SlideShare una empresa de Scribd logo

When developer's api simplify user mode rootkits developing.

Yury Chemerkin
Yury Chemerkin

This is a series of articles about shell extensions that enhance high-level features of any operation system. However, such possibilities not only enrich platform but simplify developing trojans, exploits that leads to the new security holes. Mostly this kind of extensions are known as usermode rootkits. http://hakin9.org/theultimat/

Tecnología
1 de 7
Descargar para leer sin conexión
DEFENCE When Developers API Simplify User-mode Rootkits Developing This is a series of articles about shell extensions that enhance high-level features of any operation system. However, such possibilities not only enrich platform but simplify developing trojans, exploits that leads to the new security holes. Mostly this kind of extensions are known as user-mode rootkits. C ybercrime is becoming a growing threat to soci- • Mobile malware uses the same techniques as PC ety. The thefts of information, website crashing malware to infect mobile devices. or manipulating online payment traffic are also • The greatest mobile malware risk comes from rapid increasing. Many organizations offer various services in proliferation of applications from app stores. the battle against digital crime, such as network or data • RIM BlackBerry, Google Android, and Apple iOS monitors and extractions tools. It is interesting mainly to operating systems suffer predominantly from spy- authorities and financial institutions, but they are acces- ware applications sible to every organization. Smartphones have been equipped with operating It’s totally right. If you want to distribute malware take systems that compare in complexity with those on desk- the most popular application or game, most popular top computers. This trend makes them vulnerable to lot device what you are going to infect and place malware of the same threats as desktop OS. The past several application into „warez”-storage. For example, take years of mobile malware are no longer only in the theo- any game for Android/iOS, that is not free (like angry ry. There has been malware, loss, theft, data communi- birds) and place a supposedly cracked version on the cation interception, exploitation, etc. This has been be- non-official android market. The application does not cause of the decreasing cost of mobile devices which even need to be the game. To prove this idea let’s go allowed them to enrich the software interfaces that back to November 2010 when security researchers allows users to interact better with the cyber and the Jon Oberheide and Zach Lanier unveiled an Android physical worlds. For example, mobile devices are often exploit at an Intel security conference in Oregon. They pre-installed with a number of applications, including cli- showed that the Android security model include a se- ents for location-based services and general-purpose curity flaw that allows an application to invisibly down- web browsers used forchatting and social networking. load additional exe-applications, known as APK files, The increasing number of mobile-related exploits tends without requiring the user’s permissions. Their proof- to impact security breaches which have put the industry of-concept malware did not contain any actual mali- at a critical point. That’s the greatest risk to all mobile OS cious code; it simply portrayed itself as bonus levels moving to involve the rapid development, and distribution for Angry Birds that, once installed, would open up throughout so-called app markets While most of applica- more levels for the player. In reality, nothing related to tion markets provide an ideal transportation mechanism Angry Birds was ever included in the application. How- for the delivery of malicious software to the heart ofindus- ever, Oberheide and Lanier proved that users could try’s networks. According to Juniper Networks the follow- be tricked into downloading this application, and that ing mobile malware take place: the application could download and install addition- al applications without prompting the user to approve • Mobile device and OS market share and mobile the additional installs, or to verify and agreement re- malware infection rates are linked quired for the background applications to be installed. 124 01/2012
When Developers API Simplify User-mode Rootkits Developing Unfortunately, BlackBerry suffers from the same prob- system call, the execution of that system call follows a lem. Mobile environments makevery attractive targets predetermined path and after that rootkit can intercept to attackers. Important personal and financial informa- it. One of the most common user mode techniques is tion can easily be compromised because phone us- the one in memory modification of system libraries. age is a part of day-to-day user activities. For example, That’s why applications run in their own memory mobile devices are being used for chatting, email, stor- space and the rootkit needs to patch the memory space ing personal data even financial data, pictures, videos, of every running application to provide self-control. GPS tracks and audio notes. Moreover, the rootkits have to monitor for new applica- A rootkit is a stealth type of malicious software – de- tions to patch those programs’ memory space too (need signed to keep itself, other files, or network connections to explain the security rings if they are referenced). hidden from detection. A rootkit typically intercepts com- User-mode rootkits run in Ring 3, along with other mon API calls to modify or filter information from the op- applications as user, rather than low-level system pro- erating system to keep itself hidden. For example, it can cesses. They have a number of possible installation intercept requests to file explorer and cause it to keep vectors to intercept and modify the standard behaviour certain files hidden from display, even reporting false of application programming interfaces (APIs). Some in- file counts and sizes to the user. There are legitimate ject a dynamically-linked library like a. DLL file on Win- uses for rootkits by law enforcement, parents or em- dows into processes, and are thereby able to execute ployers wishing to retain remote command and control inside any target process to spoof it. Injection mecha- and/or the ability to monitor activity on their employee’s nisms include: or children’s computer systems. Another example, rootkits are commonly used to con- • Use of vendor-supplied application extensions. For ceal keyloggers, which steal sensitive user data, such example, Windows Explorer as well as any mobile as passwords and credit card numbers, by silently log- platform like BlackBerry has public interfaces that ging keystrokes. Rootkits are design to maintain ac- allow third parties to extend its functionality. cess to targeted computers. Rootkits can also disable • Interception of messages. the firewall/antivirus tools by replacing files, changing • Exploitation of security vulnerabilities. settings or modifying what the antivirus application can • Function hooking or patching of commonly used see. None of these activities are directly visible to the APIs, for example, to mask a running process or user because the rootkit conceals its presence. file that resides on a file system. There are several kinds of rootkits. They are bootkits, firmware user-mode kernel and hypervisor. A further Windows-based rootkits are modifying paths and sys- discussion needs to compare kernel mode with user- tem structures these methods are used to mask net- mode rootkits. work activity, registry keys, and processes Rootkits Kernel mode rootkits involve system hooking or modi- modify all the things which could alert a user to the fication in kernel space which is the ideal place because fact that a malicious program is active in the system. it is at the lowest level, highest level of security and Implementation in user mode rootkits is relatively easy. thus, is the most reliable and robust method of system Most often, a method based on hooking API functions hooking. is used to modify the path to executables. As a system call’s execution path leaves user mode Many of rootkits techniques are well documented and enters kernel mode, it must pass through a gate. and use normal applications. Example: a desktop fire- This gate must be able to recognize the purpose of the wall program may use similar hooking things to watch incoming system call and initiate the execution of code and alert the user to any outgoing network connec- inside the kernel space and then return results back to tions while a rootkit will use it to hide their backdoor the incoming user mode system call. It’s some kind of activities. The legitimizing effect of commercial rootkit a proxy between user mode and kernel mode. One of software is leading away from user-mode and toward the rootkit techniques is to simply modify the data struc- kernel-mode techniques at first glance. However, user- tures in kernel memory. For example, kernel memory mode rootkits still have the ability to bypass security must keep a list of all running processes and a root- applications Non-official market places are now wide- kit can simply remove themselves and other malicious ly available on the Internet therefore malware writers processes they wish to hide from this list. Rootkits do don’t even ponder over how to spread it. It’s very easy this by inserting or patching the process that list running to integrate several technologies into one malware at- processes and then filter what processes are reported tack. as running. User-mode rootkits exist for *NIX, Windows and are User mode rootkits involve system hooking in the user known for mobile devices such as Android or BlackBer- or application space. Whenever an application makes a ry. www.hakin9.org/en 125
