DAY 1 | MONDAY - MAY 4, 2009

08.00 - 09.00 Registration

09.00 - 09.15 WELCOME MESSAGE Gabor Szappanos, Virusbuster, Hungary


Righard J. Zwienenberg, Norman, The Netherlands

Abstract: As long as there have been computer systems, vulnerabilities exist and have been exploited. There are people that have made it their business to find vulnerabilities and there are people that have made it their business to 'use' the vulnerabilities. And you have people that do both. And as well, their motives are as diverse. What kind of companies are keeping themselves busy looking for exploits, what kind of people are (mis)using them. What are they looking for, what are they after? The presentation will deal with this going back to the early nineties to very recent events. Will we ever resolve the problem of exploits, being the exploited? Or be the exploiter?


Marian Radu and Andrei Florin Saygo, Microsoft Research and Response, Dublin, Ireland

Abstract: Every code execution vulnerability in Adobe Acrobat and Reader applications potentially has a huge security impact due to the fact that PDF documents are used in almost all corporate and government institutions, and is also widespread among home users. In the past year, we have seen an increase in malware attacks that involve specially crafted PDF files as links in the malware deployment chain. The paper will be presenting an overview of the attack vector, in-depth exploitation details and steps undergone by the malware authors to conceal their code. We will comment upon the trend of existing and possibly future vulnerabilities. We will also discuss the threats deployed by these exploits and present telemetry data gathered by Microsoft's antimalware products including the geographical distribution of PDF-based attacks.

10.45 - 11.00 Culinary Break


Anthony Bettini, McAfee Avert Labs

Abstract: This talk focuses on the technical (both financial and computer security-based) aspects of the impacts of zero-day vulnerabilities on equities markets. In particular, we examine the historical correlation between zero-day vulnerabilities and stock market prices. With real world examples, we look to see if, on average, stock prices are adversely affected by zero-day vulnerabilities (with and without exploits). We compare and contrast this affect across vendors and vulnerabilities, based on factors such as: ease of exploitation, patch availability, vendor, year, etc. This talk builds on the analysis of Microsoft's Patch Tuesday that McAfee presented in the McAfee Security Journal at: herePresentation: download


Pierre-Marc Bureau, Juraj Malcho, Eset

Abstract:On October 23rd of 2008, Microsoft released an out of band patch to fix a privately reported vulnerability. The vulnerability can allow remote code execution without authentication and affects all major versions of the Windows operating system. When the details of the security vulnerability have been made public, it was clear that malware authors from around the globe would seize this opportunity to gain control over a significant number of vulnerable systems. This presentation gives a timeline of the exploitation of the MS08-067 vulnerability with special attention to malware. We will give technical details on the vulnerability and on the evolution of various malware families that exploit it, from the targeted Trojan Win32/Gimmiv.A to the infamous Win32/Conficker worm. We will see how exploitation codes have been modified over time to improve reliability and target more versions of the Windows operating system. Finally, we will study the geographical distribution of each threat as well as their general prevalence.

12.30 - 13.45 International Lunch


Jimmy Shah, Mobile Security Researcher, McAfee

Abstract:Mobile phones have gotten more complex and feature rich. Mobiles are now more and more becoming the personal and sometimes sole computer for people. Unlike their desktop counterparts, mobile phones lack much of the protection that exists. Due to this lack of protection malicious parties have begun creating malware and attempting to discover exploitable vulnerabilities. While standard installable mobile malware is starting to lose ground due to program and developer verification programs(signed firmware updates and application installs), vulnerability exploits are looking more and more attractive as an entry point. The goal is now to bypass or even disable code verification. Once you're on the device, there's nothing there to stop you.Content handlers(browser, image viewers, audio players, runtimes, etc.) are rich targets on mobile devices. Mis-implementation or insufficient verification of content open the door for exploitation. And as they are the primary interface for content, the OS usually provides no hooks or prior access. Updates to handlers short of a full firmware update are usually not straightforward. These problems can be resolved in part by integrating security into the content handling chain. An image viewer can submit an image file or data stream to a scanner and receive a determination on whether to continue processing.Fortunately standardization has started in the mobile industry. The Open Mobile Alliance(OMA) has produced a standard for Client Side Content Screening in order to help curb malware and exploits that are passed amongst various mobile devices and through mobile networks. The presentation will cover how integrated content security helps to protect against exploits and how standards like that of the OMA help to increase interoperability.

