RootedCon Wrap Up

It was an incredible pleasure to attend the talk delivered by the man behind Ida Pro, Ilfak Guilfanov. He was able to condense into one hour a lot of information about how the Hex-Rays decompiler acts in order to simplify the machine code and make it readable for humans. Microcode is the intermediate language used by HR to generate the C-like code we are used to seeing.

Microcode has been in development for the past 10 years, and in all this time has been based on one single commandment: simplicity.

Ilfak illustrated the process behind the design of the software, as well as some of the mistakes made in designing Microcode, like mapping the stack frame to micro-registers instead of creating a new operand type. When he realized that it was not a good idea, there was already too much code relying on it, making it almost impossible to remove.

Microcode has been recently made public in the 7.1 release of IDA. You can also find more information by downloading the slides used for this presentation.

Our friends Gal Elbaz and Eran Vaknin from Check Point presented their research from last year’s discovery of a very interesting work-around abusing WSL (Windows Subsystem for Linux) to run malware on a Windows system, even when protected by AV software.

Bashware is a technique that leverages the fact that WSL uses what is called a pico process to run ELF binaries on Windows. The ELF binaries run in pico processes and are basically invisible to the AV software, as Pico processes do not have any of the common Windows process characteristics, while having the same capabilities.

If an attacker is able to get access to the victim’s machine in some way, it is trivial to check if WSL is enabled, and if it is not, to activate it. Once this is done, all that is required is to enable developer mode by changing a couple of registry key values. Once this step is done, the attacker can silently install a Linux distribution with a simple command. Finally, by installing the open source program WineHQ, which enables the running of Windows programs on Linux, the attacker is able to run any Windows malware on the Windows machine without it being detected by AV software.

If you are interested, you can find more information on the blogpost Check Point released last September.

Finally, I was lucky enough to present Fortinet’s ongoing research on the evolution of IoT botnets, with particular focus on Mirai and its variants.

The presentation started with a brief introduction to the original Mirai botnet, followed by a quick technical analysis of the code base and the setup of the honeypot used to obtain samples.

Finally, the presentation concluded by presenting some interesting variants we were able to obtain, in addition to the exploits and attack vectors used by them.