DEFENCE Why not BlackBerry? always been among the most basic usability principles. BlackBerry smartphone applications include inherent vi- Showing asterisks while users enter complex codes rus protection and spyware protection that is designed definitely fails to comply. Other background was key- to contain and prevent the spread of viruses and spy- stroke emulation as a kind of underlying principle of ware to other applications. Security is known as the cor- direct interaction with screen. BlackBerry has an API nerstone of the BlackBerry system that allows users to managed with applications that eventually ask user to confidently access sensitive information. choose restriction via showing API-requests. Why does Previous attacks on BlackBerry included: several a user agree with it? Some application such as phone exploits, password thefts, screen information, chats manager have no way to communicate with high lev- messages and other data. All of these described at- el hardware to catch incoming calls and auto pick up. tacks are possible to put into practice on application It seems there is no failure because user installs ap- (user-mode) level. While root mode provides powerful plications and allows their policies. However, the issue ability to feel like God, application level has the abil- covers all screens that can be managed by keystroke ity for wide spreading, easy distribution, misleading emulation or navigation emulation, or any textbox. One and finally easy developing. The most popular solu- exploit shown in the article which was by „noising” the tion in security field is to operate as always under at- inputting text field. The major concept is in using the tack. Well-established products will provide the end most complex password in range of 14-18 symbols with user with some protection. Meanwhile vendors start to case-sensitive. That’s right, you’re obliged to use the develop security measures as hackers continue to de- most complex password and you never see the noise- velop new rootkit/exploits. That’s why an application symbol until unmasking happen, which usually leads to level is one of most interesting to research and actu- device wiping (Figure 1 and 2). ally it will always be relevant and useful to take it under Next bad idea discussed in the same article based investigation. Forensic investigation can be conducted on global permission of screen-capturing as previous on cloud or mobile devices, but you’re still able to ex- keystroke emulation. You can choose whether you want tract most data. (Computer and servers) However, it’s to use such application, for example, to capture a lot of really a problem when accessing the network card on screenshots to make a video tutorial are only between high level at first glance, but don’t forget about browser yes and no. Thus, in my other article (Why is password plugin, IM plugin and etc. Therefore this type of level protection a fallacy point of view? Hakin9 Extra, June is based on opened API for developers clearly leads to 2011) I showed that you can to sniff password data. Two exploitation. issues for further discussions: Coming back to my previous articles I’m going to re- fresh some ideas of these attacks. First article discussed • Keylogger password protection (Is Data Secure on the Password • Datalogger Protected Blackberry Device? Hakin9, February 2011) mainly password masking as point of protection. It’s ob- Many thanks to Apple’s patent (if I’m not mistaken) to vious that in most cases masking passwords doesn’t the asterisk masking lagging. More details: when you even increase security, but it does cost your business touch screen to type a character a big-scaled pre- due to login failures. Visualizing the system status has view appears. When you do the same while typing Figure 1. Noising password field Figure 2. Result of noising password field 126 01/2012
When Developers API Simplify User-mode Rootkits Developing Figure 3. Screen-capture of browser #1 Figure 5. Screen-capture of password’s creation window password into masked text box you can see that ev- Some kind of answer: Clipboard manager restricts da- ery character is going to be masked by asterisk or ta extracting while window of Password Keeper/Black- black circle in about~1-2 second afterward. It’s quite Berry Wallet is active until you minimize it or close it. true to all mobile devices. But if you use a hardware Is it really needed in protection by password masking keyboard you will never see it. Reasonably, password (Figure 8)? preview is only used when the keyboard is a sure type Next failures with password discussed in that article or multitap keyboard. The bold keyboard is a full key- highlight attacker capabilities to steal password while board so it won’t duplicate that behavior. Such preview you’re syncing your device with a PC (discussed Win- is screen-shot-able. Average statistical data shows dows-based PC only) from password by catching sync- 300-400 msec is good to steal each button press like event and start to screen capturing for example. There’s letters, numeric, switching between letter and numeric protect the PC side too. There are four attacks there. or symbols or pressing some kind of shift/caps lock. If Unfortunately, we can’t get a screen-capture. you want to be totally sure set a 100 msec timer to get First of them dealt with previous version of BlackBer- everything (Figure 3-7). ry Device Manager (4-5 version) developed by C++. It Despite the big bug in good managing password divides into two builds (Windows Seven and Windows by your brain and previous exploitation each user XP). Second of them was referring to BlackBerry Desk- has a problem with password managers. BlackBerry top Manager (6 version) developed mainly by .NET. gives an opportunity to choose pre-nstalled Password Third of them expanded the previous in case of get- Keeper or BlackBerry Wallet. Both can be screen-cap- ting password that types before backup starts. Fourth of tured! A good question is why can’t we take control them dealt with silent connecting if you’ve got a device over all windows application (even 3rd party apps)? password to wipe for example. Figure 4. Screen-capture of browser #1 Figure 6. Screen-capture of device-unlocking www.hakin9.org/en 127
DEFENCE Figure 7. Screen-capture of device-unlocking while PC-syncing Figure 9. Attacking BlackBerry Device Manager Recalling knowledge about system messages and if the editbox is masked you can’t copy text, because system object answers to us that edit box is a simple you get a NULL-pointer. Well then do unmask, copy and field for typing characters ~32k in length with a pass- mask again. wordchar property. It has default #0 value or NULL or 0. In 2003 a MS Windows PostMessage API Unmasked Other masking character could be a black circle or as- Password Weakness was found. Declared affects for terisk or anything else. 0x25CF is unicode character of MS Windows 2000, XP and could effectively allow un- black circle. Every system object like modal window or masked passwords to be copied into a user’s clipboard textbox responds to API subroutine such as SendMes- or other buffer. EM_SETPASSWORDCHAR (Type sage or PostMessage. Both subroutines send the spec- UINT, Message) messages sets the password mask ified message to a window or windows. But if you need character in password edit box controls. PostMessage to post a message in the message queue associated may be abused in combination with EM_SETPASS- with a thread you should use the PostMessage func- WORDCHAR messages to cause an unmasked pass- tion. Parameters’ syntax is the same. First parameter is word to be placed into a buffer which could potentially (Type: HWND) a handle to the window whose window be accessed through other means by an unauthorized procedure will receive the message. Second parameter process. The unmasked password can be copied while is (Type: UINT) a message to be sent. Other two pa- this is occurring. If we try to use this code in Vista or rameters (Type: WPARAM, Type: LPARAM) represent Windows 7 we get nothing, because it’s more correct to an additional message-specific information. It’s easy to set system hook in owner address space via loading a guess that we need in WM_GETTEXT (0x000D) mes- DLL-Cather. But at this rate you should know OS ver- sage because it copies the text that corresponds to a sion, right? Roughly, we need a so called Major Version window into a buffer provided by the caller. However, to distinct XP and Seven. Most of this repeats previous Figure 8. Screen of BlackBerry Wallet Figure 10. Attacking BlackBerry Desktop Software 128 01/2012
When Developers API Simplify User-mode Rootkits Developing Listing 1. FaceBook Additional Info FaceBook Additional Info Friendly name: Facebook Description: Facebook?® for BlackBerry?® smartphones makes it even easier to connect and share while you're on the go... Version: 2.0.0.37 Vendor: Research In Motion Limited Copyright: (null) Listing 2. FaceBook Additional Info PhoneArguments phoneArgs = new PhoneArguments(PhoneArguments.ARG_CALL, premium_number); Invoke.invokeApplication(Invoke.APP_TYPE_PHONE, phoneArgs); parts when you deal with BlackBerry Desktop Manager. $10k per month. Don’t forget that developing is easy You can filter by application name or etc to gain access and needs to be compact. Look a Listing 2. to type the password. Three HwndWrapper as class- Whereas premium_number is a string and PhoneArgu- name text were presented in my article to catch back- ments may used by default. up-password as some kind of extended filters (Figure 9 However, BlackBerry Enterprise Solution has sever- and 10). al powerful rules to manage with emails, phone num- Most of these attacks filled forensics article (To Get bers or sms/mms. Administrator can add rules like +7r Round To The Heart Of Fortress, Hakin9 Extra, August to disallow incoming or outcoming calls (or both types) 2011). This article discovered problem with antiforensic to Russian Federation. The same with emails despite of methods especially when we talk about live forensics. spam filtering. As example, we can extract device information, hard- The idea was to highlight the failure of group policy ware Id, PIN, OS Version, some more applications like such as I have discussed it. Some of them are obvious a facebook (Listing 1). if you’re an Android user. When users try to download Using live methods we are able to extract Address any application or game a permission request asking to Book, Calendar Events, Call History, Browser histo- allow it to install BlackBerry is quite contrary but if you ry and bookmarks, Memos and Tasks, Screen-shots, allow sms or email permission to application and you Camera-shots, Videocamera-shots, Clipboard, Location activate any possible action in relation to message like tracking (cell, wifi, gps, bluetooth), SMS/MMS/Emails, deleting, creating, reading, intercepting and etc. while Pictures, Videos, Voice notes, and other file, IMs, etc. Amazon (AWS) The Cloud has feature to control in cus- BlackBerry EXIF-Picture information tells you about file- tom policy mode any possible API declared as a devel- name, details of camera e.g. RIM BlackBerry Torch as oper API. name, DateTime, Resolution or GPS. Also, you can find saved IM history (even BBM) on internal storage or SD- storage. All files filled IM history has a simple CSV-for- Yury Chemerkin mat: Date/Time, ID Sender, ID Receiver, and Data. Graduated fromRussian State University for the Humanities The security conference InfoSecurity Russia 2011 (http://rggu.com/) in 2010. At present postgraduate at RSUH. mentioned several API to protect from forensics ana- Information Security Researcher since 2009 and currently lyzing in point of emails and PIN. It reconstructs PIN or works as a mobile and social infosecurity researcher in Mos- email message with any property of flag, such received, cow. rejected, read, delivered and etc. Idea consists in simu- Experienced in Reverse Engineering, Software Programming, lating a lot of messages to water down the purport of the Cyber & Mobile Security Researching, Documentation, Securi- proof thread. ty Writing as regular contributing. Now researching Cloud Se- To imagine how many type of information your device curity and Social Privacy. owns just look above. And it’s only personal data. There E-mail: many trojans that steal money by calling to Antarctica yury.chemerkin@gmail.com (yury.chemerkin@facebook.com) or Dominican Republic. If every call costs at least $3 Facebook: www.facebook.com/yury.chemerkin per minute, then one compromised device can lead to LinkedIn: www.linkedin.com/in/yurychemerkin www.hakin9.org/en 129

