Talking about NUSHU - At the 22nd CCC a few days ago, Steven Murdoch gave another good talk about detection of TCP/IP-based covert channels, and you can get his presentation (for free) here. The presentation is *very cool* and I suggest that everybody at least take a look at the pictures showing the differences between the clean Linux kernel and the one infected with NUSHU! It also contains other interesting stuff besides NUSHU detection.
It seems that another academic paper has been written about how to detect my NUSHU covert channel POC, and this is very cool of course. What is not cool, however, is that you need to pay $19 USD to read it! I would like to take this opportunity to express my disagreement with the idea of pay-to-read research papers and to encourage the authors to publish it for free, just like the original NUSHU paper...
Free the papers and have a happy new year!
UPDATE (16-01-2005): I'm very glad to announce that the authors of this paper have made it available here for free :) This paper is also pretty amazing, as they used a neural network to actually distinguish between normal TCP stacks and the NUSHUized ones!
At the beginning of February I will speak about rootkit and malware detection in general at the IT-Defense conference in Dresden, Germany.
In January I will give a talk titled "Rootkit Hunting vs. Compromise Detection" at Black Hat Federal in Washington, DC. You can read more about the presentation here.
The slides for my HITB presentation, as well as the binaries for System Virginity Verifier 1.0, are now available for download. I would like to thank the HITB organizers for inviting me to this excellent conference :)
At the end of September I will speak at the HackInTheBox conference in Kuala Lumpur, Malaysia. Highlights of the talk:
An attempt to define a road map for malware detection on Windows systems. The idea is to create a reference list specifying which parts of the OS are prone to attack and thus should be verified when searching for malware.
Release of some new tools for rootkit/malware detection on Windows.
Discussion of implementation-specific attacks against public detectors.
The abstract of the talk can be seen here.
Offtopic: FLASHRESCUER is a little tool which can help you recover lost pictures from your FLASH card. You can get it here.
I put together several thoughts regarding cross-view based approach to rootkit detection, especially hidden files. This short article can be found in the papers section.
modGREPER 0.1 released!
modGREPER is a hidden module detector for Windows 2000/XP/2003. It searches through the whole of kernel memory in order to find structures that look like valid module description objects, so that a module which has been unlinked from the loader's list still shows up.
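The scan-versus-list comparison behind modGREPER, and the cross-view idea from the short article above, as an added example that is not the page's own tool or code. The descriptor layout below is a simplified stand-in (an assumption, not the real Windows loader entry), and the list pointers are offsets into a constructed 4 KB "memory image" so that everything runs offline; the plausibility invariants are the ones a signature scanner would key on: page-aligned base, sane image size, entry point inside the image, printable name, list pointers inside the image.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-in for a kernel module descriptor. Assumption: NOT the
 * real Windows LDR_DATA_TABLE_ENTRY layout, only the fields a plausibility
 * check needs; list pointers are offsets into the image, not addresses. */
typedef struct {
    uint64_t flink;         /* offset of next descriptor, 0 = end of list */
    uint64_t blink;         /* offset of previous descriptor, 0 = head    */
    uint64_t dll_base;      /* image base, must be page aligned            */
    uint64_t entry_point;   /* must lie inside the image                   */
    uint32_t size_of_image; /* whole pages, sane upper bound               */
    uint32_t name_len;      /* bytes used in name[]                        */
    char     name[32];      /* printable ASCII                             */
} mod_entry_t;

#define MEM_SIZE 4096u
#define STEP     8u
#define MAX_MODS 16u

/* Accept an offset only if every field satisfies an invariant a genuine
 * descriptor cannot violate; this is what the brute-force scan keys on. */
static int looks_like_module(const uint8_t *mem, size_t off)
{
    mod_entry_t e;
    if (off + sizeof e > MEM_SIZE) return 0;
    memcpy(&e, mem + off, sizeof e);
    if (e.dll_base == 0 || (e.dll_base & 0xfff) != 0) return 0;
    if (e.size_of_image < 0x1000 || e.size_of_image > 0x4000000 ||
        (e.size_of_image & 0xfff) != 0) return 0;
    if (e.entry_point < e.dll_base ||
        e.entry_point >= e.dll_base + e.size_of_image) return 0;
    if (e.name_len == 0 || e.name_len > sizeof e.name) return 0;
    for (uint32_t i = 0; i < e.name_len; i++)
        if (e.name[i] < 0x20 || e.name[i] > 0x7e) return 0;
    if (e.flink >= MEM_SIZE || e.blink >= MEM_SIZE) return 0;
    return 1;
}

/* Low-level view: scan the whole image at every aligned offset. */
static size_t scan_memory(const uint8_t *mem, size_t *out, size_t max)
{
    size_t n = 0;
    for (size_t off = 0; off + sizeof(mod_entry_t) <= MEM_SIZE; off += STEP)
        if (n < max && looks_like_module(mem, off)) out[n++] = off;
    return n;
}

/* High-level view: follow the loader list from its head, as the OS does. */
static size_t walk_list(const uint8_t *mem, size_t head, size_t *out, size_t max)
{
    size_t n = 0;
    uint64_t off = head;
    while (off != 0 && off < MEM_SIZE && n < max) {
        out[n++] = (size_t)off;
        memcpy(&off, mem + off + offsetof(mod_entry_t, flink), sizeof off);
    }
    return n;
}

/* Cross-view diff: whatever the scan finds and the list omits is hidden. */
static size_t find_hidden(const uint8_t *mem, size_t head, size_t *out, size_t max)
{
    size_t scanned[MAX_MODS], listed[MAX_MODS], n = 0;
    size_t ns = scan_memory(mem, scanned, MAX_MODS);
    size_t nl = walk_list(mem, head, listed, MAX_MODS);
    for (size_t i = 0; i < ns; i++) {
        int in_list = 0;
        for (size_t j = 0; j < nl; j++) if (listed[j] == scanned[i]) in_list = 1;
        if (!in_list && n < max) out[n++] = scanned[i];
    }
    return n;
}

static void put_entry(uint8_t *mem, size_t off, uint64_t fl, uint64_t bl,
                      uint64_t base, uint32_t size, const char *name)
{
    mod_entry_t e = {fl, bl, base, base + 0x1000, size, (uint32_t)strlen(name), {0}};
    memcpy(e.name, name, e.name_len);
    memcpy(mem + off, &e, sizeof e);
}

/* Constructed sample image (not a real memory dump): two linked modules, one
 * DKOM-unlinked module whose own pointers still reference the list, and one
 * decoy with a non-printable name. Returns the offset of the list head. */
static size_t build_sample_memory(uint8_t *mem)
{
    memset(mem, 0, MEM_SIZE);
    put_entry(mem, 0x100, 0x200, 0,     0xfffff80000400000ull, 0x40000, "ntoskrnl.exe");
    put_entry(mem, 0x200, 0,     0x100, 0xfffff80000800000ull, 0x10000, "hal.dll");
    put_entry(mem, 0x300, 0x200, 0x100, 0xfffff80000c00000ull, 0x02000, "rootkit.sys");
    put_entry(mem, 0x400, 0x100, 0x200, 0xfffff80001000000ull, 0x01000, "\x01\x02\x03");
    return 0x100;
}

static size_t demo_scan_count(void)
{ uint8_t m[MEM_SIZE]; size_t o[MAX_MODS]; build_sample_memory(m); return scan_memory(m, o, MAX_MODS); }
static size_t demo_list_count(void)
{ uint8_t m[MEM_SIZE]; size_t o[MAX_MODS]; return walk_list(m, build_sample_memory(m), o, MAX_MODS); }
static size_t demo_hidden_offset(void)
{ uint8_t m[MEM_SIZE]; size_t o[MAX_MODS]; return find_hidden(m, build_sample_memory(m), o, MAX_MODS) ? o[0] : 0; }

int main(void)
{
    printf("scan: %zu, list: %zu, hidden descriptor at offset 0x%zx\n",
           demo_scan_count(), demo_list_count(), demo_hidden_offset());
    return 0;
}
```

The hidden descriptor is reported precisely because unlinking changes only its neighbours' pointers, not the object itself; a rootkit that also scrubs or relocates the object would defeat this plausibility scan, which is the "implementation-specific attack" class mentioned in the HITB talk.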
NUSHU uncovered!
Steven Murdoch and Stephen Lewis, both from the Cambridge Computer Laboratory, wrote a very interesting paper about covert channels in TCP/IP. It contains a brief review of several current implementations, a very valuable description of the ISN generators in Linux and OpenBSD, detection of some covert channels, including NUSHU, and, last but not least, a description of a new covert channel implementation called Lathra, which mimics the real ISN generator (of Linux and OpenBSD) and thus should be impossible to detect by ISN analysis... The paper will be presented at the 7th Information Hiding Workshop in Barcelona and the draft can be found here.
I have added a very simple proof-of-concept tool for detecting files hidden by various Windows rootkits. It's called FLISTER and it exploits bugs (present in all Windows rootkits known to me) in their handling of the ZwQueryDirectoryFile service.
My slides and proof-of-concept code (NUSHU) which I presented at the 21st CCC are now available for download. Additionally, in the misc section you can find some tcpdump traces for statistical analysis. Happy New Year!
At the end of December I'm going to give a talk at the 21st Chaos Communication Congress in Berlin about the implementation of passive covert channels in the Linux kernel.
You can find more information in the papers section...
Shortly after Dave posted his Trip Report from Poland, I started getting emails from people who wanted to know "how to detect VMware using one instruction"... So, although I'm not the first one who discovered this trick, I decided to put up a short paper about it accompanied by simple C code. This trick is able to detect not only VMware, but any VMM running on a Pentium processor.
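As an added example (not the paper's own code), assuming the single instruction in question is SIDT: it is unprivileged on x86, so a software VMM of the Pentium era cannot trap it, and the guest reads the IDTR the VMM installed, whose base sits far above where a native 32-bit kernel keeps its IDT. The 0xd0 threshold and the reference addresses in the comments are assumptions taken from the published Red Pill trick, not from this page.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* IDTR as stored by SIDT: 16-bit limit followed by the base (4 bytes on
 * i386, 8 on x86-64). Packed so the base lands right after the limit. */
struct __attribute__((packed)) idtr_t {
    uint16_t  limit;
    uintptr_t base;
};

/* Read the IDT base with SIDT. Returns 0 on non-x86 builds, where the
 * trick does not apply, and 1 otherwise. */
static int read_idt_base(uint64_t *base)
{
#if defined(__i386__) || defined(__x86_64__)
    struct idtr_t r;
    __asm__ __volatile__("sidt %0" : "=m"(r));
    *base = (uint64_t)r.base;
    return 1;
#else
    (void)base;
    return 0;
#endif
}

/* Red Pill heuristic (assumed threshold): a native 32-bit Windows kernel
 * keeps its IDT around 0x8003xxxx and 32-bit Linux around 0xc0xxxxxx,
 * while the software VMMs of the time relocated the guest IDT to
 * 0xffxxxxxx (VMware) or 0xe8xxxxxx (Virtual PC). So bits 24..31 of the
 * base exceeding 0xd0 indicate a VMM. */
static int idt_base_looks_virtualized(uint64_t base)
{
    return ((base >> 24) & 0xff) > 0xd0;
}

int main(void)
{
    uint64_t base;
    if (!read_idt_base(&base)) {
        puts("not an x86 build: the SIDT trick does not apply");
        return 0;
    }
    printf("IDT base = 0x%llx -> %s\n", (unsigned long long)base,
           idt_base_looks_virtualized(base) ? "VMM suspected" : "looks native");
    return 0;
}
```

The heuristic is tied to the 32-bit address layout of that time: on a 64-bit kernel the IDT lives in a completely different range, and with hardware-assisted virtualization (or a VMM that uses UMIP to have SIDT trapped and emulated) the guest sees an IDTR of the VMM's choosing, so the check reports "looks native" inside a VM. Treat it as a historical single-instruction probe, not a general VMM detector.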
Slides for the two presentations I gave at ITUnderground are now available in the papers section (both English and Polish versions).
This website has been started!