Joanna Rutkowska
April 21, 2005
Presentation Title: Hide-And-Seek: Defining the Roadmap for Malware Detection on Windows
Presentation Details:
The presentation aims towards defining a detailed list of vital operating system parts as well as a methodology for malware detection. The list will start on such basic levels as actions needed for file system and registry integrity verification, go through user-mode memory validating (detecting additional processes, hooked DLLs, injected threads, etc…) and finally end on such advanced topics as defining vital kernel parts which can be altered by modern rootkit-based malware (with techniques like Raw IRP hooking, various DKOM based manipulations or VMM cheating)
By no means will the presented list be complete, however, the author believes that, in contrast to what many other people may think, there is only a finite number of methods which can be used by malware to compromise a system and hopefully in the future (with the help of the community) the list will “stabilize†and become more complete. Such a reference roadmap/list, will help raise the level of awareness on what is still missing with regards to malware detection and will hopefully stimulate the creation of better detection tools, leaving less and less space for malware to survive.
The presentation will be supported with live demos, in which some interesting malware will be shown as well as detection tools catching it (including some new tools from the author). Some of the topics will be touched briefly (like file system verification), while some other areas, like kernel-level integrity verification will be discussed very deeply (together with description of the latest advances in rootkit technology). At the end, the subject of implementation specific attacks against malware detectors will be briefly discussed.The presentation will focus on the Windows 2000/XP/2003 family of operating systems.
About Joanna:
Joanna Rutkowska is an independent security researcher. Her main interest is in stealth technology, that is, in the methods used by attackers to hide their malicious actions after a successful break-in. This includes various types of rootkits, network backdoors and covert channels. She is interested in both detecting this kind of activity and in developing and testing new offensive techniques.
She develops assessment and detection tools mainly for pen-testing companies. She has previously presented at the 21st Chaos Communication Congress, IT Underground 2004 and HiverCon2003. She lives in Warsaw, Poland.