Recomendados

Blackberry playbook – new challenges
Blackberry playbook – new challengesBlackberry playbook – new challenges
Blackberry playbook – new challenges
Yury Chemerkin
 
Social network privacy guide
Social network privacy guideSocial network privacy guide
Social network privacy guide
Yury Chemerkin
 
Windows 8. important considerations for computer forensics and electronic dis...
Windows 8. important considerations for computer forensics and electronic dis...Windows 8. important considerations for computer forensics and electronic dis...
Windows 8. important considerations for computer forensics and electronic dis...
Yury Chemerkin
 
State of art of mobile forensics
State of art of mobile forensicsState of art of mobile forensics
State of art of mobile forensics
STO STRATEGY
 
Bulletproof IT Security
Bulletproof IT SecurityBulletproof IT Security
Bulletproof IT Security
London School of Cyber Security
 
eForensics Magazine - HOW TO STEAL GMAIL CREDENTIALS USING SE-TOOLKIT – A CA...
eForensics Magazine - HOW TO STEAL GMAIL CREDENTIALS USING SE-TOOLKIT – A CA...eForensics Magazine - HOW TO STEAL GMAIL CREDENTIALS USING SE-TOOLKIT – A CA...
eForensics Magazine - HOW TO STEAL GMAIL CREDENTIALS USING SE-TOOLKIT – A CA...
Kevin M. Moker, CFE, CISSP, ISSMP, CISM
 
P50 fahl
P50 fahlP50 fahl
P50 fahl
Комсс Файквэе
 
Penetration Testing for Android Smartphones
Penetration Testing for Android SmartphonesPenetration Testing for Android Smartphones
Penetration Testing for Android Smartphones
IOSR Journals
 

Recomendados

Blackberry playbook – new challenges
Blackberry playbook – new challengesBlackberry playbook – new challenges
Blackberry playbook – new challenges
Yury Chemerkin
 
Social network privacy guide
Social network privacy guideSocial network privacy guide
Social network privacy guide
Yury Chemerkin
 
Windows 8. important considerations for computer forensics and electronic dis...
Windows 8. important considerations for computer forensics and electronic dis...Windows 8. important considerations for computer forensics and electronic dis...
Windows 8. important considerations for computer forensics and electronic dis...
Yury Chemerkin
 
State of art of mobile forensics
State of art of mobile forensicsState of art of mobile forensics
State of art of mobile forensics
STO STRATEGY
 
Bulletproof IT Security
Bulletproof IT SecurityBulletproof IT Security
Bulletproof IT Security
London School of Cyber Security
 
eForensics Magazine - HOW TO STEAL GMAIL CREDENTIALS USING SE-TOOLKIT – A CA...
eForensics Magazine - HOW TO STEAL GMAIL CREDENTIALS USING SE-TOOLKIT – A CA...eForensics Magazine - HOW TO STEAL GMAIL CREDENTIALS USING SE-TOOLKIT – A CA...
eForensics Magazine - HOW TO STEAL GMAIL CREDENTIALS USING SE-TOOLKIT – A CA...
Kevin M. Moker, CFE, CISSP, ISSMP, CISM
 
P50 fahl
P50 fahlP50 fahl
P50 fahl
Комсс Файквэе
 
Penetration Testing for Android Smartphones
Penetration Testing for Android SmartphonesPenetration Testing for Android Smartphones
Penetration Testing for Android Smartphones
IOSR Journals
 
How To Defeat Advanced Malware. New Tools for Protection and Forensics
How To Defeat Advanced Malware. New Tools for Protection and ForensicsHow To Defeat Advanced Malware. New Tools for Protection and Forensics
How To Defeat Advanced Malware. New Tools for Protection and Forensics
London School of Cyber Security
 
Why My E Identity Needs Protection
Why My E Identity Needs ProtectionWhy My E Identity Needs Protection
Why My E Identity Needs Protection
ecarrow
 
Internet application
Internet applicationInternet application
Internet application
Rezaul Rahat
 
Pocket virus threat
Pocket virus threatPocket virus threat
Pocket virus threat
Ali J
 
I.T Security Threats
I.T Security ThreatsI.T Security Threats
I.T Security Threats
Umakant Mishra
 
NETC 2012_Mobile Security for Smartphones and Tablets (pptx)
NETC 2012_Mobile Security for Smartphones and Tablets (pptx)NETC 2012_Mobile Security for Smartphones and Tablets (pptx)
NETC 2012_Mobile Security for Smartphones and Tablets (pptx)
Vince Verbeke
 
Network monitoring white paper
Network monitoring white paperNetwork monitoring white paper
Network monitoring white paper
Imaging Network Technology, LLC
 
How To Protect Your Website From Bot Attacks
How To Protect Your Website From Bot AttacksHow To Protect Your Website From Bot Attacks
How To Protect Your Website From Bot Attacks
London School of Cyber Security
 
Lecture about network and host security to NII students
Lecture about network and host security to NII studentsLecture about network and host security to NII students
Lecture about network and host security to NII students
Akiumi Hasegawa
 