Presentation: download


Bruce Dang and Cristian Craioveanu ,Microsoft USA

Abstract:As operating systems security matures, attackers are focusing more time and resources on exploiting vulnerabilities found in client-side applications. This approach has many immediate advantages for attackers. For example, some applications are so ubiquitous that they reside on most consumers' and enterprises' computers, thus increasing the potential success rate and scope of an attack. Furthermore, due to consumer familiarity with these popular applications, social engineering becomes much easier to employ. In practice, implementing accurate and effective protection against this type of threat is not an easy task to accomplish. In this paper, we present a systematic, generic technique, used to detect malicious Office documents (Word, Excel, PowerPoint, etc.). We show how this technique can also be extended to support other proprietary file formats or data structures (Adobe SWF, PDF, etc.). In addition, we discuss the reliability of applying this method to real world scenarios and its effectiveness in detecting unknown exploits as measured by telemetry data gathered in Microsoft's security labs. Presentation: contact directly the author for the presentation.15.15 - 15.30 Culinary Break


Christoph Alme and Dennis Elser, McAfee Inc., Germany

Abstract:Recent years have seen the introduction of valuable countermeasures to prevent the remote execution of machine code. Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) are respective examples. Since these are around, exploits are no longer a problem and have vanished from the threat landscape. Well, unfortunately not. Actually the number of drive-by infection websites continues to grow. In 2008, the Microsoft Access Snapshot Viewer vulnerability and the Internet Explorer XML Data Binding vulnerability have been prominent examples of high-profile Zero-Day vulnerabilities, being quickly utilized for attacks in-the-wild. While above mentioned run-time countermeasures exist, exploits – and zero-day exploits in particular – continue to be the most dangerous threat out there today, for reasons including the sometimes limited scope of stack cookies, applications not using the respective compiler options and, last but not least, the delay between availability of patches and their actual deployment. While desktop Anti-Malware solutions have added buffer overflow detections to their Host Intrusion Prevention Systems (HIPS), for our intended usage on corporate network gateways, we are bound to static inspection of all traffic: looking for a needle in quite a big haystack. Scanning for No-Operation (NOP) slides is looking for smoke to assume there's fire. To spot the fire instead, which does not always necessarily produce any smoke, we combine Recursive Traversal disassembly and Markov Models to represent shellcode as (IA-32) instruction chains and spot any occurences in a probabilistic manner.


Maksym Schipka and Andrey Krukov, Kaspersky Labs

Abstract:Detecting exploits in office documents has been a long-neglected area of anti-malware protection. With the advances in targeted malware and the bad guys looking for easier, less technical, but better socially engineered ways to get into the end user's computer and install malware on it, generic and specific detection of exploits becomes a hot topic for any anti-malware vendor who wants to keep providing good defence to their customers. Without disclosing any ground-breaking ideas in detecting malicious office documents, this presentation will use one or two office exploit examples to outline and sum up different ways malicious office files can be detected, analyse advantages and disadvantages of such detection methods and sum up with recommendations for anti-malware vendors.


Peter Szor, Symantec Corporation

Abstract:Cloud scanning is a relatively new approach in antivirus products, yet it quickly gained popularity among security vendors due to its promise to enhance client protection. Due to the increased load of definitions data on client systems, the promise is that cloud based protection might be the ultimate answer to avoid delivering each signature to the antivirus clients, but provide protection as a service instead. When the cloud fails, the protection falls back to the level provided by the client side protection. Thus, over time, the decreased level of client based signature protection might expose users to significantly more successful attacks. Certainly, client protection is not limited to signatures, but also other kinds of protection flavors such as behavior blocking among others. Unfortunately, accurate and reliable testing of dynamical prevention technology is in very early stage today. This talk will focus on cloud scanning vulnerabilities, and their possible exploitation with some specific examples to raise the awareness for security vendors of what should be avoided.Presentation: contact directly the author for the presentation.

