FortiGuard Labs Threat Research
RootedCon is a security conference held from the 1st to the 3rd of March in Madrid, Spain. This year’s conference was the ninth iteration, and one could see the results of those years of experience in the flawless organization at the event.
To paraphrase their official site:
“At RootedCON members of the security community, students, professionals, businesses, hobbyists, state forces, hackers and, why not, artists and academics, could, can, and may speak and present their ideas.”
We at Fortinet were proud to be Gold sponsors of the event, which was subdivided into three different sub-tracks: ”Security,” “Devops,” and “Fwhibbit”.
Here is a review of some of the very interesting talks I was able to attend at the conference:
It was an incredible pleasure to attend the talk delivered by the man behind Ida Pro, Ilfak Guilfanov. He was able to condense into one hour a lot of information about how the Hex-Rays decompiler acts in order to simplify the machine code and make it readable for humans. Microcode is the intermediate language used by HR to generate the C-like code we are used to seeing.
Microcode has been in development for the past 10 years, and in all this time has been based on one single commandment: simplicity.
Ilfak illustrated the process behind the design of the software, as well as some of the mistakes made in designing Microcode, like mapping the stack frame to micro-registers instead of creating a new operand type. When he realized that it was not a good idea, there was already too much code relying on it, making it almost impossible to remove.
Microcode has been recently made public in the 7.1 release of IDA. You can also find more information by downloading the slides used for this presentation.
Our friends Gal Elbaz and Eran Vaknin from Check Point presented their research from last year’s discovery of a very interesting work-around abusing WSL (Windows Subsystem for Linux) to run malware on a Windows system, even when protected by AV software.
Bashware is a technique that leverages the fact that WSL uses what is called a pico process to run ELF binaries on Windows. The ELF binaries run in pico processes and are basically invisible to the AV software, as Pico processes do not have any of the common Windows process characteristics, while having the same capabilities.
If an attacker is able to get access to the victim’s machine in some way, it is trivial to check if WSL is enabled, and if it is not, to activate it. Once this is done, all that is required is to enable developer mode by changing a couple of registry key values. Once this step is done, the attacker can silently install a Linux distribution with a simple command. Finally, by installing the open source program WineHQ, which enables the running of Windows programs on Linux, the attacker is able to run any Windows malware on the Windows machine without it being detected by AV software.
If you are interested, you can find more information on the blogpost Check Point released last September.
Finally, I was lucky enough to present Fortinet’s ongoing research on the evolution of IoT botnets, with particular focus on Mirai and its variants.
The presentation started with a brief introduction to the original Mirai botnet, followed by a quick technical analysis of the code base and the setup of the honeypot used to obtain samples.
Finally, the presentation concluded by presenting some interesting variants we were able to obtain, in addition to the exploits and attack vectors used by them.
You can find the slides used in the presentation here.
In conclusion, I was very happy to be given the opportunity to participate in this conference, to share our work, and to meet other experts in the security field as well as passionate students.
Finally, a big thanks to the Spanish Fortinet team. They were extremely professional and welcoming, making me feel at home. Moreover, nothing can go wrong while sharing tapas and drinking cervezas.
If you want to find out more about this great conference, you can head to their website as well as to their Twitter and YouTube pages.
-= FortiGuard Lion Team =-
Sign up for our weekly FortiGuard intel briefs or to be a part of our open beta of Fortinet’s FortiGuard Threat Intelligence Service.