Securing mobile devices_in_the_business_environment
Securing mobile devices_in_the_business_environmentSecuring mobile devices_in_the_business_environment
Securing mobile devices_in_the_business_environment
K Singh
 
A Comparative Study of Different File Sharing Applications and Wi-Fi Direct T...
A Comparative Study of Different File Sharing Applications and Wi-Fi Direct T...A Comparative Study of Different File Sharing Applications and Wi-Fi Direct T...
A Comparative Study of Different File Sharing Applications and Wi-Fi Direct T...
vivatechijri
 
Secureview 2q 2011
Secureview 2q 2011Secureview 2q 2011
Secureview 2q 2011
Felipe Prado
 
C0c0n 2011 mobile security presentation v1.2
C0c0n 2011 mobile security presentation v1.2C0c0n 2011 mobile security presentation v1.2
C0c0n 2011 mobile security presentation v1.2
Santosh Satam
 
The process of computer security
The process of computer securityThe process of computer security
The process of computer security
WritingHubUK
 
csa2014 IBC
csa2014 IBCcsa2014 IBC
csa2014 IBC
apyn
 
Hacking the Company : Risks with carbon-based lifeforms using vulnerable systems
Hacking the Company : Risks with carbon-based lifeforms using vulnerable systemsHacking the Company : Risks with carbon-based lifeforms using vulnerable systems
Hacking the Company : Risks with carbon-based lifeforms using vulnerable systems
khalavak
 
Malware
MalwareMalware
Malware
zelkan19
 
Mobile security hakin9_Revista
Mobile security hakin9_RevistaMobile security hakin9_Revista
Mobile security hakin9_Revista
the_ro0t
 
Vulnerabilities in Mobile Devices
Vulnerabilities in Mobile DevicesVulnerabilities in Mobile Devices
Vulnerabilities in Mobile Devices
CSCJournals
 
White Paper: Securing Nomadic Workforce
White Paper: Securing Nomadic WorkforceWhite Paper: Securing Nomadic Workforce
White Paper: Securing Nomadic Workforce
Courtland Smith
 
IRJET- Cross Platform Penetration Testing Suite
IRJET- Cross Platform Penetration Testing SuiteIRJET- Cross Platform Penetration Testing Suite
IRJET- Cross Platform Penetration Testing Suite
IRJET Journal
 
Exploits Attack on Windows Vulnerabilities
Exploits Attack on Windows VulnerabilitiesExploits Attack on Windows Vulnerabilities
Exploits Attack on Windows Vulnerabilities
Amit Kumbhar
 

Más contenido relacionado

La actualidad más candente

Why My E Identity Needs Protection
Why My E Identity Needs ProtectionWhy My E Identity Needs Protection
Why My E Identity Needs Protection
ecarrow
 
Pocket virus threat
Pocket virus threatPocket virus threat
Pocket virus threat
Ali J
 
Securing mobile devices_in_the_business_environment
Securing mobile devices_in_the_business_environmentSecuring mobile devices_in_the_business_environment
Securing mobile devices_in_the_business_environment
K Singh
 
A Comparative Study of Different File Sharing Applications and Wi-Fi Direct T...
A Comparative Study of Different File Sharing Applications and Wi-Fi Direct T...A Comparative Study of Different File Sharing Applications and Wi-Fi Direct T...
A Comparative Study of Different File Sharing Applications and Wi-Fi Direct T...
vivatechijri
 
C0c0n 2011 mobile security presentation v1.2
C0c0n 2011 mobile security presentation v1.2C0c0n 2011 mobile security presentation v1.2
C0c0n 2011 mobile security presentation v1.2
Santosh Satam
 
csa2014 IBC
csa2014 IBCcsa2014 IBC
csa2014 IBC
apyn
 
Vulnerabilities in Mobile Devices
Vulnerabilities in Mobile DevicesVulnerabilities in Mobile Devices
Vulnerabilities in Mobile Devices
CSCJournals
 

La actualidad más candente (20)

How To Defeat Advanced Malware. New Tools for Protection and Forensics
How To Defeat Advanced Malware. New Tools for Protection and ForensicsHow To Defeat Advanced Malware. New Tools for Protection and Forensics
How To Defeat Advanced Malware. New Tools for Protection and Forensics
 
Why My E Identity Needs Protection
Why My E Identity Needs ProtectionWhy My E Identity Needs Protection
Why My E Identity Needs Protection
 
Internet application
Internet applicationInternet application
Internet application
 
Pocket virus threat
Pocket virus threatPocket virus threat
Pocket virus threat
 
I.T Security Threats
I.T Security ThreatsI.T Security Threats
I.T Security Threats
 
NETC 2012_Mobile Security for Smartphones and Tablets (pptx)
NETC 2012_Mobile Security for Smartphones and Tablets (pptx)NETC 2012_Mobile Security for Smartphones and Tablets (pptx)
NETC 2012_Mobile Security for Smartphones and Tablets (pptx)
 
Network monitoring white paper
Network monitoring white paperNetwork monitoring white paper
Network monitoring white paper
 
How To Protect Your Website From Bot Attacks
How To Protect Your Website From Bot AttacksHow To Protect Your Website From Bot Attacks
How To Protect Your Website From Bot Attacks
 
Lecture about network and host security to NII students
Lecture about network and host security to NII studentsLecture about network and host security to NII students
Lecture about network and host security to NII students
 
Securing mobile devices_in_the_business_environment
Securing mobile devices_in_the_business_environmentSecuring mobile devices_in_the_business_environment
Securing mobile devices_in_the_business_environment
 
A Comparative Study of Different File Sharing Applications and Wi-Fi Direct T...
A Comparative Study of Different File Sharing Applications and Wi-Fi Direct T...A Comparative Study of Different File Sharing Applications and Wi-Fi Direct T...
A Comparative Study of Different File Sharing Applications and Wi-Fi Direct T...
 
Secureview 2q 2011
Secureview 2q 2011Secureview 2q 2011
Secureview 2q 2011
 
C0c0n 2011 mobile security presentation v1.2
C0c0n 2011 mobile security presentation v1.2C0c0n 2011 mobile security presentation v1.2
C0c0n 2011 mobile security presentation v1.2
 
The process of computer security
The process of computer securityThe process of computer security
The process of computer security
 
csa2014 IBC
csa2014 IBCcsa2014 IBC
csa2014 IBC
 
Hacking the Company : Risks with carbon-based lifeforms using vulnerable systems
Hacking the Company : Risks with carbon-based lifeforms using vulnerable systemsHacking the Company : Risks with carbon-based lifeforms using vulnerable systems
Hacking the Company : Risks with carbon-based lifeforms using vulnerable systems
 
Malware
MalwareMalware
Malware
 
Mobile security hakin9_Revista
Mobile security hakin9_RevistaMobile security hakin9_Revista
Mobile security hakin9_Revista
 
Vulnerabilities in Mobile Devices
Vulnerabilities in Mobile DevicesVulnerabilities in Mobile Devices
Vulnerabilities in Mobile Devices
 
White Paper: Securing Nomadic Workforce
White Paper: Securing Nomadic WorkforceWhite Paper: Securing Nomadic Workforce
White Paper: Securing Nomadic Workforce
 

Similar a When developer's api simplify user mode rootkits developing.

