Kernel Exploit Hunting and Mitigation



In the era of cyberwarfare, it becomes a norm to see cyber criminals use multi-level attacks to penetrate a multi-layered protected network infrastructure. We often see APT attackers manipulate 0-day or N-day Windows kernel vulnerabilities in order to guarantee a successful full system compromise. It would be a surprise if we do not see Windows kernel exploit involved in such targeted attacks.

It is also worth noting that beside APT attackers, the botnet operators also seize the opportunity to integrate these publicly, or sometime undisclosed, kernel exploits in their piece of work. One notable example is the CVE-2015-0057 Win32k exploit seen integrated into Dyre, a notorious banking Trojan spreading in the wild. This was first spotted by F-Secure’s proprietary dynamic-analysis system in 20th April 2015 however no information was provided by F-Secure during that time. The exploit was also seen to be removed from newer version of Dyre distributed after late June 2015 since after the disclosure of FireEye. Apart from that, there are a lot more malware families manipulating kernel exploit, to name a few:

• Turla
• Necurs
• Carperb/Rovnix
• Evotoob
• Discpy
• Ramnit

This topic will focus on how to proactively discover the effective samples with kernel exploits, or potentially 0-day kernel exploits, through a dynamic-analysis system. This talk will also detail the analysis of some kernel exploit that could bypass kernel exploit detection and prevention methodology used in HIPS. At last, we will demo a prototype tool on how to mitigate this kernel exploit effectively.

Location: Track 2 Date: May 26, 2016 Time: 2:00 pm - 3:00 pm Broderick Aquilino Wayne Low