19.00 Hospitality program

DAY 2 | TUESDAY - MAY 5, 2009

08.30 - 09.45 Registration


Maik Morgenstern and Andreas Marx, AV-Test GmbH

Abstract:Vulnerabilities in different kinds of applications are one of the most common ways for malware infiltration as they usually work without any user interaction and the person in front of the PC might not even recognize that his system is infected. This silent installation method is considered as being superior by the malware authors when compared with e-mail attachments or web downloads which still require some more double-clicks. When testing exploit-prevention mechanisms in anti-malware products, a lot more than simple file scanning (to gain some "detection scores") is required. In order to get meaningful results the vulnerable application (in the exploitable version) has to be installed on the test system. The actual exploit has to be introduced on the usual infection vector to test the exploit-prevention mechanisms in anti-malware products. This paper will focus on some of the most widespread types of vulnerabilities and exploits, such as for web browsers, office applications and media players. We will discuss an approach for the "real world" testing with a focus on the following aspects:

›› proper introduction of the exploit to the vulnerable application,

›› the tracking of all relevant system changes,

›› reproducibility and comparability,

›› a rating scheme for the detection and blocking of malicious activities

plus the removal of installed malicious components.


Ivan Teblin, McAfee Avert, Aylesbury, UK

Abstract:Protection provided by security scanners are an important part of any computer system. If there were a simple way to construct malicious objects that would bypass AV scanners, that would constitute a serious security risk. One of the approaches actively used nowadays in order to bypass protection and avoid detection by security software is exploiting weaknesses and quirks in Win32 and Win64 PE format specifications. The main danger of this approach is that both known and unknown malware can be rendered unrecognizable by an AV scanner – all by manipulating just a few bytes. Portable Executable (PE) format is the main file format of applications and shared libraries for the family of very popular Microsoft Windows operating systems. Because it is so popular, PE format naturally became an important target for exploitation. The fact that Microsoft Windows OS accepts significantly wider variations than is described in the official Microsoft PE format specification is widely known to both security experts and malware authors. Bad guys frequently use it for the purpose of hiding and obfuscating malware. However, the real process of loading a PE file appears to be so obscure and undocumented, that even experienced security specialist may not be aware of all its various dark corners. Thus, such 'hidden' undocumented parts of PE specification may get overlooked (fully or partially) by security software making it vulnerable against PE-based exploits. Another direction of PE-based exploits is denial of service attacks. As stated above, even working PE files present large variations of dangerous deviations from standard PE file format. Of course, intentionally corrupted PE files have literary infinite number of ways to cause a crash of the vulnerable scanner or even remote code execution.

During our research we could not find any popular debugging or analysis tool free from PE vulnerabilities. We consider it as an important indication that software analysts and developers underestimate complexity of PE parsing.

We review a number of root causes of major vulnerabilities in PE file format and test them against IDA Pro code analyser, which is one of the most popular tools used by security researchers and other low-level code professionals.

We list and classify discussed vulnerabilities (with sample PE files) performing some live demonstrations. Files used in research and presentation will be available for download. Presentation: contact directly the author for the presentation.

11.15 - 11.30 Culinary Break


Jozsef Illes, Virusbuster Ltd, Hungary

Abstract:In our presentation we examine three file formats: AutoIt executables, NSIS installers and SWF files. They share some key features that make them really ideal for today's malware development. They all have a scripting facility that enables developers to implement complex tasks. They tend to run in a wide variety of operating environments with little dependency on external resources: AutoIt and NSIS executables run on all flavors of Microsoft Windows and SWF is supported on Windows, Linux, Mac and so on. They are easy to access: AutoIt is a freeware, NSIS is open source and SWF has an open specification. All of the three formats in question provide a means of compression which makes files suitable for network delivery. In addition, AutoIt supports encryption of scripts. Therefore a good anti-malware solution must provide support for scanning these file formats in an intelligent way. We take up the challenge and show how a virus search engine can be enabled to dive into AutoIt, NSIS and SWF files.