Exploits Attack on Windows Vulnerabilities
Exploits Attack on Windows VulnerabilitiesExploits Attack on Windows Vulnerabilities
Exploits Attack on Windows Vulnerabilities
Amit Kumbhar
 
HONEYPOTLABSAC: A VIRTUAL HONEYPOT FRAMEWORK FOR ANDROID
HONEYPOTLABSAC: A VIRTUAL HONEYPOT FRAMEWORK FOR ANDROIDHONEYPOTLABSAC: A VIRTUAL HONEYPOT FRAMEWORK FOR ANDROID
HONEYPOTLABSAC: A VIRTUAL HONEYPOT FRAMEWORK FOR ANDROID
IJCNCJournal
 
Secure Computing With Java
Secure Computing With JavaSecure Computing With Java
Secure Computing With Java
white paper
 
V1_I2_2012_Paper4.doc
V1_I2_2012_Paper4.docV1_I2_2012_Paper4.doc
V1_I2_2012_Paper4.doc
praveena06
 
Detection of Distributed Denial of Service Attacks
Detection of Distributed Denial of Service AttacksDetection of Distributed Denial of Service Attacks
Detection of Distributed Denial of Service Attacks
ijdmtaiir
 
IDS+Honeypots Making Security Simple
IDS+Honeypots Making Security SimpleIDS+Honeypots Making Security Simple
IDS+Honeypots Making Security Simple
Gregory Hanis
 
Real-Time Protection From Every Malware Infection
Real-Time Protection From Every Malware InfectionReal-Time Protection From Every Malware Infection
Real-Time Protection From Every Malware Infection
Webroot
 
A Survey of Keylogger in Cybersecurity Education
A Survey of Keylogger in Cybersecurity EducationA Survey of Keylogger in Cybersecurity Education
A Survey of Keylogger in Cybersecurity Education
ijtsrd
 

Similar a When developer's api simplify user mode rootkits developing. (20)

IRJET- Cross Platform Penetration Testing Suite
IRJET- Cross Platform Penetration Testing SuiteIRJET- Cross Platform Penetration Testing Suite
IRJET- Cross Platform Penetration Testing Suite
 
Exploits Attack on Windows Vulnerabilities
Exploits Attack on Windows VulnerabilitiesExploits Attack on Windows Vulnerabilities
Exploits Attack on Windows Vulnerabilities
 
HONEYPOTLABSAC: A VIRTUAL HONEYPOT FRAMEWORK FOR ANDROID
HONEYPOTLABSAC: A VIRTUAL HONEYPOT FRAMEWORK FOR ANDROIDHONEYPOTLABSAC: A VIRTUAL HONEYPOT FRAMEWORK FOR ANDROID
HONEYPOTLABSAC: A VIRTUAL HONEYPOT FRAMEWORK FOR ANDROID
 
IRJET - System to Identify and Define Security Threats to the users About The...
IRJET - System to Identify and Define Security Threats to the users About The...IRJET - System to Identify and Define Security Threats to the users About The...
IRJET - System to Identify and Define Security Threats to the users About The...
 
IRJET- Zombie - Venomous File: Analysis using Legitimate Signature for Securi...
IRJET- Zombie - Venomous File: Analysis using Legitimate Signature for Securi...IRJET- Zombie - Venomous File: Analysis using Legitimate Signature for Securi...
IRJET- Zombie - Venomous File: Analysis using Legitimate Signature for Securi...
 
Download
DownloadDownload
Download
 
IRJET- Local Security Enhancement and Intrusion Prevention in Android Dev...
IRJET- Local Security Enhancement and Intrusion Prevention in Android Dev...IRJET- Local Security Enhancement and Intrusion Prevention in Android Dev...
IRJET- Local Security Enhancement and Intrusion Prevention in Android Dev...
 
Final project.ppt
Final project.pptFinal project.ppt
Final project.ppt
 
Irjet v7 i3811
Irjet v7 i3811Irjet v7 i3811
Irjet v7 i3811
 
Secure Computing With Java
Secure Computing With JavaSecure Computing With Java
Secure Computing With Java
 
V1_I2_2012_Paper4.doc
V1_I2_2012_Paper4.docV1_I2_2012_Paper4.doc
V1_I2_2012_Paper4.doc
 
Detection of Distributed Denial of Service Attacks
Detection of Distributed Denial of Service AttacksDetection of Distributed Denial of Service Attacks
Detection of Distributed Denial of Service Attacks
 
IDS+Honeypots Making Security Simple
IDS+Honeypots Making Security SimpleIDS+Honeypots Making Security Simple
IDS+Honeypots Making Security Simple
 
Android open-source operating System for mobile devices
Android open-source operating System for mobile devicesAndroid open-source operating System for mobile devices
Android open-source operating System for mobile devices
 
Code protection
Code protectionCode protection
Code protection
 
Mobile Enterprise Application Platform
Mobile Enterprise Application PlatformMobile Enterprise Application Platform
Mobile Enterprise Application Platform
 
Spiffy Spyware Stuff
Spiffy Spyware StuffSpiffy Spyware Stuff
Spiffy Spyware Stuff
 
Real-Time Protection From Every Malware Infection
Real-Time Protection From Every Malware InfectionReal-Time Protection From Every Malware Infection
Real-Time Protection From Every Malware Infection
 
Chapter 3_Cyber Security-ccdf.pptx
Chapter 3_Cyber Security-ccdf.pptxChapter 3_Cyber Security-ccdf.pptx
Chapter 3_Cyber Security-ccdf.pptx
 
A Survey of Keylogger in Cybersecurity Education
A Survey of Keylogger in Cybersecurity EducationA Survey of Keylogger in Cybersecurity Education
A Survey of Keylogger in Cybersecurity Education
 

Más de Yury Chemerkin

Security Vulnerability Notice SE-2012-01-PUBLIC [Security vulnerabilities in ...
Security Vulnerability Notice SE-2012-01-PUBLIC [Security vulnerabilities in ...Security Vulnerability Notice SE-2012-01-PUBLIC [Security vulnerabilities in ...
Security Vulnerability Notice SE-2012-01-PUBLIC [Security vulnerabilities in ...
Yury Chemerkin
 
Red october. detailed malware description
Red october. detailed malware descriptionRed october. detailed malware description
Red october. detailed malware description
Yury Chemerkin
 
Comment crew indicators of compromise
Comment crew indicators of compromiseComment crew indicators of compromise
Comment crew indicators of compromise
Yury Chemerkin
 
Appendix g iocs readme
Appendix g iocs readmeAppendix g iocs readme
Appendix g iocs readme
Yury Chemerkin
 
Appendix f (digital) ssl certificates
Appendix f (digital) ssl certificatesAppendix f (digital) ssl certificates
Appendix f (digital) ssl certificates
Yury Chemerkin
 
Appendix e (digital) md5s
Appendix e (digital) md5sAppendix e (digital) md5s
Appendix e (digital) md5s
Yury Chemerkin
 
Appendix d (digital) fqd ns
Appendix d (digital) fqd nsAppendix d (digital) fqd ns
Appendix d (digital) fqd ns
Yury Chemerkin
 
6071f3f4 40e6-4c7b-8868-3b0b21a9f601
6071f3f4 40e6-4c7b-8868-3b0b21a9f6016071f3f4 40e6-4c7b-8868-3b0b21a9f601
6071f3f4 40e6-4c7b-8868-3b0b21a9f601
Yury Chemerkin
 
Zane lackey. security at scale. web application security in a continuous depl...
Zane lackey. security at scale. web application security in a continuous depl...Zane lackey. security at scale. web application security in a continuous depl...
Zane lackey. security at scale. web application security in a continuous depl...
Yury Chemerkin
 
The stuxnet computer worm. harbinger of an emerging warfare capability
The stuxnet computer worm. harbinger of an emerging warfare capabilityThe stuxnet computer worm. harbinger of an emerging warfare capability
The stuxnet computer worm. harbinger of an emerging warfare capability
Yury Chemerkin
 
Stuxnet. analysis, myths, realities
Stuxnet. analysis, myths, realitiesStuxnet. analysis, myths, realities
Stuxnet. analysis, myths, realities
Yury Chemerkin
 
