



     [Figure: heuristic decision tree, Rule A -> Rule B -> Rule C]

     IF Rule A then Rule B then Rule C then Poison Ivy

     Source: (http://hooked-on-mnemonics.blogspot.com)

21
Heuristics
     • Defeating heuristics

      • Detect emulation and execute different code path
      • Break emulation engine
      • Avoid the heuristics if you can


     • Overall solid method
     • Possible false positives


22
Semantics-aware Detection
      • Captured execution trace is transformed into a higher-level
        representation capturing its semantic meaning, i.e., the trace
        is first abstracted before being compared to a malicious
        behavior
       • Make building the code flow, or extracting a model, infeasible
         for real-time AV by using time-lock puzzles
         •   A common anti-emulation trick is to introduce loops that take a relatively long time to compute. The
             loop may in fact take so long to emulate that the antivirus scanner gives up.
         •   A packed binary can be quickly created by an attacker which is guaranteed to require a predefined and
             easily adjustable number of computationally expensive operations to rebuild a cryptographic key. This key
             is then used in a strong cryptographic cipher to decrypt the next stage.

       • Intermediate representation (IR)
         •   Abstract Syntax Trees, Register Transfer Language
23
Semantics-aware Detection




      Good idea in theory, but unknown (to me) how widely
      implemented this is in security products


24
Semantics-aware Detection
      And how correctly is it implemented?
      (e.g. it took Veracode 10+ years to get right)
      Limited support for equivalent code sequences
          a = b * 2
          a = b << 1

      A left arithmetic shift by n is equivalent
      to multiplying by 2^n
      (provided the value does not overflow)
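The two lines above are one instance of the general problem. As an added example (mine, not from the talk or from any product), the Python below canonicalises a small x86 listing before signature comparison: it follows unconditional jumps to undo code reordering, drops the garbage instructions named on the Signatures slide, rewrites PUSH/POP and shift/add forms into a tiny assignment IR, and renames registers to placeholders. The IR, rewrite rules and both listings are constructed for this example; flags and register aliasing are ignored.

```python
"""Canonicalise syntactically mutated x86 listings before signature matching.
Added example, not from the talk: the mini IR and the rewrite rules are
constructed to cover the mutations the Signatures slide names. Flags are
ignored and register aliasing (EAX vs AX/AL) is not modelled."""
import re

REG_RE = re.compile(r"\b(E?[ABCD]X|E?[SD]I|E?[SB]P|[ABCD][LH])\b")

def _tokens(ins):
    """'MOV EAX, [EBX+4]' -> ('MOV', ['EAX', '[EBX+4]'])."""
    parts = ins.strip().split(None, 1)
    ops = [o.strip().upper() for o in parts[1].split(",")] if len(parts) > 1 else []
    return parts[0].upper(), ops

def linearize(listing):
    """Undo code reordering through jumps: follow execution from the first
    instruction, splicing unconditional JMP targets inline, until RET."""
    labels, body = {}, []
    for line in listing:
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        if line.endswith(":"):
            labels[line[:-1].upper()] = len(body)
        else:
            body.append(line)
    out, pc, seen = [], 0, set()
    while pc < len(body) and pc not in seen:
        seen.add(pc)
        mnemonic, ops = _tokens(body[pc])
        if mnemonic == "JMP" and ops and ops[0] in labels:
            pc = labels[ops[0]]
            continue
        out.append(body[pc])
        if mnemonic == "RET":
            break
        pc += 1
    return out

def is_garbage(ins):
    """Garbage code insertion: NOP, MOV r,r and add/sub/or/xor with 0."""
    mnemonic, ops = _tokens(ins)
    if mnemonic == "NOP":
        return True
    if mnemonic == "MOV" and len(ops) == 2 and ops[0] == ops[1]:
        return True
    return mnemonic in ("ADD", "SUB", "OR", "XOR") and len(ops) == 2 and ops[1] == "0"

def to_ir(instrs):
    """Rewrite to assignment statements so equivalent sequences collapse together."""
    ir, i = [], 0
    while i < len(instrs):
        if is_garbage(instrs[i]):
            i += 1
            continue
        mnemonic, ops = _tokens(instrs[i])
        nxt = _tokens(instrs[i + 1]) if i + 1 < len(instrs) else ("", [])
        if mnemonic == "PUSH" and nxt[0] == "POP":            # PUSH src; POP dst == MOV dst, src
            ir.append(f"{nxt[1][0]} = {ops[0]}")
            i += 2
            continue
        if mnemonic == "MOV":
            ir.append(f"{ops[0]} = {ops[1]}")
        elif mnemonic in ("XOR", "SUB") and ops[0] == ops[1]:  # XOR r,r == MOV r, 0
            ir.append(f"{ops[0]} = 0")
        elif mnemonic in ("SHL", "SAL"):                       # SHL r,n == r * 2^n
            ir.append(f"{ops[0]} = {ops[0]} * {2 ** int(ops[1], 0)}")
        elif mnemonic == "ADD" and ops[0] == ops[1]:           # ADD r,r == r * 2
            ir.append(f"{ops[0]} = {ops[0]} * 2")
        elif mnemonic == "IMUL" and len(ops) == 3:             # IMUL dst, src, imm
            ir.append(f"{ops[0]} = {ops[1]} * {int(ops[2], 0)}")
        else:
            ir.append(f"{mnemonic} {', '.join(ops)}".strip())
        i += 1
    return ir

def canonical(listing):
    """Register renaming last: R0, R1, ... in order of first use in the IR."""
    names = {}
    rename = lambda m: names.setdefault(m.group(0), f"R{len(names)}")
    return [REG_RE.sub(rename, stmt) for stmt in to_ir(linearize(listing))]

def same_behavior(a, b):
    return canonical(a) == canonical(b)

# Constructed pair: the same computation before and after syntax mutation.
ORIGINAL = ["MOV EAX, EBX", "SHL EAX, 1", "XOR ECX, ECX", "RET"]
MUTATED = [
    "    JMP start",        # code reordering through jumps
    "tail:",
    "    ADD EDX, EDX",     # equivalent instruction substitution for SHL EDX, 1
    "    MOV ESI, 0",       # ... and for XOR ESI, ESI
    "    RET",
    "start:",
    "    NOP",              # garbage code insertion
    "    PUSH EDI",         # PUSH/POP pair standing in for MOV EDX, EDI
    "    POP EDX",
    "    SUB EDX, 0",       # garbage code insertion
    "    JMP tail",
]
```

A byte signature over either listing misses the other; a signature over the canonical IR matches both.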
25
Recap




26
Recap
     Technology            Attack Technique

     Hash-detection        Sufficiently altering binary/exploit

     Signature-detection   Garbage Code Insertion
                           Register Renaming
                           Subroutine Permutation
                           Code Reordering through Jumps
                           Equivalent instruction substitution
                           Content Fragmentation

     Heuristic-detection   Avoid matching the heuristic-detection
                           decision tree; add enough benign
                           functionality that heuristic detection fails
                           open due to false-positive mitigation

     Semantic-detection    Avoid matching the semantic-detection
                           decision tree, or find a semantic that the
                           semantic-detection engine has not
                           translated properly (see heuristic-
                           detection for more attacks)
27
Looking Beyond…
      Too often the assumption is that when analyzing
      malware or a file exploit – all the malicious content
      to be found is within the file boundaries and available
      all at one moment in time.

      This is not always the case…

      Web pages – Script Fragmentation [link]
      Mobile Apps (Java/JavaScript bridges [link][link])
28
Malware Detection Reality Check
     • How well are current detection techniques working?




                       33%!
29
Malware Detection Reality Check
     Imperva Blog:
     “Assessing the Effectiveness of Antivirus Solutions”
     Excerpt:
     '....Imperva collected and analyzed more than 80 previously
     non-cataloged viruses against more than 40 antivirus solutions.

     They found that less than 5% of anti-virus solutions in the study
     were able to initially detect previously non-cataloged viruses and
     that many solutions took up to a month or longer following the
     initial scan to update their signatures......'


30
Malware Trends




31
Trend of Malware Creation
     Observation: # of Malware Samples are increasing




     Source: McAfee Global Q1 2012 Threat Report
     (http://mcafee.com/us/resources/reports/rp-quarterly-threat-q1-2012.pdf)


32
Trend of Malware Creation
     Observation: # of Android Malware Samples are
     increasing




     Source: Kaspersky Q12012 Threat Report
     (http://www.securelist.com/en/analysis/204792231/IT_Threat_Evolution_Q1_2012)

33
How I interpret those results…

      Current techniques aren't really succeeding

34
Who qualifies AV defense products
      AV-Test
      AV-Comparatives
      ICSA Labs
      NSS Labs
      EICAR
      Etc.

      AV-Test: Security Essentials failed to recognize enough zero-day
      threats, with detection rates of only 69%, where the average is 89% [link]



35
Malware Defense is really hard…
     • Benign software can look like malware
       • ClamAV detected as malware
         why: its signature database isn't encrypted, so the strings match signatures




36
Malware Defense is really hard…
     • Malware can look/act like benign software
     • ~70,000 new pieces of malware a day
     • Gauss – Encrypted DLL
     • Zeus – Downloading encrypted binaries
     • Java or .NET malware – e.g. the recent "Japanese remote
       control malware virus" used to make death threats on web
       forums
       • Starting with Vista and Windows Server 2008 and continuing into Windows
         7, .NET is now a native part of the OS installation.
       • Analysis of the byte code of an interpreted language
37
Typical Scenario
     Client binary is malware but isn't detected.
     If considered suspicious, files are sent back to the "home
     base/cloud" lab for analysis (feedback mechanism):
     1. Sent to sandbox system
     2. Metadata report is created for easier export of
        new rules
        a. Hash and blacklist entries are added
        b. Signatures are added
        c. Heuristic detection is added

38
The Overworked Malware Analyst




39
Solving the problem with people
      Malware Analysts vs. Malware Samples

      [Figure: OVERLOAD!!]


40
The Future of Malware Defense


     Perhaps there should be more science and statistical
     modeling applied to malware defense – as an
     additional layer.




41
Modeling attacks and attackers
     Malware detection
     As malware approaches ∞ we can't manually add
     detection for every file. We must model WHAT actions
     malware takes, WHERE it connects to and
     HOW it performs its actions.

     Attribution
     As the attack surface approaches ∞ we can't defend
     everything from everyone. We must model WHO is
     after WHICH assets and HOW they attack.

42
The Future of Malware Defense
     IF we are going to start modeling we must make
     some assumptions:
     •Attackers are lazy: they will change their code and
      techniques only enough to avoid detection
     •The majority of malware/exploit code and
      techniques will continue to represent future
      malware/exploits



43
Machine learning
     Machine learning is where we train computers to
     make statistical decisions on real-time data based on
     previously input data

     While machine learning as a concept has been
     around for decades and has been used in everything
     from anti-spam engines to Google™ algorithms for
     translating text, it is only now being applied to web
     filtering, DLP and malware content analysis.

44
Statistics
     Manual observation:
     Historically certain malware has
     •No icon
     •No description or company in resource section
     •Is packed
     •Lives in windows directory or user profile
     These are the types of "features" that expert humans
     would feed to machine learning classifiers to learn from

45
The Future of Malware Defense

                      Network
                     File System
                   Physical Memory




                                     Inspection Point

       Every Layer provides various degrees of
                 “features” to inspect

46
Malware features in action …
     • Features:
       •Static:
          • Packed
          • File size
          • Origin
       •Dynamic (Network)
          • Makes a connection
          • Number of DNS requests
          • Encrypted communication
          • Burst/length of communication
       •Dynamic (File)
          • Registry keys
          • File level modifications
47
Detecting shellcode
     • Markov chains (NLP)
       To determine probability of
       instruction sequences
     • Technique clustering

     [Figure: Markov chain transition diagram with edge probabilities 0.3, 0.7, 0.4, 0.6]

          XOR     ECX, ECX                    ; ECX = 0
          MOV     ESI, [FS:ECX + 0x30]        ; ESI = &(PEB) ([FS:0x30])
          MOV     ESI, [ESI + 0x0C]           ; ESI = PEB->Ldr
          MOV     ESI, [ESI + 0x1C]           ; ESI = PEB->Ldr.InInitOrder
     next_module:
          MOV     EBP, [ESI + 0x08]           ; EBP = InInitOrder[X].base_address
          MOV     EDI, [ESI + 0x20]           ; EDI = InInitOrder[X].module_name (unicode)
          MOV     ESI, [ESI]                  ; ESI = InInitOrder[X].flink (next module)
          CMP     [EDI + 12*2], CL            ; modulename[12] == 0 ?
          JNE     next_module                 ; No: try next module.
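As an added example (not from the talk), the Python below trains two first-order Markov chains over instruction mnemonics, one on shellcode-shaped sequences and one on compiler-shaped ones, and scores a listing by log-likelihood ratio. The training corpora are small constructed mnemonic strings, so the output illustrates the method rather than a tuned detector; the PEB walk from the slide is the positive input and the function body is made up.

```python
"""Score instruction sequences with first-order Markov chains over mnemonics,
in the spirit of the slide's "probability of instruction sequences".
Added example, not from the talk: the two training corpora are tiny constructed
mnemonic sequences, so the numbers illustrate the method, not a real detector."""
import math
from collections import Counter, defaultdict

START, END = "<S>", "<E>"

def mnemonics(listing):
    """Reduce an assembly listing to its mnemonic sequence (labels, ';' comments dropped)."""
    seq = []
    for line in listing.splitlines():
        line = line.split(";", 1)[0].strip()
        if line and not line.endswith(":"):
            seq.append(line.split()[0].upper())
    return seq

class MnemonicChain:
    """Transition counts with additive smoothing over a shared vocabulary, so a
    transition never seen in training still gets a small nonzero probability."""
    def __init__(self, vocab_size, alpha=0.5):
        self.alpha, self.vocab_size = alpha, vocab_size
        self.counts = defaultdict(Counter)       # counts[a][b]: how often b followed a

    def train(self, sequences):
        for seq in sequences:
            states = [START, *seq, END]
            for a, b in zip(states, states[1:]):
                self.counts[a][b] += 1

    def log_prob(self, seq):
        """log P(seq) = sum of log P(b | a) over consecutive mnemonics."""
        states = [START, *seq, END]
        total = 0.0
        for a, b in zip(states, states[1:]):
            row = self.counts.get(a, Counter())
            total += math.log((row[b] + self.alpha) / (sum(row.values()) + self.alpha * self.vocab_size))
        return total

# Constructed corpora (mnemonics only). Shellcode-like: PEB/LDR walks and decoder-loop
# shapes; benign-like: compiler prologue/body/epilogue shapes.
SHELLCODE_CORPUS = [s.split() for s in (
    "XOR MOV MOV MOV MOV MOV MOV CMP JNE",
    "XOR MOV MOV MOV MOV MOV CMP JNE",
    "XOR MOV MOV MOV MOV MOV MOV MOV CMP JNE",
    "JMP POP XOR MOV XOR INC LOOP JMP CALL",
    "XOR MOV MOV MOV MOV MOV CMP JNE MOV",
    "MOV MOV MOV MOV LODSD CMP JNE",
)]
BENIGN_CORPUS = [s.split() for s in (
    "PUSH MOV SUB MOV MOV CALL ADD MOV LEAVE RET",
    "PUSH MOV PUSH PUSH MOV MOV CALL TEST JZ MOV POP POP POP RET",
    "PUSH MOV SUB LEA PUSH CALL ADD MOV CMP JNE MOV LEAVE RET",
    "PUSH MOV MOV CALL MOV POP RET",
    "PUSH PUSH MOV MOV MOV CALL TEST JE MOV POP POP RET",
    "PUSH MOV SUB MOV MOV MOV CALL LEAVE RET",
)]

def build_models():
    vocab = {START, END}
    for seq in SHELLCODE_CORPUS + BENIGN_CORPUS:
        vocab.update(seq)
    shell, benign = MnemonicChain(len(vocab)), MnemonicChain(len(vocab))
    shell.train(SHELLCODE_CORPUS)
    benign.train(BENIGN_CORPUS)
    return shell, benign

SHELL_MODEL, BENIGN_MODEL = build_models()

def shellcode_score(listing):
    """Per-transition log-likelihood ratio; positive favours the shellcode chain."""
    seq = mnemonics(listing)
    llr = SHELL_MODEL.log_prob(seq) - BENIGN_MODEL.log_prob(seq)
    return llr / (len(seq) + 1)

def is_shellcode_like(listing, threshold=0.0):
    """The threshold is the tuning knob: raise it to trade recall for fewer false positives."""
    return shellcode_score(listing) > threshold

# The PEB->Ldr module walk from the slide, and a constructed compiler-style function body.
PEB_WALK = """
    XOR     ECX, ECX                    ; ECX = 0
    MOV     ESI, [FS:ECX + 0x30]        ; ESI = &(PEB)
    MOV     ESI, [ESI + 0x0C]           ; ESI = PEB->Ldr
    MOV     ESI, [ESI + 0x1C]           ; ESI = PEB->Ldr.InInitOrder
next_module:
    MOV     EBP, [ESI + 0x08]           ; base address
    MOV     EDI, [ESI + 0x20]           ; module name
    MOV     ESI, [ESI]                  ; next module
    CMP     [EDI + 12*2], CL            ; modulename[12] == 0 ?
    JNE     next_module
"""
FUNCTION_BODY = """
    push    ebp
    mov     ebp, esp
    sub     esp, 0x10
    mov     eax, [ebp + 8]
    call    helper
    add     esp, 4
    leave
    ret
"""
```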


48
PDF Example Features
     • Compressed JavaScript
     • PDF header location e.g. %PDF within the first 1024 bytes
     • Does it contain an embedded file (e.g. Flash, sound file)
     • Signed by a trusted certificate
     • Encoded/Encrypted streams e.g. FlateDecode
     • Names hex escaped
     • Bogus xref table

     Reference: http://blog.fireeye.com/files/27c3_julia_wolf_omg-wtf-pdf.pdf
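An added example (mine, not from the talk or the referenced paper) that extracts the features above from raw PDF bytes with shallow regex parsing: it decodes #xx name escapes before matching, inflates FlateDecode streams to look for script inside them, and checks that startxref actually lands on an xref table. The sample PDF is constructed inside the block; its object numbers and contents are made up.

```python
"""Extract the PDF features listed on the slide from raw bytes.
Added example, not from the talk: the parsing is deliberately shallow (regexes
over the raw file, no object-stream or cross-reference-stream handling), and
the sample PDF is built inline so the check runs offline."""
import re
import zlib

NAME_RE = re.compile(rb"/([^\s/\[\]<>(){}%]+)")           # name objects; '#xx' escapes allowed
HEX_ESC_RE = re.compile(rb"#([0-9A-Fa-f]{2})")
STREAM_BODY_RE = re.compile(rb"\bstream\r?\n.*?endstream", re.DOTALL)
OBJ_STREAM_RE = re.compile(
    rb"\d+\s+\d+\s+obj\s*(<<(?:(?!endobj).)*?>>)\s*stream\r?\n(.*?)endstream", re.DOTALL)
JS_HINTS = (b"eval(", b"unescape(", b"String.fromCharCode", b"app.")

def decode_name(raw):
    """Resolve #xx escapes: b'Java#53cript' -> b'JavaScript', so matching on the
    decoded name catches what a literal search for '/JavaScript' misses."""
    return HEX_ESC_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)

def xref_offset_valid(data):
    """True if the last startxref points at an 'xref' table or an xref stream object."""
    offsets = re.findall(rb"startxref\s+(\d+)", data)
    if not offsets:
        return False
    off = int(offsets[-1])
    if off >= len(data):
        return False
    return data.startswith(b"xref", off) or re.match(rb"\d+\s+\d+\s+obj", data[off:off + 32]) is not None

def pdf_features(data):
    """Return the slide's feature set for one PDF given as bytes."""
    outside = STREAM_BODY_RE.sub(b"stream endstream", data)   # keep binary stream bodies out of the name scan
    raw_names = NAME_RE.findall(outside)
    names = {decode_name(n) for n in raw_names}
    flate = compressed_js = 0
    for dict_part, body in OBJ_STREAM_RE.findall(data):
        dict_part = decode_name(dict_part)
        if b"/FlateDecode" not in dict_part:
            continue
        flate += 1
        length = re.search(rb"/Length\s+(\d+)", dict_part)
        if length:                                   # trust /Length rather than the 'endstream' marker
            body = body[:int(length.group(1))]
        try:
            inflated = zlib.decompress(body)
        except zlib.error:
            continue
        if any(hint in inflated for hint in JS_HINTS):
            compressed_js += 1
    header = data.find(b"%PDF")
    return {
        "header_in_first_1024": 0 <= header < 1024,
        "javascript": b"JavaScript" in names or b"JS" in names,
        "hex_escaped_names": sum(1 for n in raw_names if b"#" in n),
        "embedded_file": b"EmbeddedFile" in names,
        "flate_streams": flate,
        "compressed_javascript": compressed_js,
        "bogus_xref": not xref_offset_valid(data),
    }

def build_sample_pdf(bogus_xref):
    """Constructed sample, not a real-world file: a FlateDecode stream carrying script,
    hex-escaped /Java#53cript and /Embedded#46ile names, and optionally a startxref
    that points into the middle of the xref table."""
    script = zlib.compress(b"var s = 'constructed sample'; eval(s);")
    objects = [
        b"<< /Type /Catalog /Pages 2 0 R /Names << /Java#53cript 4 0 R >> >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(script) + script + b"\nendstream",
        b"<< /Type /Embedded#46ile /Length 0 >>\nstream\n\nendstream",
    ]
    out, offsets = b"%PDF-1.5\n", []
    for num, body in enumerate(objects, 1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    xref_at = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objects) + 1)
    out += b"".join(b"%010d 00000 n \n" % off for off in offsets)
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\n" % (len(objects) + 1)
    out += b"startxref\n%d\n%%%%EOF\n" % (xref_at + (17 if bogus_xref else 0))
    return out

SAMPLE = build_sample_pdf(bogus_xref=True)
```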



49
Statistics Based Detection Tools




50
Machine Learning

     Just another layer in the defenses


     Take all the technologies above; each is used as a feature in
     its own right
     •   Signatures
     •   Heuristics
     •   Semantics




51
Combating Machine Learning




52
Offensive Thinking - AI
     Technology                    Attack Technique

     Machine Learning /            1.   Machine learning can be prone to false
     Natural Language                   positives and false negatives if feature
     Processing                         and sample sets aren't extensive
                                        enough
                                   2.   Detection via machine learning can be
                                        defeated if an attacker can find out
                                        what the features are and avoid them
                                   3.   Classifier training can be poisoned if
                                        an attacker can influence the training
                                        set
                                   4.   Functionality typically used for benign
                                        actions can be used to conduct
                                        malicious actions
                                   5.   Machine learning can't detect a new
                                        weapon if it doesn't know it exists or
                                        doesn't know how to interpret/parse it
                                        (HTML5 objects for heap spraying or
                                        improvements to file format)
53
Recap




54
Test defenses on your network
     • Get Samples…
       •Private logs, setting up honeypots, infected
        machines, private security mailing lists
       •Open Malware - http://offensivecomputing.net/
         • Myself and another researcher are working on an API…
       •Research websites e.g. malr, zeustracker
     • DMZ'd / replicated network
     • Establish a role for Security Architect
     • Hire a consulting firm to architect a security
       framework for your organization
55
Conclusion
      • Independent testing should be done on attempting
        to bypass file/network layers of defense
        •   External reconnaissance
        •   Penetration
        •   Internal reconnaissance + stage persistent state
        •   Exfiltration

      • An understanding of the limitations of each
        defensive layer should be part of deciding how to
        build your network
        • OS – ASLR, DEP, HIPS, FIREWALL, etc.
        • NETWORK - FILTERING, IPS, IDS, FIREWALL, etc.
        • LOGGING and CORRELATION
56
Conclusion

     Proper security is all about a defense-in-depth
     strategy. Create multiple layers of defense,
     every layer presenting a different set of
     challenges and requiring different skill sets and
     technology.
     So every layer will increase the time and effort
     needed to compromise your environment and
     exfiltrate data.
57
Conclusion


     If the security strategy is successful:
     the attack is stopped by your layered defenses
     before exfiltration of data can happen.




58
Questions?

     questions.py:
     while questions:
         if time <= 0:
             break
         print(answers[questions.pop()])

59
Thanks!
               Stephan Chenette | @StephanChenette
               Director of Research and Development


                  IOActive, Inc. http://ioactive.com




60

[RAT資安小聚] Study on Automatically Evading Malware Detection
 
The Hacking Games - Operation System Vulnerabilities Meetup 29112022
The Hacking Games - Operation System Vulnerabilities Meetup 29112022The Hacking Games - Operation System Vulnerabilities Meetup 29112022
The Hacking Games - Operation System Vulnerabilities Meetup 29112022
 
Detecting Web Browser Heap Corruption Attacks - Stephan Chenette, Moti Joseph...
Detecting Web Browser Heap Corruption Attacks - Stephan Chenette, Moti Joseph...Detecting Web Browser Heap Corruption Attacks - Stephan Chenette, Moti Joseph...
Detecting Web Browser Heap Corruption Attacks - Stephan Chenette, Moti Joseph...
 
Stuxnet redux. malware attribution & lessons learned
Stuxnet redux. malware attribution & lessons learnedStuxnet redux. malware attribution & lessons learned
Stuxnet redux. malware attribution & lessons learned
 
DEFCON 21: EDS: Exploitation Detection System WP
DEFCON 21: EDS: Exploitation Detection System WPDEFCON 21: EDS: Exploitation Detection System WP
DEFCON 21: EDS: Exploitation Detection System WP
 
Anatomy of a Buffer Overflow Attack
Anatomy of a Buffer Overflow AttackAnatomy of a Buffer Overflow Attack
Anatomy of a Buffer Overflow Attack
 
Reversing Microsoft patches to reveal vulnerable code
Reversing Microsoft patches to reveal vulnerable codeReversing Microsoft patches to reveal vulnerable code
Reversing Microsoft patches to reveal vulnerable code
 
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1  Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
 
Super1
Super1Super1
Super1
 
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware AnalysisInside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
 
EMBA Firmware analysis - TROOPERS22
EMBA Firmware analysis - TROOPERS22EMBA Firmware analysis - TROOPERS22
EMBA Firmware analysis - TROOPERS22
 
TENTACLE: Environment-Sensitive Malware Palpation(PacSec 2014)
TENTACLE: Environment-Sensitive Malware Palpation(PacSec 2014)TENTACLE: Environment-Sensitive Malware Palpation(PacSec 2014)
TENTACLE: Environment-Sensitive Malware Palpation(PacSec 2014)
 
ETCSS: Into the Mind of a Hacker
ETCSS: Into the Mind of a HackerETCSS: Into the Mind of a Hacker
ETCSS: Into the Mind of a Hacker
 
Understand How Machine Learning Defends Against Zero-Day Threats
Understand How Machine Learning Defends Against Zero-Day ThreatsUnderstand How Machine Learning Defends Against Zero-Day Threats
Understand How Machine Learning Defends Against Zero-Day Threats
 
Building Your Application Security Data Hub - OWASP AppSecUSA
Building Your Application Security Data Hub - OWASP AppSecUSABuilding Your Application Security Data Hub - OWASP AppSecUSA
Building Your Application Security Data Hub - OWASP AppSecUSA
 
Anti-virus Mechanisms and Various Ways to Bypass Antivirus detection
Anti-virus Mechanisms and Various Ways to Bypass Antivirus detectionAnti-virus Mechanisms and Various Ways to Bypass Antivirus detection
Anti-virus Mechanisms and Various Ways to Bypass Antivirus detection
 
Advanced malwareanalysis training session2 botnet analysis part1
Advanced malwareanalysis training session2 botnet analysis part1Advanced malwareanalysis training session2 botnet analysis part1
Advanced malwareanalysis training session2 botnet analysis part1
 
Алексей Старов - Как проводить киберраследования?
Алексей Старов - Как проводить киберраследования?Алексей Старов - Как проводить киберраследования?
Алексей Старов - Как проводить киберраследования?
 
Tricky sample? Hack it easy! Applying dynamic binary inastrumentation to ligh...
Tricky sample? Hack it easy! Applying dynamic binary inastrumentation to ligh...Tricky sample? Hack it easy! Applying dynamic binary inastrumentation to ligh...
Tricky sample? Hack it easy! Applying dynamic binary inastrumentation to ligh...
 

Mehr von Stephan Chenette

2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing
2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing
2013 Toorcon San Diego Building Custom Android Malware for Penetration TestingStephan Chenette
 
Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013Stephan Chenette
 
Automated JavaScript Deobfuscation - PacSec 2007
Automated JavaScript Deobfuscation - PacSec 2007Automated JavaScript Deobfuscation - PacSec 2007
Automated JavaScript Deobfuscation - PacSec 2007Stephan Chenette
 
Web Wreck-utation - CanSecWest 2008
Web Wreck-utation - CanSecWest 2008Web Wreck-utation - CanSecWest 2008
Web Wreck-utation - CanSecWest 2008Stephan Chenette
 
The Ultimate Deobfuscator - ToorCON San Diego 2008
The Ultimate Deobfuscator - ToorCON San Diego 2008The Ultimate Deobfuscator - ToorCON San Diego 2008
The Ultimate Deobfuscator - ToorCON San Diego 2008Stephan Chenette
 
Script Fragmentation - Stephan Chenette - OWASP/RSA 2008
Script Fragmentation - Stephan Chenette - OWASP/RSA 2008Script Fragmentation - Stephan Chenette - OWASP/RSA 2008
Script Fragmentation - Stephan Chenette - OWASP/RSA 2008Stephan Chenette
 
Watchtowers of the Internet - Source Boston 2012
Watchtowers of the Internet - Source Boston 2012Watchtowers of the Internet - Source Boston 2012
Watchtowers of the Internet - Source Boston 2012Stephan Chenette
 

Mehr von Stephan Chenette (9)

Landing on Jupyter
Landing on JupyterLanding on Jupyter
Landing on Jupyter
 
2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing
2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing
2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing
 
Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013
 
Automated JavaScript Deobfuscation - PacSec 2007
Automated JavaScript Deobfuscation - PacSec 2007Automated JavaScript Deobfuscation - PacSec 2007
Automated JavaScript Deobfuscation - PacSec 2007
 
Web Wreck-utation - CanSecWest 2008
Web Wreck-utation - CanSecWest 2008Web Wreck-utation - CanSecWest 2008
Web Wreck-utation - CanSecWest 2008
 
The Ultimate Deobfuscator - ToorCON San Diego 2008
The Ultimate Deobfuscator - ToorCON San Diego 2008The Ultimate Deobfuscator - ToorCON San Diego 2008
The Ultimate Deobfuscator - ToorCON San Diego 2008
 
Script Fragmentation - Stephan Chenette - OWASP/RSA 2008
Script Fragmentation - Stephan Chenette - OWASP/RSA 2008Script Fragmentation - Stephan Chenette - OWASP/RSA 2008
Script Fragmentation - Stephan Chenette - OWASP/RSA 2008
 
Fireshark - Brucon 2010
Fireshark - Brucon 2010Fireshark - Brucon 2010
Fireshark - Brucon 2010
 
Watchtowers of the Internet - Source Boston 2012
Watchtowers of the Internet - Source Boston 2012Watchtowers of the Internet - Source Boston 2012
Watchtowers of the Internet - Source Boston 2012
 

Kürzlich hochgeladen

Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Bhuvaneswari Subramani
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Angeliki Cooney
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsNanddeep Nachan
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusZilliz
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native ApplicationsWSO2
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistandanishmna97
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Orbitshub
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Zilliz
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfOrbitshub
 

Kürzlich hochgeladen (20)

Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering Developers
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 

B-Sides Seattle 2012 Offensive Defense

  • 1. Offensive Defense Stephan Chenette, Director of Security Research & Development 1
  • 2. Who Am I?
    • Stephan Chenette
    • Director of Security R&D @ IOActive
      • Building / Breaking / Hacking / Researching
    • R&D @ eEye Digital Security 4+ years
    • Head Security Researcher @ Websense ~6 years
    • (Graduate Student @ UCSD - Network Security)
    2
  • 3. What I will NOT talk about
    • Offensive Defense
      • Active Defense
        • Retaliating during an attack
        • Striking back against adversaries
          • Technical/Legal
        • HoneyTraps
      • CrowdStrike, Cylance, …Facebook, etc.
    Recent Discussions:
      • http://www.forbes.com/sites/jodywestby/2012/11/29/caution-active-response-to-cyber-attacks-has-high-risk/
      • http://blogs.csoonline.com/security-leadership/2469/caution-not-executing-offensive-actions-against-our-adversaries-high-risk
      • http://www.honeynet.org/node/1004
    3
  • 4. What I WILL talk about
    • Offensive Defense
      • “Smart Defense”
      • Understanding of malware/exploit defense techniques
        • Ability to question and call BS on unrealistic marketing/sales claims
      • Current Malware Distribution Networks (MDNs)
      • Explanation of defense techniques
      • Attacking defense techniques
    • (Note: This is similar to a talk I did at EkoParty Argentina 2012)
    4
  • 5. Statement Research in evading defensive technology is a personal research interest of mine 5
  • 7. Malware Distribution Networks
    Malware has evolved into a profitable business for cyber criminals
    • Complex/Organized/Distributed Network
    • Malware Distribution Networks (MDNs)
      • Pay-per-install (PPI) clients (RogueAV, SpamBot, keylogger)
      • PPI Services
      • PPI Affiliates (landing pages, redirection services, etc.)
    7
  • 8. Malware Distribution Networks (MDNs)
    [Figure: MDN diagram with numbered stages 1-4]
    Source: Microsoft Security Intelligence Threat Report (http://www.microsoft.com/sir)
    8
  • 9. Malware Distribution Networks (MDNs)
    Single Sample Repository: A repository that does not update the malicious executable for the lifetime of the repository.
    Multiple Sample Repository: A repository that updates the malicious executable over time, but does not generate a new sample for each request.
    Polymorphic/Metamorphic Repository: A repository that produces a unique malicious executable for every download request.
    9
  • 10. Malware Kits Source: (http://blogs.rsa.com/got-an-extra-40000-lying-around-carberp-is-back-on-the-market/) 10
  • 11. Exploit kits and Malware
    Exploit kits: Blackhole | Incognito
    Malware: ZeroAccess | TDSS
    Source: Manufacturing Compromise: The Emergence of Exploit-as-a-Service (http://cseweb.ucsd.edu/~voelker/pubs/eaas-ccs12.pdf)
    11
  • 12. Current State of Malware Defense (Tech.) 12
  • 14. Current Defense Techniques (limited)
    • Hash
    • Signatures
    • Heuristics
    • Semantics-aware detection
    14
  • 15. Attacking Defense Techniques
    1. Defense technologies need to keep latency low
       …so they sacrifice analysis to that end (if a connection/analysis is taking too long they will in some cases fail open)
    2. Correct implementation is difficult
    15
  • 16. Current Techniques
    Attacker           Defender
    Easier to bypass   Easier to implement
    Harder to change   Harder to implement
    16
  • 17. Hash detection
    • Full file hashing
      • MD5, SHA1, SHA256
    • Portable Executable (PE)
      • Sectional hashing
      • Custom hashing
      • Fuzzy hashing (ssdeep)
    • Error on the side of caution
    17
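To make the difference between full-file and sectional hashing concrete, here is an added example (not code from the slides or from IOActive) that parses a PE section table with the standard library, hashes the whole file and each section separately, and reports which sections changed between two builds. The two images it compares are constructed inline (a layout-only PE with no optional header; it is not runnable) and differ by one byte in `.data`, so the full-file hash changes while the `.text` hash does not:

```python
"""Full-file vs. per-section hashing of a PE image (stdlib only)."""
import hashlib
import struct

SECTION_HEADER_SIZE = 40
COFF_HEADER_SIZE = 20


def pe_sections(data: bytes) -> list:
    """Parse the section table of a PE image; return [(name, raw_offset, raw_size), ...]."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, n_sections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    table = coff + COFF_HEADER_SIZE + opt_size
    sections = []
    for i in range(n_sections):
        # IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ...
        name, _, _, raw_size, raw_off, *_ = struct.unpack_from(
            "<8sIIIIIIHHI", data, table + i * SECTION_HEADER_SIZE)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), raw_off, raw_size))
    return sections


def full_hash(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def section_hashes(data: bytes) -> dict:
    """SHA-256 of each section's raw bytes, keyed by section name."""
    return {name: hashlib.sha256(data[off:off + size]).hexdigest()
            for name, off, size in pe_sections(data)}


def changed_sections(a: bytes, b: bytes) -> list:
    """Names of sections whose raw-data hash differs between two images (or is missing in b)."""
    ha, hb = section_hashes(a), section_hashes(b)
    return sorted(name for name in ha if ha[name] != hb.get(name))


def build_minimal_pe(sections: dict) -> bytes:
    """Constructed sample: a layout-only PE (no optional header, not runnable) with the given sections."""
    e_lfanew = 64
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x0102)
    raw_off = e_lfanew + 4 + COFF_HEADER_SIZE + SECTION_HEADER_SIZE * len(sections)
    headers, raw = b"", b""
    for i, (name, body) in enumerate(sections.items()):
        headers += struct.pack("<8sIIIIIIHHI", name.encode("ascii"), len(body), 0x1000 * (i + 1),
                               len(body), raw_off, 0, 0, 0, 0, 0x60000020)
        raw += body
        raw_off += len(body)
    return dos + b"PE\0\0" + coff + headers + raw


# Constructed samples: identical .text, one byte changed in .data.
TEXT = b"\x55\x8b\xec\x5d\xc3"  # push ebp; mov ebp, esp; pop ebp; ret
ORIGINAL = build_minimal_pe({".text": TEXT, ".data": b"config=1\0"})
VARIANT = build_minimal_pe({".text": TEXT, ".data": b"config=2\0"})

if __name__ == "__main__":
    print("full-file hash changed:", full_hash(ORIGINAL) != full_hash(VARIANT))
    print("sections changed:", changed_sections(ORIGINAL, VARIANT))
```

The point the slide makes follows directly: a full-file hash is invalidated by any byte change, whereas a per-section hash on `.text` survives a repacked data section and still identifies the code, at the cost of more false-positive risk, which is why the slide adds "error on the side of caution".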
  • 18. Signatures
    • Regular Expression based signatures (PCRE, RE2)
    • Byte-signatures
      rule ASPack
      {
          strings:
              $ = { 60 E8 ?? ?? ?? ?? 5D 81 ED ?? ?? (43 | 44) ?? B8 ?? ?? (43 | 44) ?? 03 C5 }
              $ = { 60 EB ?? 5D EB ?? FF ?? ?? ?? ?? ?? E9 }
              $ = { 60 EB 03 5D FF E5 E8 F8 FF FF FF 81 ED 1B 6A 44 00 BB 10 6A 44 00 03 DD 2B 9D 2A }
              $ = { 60 E8 00 00 00 00 5D ?? ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 03 DD }
              $ = { 60 E8 41 06 00 00 EB 41 }
              $ = { 60 E8 7? 05 00 00 EB (33 | 4C) }
          condition:
              for any of them : ($ at entrypoint)
      }
    • Deeper contextual content scanning with proprietary language
    18
  • 19. Signatures
    • Syntax mutation easily defeats this technique
      • Garbage Code Insertion e.g. NOP, “MOV ax, ax”, “SUB ax, 0”
      • Register Renaming
      • Subroutine Permutation
      • Code Reordering through Jumps
      • Equivalent instruction substitution

        Instruction      Equivalent instruction
        MOV EAX, EBX     PUSH EBX; POP EAX

        Call             Emulated Call                              Misused Call
        CALL <target>    PUSH <PC + sizeof(PUSH) + sizeof(JMP)>     CALL <target>
                         JMP <target>                               .target: POP <register-name>
    • Same behavior but different syntax
    19
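The two slides above show a YARA byte-signature and then explain why garbage-code insertion breaks it. The following added example (my own code, not the slides' or YARA's) compiles hex strings in YARA's notation (`??` wildcards, `7?` nibble masks, `(33 | 4C)` alternatives) into byte regexes, implements the rule's `for any of them : ($ at entrypoint)` condition, and runs it over two constructed buffers: an entry-point stub that matches the last ASPack string, and the same stub with a single NOP inserted. The buffers are constructed for the test and are not real packer output:

```python
"""Compile YARA-style hex strings (wildcards, nibble masks, alternatives) to byte regexes."""
import re

TOKEN = re.compile(r"\(|\)|\||[0-9A-Fa-f?]{2}")


def _nibble_class(tok: str) -> bytes:
    """'7?' matches 0x70..0x7F, '?A' matches 0x0A, 0x1A, ...; build an explicit byte class."""
    hi, lo = tok
    matches = [v for v in range(256)
               if (hi == "?" or v >> 4 == int(hi, 16)) and (lo == "?" or v & 0xF == int(lo, 16))]
    return b"[" + b"".join(re.escape(bytes([v])) for v in matches) + b"]"


def compile_hex_string(spec: str):
    """Turn '60 E8 7? 05 00 00 EB (33 | 4C)' into a compiled bytes regex."""
    parts = []
    for tok in TOKEN.findall(spec):
        if tok in ("(", ")", "|"):
            parts.append(tok.encode("ascii"))
        elif tok == "??":
            parts.append(b".")
        elif "?" in tok:
            parts.append(_nibble_class(tok))
        else:
            parts.append(re.escape(bytes.fromhex(tok)))
    return re.compile(b"".join(parts), re.DOTALL)


def any_at_entrypoint(specs, data: bytes, entrypoint: int) -> bool:
    """YARA's `for any of them : ($ at entrypoint)` over a list of hex strings."""
    return any(compile_hex_string(s).match(data, entrypoint) for s in specs)


def find_all(spec: str, data: bytes) -> list:
    """Offsets of every (non-overlapping) occurrence of a hex string in data."""
    return [m.start() for m in compile_hex_string(spec).finditer(data)]


# The six ASPack strings from the slide.
ASPACK_STRINGS = [
    "60 E8 ?? ?? ?? ?? 5D 81 ED ?? ?? (43 | 44) ?? B8 ?? ?? (43 | 44) ?? 03 C5",
    "60 EB ?? 5D EB ?? FF ?? ?? ?? ?? ?? E9",
    "60 EB 03 5D FF E5 E8 F8 FF FF FF 81 ED 1B 6A 44 00 BB 10 6A 44 00 03 DD 2B 9D 2A",
    "60 E8 00 00 00 00 5D ?? ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 03 DD",
    "60 E8 41 06 00 00 EB 41",
    "60 E8 7? 05 00 00 EB (33 | 4C)",
]

# Constructed buffers: 16 bytes of padding, then a stub that satisfies the last string.
STUB = b"\x60\xE8\x75\x05\x00\x00\xEB\x4C"
ENTRYPOINT = 16
SAMPLE = b"\x00" * ENTRYPOINT + STUB + b"\x00" * 8
# The same stub with one NOP (0x90) after the first byte: the signature no longer lines up.
NOP_INSERTED = b"\x00" * ENTRYPOINT + STUB[:1] + b"\x90" + STUB[1:] + b"\x00" * 8

if __name__ == "__main__":
    print("stub at entrypoint:", any_at_entrypoint(ASPACK_STRINGS, SAMPLE, ENTRYPOINT))
    print("after NOP insertion:", any_at_entrypoint(ASPACK_STRINGS, NOP_INSERTED, ENTRYPOINT))
```

Running the rule against the two buffers is the regression test a signature author wants: it shows exactly how little has to change for a fixed byte pattern to miss, which is the case for the heuristic and semantic layers the following slides add on top.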
  • 20. Signatures
    AV engines were forced to evolve and use heuristics by way of emulation/behavioral analysis due to:
    • Polymorphic engines
      • Encrypt body with randomly generated encryption algorithm
      • Private key normally in decoding engine
    • Metamorphic engines
      • Employ obfuscation/substitution techniques instead of encryption
      • Junk insertion, equivalent instruction substitution, etc.
    20
  • 21. Heuristics
    General term for the different techniques used to detect malware by their behavior
    Emulation, API hooking, sand-boxing, file anomalies and other analysis techniques
    Rule A -> Rule B -> Rule C
    IF Rule A then Rule B then Rule C then Poison Ivy
    Source: (http://hooked-on-mnemonics.blogspot.com)
    21
  • 22. Heuristics
    • Defeating heuristics
      • Detect emulation and execute different code path
      • Break emulation engine
      • Avoid the heuristics if you can
    • Overall solid method
    • Possible false positives
    22
  • 23. Semantics-aware Detection
    • Captured execution trace is transformed into a higher-level representation capturing its semantic meaning, i.e., the trace is first abstracted before being compared to a malicious behavior
    • Make the time to build the code flow or extract a model infeasible for real-time AV using time-lock puzzles
      • A common anti-emulation trick is to introduce loops that take a relatively long time to compute. The loop may in fact take so long to emulate that the antivirus scanner gives up.
      • A packed binary can be quickly created by an attacker which is guaranteed to require a predefined and easily adjustable number of computationally expensive operations to rebuild a cryptographic key. This key is then used in a strong cryptographic cipher to decrypt the next stage.
    • Intermediate representation (IR)
      • Abstract Syntax Trees, Register Transfer Language
    23
  • 24. Semantics-aware Detection Good idea in theory, but unknown (to me) how widely implemented this is in security products 24
  • 25. Semantics-aware Detection
    And how correctly is it implemented? (e.g. it took Veracode 10+ years to get right)
    Limited support for equivalent code sequences:
      a = b * 2
      a = b << 1
    A left arithmetic shift by n is equivalent to multiplying by 2^n (provided the value does not overflow)
    25
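Slides 19 and 25 together describe what a semantics-aware matcher has to do before comparing code: strip junk, undo register renaming and jump-based reordering, and fold the equivalences it knows about (PUSH/POP pairs, shift versus multiply). The added example below is my own illustration of that normalization step, not the slides' or any product's engine. It works on a constructed, simplified textual x86 form (one operand list per line, no commas inside memory operands) and canonicalizes a sequence so that the syntactically different variants compare equal; as the slide notes, support for equivalences is necessarily limited, and this normalizer only knows the handful listed on the slides:

```python
"""Canonicalize x86 instruction sequences before matching, so syntax mutations collapse to one form."""
import re

# ESP is left alone: it is not freely renamable, the others are numbered by first use.
REGISTERS = re.compile(r"\b(EAX|EBX|ECX|EDX|ESI|EDI|EBP)\b")


def parse(line: str):
    """'MOV EAX, EBX' -> ('MOV', ['EAX', 'EBX']); 'done:' -> ('LABEL', ['DONE'])."""
    line = line.split(";")[0].strip()
    if line.endswith(":"):
        return "LABEL", [line[:-1].strip().upper()]
    mnem, _, rest = line.partition(" ")
    return mnem.upper(), [o.strip().upper() for o in rest.split(",") if o.strip()]


def linearize(lines):
    """Read code in execution order: follow unconditional JMPs, stop at RET or a revisited label."""
    insts = [parse(l) for l in lines if l.strip()]
    labels = {ops[0]: i for i, (m, ops) in enumerate(insts) if m == "LABEL"}
    out, pc, seen = [], 0, set()
    while pc < len(insts):
        mnem, ops = insts[pc]
        if mnem == "LABEL":
            if ops[0] in seen:  # back-edge (a loop): stop rather than unroll
                break
            seen.add(ops[0])
            pc += 1
        elif mnem == "JMP" and ops[0] in labels:
            pc = labels[ops[0]]
        else:
            out.append((mnem, ops))
            if mnem == "RET":
                break
            pc += 1
    return out


def is_junk(mnem, ops) -> bool:
    """Garbage-code patterns from the slide: NOP, MOV r,r, and ADD/SUB/OR r,0."""
    if mnem == "NOP":
        return True
    if mnem in ("MOV", "XCHG") and len(ops) == 2 and ops[0] == ops[1]:
        return True
    return mnem in ("ADD", "SUB", "OR") and len(ops) == 2 and ops[1] in ("0", "0X0")


def simplify(insts):
    """Drop junk and rewrite the equivalences the slides list (PUSH/POP pair, SHL by a constant)."""
    out, i = [], 0
    while i < len(insts):
        mnem, ops = insts[i]
        nxt = insts[i + 1] if i + 1 < len(insts) else None
        if is_junk(mnem, ops):
            i += 1
        elif mnem == "PUSH" and nxt and nxt[0] == "POP":          # PUSH X; POP Y  ==  MOV Y, X
            if nxt[1][0] != ops[0]:
                out.append(("MOV", [nxt[1][0], ops[0]]))
            i += 2
        elif mnem == "SHL" and len(ops) == 2 and ops[1].isdigit():  # r << n == r * 2**n (low bits; flags differ)
            out.append(("IMUL", [ops[0], str(1 << int(ops[1]))]))
            i += 1
        else:
            out.append((mnem, ops))
            i += 1
    return out


def rename_registers(insts) -> tuple:
    """Number registers by first use so register-renamed variants compare equal."""
    names = {}

    def canon(m):
        return names.setdefault(m.group(1), "R%d" % len(names))

    return tuple((mnem + " " + ", ".join(REGISTERS.sub(canon, o) for o in ops)).strip()
                 for mnem, ops in insts)


def normalize(lines) -> tuple:
    return rename_registers(simplify(linearize(lines)))


# Constructed sequences: ORIGINAL and MUTATED behave the same, DIFFERENT does not.
ORIGINAL = ["MOV EAX, EBX", "SHL EAX, 1", "RET"]
MUTATED = ["PUSH ECX", "POP EDX", "NOP", "MOV EDX, EDX", "JMP done",
           "dead:", "RET", "done:", "IMUL EDX, 2", "SUB EDX, 0", "RET"]
DIFFERENT = ["MOV EAX, EBX", "SHL EAX, 2", "RET"]

if __name__ == "__main__":
    print(normalize(ORIGINAL))
    print(normalize(MUTATED))
    print("equivalent:", normalize(ORIGINAL) == normalize(MUTATED))
```

Every rewrite here is an engineering decision with a false-positive cost: treating `SHL r, 1` as `IMUL r, 2` ignores the flag results, and numbering registers by first use merges code that a stricter matcher would keep apart. That is the trade-off the slide points at when it says correct implementation is hard.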
  • 27. Recap
    Technology            Attack Technique
    Hash-detection        Sufficiently altering binary/exploit
    Signature-detection   Garbage Code Insertion; Register Renaming; Subroutine Permutation; Code Reordering through Jumps; Equivalent instruction substitution; Content Fragmentation
    Heuristic-detection   Avoid matching heuristic-detection decision tree; add enough benign functionality that heuristic detection fails open due to false positive mitigation
    Semantic-detection    Avoid matching semantic-detection decision tree, or find a semantic which the semantic-detection engine has not translated properly (see heuristic-detection for more attacks)
    27
  • 28. Looking Beyond…
    Too often the assumption is that when analyzing malware or a file exploit, all the malicious content to be found is within the file boundaries and available all at one moment in time. This is not always the case…
    • Web pages – Script Fragmentation [link]
    • Mobile Apps (Java/JavaScript bridges [link][link])
    28
  • 29. Malware Detection Reality Check • How well are current detection techniques working? 33%! 29
  • 30. Malware Detection Reality Check Imperva Blog: “Assessing the Effectiveness of Antivirus Solutions” Excerpt: '....Imperva collected and analyzed more than 80 previously non-cataloged viruses against more than 40 antivirus solutions. They found that less than 5% of anti-virus solutions in the study were able to initially detect previously non-cataloged viruses and that many solutions took up to a month or longer following the initial scan to update their signatures......' 30
  • 32. Trend of Malware Creation Observation: the number of malware samples is increasing. Source: McAfee Global Q1 2012 Threat Report (http://mcafee.com/us/resources/reports/rp-quarterly-threat-q1-2012.pdf) 32
  • 33. Trend of Malware Creation Observation: the number of Android malware samples is increasing. Source: Kaspersky Q1 2012 Threat Report (http://www.securelist.com/en/analysis/204792231/IT_Threat_Evolution_Q1_2012) 33
  • 34. How I interpret those results… current techniques aren’t really succeeding 34
  • 35. Who qualifies AV defense products
    AV-Test: Security Essentials failed to recognize enough zero-day threats, with detection rates of only 69%, where the average is 89% [link]
    AV-Comparatives
    ICSA Labs
    NSS Labs
    EICAR
    Etc.
    35
  • 36. Malware Defense is really hard…
    • Benign software can look like malware
      ClamAV detected as malware; why: its signature database isn’t encrypted, so the strings match signatures
    36
  • 37. Malware Defense is really hard…
    • Malware can look/act like benign software
    • ~70,000 new pieces of malware a day
    • Gauss – Encrypted DLL
    • Zeus – Downloading encrypted binaries
    • Java or .NET malware – e.g. recent "Japanese remote control malware virus" used to make death threats on web forums
      • Starting with Vista and Windows Server 2008 and continuing into Windows 7, .NET is now a native part of the OS installation.
      • Analysis of the byte code of an interpreted language
    37
  • 38. Typical Scenario
    Client binary is malware but isn’t detected. If considered suspicious, files are sent back to the “home base/cloud” lab for analysis (feedback mechanism)
    1. Sent to sandbox system
    2. Metadata report is created for easier export of new rules
       a. Hash and blacklist entries are added
       b. Signatures are added
       c. Heuristic detection is added
    38
  • 40. Solving the problem with people
    [Figure: stream of malware samples vs. malware analysts]
    OVERLOAD!!
    40
  • 41. The Future of Malware Defense Perhaps there should be more science and statistical modeling applied to malware defense – as an additional layer. 41
  • 42. Modeling attacks and attackers
    Malware detection: As malware approaches ∞ we can’t manually add detection for every file. We must model WHAT actions malware takes, WHERE it connects to and HOW it performs its actions.
    Attribution: As the attack surface approaches ∞ we can’t defend everything from everyone. We must model WHO is after WHICH assets and HOW they attack.
    42
  • 43. The Future of Malware Defense
    IF we are going to start modeling we must make some assumptions:
    • Attackers are lazy; they are going to change their code and techniques only enough to avoid detection
    • The majority of malware/exploit code and techniques will continue to represent future malware/exploits
    43
  • 44. Machine learning
    Machine learning is where we train computers to make statistical decisions on real-time data based on previously supplied (training) data.
    While machine learning as a concept has been around for decades and has been used in everything from anti-spam engines to Google™ algorithms for translating text, it is only now being applied to web filtering, DLP and malware content analysis.
    44
  • 45. Statistics
    Manual observation: Historically certain malware has
    • No icon
    • No description or company in resource section
    • Is packed
    • Lives in Windows directory or user profile
    These are the type of “features” that expert humans would feed to machine learning classifiers to learn
    45
  • 46. The Future of Malware Defense
    Inspection points: Network | File System | Physical Memory
    Every layer provides various degrees of “features” to inspect
    46
  • 47. Malware features in action…
    • Features:
      • Static:
        • Packed
        • File size
        • Origin
      • Dynamic (Network):
        • Makes a connection
        • Number of DNS requests
        • Encrypted communication
        • Burst/length of communication
      • Dynamic (File):
        • Registry keys
        • File level modifications
    47
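Slides 44 to 47 describe the pipeline without showing it: observed properties become boolean features, and a classifier learns their weights from labelled samples. The added example below (my own code, not from the slides or any product) implements that pipeline end to end with the standard library. Feature extraction uses the slide's features (packed, no icon, no version resource, lives under the Windows directory or a user profile, many DNS requests), with "packed" approximated by a byte-entropy threshold; the thresholds, the sample record layout, the byte blobs and the labelled training set are all constructed for the example. The classifier is a Bernoulli naive Bayes with add-one smoothing:

```python
"""Static-feature extraction plus a Bernoulli naive-Bayes classifier over the slide's features."""
import hashlib
import math
from collections import Counter, defaultdict


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; packed or encrypted content sits near 8.0."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def extract_features(sample: dict) -> dict:
    """Boolean features. `sample` is a constructed record: bytes, path, has_icon, has_version_info, dns_requests."""
    path = sample["path"].lower().replace("\\", "/")
    return {
        "packed": entropy(sample["bytes"]) > 7.0,   # assumed threshold
        "no_icon": not sample["has_icon"],
        "no_version_info": not sample["has_version_info"],
        "in_windows_or_profile": path.startswith("c:/windows/") or path.startswith("c:/users/"),
        "many_dns": sample["dns_requests"] > 5,     # assumed threshold
    }


class BernoulliNB:
    """Naive Bayes over boolean features with add-one (Laplace) smoothing."""

    def __init__(self):
        self.true_counts = defaultdict(Counter)  # label -> feature -> number of samples where it was True
        self.totals = Counter()                  # label -> number of samples

    def fit(self, rows):
        for feats, label in rows:
            self.totals[label] += 1
            for f, v in feats.items():
                if v:
                    self.true_counts[label][f] += 1
        return self

    def predict_proba(self, feats: dict) -> dict:
        n_all = sum(self.totals.values())
        log_scores = {}
        for label, n in self.totals.items():
            lp = math.log(n / n_all)  # class prior
            for f, v in feats.items():
                p_true = (self.true_counts[label][f] + 1) / (n + 2)
                lp += math.log(p_true if v else 1.0 - p_true)
            log_scores[label] = lp
        m = max(log_scores.values())
        z = sum(math.exp(s - m) for s in log_scores.values())
        return {label: math.exp(s - m) / z for label, s in log_scores.items()}

    def predict(self, feats: dict) -> str:
        probs = self.predict_proba(feats)
        return max(probs, key=probs.get)


# Constructed byte blobs: hash output stands in for packed content, repetitive text for plain code.
HIGH_ENTROPY = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
LOW_ENTROPY = b"\x90" * 2000 + b"Hello World " * 100


def make_sample(packed, path, has_icon, has_version_info, dns_requests) -> dict:
    return {"bytes": HIGH_ENTROPY if packed else LOW_ENTROPY, "path": path,
            "has_icon": has_icon, "has_version_info": has_version_info, "dns_requests": dns_requests}


# Constructed, labelled training set (paths and counts are invented for the example).
TRAINING = [
    (make_sample(True,  r"C:\Users\alice\AppData\Local\Temp\update.exe", False, False, 12), "malicious"),
    (make_sample(True,  r"C:\Windows\Temp\svc.exe",                       False, False, 8),  "malicious"),
    (make_sample(False, r"C:\Users\bob\Downloads\invoice.exe",            False, False, 9),  "malicious"),
    (make_sample(True,  r"C:\Windows\helper.exe",                         False, True,  6),  "malicious"),
    (make_sample(False, r"C:\Program Files\Vendor\app.exe",               True,  True,  1),  "benign"),
    (make_sample(False, r"C:\Program Files\Editor\edit.exe",              True,  True,  0),  "benign"),
    (make_sample(True,  r"C:\Program Files\Game\game.exe",                True,  True,  2),  "benign"),
    (make_sample(False, r"C:\Users\bob\tools\cli.exe",                    False, True,  0),  "benign"),
]


def train_classifier() -> BernoulliNB:
    return BernoulliNB().fit((extract_features(s), label) for s, label in TRAINING)


SUSPECT = make_sample(True, r"C:\Users\carol\AppData\Roaming\svc.exe", False, False, 3)
CLEAN = make_sample(False, r"C:\Program Files\Vendor\tool.exe", True, True, 0)

if __name__ == "__main__":
    clf = train_classifier()
    for name, s in (("suspect", SUSPECT), ("clean", CLEAN)):
        print(name, clf.predict(extract_features(s)), clf.predict_proba(extract_features(s)))
```

Note that the packed game binary in the training set is labelled benign: one feature alone does not decide, which is what distinguishes this layer from a signature. The weakness slide 53 lists is visible in the same code: whoever controls `TRAINING` controls the learned probabilities, and whoever knows the five feature names knows what to avoid.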
  • 48. Detecting shellcode
    • Markov chains (NLP) to determine the probability of instruction sequences
      [Figure: instruction-transition graph with probabilities 0.3, 0.7, 0.4, 0.6]
    • Technique clustering
      XOR     ECX, ECX                    ; ECX = 0
      MOV     ESI, [FS:ECX + 0x30]        ; ESI = &(PEB) ([FS:0x30])
      MOV     ESI, [ESI + 0x0C]           ; ESI = PEB->Ldr
      MOV     ESI, [ESI + 0x1C]           ; ESI = PEB->Ldr.InInitOrder
    next_module:
      MOV     EBP, [ESI + 0x08]           ; EBP = InInitOrder[X].base_address
      MOV     EDI, [ESI + 0x20]           ; EDI = InInitOrder[X].module_name (unicode)
      MOV     ESI, [ESI]                  ; ESI = InInitOrder[X].flink (next module)
      CMP     [EDI + 12*2], CL            ; modulename[12] == 0 ?
      JNE     next_module                 ; No: try next module.
    48
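The slide names Markov chains over instruction sequences but shows only a fragment of the transition graph. The added example below is my own illustration of the idea, not the slides' or any product's detector: two first-order Markov models over mnemonics (one trained on shellcode-like sequences, one on compiler-style prologues and epilogues) and a log-likelihood ratio that says which model explains a new sequence better. The training corpora are constructed lists of mnemonics; the first shellcode-like entry is just the mnemonic sequence of the PEB-walk snippet on the slide, and the smoothing constant is an assumption:

```python
"""Bigram Markov models over instruction mnemonics: score how shellcode-like a sequence is."""
import math
from collections import Counter, defaultdict

START, END = "<s>", "</s>"


class MnemonicMarkov:
    """First-order Markov chain over mnemonics with additive smoothing."""

    def __init__(self, vocab_size: int, alpha: float = 0.5):
        self.vocab_size = vocab_size + 1  # +1 reserves mass for mnemonics never seen in training
        self.alpha = alpha
        self.bigrams = defaultdict(Counter)  # previous mnemonic -> next mnemonic -> count

    def fit(self, sequences):
        for seq in sequences:
            toks = [START] + [t.upper() for t in seq] + [END]
            for a, b in zip(toks, toks[1:]):
                self.bigrams[a][b] += 1
        return self

    def log_prob(self, seq) -> float:
        """log P(sequence) under the chain, including the start and end transitions."""
        toks = [START] + [t.upper() for t in seq] + [END]
        lp = 0.0
        for a, b in zip(toks, toks[1:]):
            row = self.bigrams[a]
            lp += math.log((row[b] + self.alpha) / (sum(row.values()) + self.alpha * self.vocab_size))
        return lp


# Constructed training corpora (mnemonics only). The first entry is the slide's PEB-walk snippet.
SHELLCODE_LIKE = [
    ["XOR", "MOV", "MOV", "MOV", "MOV", "MOV", "MOV", "CMP", "JNE"],
    ["XOR", "MOV", "MOV", "MOV", "LODSD", "XOR", "ROR", "CMP", "JNE", "JMP"],
    ["CALL", "POP", "MOV", "MOV", "MOV", "MOV", "CMP", "JNE"],
    ["FLDZ", "FNSTENV", "POP", "XOR", "MOV", "MOV", "MOV", "CMP", "JNE"],
]
COMPILER_LIKE = [
    ["PUSH", "MOV", "SUB", "MOV", "CALL", "ADD", "MOV", "POP", "RET"],
    ["PUSH", "MOV", "PUSH", "PUSH", "MOV", "CALL", "TEST", "JE", "MOV", "POP", "POP", "POP", "RET"],
    ["MOV", "CMP", "JE", "MOV", "RET"],
    ["PUSH", "MOV", "SUB", "MOV", "MOV", "CALL", "LEAVE", "RET"],
]


def train_models():
    """Both models share one vocabulary so their smoothed probabilities are comparable."""
    vocab = {t for seq in SHELLCODE_LIKE + COMPILER_LIKE for t in seq} | {START, END}
    return (MnemonicMarkov(len(vocab)).fit(SHELLCODE_LIKE),
            MnemonicMarkov(len(vocab)).fit(COMPILER_LIKE))


SHELL_MODEL, BENIGN_MODEL = train_models()


def log_likelihood_ratio(seq) -> float:
    """> 0: the sequence is better explained by the shellcode model than by the compiler-output model."""
    return SHELL_MODEL.log_prob(seq) - BENIGN_MODEL.log_prob(seq)


def is_suspicious(seq, threshold: float = 0.0) -> bool:
    return log_likelihood_ratio(seq) > threshold


PEB_WALK = ["XOR", "MOV", "MOV", "MOV", "MOV", "MOV", "MOV", "CMP", "JNE"]  # the slide's snippet
PROLOGUE = ["PUSH", "MOV", "SUB", "CALL", "ADD", "POP", "RET"]              # constructed compiler output

if __name__ == "__main__":
    for name, seq in (("PEB walk", PEB_WALK), ("prologue", PROLOGUE)):
        print("%-9s LLR = %+.2f suspicious = %s" % (name, log_likelihood_ratio(seq), is_suspicious(seq)))
```

The threshold is the tuning knob: the ratio for a sequence the model has never seen is dominated by the smoothing term, which is exactly where false positives on unusual but legitimate code come from. In a real deployment the corpora would be disassembly of known shellcode and of ordinary binaries, and "technique clustering" from the slide would group sequences by which model, or which cluster of models, they score closest to.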
• 49. PDF Example Features
  • Compressed JavaScript
  • PDF header location, e.g. %PDF within the first 1024 bytes
  • Does it contain an embedded file (e.g. Flash, sound file)
  • Signed by a trusted certificate
  • Encoded/encrypted streams, e.g. FlateDecode
  • Names hex-escaped
  • Bogus xref table
  Reference: http://blog.fireeye.com/files/27c3_julia_wolf_omg-wtf-pdf.pdf
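An added example (not from the talk) of extracting the feature set listed on this slide from raw PDF bytes. The two input documents are constructed inline: a minimal clean PDF, and a suspicious one with 1100 bytes of junk before the header, a hex-escaped `/J#53` key, a FlateDecode-compressed JavaScript stream, an embedded file and a `startxref` that points nowhere. The "signed" feature is reduced to the presence of a signature dictionary; verifying the certificate chain is out of scope here. The `build_pdf` helper and the `suspicion_score` weighting are assumptions of the example, not a parser the talk describes.

```python
"""PDF static feature extraction over raw bytes (added example)."""
import re
import zlib

STREAM_FILTERS = rb"/Filter\s*/(?:FlateDecode|ASCIIHexDecode|ASCII85Decode|LZWDecode|RunLengthDecode)"


def decode_names(data: bytes) -> bytes:
    """Undo #XX hex escapes so an evasive /J#53 is matched as /JS."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def pdf_features(data: bytes) -> dict:
    f = {}
    hdr = data.find(b"%PDF")
    f["header_offset"] = hdr
    f["header_in_first_1024"] = 0 <= hdr < 1024
    f["hex_escaped_names"] = len(re.findall(rb"/[A-Za-z0-9]*#[0-9A-Fa-f]{2}", data))
    norm = decode_names(data)
    f["has_javascript"] = b"/JavaScript" in norm or re.search(rb"/JS\b", norm) is not None
    f["embedded_file"] = b"/EmbeddedFile" in norm
    f["signature_dict"] = re.search(rb"/Type\s*/Sig\b", norm) is not None
    f["encoded_streams"] = len(re.findall(STREAM_FILTERS, norm))
    # Compressed JavaScript: the stream object referenced by /JS carries a /Filter.
    objs = {int(m.group(1)): m.group(2)
            for m in re.finditer(rb"(\d+)\s+0\s+obj(.*?)endobj", norm, re.S)}
    f["compressed_javascript"] = any(
        b"/Filter" in objs.get(int(ref), b"")
        for ref in re.findall(rb"/JS\s+(\d+)\s+0\s+R", norm))
    # Bogus xref: the last startxref must point at "xref" or at an xref stream object.
    f["bogus_xref"] = True
    offsets = re.findall(rb"startxref\s+(\d+)", data)
    if offsets:
        target = data[int(offsets[-1]):int(offsets[-1]) + 20]
        f["bogus_xref"] = not (target.startswith(b"xref")
                               or re.match(rb"\d+\s+0\s+obj", target) is not None)
    return f


def suspicion_score(f: dict) -> int:
    """Assumed weighting for the example: one point per risky feature."""
    return sum([not f["header_in_first_1024"], f["compressed_javascript"],
                f["embedded_file"], f["hex_escaped_names"] > 0, f["bogus_xref"]])


def build_pdf(bodies, junk_prefix=b"", xref_offset=None) -> bytes:
    """Assemble a minimal PDF from object bodies; xref_offset overrides the true offset."""
    out = bytearray(junk_prefix + b"%PDF-1.4\n")
    offsets = []
    for i, body in enumerate(bodies, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % i + body + b"\nendobj\n"
    xref_pos = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(bodies) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (
        len(bodies) + 1, xref_pos if xref_offset is None else xref_offset)
    return bytes(out)


# Constructed samples.
CLEAN_PDF = build_pdf([
    b"<< /Type /Catalog /Pages 2 0 R >>",
    b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
    b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>",
])
_js = zlib.compress(b"app.alert('constructed sample');")
SUSPICIOUS_PDF = build_pdf([
    b"<< /Type /Catalog /Pages 2 0 R /OpenAction << /S /JavaScript /J#53 4 0 R >> >>",
    b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
    b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>",
    b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(_js) + _js + b"\nendstream",
    b"<< /Type /EmbeddedFile /Length 3 >>\nstream\nabc\nendstream",
], junk_prefix=b"X" * 1100, xref_offset=0)

if __name__ == "__main__":
    for name, doc in (("clean", CLEAN_PDF), ("suspicious", SUSPICIOUS_PDF)):
        feats = pdf_features(doc)
        print(name, suspicion_score(feats), feats)
```

Note that the hex-escape decoding happens before keyword matching: a detector that greps the raw bytes for `/JS` misses `/J#53`, which is exactly the kind of feature-avoidance the later "Offensive Thinking" slide is about.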
• 51. Machine Learning
  Just another layer in the defenses. Take all technologies; each is used as a feature in itself:
  • Signatures
  • Heuristics
  • Semantics
• 53. Offensive Thinking - AI
  Technology: Machine Learning / Natural Language Processing
  Attack Techniques:
  1. Machine learning can be prone to false positives and false negatives if feature and sample sets aren’t extensive enough
  2. Detection via machine learning can be defeated if an attacker can find out what the features are and avoid them
  3. Classifier training can be poisoned if an attacker can influence the training set
  4. Functionality typically used for benign actions can be used to conduct malicious actions
  5. Machine learning can't detect a new weapon if it doesn’t know it exists or doesn’t know how to interpret/parse it (HTML5 objects for heap spraying, or improvements to a file format)
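An added example (not from the talk) that ties the feature list of slides 45 and 47 to attack techniques 2 and 3 on this slide. A Bernoulli naive Bayes classifier is trained on a constructed set of binary features; a new sample is then (a) classified, (b) evaded by an attacker who knows the features and changes the cheap, cosmetic ones (unpack, add an icon and version info, move out of the Windows directory) while keeping the behavioural ones, and (c) misclassified after the attacker poisons the training set with mislabelled look-alikes. The feature names, training samples, the set of "cheap to change" features and the number of poisoned samples are all assumptions of the example.

```python
"""Naive Bayes malware classifier, with feature evasion and training-set poisoning (added example)."""
import math
from collections import Counter

# Binary features drawn from the slides' static / dynamic feature lists.
FEATURES = ["packed", "no_icon", "no_version_info", "in_windows_dir",
            "makes_connection", "many_dns", "encrypted_comm", "run_key",
            "modifies_system_files"]

# Constructed training data: (set of features present, label).
TRAINING = [
    (frozenset({"packed", "no_icon", "no_version_info", "in_windows_dir", "makes_connection", "many_dns", "run_key"}), "malware"),
    (frozenset({"packed", "no_icon", "no_version_info", "makes_connection", "encrypted_comm", "run_key", "modifies_system_files"}), "malware"),
    (frozenset({"packed", "no_icon", "in_windows_dir", "makes_connection", "many_dns", "encrypted_comm", "run_key"}), "malware"),
    (frozenset({"packed", "no_version_info", "in_windows_dir", "makes_connection", "run_key", "modifies_system_files"}), "malware"),
    (frozenset({"packed", "no_icon", "no_version_info", "makes_connection", "many_dns", "run_key"}), "malware"),
    (frozenset({"no_icon", "no_version_info", "in_windows_dir", "makes_connection", "encrypted_comm", "run_key", "modifies_system_files"}), "malware"),
    (frozenset({"makes_connection", "encrypted_comm"}), "benign"),   # browser
    (frozenset({"run_key"}), "benign"),                              # auto-updater
    (frozenset(), "benign"),                                         # plain utility
    (frozenset({"makes_connection"}), "benign"),                     # mail client
    (frozenset({"packed"}), "benign"),                               # UPX-packed installer
    (frozenset({"in_windows_dir", "modifies_system_files"}), "benign"),  # system tool
]

# Static features an attacker can change without touching what the code does.
CHEAP_TO_CHANGE = {"packed", "no_icon", "no_version_info", "in_windows_dir"}


def train(samples):
    """Bernoulli naive Bayes with Laplace smoothing; returns {label: {prior, p}}."""
    n = Counter(label for _, label in samples)
    counts = {label: Counter() for label in n}
    for feats, label in samples:
        counts[label].update(feats)
    return {label: {"prior": n[label] / len(samples),
                    "p": {f: (counts[label][f] + 1) / (n[label] + 2) for f in FEATURES}}
            for label in n}


def log_posterior(model, feats, label):
    m = model[label]
    score = math.log(m["prior"])
    for f in FEATURES:
        p = m["p"][f]
        score += math.log(p if f in feats else 1.0 - p)
    return score


def classify(model, feats):
    return max(model, key=lambda label: log_posterior(model, feats, label))


def evade(feats):
    """Attack technique 2: drop every feature the attacker can cheaply avoid."""
    return frozenset(feats) - CHEAP_TO_CHANGE


def poison(samples, decoy, copies=12):
    """Attack technique 3: flood the training set with the decoy labelled benign."""
    return list(samples) + [(frozenset(decoy), "benign")] * copies


# A new sample, not present in the training data.
NEW_SAMPLE = frozenset({"packed", "no_icon", "no_version_info", "in_windows_dir",
                        "makes_connection", "encrypted_comm", "run_key"})


def demo():
    clean_model = train(TRAINING)
    return {
        "original": classify(clean_model, NEW_SAMPLE),
        "evaded": classify(clean_model, evade(NEW_SAMPLE)),
        "after_poisoning": classify(train(poison(TRAINING, NEW_SAMPLE)), NEW_SAMPLE),
    }


if __name__ == "__main__":
    print(demo())
```

The evaded sample still connects out, talks encrypted and persists through a Run key, so the behavioural features remain; the classifier was simply leaning on the cosmetic ones. That is the practical argument for the "more layers, more feature sources" point on slide 51 and for weighting dynamic features that cost the attacker something to remove.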
• 55. Test defenses on your network
  • Get samples…
    • Private logs, setting up honeypots, infected machines, private security mailing lists
    • Open Malware - http://offensivecomputing.net/
      • Myself and another researcher are working on an API…
    • Research websites, e.g. malr, zeustracker
  • DMZ’d / replicated network
  • Establish a role for Security Architect
  • Hire a consulting firm to architect a security framework for your organization
• 56. Conclusion
  • Independent testing should be done on attempting to bypass file/network layers of defense:
    • External reconnaissance
    • Penetration
    • Internal reconnaissance + staging a persistent state
    • Exfiltration
  • An understanding of the limitations of each defensive layer should be part of deciding how to build your network:
    • OS – ASLR, DEP, HIPS, FIREWALL, etc.
    • NETWORK – FILTERING, IPS, IDS, FIREWALL, etc.
    • LOGGING and CORRELATION
• 57. Conclusion
  Proper security is all about a defense-in-depth strategy. Create multiple layers of defense, every layer presenting a different set of challenges and requiring different skill sets and technology. Every layer then increases the time and effort needed to compromise your environment and exfiltrate data.
• 58. Conclusion
  If the security strategy is successful, the attack is stopped by your layered defenses before exfiltration of data can happen.
• 59. Questions?
  questions.py:
      while len(questions) > 0:
          if time <= 0:
              break
          print answers[questions.pop()]
• 60. Thanks!
  Stephan Chenette | @StephanChenette
  Director of Research and Development
  IOActive, Inc.
  http://ioactive.com