Aditya Kapoor and Rachit Mathur McAfee Avert Labs

Abstract:In this paper we will present the analysis of widely exploited vulnerability (MS08-067) by W32/Conficker worm and illustrate the weakness in the code that is being exploited. This paper further illustrates timeline of Conficker worm and how it became a potent threat. With traces of the challenges Gromozon Trojan posed two years ago there were many detection and cleaning challenges in this threat. While the spaghetti obfuscated DLL poses detection challenges, it does no less to ensure that cleaning the threat is equally challenging. With the use of API hooking, ACLs and handles the threat poses some serious cleaning challenges that posed difficulties for many AV products. We will illustrate methods to clean this threat. Furthermore, this paper will also shed light on the payload (motive) of this modern day exploit based malcode, and draws potential links to existing malware gangs. This can help explain financial aspects of this threat and vulnerability, we will briefly touch upon that. Finally the best practices to defend/contain a similar zero day exploit will be discussed along with tips for incident response to quickly locate and quarantine the infected machines on a LAN. Presentation: download13.00 - 14.00 International Lunch


Abhijit P. Kulkarni and Prakash D. Jagdale, Quick Heal Research and Development Center

Abstract:Memory Scanner is an integral part of most of the Anti-Virus products. The paper discusses the vulnerabilities present in the Anti-Virus Memory Scanners, which can be exploited by the malware writers. Few of the vulnerabilities are present due to the OS APIs used by the Memory Scanners and others are due to the way the Memory Scanners are implemented on 64-bit Windows. There is increase in number of 64-bit processors and 64-bit computing. Few of the Anti-Virus products have all their components as 64-bit, few have all components as 32-bit and few have combination of both. Irrespective of the implementations, the vulnerabilities which we are going to discuss are present in all types of Anti-Virus Memory Scanners. From our research, the vulnerabilities exist in the latest versions of almost all AVs. The paper will also propose a working solution for all the vulnerabilities discussed.


Ziv Mador, Microsoft Malware Protection Center

Abstract:One of the techniques malware uses to spread is by exploiting vulnerabilities in operating systems or in a variety of applications. In most cases these exploits still require some social engineering however late in 2008, the antimalware industry has also observed a worm which spreads with no user interaction by exploiting the critical Windows vulnerability MS08-067. The worm dubbed as Conficker also uses other techniques to spread such as guessing weak passwords for network shares or via removable media. Other exploits however use other vulnerabilities, in a variety of applications or in ActiveX controls from various software vendors. Attackers often use HTML code which tries to exploit various vulnerabilities in different browsers such as Internet Explorer and Firefox. This presentation will review some of the characteristics of the exploits we have seen recently. It will include observations from the Microsoft Software Security Incident Response Process (SSIRP) and from its most current Security Intelligence Report. Presentation: download

15.30 - 15.45 Culinary Break


Roel Schouwenberg, Kaspersky Lab

Abstract:Some of Kaspersky Lab's products feature a vulnerability scanner. Many users automatically send us the results for this type of scan. Using this system we manage to see trends across a significant number of systems used by all sorts of end-users. In this presentation we'll have a look at a number of interesting statistics and correlations. Amongst others we'll have looks at the most common vulnerabilities and patch trends from users across the globe. The non-public nature of the CARO workshop will allow for otherwise non-disclosed details to be discussed.


Nick FitzGerald, AVG Technologies

Abstract:A look into the popular packaged web exploit kits and their evolution.

17.15 - 17.30 CLOSING REMARKS

Gabor Szappanos, Virusbuster, Hungary