Stuxnet redux. malware attribution & lessons learned
Stuxnet redux. malware attribution & lessons learnedStuxnet redux. malware attribution & lessons learned
Stuxnet redux. malware attribution & lessons learned
Yury Chemerkin
 
Sophos ransom ware fake antivirus
Sophos ransom ware fake antivirusSophos ransom ware fake antivirus
Sophos ransom ware fake antivirus
Yury Chemerkin
 
Six months later – a report card on google’s demotion of pirate sites
Six months later – a report card on google’s demotion of pirate sitesSix months later – a report card on google’s demotion of pirate sites
Six months later – a report card on google’s demotion of pirate sites
Yury Chemerkin
 
Security in the cloud planning guide
Security in the cloud planning guideSecurity in the cloud planning guide
Security in the cloud planning guide
Yury Chemerkin
 
Security configuration recommendations for apple i os 5 devices
Security configuration recommendations for apple i os 5 devicesSecurity configuration recommendations for apple i os 5 devices
Security configuration recommendations for apple i os 5 devices
Yury Chemerkin
 
Render man. hacker + airplanes = no good can come of this
Render man. hacker + airplanes = no good can come of thisRender man. hacker + airplanes = no good can come of this
Render man. hacker + airplanes = no good can come of this
Yury Chemerkin
 
Mario heiderich. got your nose! how to steal your precious data without using...
Mario heiderich. got your nose! how to steal your precious data without using...Mario heiderich. got your nose! how to steal your precious data without using...
Mario heiderich. got your nose! how to steal your precious data without using...
Yury Chemerkin
 

Más de Yury Chemerkin (20)

Security Vulnerability Notice SE-2012-01-PUBLIC [Security vulnerabilities in ...
Security Vulnerability Notice SE-2012-01-PUBLIC [Security vulnerabilities in ...Security Vulnerability Notice SE-2012-01-PUBLIC [Security vulnerabilities in ...
Security Vulnerability Notice SE-2012-01-PUBLIC [Security vulnerabilities in ...
 
Red october. detailed malware description
Red october. detailed malware descriptionRed october. detailed malware description
Red october. detailed malware description
 
Comment crew indicators of compromise
Comment crew indicators of compromiseComment crew indicators of compromise
Comment crew indicators of compromise
 
Appendix g iocs readme
Appendix g iocs readmeAppendix g iocs readme
Appendix g iocs readme
 
Appendix f (digital) ssl certificates
Appendix f (digital) ssl certificatesAppendix f (digital) ssl certificates
Appendix f (digital) ssl certificates
 
Appendix e (digital) md5s
Appendix e (digital) md5sAppendix e (digital) md5s
Appendix e (digital) md5s
 
Appendix d (digital) fqd ns
Appendix d (digital) fqd nsAppendix d (digital) fqd ns
Appendix d (digital) fqd ns
 
6071f3f4 40e6-4c7b-8868-3b0b21a9f601
6071f3f4 40e6-4c7b-8868-3b0b21a9f6016071f3f4 40e6-4c7b-8868-3b0b21a9f601
6071f3f4 40e6-4c7b-8868-3b0b21a9f601
 
Jp3 13
Jp3 13Jp3 13
Jp3 13
 
Zane lackey. security at scale. web application security in a continuous depl...
Zane lackey. security at scale. web application security in a continuous depl...Zane lackey. security at scale. web application security in a continuous depl...
Zane lackey. security at scale. web application security in a continuous depl...
 
The stuxnet computer worm. harbinger of an emerging warfare capability
The stuxnet computer worm. harbinger of an emerging warfare capabilityThe stuxnet computer worm. harbinger of an emerging warfare capability
The stuxnet computer worm. harbinger of an emerging warfare capability
 
Stuxnet. analysis, myths, realities
Stuxnet. analysis, myths, realitiesStuxnet. analysis, myths, realities
Stuxnet. analysis, myths, realities
 
Stuxnet redux. malware attribution & lessons learned
Stuxnet redux. malware attribution & lessons learnedStuxnet redux. malware attribution & lessons learned
Stuxnet redux. malware attribution & lessons learned
 
Sophos ransom ware fake antivirus
Sophos ransom ware fake antivirusSophos ransom ware fake antivirus
Sophos ransom ware fake antivirus
 
Six months later – a report card on google’s demotion of pirate sites
Six months later – a report card on google’s demotion of pirate sitesSix months later – a report card on google’s demotion of pirate sites
Six months later – a report card on google’s demotion of pirate sites
 
Security in the cloud planning guide
Security in the cloud planning guideSecurity in the cloud planning guide
Security in the cloud planning guide
 
Security configuration recommendations for apple i os 5 devices
Security configuration recommendations for apple i os 5 devicesSecurity configuration recommendations for apple i os 5 devices
Security configuration recommendations for apple i os 5 devices
 
Render man. hacker + airplanes = no good can come of this
Render man. hacker + airplanes = no good can come of thisRender man. hacker + airplanes = no good can come of this
Render man. hacker + airplanes = no good can come of this
 
Msft oracle brief
Msft oracle briefMsft oracle brief
Msft oracle brief
 
Mario heiderich. got your nose! how to steal your precious data without using...
Mario heiderich. got your nose! how to steal your precious data without using...Mario heiderich. got your nose! how to steal your precious data without using...
Mario heiderich. got your nose! how to steal your precious data without using...
 

Último

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Principled Technologies
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
Igalia
 

Último (20)

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 

When developer's api simplify user mode rootkits developing.

