Archived Blog

SSTIC 2009 Conference

06.11.2009 - 1:50 PM

I just returned from the SSTIC conference that took place in Rennes, France, last week. I have been going to this conference since 2003. It is the best security conference in France.

In 2003, I presented on how to manually unpack Asprotect and rebuild stolen bytes, as well as redirected imports. In 2004, I presented my own Heuristic Detection research on PE file infectors.

This year there were a lot of interesting topics, including, but not limited to, reverse engineering, fuzzing, Windows Mobile malware, malware analysis, rootkits, DMA, and more.

The presentations I really enjoyed and that related to what we do at Websense Security Labs™ include:

Data tainting for malware analysis, by Florent Marceau. Mr. Marceau presented a platform for malware analysis used mostly with banking Trojans. These Trojans fetch an encrypted configuration file from a remote server controlled by the attackers, telling the Trojan which bank sites need to be monitored. Using data tainting (following data propagation between RAM, CPU, etc.), the platform manages to recover the decrypted configuration data used by the malware without any reverse engineering of the samples. The talk was very interesting and included demonstrations.

Automatic deobfuscation of binaries, by Alexandre Gazet and Yoann Guillot. This talk showed how METASM (written by Yoann himself) can be used to analyze code that has been virtualized by a protection system. It covered all phases of deobfuscation of the virtual machine handlers using various techniques, and demonstrated how easily the original code can be recovered automatically. The second part of the talk introduced the decompilation feature of METASM, which looked quite powerful. This was my favorite talk, considering it had assembly code on every slide. ;-)

Marc Dacier presented the WOMBAT Project. It's basically a worldwide deployment of next-generation honeypots. He presented results gathered by the project and talked about how the data helps us understand existing and emerging threats on the Internet. A very interesting talk.

Christophe Devine and Guillaume Vissian presented on how to compromise a machine using the PCI bus. They used an FPGA card for the demonstration, and they explained how they had to implement a small CPU on it to carry out their attack. The demo showed how they could bypass the Windows logon prompt as soon as they plugged their card into the computer. Replugging the card would automatically unpatch the machine in order to maintain stealth. Another very interesting presentation.

ACPI and SMI was presented by Loic Duflot. The presentation started with a demonstration of an ACPI backdoor that gives the attacker root access on an infected machine after the power adapter is unplugged a few times. The presentation focused on TxT/Presidio mechanisms, SMM mode, SMI and ACPI, and showed the audience that it was possible to modify the SMI handling routines and the ACPI tables. Really technical, as usual. A very nice talk.

Lastly, smartphone security was presented by Romain Raboin. This presentation covered the various security mechanisms on several platforms: BlackBerry, iPhone, Symbian, and Windows Mobile. After the introduction, a study of commercial spyware running on these platforms was presented. Finally, Romain presented techniques to infect a smartphone, such as automatic execution of executables from a smart card (remember USB?) and a very nice technique allowing a smartphone to be infected from a host computer using a stealthy, undocumented feature of the RAPI.

Security Researcher: Nicolas Brulez