  • 1.
  • 2. DEFENCE When Developers API Simplify User-mode Rootkits Developing This is a series of articles about shell extensions that enhance high-level features of any operation system. However, such possibilities not only enrich platform but simplify developing trojans, exploits that leads to the new security holes. Mostly this kind of extensions are known as user-mode rootkits. C ybercrime is becoming a growing threat to soci- • Mobile malware uses the same techniques as PC ety. The thefts of information, website crashing malware to infect mobile devices. or manipulating online payment traffic are also • The greatest mobile malware risk comes from rapid increasing. Many organizations offer various services in proliferation of applications from app stores. the battle against digital crime, such as network or data • RIM BlackBerry, Google Android, and Apple iOS monitors and extractions tools. It is interesting mainly to operating systems suffer predominantly from spy- authorities and financial institutions, but they are acces- ware applications sible to every organization. Smartphones have been equipped with operating It’s totally right. If you want to distribute malware take systems that compare in complexity with those on desk- the most popular application or game, most popular top computers. This trend makes them vulnerable to lot device what you are going to infect and place malware of the same threats as desktop OS. The past several application into „warez”-storage. For example, take years of mobile malware are no longer only in the theo- any game for Android/iOS, that is not free (like angry ry. There has been malware, loss, theft, data communi- birds) and place a supposedly cracked version on the cation interception, exploitation, etc. This has been be- non-official android market. The application does not cause of the decreasing cost of mobile devices which even need to be the game. To prove this idea let’s go allowed them to enrich the software interfaces that back to November 2010 when security researchers allows users to interact better with the cyber and the Jon Oberheide and Zach Lanier unveiled an Android physical worlds. For example, mobile devices are often exploit at an Intel security conference in Oregon. They pre-installed with a number of applications, including cli- showed that the Android security model include a se- ents for location-based services and general-purpose curity flaw that allows an application to invisibly down- web browsers used forchatting and social networking. load additional exe-applications, known as APK files, The increasing number of mobile-related exploits tends without requiring the user’s permissions. Their proof- to impact security breaches which have put the industry of-concept malware did not contain any actual mali- at a critical point. That’s the greatest risk to all mobile OS cious code; it simply portrayed itself as bonus levels moving to involve the rapid development, and distribution for Angry Birds that, once installed, would open up throughout so-called app markets While most of applica- more levels for the player. In reality, nothing related to tion markets provide an ideal transportation mechanism Angry Birds was ever included in the application. How- for the delivery of malicious software to the heart ofindus- ever, Oberheide and Lanier proved that users could try’s networks. According to Juniper Networks the follow- be tricked into downloading this application, and that ing mobile malware take place: the application could download and install addition- al applications without prompting the user to approve • Mobile device and OS market share and mobile the additional installs, or to verify and agreement re- malware infection rates are linked quired for the background applications to be installed. 124 01/2012
  • 3. When Developers API Simplify User-mode Rootkits Developing Unfortunately, BlackBerry suffers from the same prob- system call, the execution of that system call follows a lem. Mobile environments makevery attractive targets predetermined path and after that rootkit can intercept to attackers. Important personal and financial informa- it. One of the most common user mode techniques is tion can easily be compromised because phone us- the one in memory modification of system libraries. age is a part of day-to-day user activities. For example, That’s why applications run in their own memory mobile devices are being used for chatting, email, stor- space and the rootkit needs to patch the memory space ing personal data even financial data, pictures, videos, of every running application to provide self-control. GPS tracks and audio notes. Moreover, the rootkits have to monitor for new applica- A rootkit is a stealth type of malicious software – de- tions to patch those programs’ memory space too (need signed to keep itself, other files, or network connections to explain the security rings if they are referenced). hidden from detection. A rootkit typically intercepts com- User-mode rootkits run in Ring 3, along with other mon API calls to modify or filter information from the op- applications as user, rather than low-level system pro- erating system to keep itself hidden. For example, it can cesses. They have a number of possible installation intercept requests to file explorer and cause it to keep vectors to intercept and modify the standard behaviour certain files hidden from display, even reporting false of application programming interfaces (APIs). Some in- file counts and sizes to the user. There are legitimate ject a dynamically-linked library like a. DLL file on Win- uses for rootkits by law enforcement, parents or em- dows into processes, and are thereby able to execute ployers wishing to retain remote command and control inside any target process to spoof it. Injection mecha- and/or the ability to monitor activity on their employee’s nisms include: or children’s computer systems. Another example, rootkits are commonly used to con- • Use of vendor-supplied application extensions. For ceal keyloggers, which steal sensitive user data, such example, Windows Explorer as well as any mobile as passwords and credit card numbers, by silently log- platform like BlackBerry has public interfaces that ging keystrokes. Rootkits are design to maintain ac- allow third parties to extend its functionality. cess to targeted computers. Rootkits can also disable • Interception of messages. the firewall/antivirus tools by replacing files, changing • Exploitation of security vulnerabilities. settings or modifying what the antivirus application can • Function hooking or patching of commonly used see. None of these activities are directly visible to the APIs, for example, to mask a running process or user because the rootkit conceals its presence. file that resides on a file system. There are several kinds of rootkits. They are bootkits, firmware user-mode kernel and hypervisor. A further Windows-based rootkits are modifying paths and sys- discussion needs to compare kernel mode with user- tem structures these methods are used to mask net- mode rootkits. work activity, registry keys, and processes Rootkits Kernel mode rootkits involve system hooking or modi- modify all the things which could alert a user to the fication in kernel space which is the ideal place because fact that a malicious program is active in the system. it is at the lowest level, highest level of security and Implementation in user mode rootkits is relatively easy. thus, is the most reliable and robust method of system Most often, a method based on hooking API functions hooking. is used to modify the path to executables. As a system call’s execution path leaves user mode Many of rootkits techniques are well documented and enters kernel mode, it must pass through a gate. and use normal applications. Example: a desktop fire- This gate must be able to recognize the purpose of the wall program may use similar hooking things to watch incoming system call and initiate the execution of code and alert the user to any outgoing network connec- inside the kernel space and then return results back to tions while a rootkit will use it to hide their backdoor the incoming user mode system call. It’s some kind of activities. The legitimizing effect of commercial rootkit a proxy between user mode and kernel mode. One of software is leading away from user-mode and toward the rootkit techniques is to simply modify the data struc- kernel-mode techniques at first glance. However, user- tures in kernel memory. For example, kernel memory mode rootkits still have the ability to bypass security must keep a list of all running processes and a root- applications Non-official market places are now wide- kit can simply remove themselves and other malicious ly available on the Internet therefore malware writers processes they wish to hide from this list. Rootkits do don’t even ponder over how to spread it. It’s very easy this by inserting or patching the process that list running to integrate several technologies into one malware at- processes and then filter what processes are reported tack. as running. User-mode rootkits exist for *NIX, Windows and are User mode rootkits involve system hooking in the user known for mobile devices such as Android or BlackBer- or application space. Whenever an application makes a ry. www.hakin9.org/en 125
  • 4. DEFENCE Why not BlackBerry? always been among the most basic usability principles. BlackBerry smartphone applications include inherent vi- Showing asterisks while users enter complex codes rus protection and spyware protection that is designed definitely fails to comply. Other background was key- to contain and prevent the spread of viruses and spy- stroke emulation as a kind of underlying principle of ware to other applications. Security is known as the cor- direct interaction with screen. BlackBerry has an API nerstone of the BlackBerry system that allows users to managed with applications that eventually ask user to confidently access sensitive information. choose restriction via showing API-requests. Why does Previous attacks on BlackBerry included: several a user agree with it? Some application such as phone exploits, password thefts, screen information, chats manager have no way to communicate with high lev- messages and other data. All of these described at- el hardware to catch incoming calls and auto pick up. tacks are possible to put into practice on application It seems there is no failure because user installs ap- (user-mode) level. While root mode provides powerful plications and allows their policies. However, the issue ability to feel like God, application level has the abil- covers all screens that can be managed by keystroke ity for wide spreading, easy distribution, misleading emulation or navigation emulation, or any textbox. One and finally easy developing. The most popular solu- exploit shown in the article which was by „noising” the tion in security field is to operate as always under at- inputting text field. The major concept is in using the tack. Well-established products will provide the end most complex password in range of 14-18 symbols with user with some protection. Meanwhile vendors start to case-sensitive. That’s right, you’re obliged to use the develop security measures as hackers continue to de- most complex password and you never see the noise- velop new rootkit/exploits. That’s why an application symbol until unmasking happen, which usually leads to level is one of most interesting to research and actu- device wiping (Figure 1 and 2). ally it will always be relevant and useful to take it under Next bad idea discussed in the same article based investigation. Forensic investigation can be conducted on global permission of screen-capturing as previous on cloud or mobile devices, but you’re still able to ex- keystroke emulation. You can choose whether you want tract most data. (Computer and servers) However, it’s to use such application, for example, to capture a lot of really a problem when accessing the network card on screenshots to make a video tutorial are only between high level at first glance, but don’t forget about browser yes and no. Thus, in my other article (Why is password plugin, IM plugin and etc. Therefore this type of level protection a fallacy point of view? Hakin9 Extra, June is based on opened API for developers clearly leads to 2011) I showed that you can to sniff password data. Two exploitation. issues for further discussions: Coming back to my previous articles I’m going to re- fresh some ideas of these attacks. First article discussed • Keylogger password protection (Is Data Secure on the Password • Datalogger Protected Blackberry Device? Hakin9, February 2011) mainly password masking as point of protection. It’s ob- Many thanks to Apple’s patent (if I’m not mistaken) to vious that in most cases masking passwords doesn’t the asterisk masking lagging. More details: when you even increase security, but it does cost your business touch screen to type a character a big-scaled pre- due to login failures. Visualizing the system status has view appears. When you do the same while typing Figure 1. Noising password field Figure 2. Result of noising password field 126 01/2012
  • 5. When Developers API Simplify User-mode Rootkits Developing Figure 3. Screen-capture of browser #1 Figure 5. Screen-capture of password’s creation window password into masked text box you can see that ev- Some kind of answer: Clipboard manager restricts da- ery character is going to be masked by asterisk or ta extracting while window of Password Keeper/Black- black circle in about~1-2 second afterward. It’s quite Berry Wallet is active until you minimize it or close it. true to all mobile devices. But if you use a hardware Is it really needed in protection by password masking keyboard you will never see it. Reasonably, password (Figure 8)? preview is only used when the keyboard is a sure type Next failures with password discussed in that article or multitap keyboard. The bold keyboard is a full key- highlight attacker capabilities to steal password while board so it won’t duplicate that behavior. Such preview you’re syncing your device with a PC (discussed Win- is screen-shot-able. Average statistical data shows dows-based PC only) from password by catching sync- 300-400 msec is good to steal each button press like event and start to screen capturing for example. There’s letters, numeric, switching between letter and numeric protect the PC side too. There are four attacks there. or symbols or pressing some kind of shift/caps lock. If Unfortunately, we can’t get a screen-capture. you want to be totally sure set a 100 msec timer to get First of them dealt with previous version of BlackBer- everything (Figure 3-7). ry Device Manager (4-5 version) developed by C++. It Despite the big bug in good managing password divides into two builds (Windows Seven and Windows by your brain and previous exploitation each user XP). Second of them was referring to BlackBerry Desk- has a problem with password managers. BlackBerry top Manager (6 version) developed mainly by .NET. gives an opportunity to choose pre-nstalled Password Third of them expanded the previous in case of get- Keeper or BlackBerry Wallet. Both can be screen-cap- ting password that types before backup starts. Fourth of tured! A good question is why can’t we take control them dealt with silent connecting if you’ve got a device over all windows application (even 3rd party apps)? password to wipe for example. Figure 4. Screen-capture of browser #1 Figure 6. Screen-capture of device-unlocking www.hakin9.org/en 127
  • 6. DEFENCE Figure 7. Screen-capture of device-unlocking while PC-syncing Figure 9. Attacking BlackBerry Device Manager Recalling knowledge about system messages and if the editbox is masked you can’t copy text, because system object answers to us that edit box is a simple you get a NULL-pointer. Well then do unmask, copy and field for typing characters ~32k in length with a pass- mask again. wordchar property. It has default #0 value or NULL or 0. In 2003 a MS Windows PostMessage API Unmasked Other masking character could be a black circle or as- Password Weakness was found. Declared affects for terisk or anything else. 0x25CF is unicode character of MS Windows 2000, XP and could effectively allow un- black circle. Every system object like modal window or masked passwords to be copied into a user’s clipboard textbox responds to API subroutine such as SendMes- or other buffer. EM_SETPASSWORDCHAR (Type sage or PostMessage. Both subroutines send the spec- UINT, Message) messages sets the password mask ified message to a window or windows. But if you need character in password edit box controls. PostMessage to post a message in the message queue associated may be abused in combination with EM_SETPASS- with a thread you should use the PostMessage func- WORDCHAR messages to cause an unmasked pass- tion. Parameters’ syntax is the same. First parameter is word to be placed into a buffer which could potentially (Type: HWND) a handle to the window whose window be accessed through other means by an unauthorized procedure will receive the message. Second parameter process. The unmasked password can be copied while is (Type: UINT) a message to be sent. Other two pa- this is occurring. If we try to use this code in Vista or rameters (Type: WPARAM, Type: LPARAM) represent Windows 7 we get nothing, because it’s more correct to an additional message-specific information. It’s easy to set system hook in owner address space via loading a guess that we need in WM_GETTEXT (0x000D) mes- DLL-Cather. But at this rate you should know OS ver- sage because it copies the text that corresponds to a sion, right? Roughly, we need a so called Major Version window into a buffer provided by the caller. However, to distinct XP and Seven. Most of this repeats previous Figure 8. Screen of BlackBerry Wallet Figure 10. Attacking BlackBerry Desktop Software 128 01/2012
  • 7. When Developers API Simplify User-mode Rootkits Developing Listing 1. FaceBook Additional Info FaceBook Additional Info Friendly name: Facebook Description: Facebook?® for BlackBerry?® smartphones makes it even easier to connect and share while you're on the go... Version: 2.0.0.37 Vendor: Research In Motion Limited Copyright: (null) Listing 2. FaceBook Additional Info PhoneArguments phoneArgs = new PhoneArguments(PhoneArguments.ARG_CALL, premium_number); Invoke.invokeApplication(Invoke.APP_TYPE_PHONE, phoneArgs); parts when you deal with BlackBerry Desktop Manager. $10k per month. Don’t forget that developing is easy You can filter by application name or etc to gain access and needs to be compact. Look a Listing 2. to type the password. Three HwndWrapper as class- Whereas premium_number is a string and PhoneArgu- name text were presented in my article to catch back- ments may used by default. up-password as some kind of extended filters (Figure 9 However, BlackBerry Enterprise Solution has sever- and 10). al powerful rules to manage with emails, phone num- Most of these attacks filled forensics article (To Get bers or sms/mms. Administrator can add rules like +7r Round To The Heart Of Fortress, Hakin9 Extra, August to disallow incoming or outcoming calls (or both types) 2011). This article discovered problem with antiforensic to Russian Federation. The same with emails despite of methods especially when we talk about live forensics. spam filtering. As example, we can extract device information, hard- The idea was to highlight the failure of group policy ware Id, PIN, OS Version, some more applications like such as I have discussed it. Some of them are obvious a facebook (Listing 1). if you’re an Android user. When users try to download Using live methods we are able to extract Address any application or game a permission request asking to Book, Calendar Events, Call History, Browser histo- allow it to install BlackBerry is quite contrary but if you ry and bookmarks, Memos and Tasks, Screen-shots, allow sms or email permission to application and you Camera-shots, Videocamera-shots, Clipboard, Location activate any possible action in relation to message like tracking (cell, wifi, gps, bluetooth), SMS/MMS/Emails, deleting, creating, reading, intercepting and etc. while Pictures, Videos, Voice notes, and other file, IMs, etc. Amazon (AWS) The Cloud has feature to control in cus- BlackBerry EXIF-Picture information tells you about file- tom policy mode any possible API declared as a devel- name, details of camera e.g. RIM BlackBerry Torch as oper API. name, DateTime, Resolution or GPS. Also, you can find saved IM history (even BBM) on internal storage or SD- storage. All files filled IM history has a simple CSV-for- Yury Chemerkin mat: Date/Time, ID Sender, ID Receiver, and Data. Graduated fromRussian State University for the Humanities The security conference InfoSecurity Russia 2011 (http://rggu.com/) in 2010. At present postgraduate at RSUH. mentioned several API to protect from forensics ana- Information Security Researcher since 2009 and currently lyzing in point of emails and PIN. It reconstructs PIN or works as a mobile and social infosecurity researcher in Mos- email message with any property of flag, such received, cow. rejected, read, delivered and etc. Idea consists in simu- Experienced in Reverse Engineering, Software Programming, lating a lot of messages to water down the purport of the Cyber & Mobile Security Researching, Documentation, Securi- proof thread. ty Writing as regular contributing. Now researching Cloud Se- To imagine how many type of information your device curity and Social Privacy. owns just look above. And it’s only personal data. There E-mail: many trojans that steal money by calling to Antarctica yury.chemerkin@gmail.com (yury.chemerkin@facebook.com) or Dominican Republic. If every call costs at least $3 Facebook: www.facebook.com/yury.chemerkin per minute, then one compromised device can lead to LinkedIn: www.linkedin.com/in/yurychemerkin www.hakin9.org/en 129