The program is subject to change. The workshop organizers will try to maintain the program; however, if a speaker is unable to come, or in the event of any other unforeseen problem, the program may be changed.
Gabor Szappanos, Virusbuster Ltd., Hungary
DAY 1: Monday, May 4, 2009
08.00 - 09.00
Breakfast and Registration
09.00 - 09.15
Gabor Szappanos, Virusbuster, Hungary
09.15 - 10.00
Keynote: The Exploit, the exploiter, the exploited ...
Righard J. Zwienenberg, Norman, The Netherlands
As long as there have been computer systems, vulnerabilities have existed and have been exploited. There are people who have made it their business to find vulnerabilities, and there are people who have made it their business to 'use' them. And there are people who do both. Their motives are just as diverse. What kinds of companies keep themselves busy looking for exploits, and what kinds of people are (mis)using them? What are they looking for, what are they after? The presentation will deal with this, going back to the early nineties and up to very recent events. Will we ever resolve the problem of exploits, being the exploited? Or be the exploiter?
10.00 - 10.45
Jumping Through the Hoops: Impact of Adobe Acrobat and Reader Exploits
Marian Radu and Andrei Florin Saygo, Microsoft Research and Response, Dublin, Ireland
Every code execution vulnerability in the Adobe Acrobat and Reader applications potentially has a huge security impact, because PDF documents are used in almost all corporate and government institutions and are also widespread among home users.
In the past year, we have seen an increase in malware attacks that involve specially crafted PDF files as links in the malware
The paper will present an overview of the attack vector, in-depth exploitation details and the steps undergone by the malware authors to conceal their code. We will comment upon the trend of existing and possibly future vulnerabilities. We will also discuss the threats deployed by these exploits and present telemetry data gathered by Microsoft's antimalware products, including the geographical distribution of PDF-based attacks.
10.45 - 11.00
11.00 - 11.45
Stock Market Impacts and Economics of Zero-Day Vulnerabilities
Anthony Bettini, McAfee Avert Labs
This talk focuses on the technical (both financial and computer security-based) aspects of the impact of zero-day vulnerabilities on equities markets. In particular, we examine the historical correlation between zero-day vulnerabilities and stock market prices. With real world examples, we look to see if, on average, stock prices are adversely affected by zero-day vulnerabilities (with and without exploits). We compare and contrast this effect across vendors and vulnerabilities, based on factors such as ease of exploitation, patch availability, vendor, year, etc. This talk builds on the analysis of Microsoft's Patch Tuesday that McAfee presented in the McAfee Security Journal.
11.45 - 12.30
The Exploitation Process of MS08-067 Vulnerability
Pierre-Marc Bureau, Juraj Malcho, Eset
On October 23rd, 2008, Microsoft released an out-of-band patch to fix a privately reported vulnerability. The vulnerability can allow remote code execution without authentication and affects all major versions of the Windows operating system. When the details of the security vulnerability were made public, it was clear that malware authors from around the globe would seize this opportunity to gain control over a significant number of vulnerable systems.
This presentation gives a timeline of the exploitation of the MS08-067 vulnerability, with special attention to malware. We will give technical details on the vulnerability and on the evolution of various malware families that exploit it, from the targeted Trojan Win32/Gimmiv.A to the infamous Win32/Conficker worm. We will see how exploitation code has been modified over time to improve reliability and target more versions of the Windows operating system. Finally, we will study the geographical distribution of each threat as well as their general
12.30 - 13.45
13.45 - 14.30
Effects-Based Vulnerability Detection: An Overview
Richard Ford, Florida Institute of Technology and Marco Carvalho, Institute for Human Machine Cognition
Vulnerability detection and mitigation remains a significant challenge for commercial and academic researchers. Furthermore, current trends in malware have dramatically increased the danger posed by so-called zero-day vulnerabilities. However, to date there has been little success in defending against these attacks, as anti-malware technology is historically signature based and reactive in nature.
In this presentation, we provide a survey of the state of the art in effects-based security. Such approaches are typically generic, and differ significantly from known-vulnerability detection and heuristic methods in that they focus on the impact of an attack as opposed to detection of attack traffic per se. This approach is attractive as it tends to reduce false positive rates, since the detection system is moderated by the actual impact on protected applications. Research sources are not limited to our own work, but are taken from a broad literature search. As such, the goal of the talk is to provide attendees with a broad overview of the latest published research in this area, in addition to some of our own research on Danger Theory-based exploit detection systems. The relative merits and costs of these approaches are explored, and practical application
14.30 - 15.15
Generic Detection of File Format-Based Exploits
Bruce Dang and Cristian Craioveanu, Microsoft USA
As operating system security matures, attackers are focusing more time and resources on exploiting vulnerabilities found in client-side applications. This approach has many immediate advantages for attackers. For example, some applications are so ubiquitous that they reside on most consumers' and enterprises' computers, thus increasing the potential success rate and scope of an attack. Furthermore, due to consumer familiarity with these popular applications, social engineering becomes much easier.
In practice, implementing accurate and effective protection against this type of threat is not an easy task to accomplish. In this paper, we present a systematic, generic technique used to detect malicious Office documents (Word, Excel, PowerPoint, etc.). We show how this technique can also be extended to support other proprietary file formats or data structures (Adobe SWF, PDF, etc.). In addition, we discuss the reliability of applying this method to real world scenarios and its effectiveness in detecting unknown exploits, as measured by telemetry data gathered in Microsoft's security labs.
15.15 - 15.30
15.30 - 16.15
Using Markov Models To Detect Code Execution Exploits
Christoph Alme and Dennis Elser, McAfee Inc., Germany
Recent years have seen the introduction of valuable countermeasures to prevent the remote execution of machine code. Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) are respective examples. Since these have been around, exploits are no longer a problem and have vanished from the threat landscape. Well, unfortunately not. Actually, the number of drive-by infection websites continues to grow. In 2008, the Microsoft Access Snapshot Viewer vulnerability and the Internet Explorer XML Data Binding vulnerability were prominent examples of high-profile zero-day vulnerabilities being quickly utilized for attacks in the wild.
While the above-mentioned run-time countermeasures exist, exploits – and zero-day exploits in particular – continue to be the most dangerous threat out there today, for reasons including the sometimes limited scope of stack cookies, applications not using the respective compiler options and, last but not least, the delay between the availability of patches and their actual deployment.
While desktop anti-malware solutions have added buffer overflow detections to their Host Intrusion Prevention Systems (HIPS), for our intended usage on corporate network gateways we are bound to static inspection of all traffic: looking for a needle in quite a big haystack. Scanning for No-Operation (NOP) slides is looking for smoke to assume there's fire. To spot the fire instead, which does not always necessarily produce any smoke, we combine recursive traversal disassembly and Markov models to represent shellcode as (IA-32) instruction chains and spot any occurrences in a probabilistic manner.
16.15 - 17.00
Detecting Office Exploits: The good, the bad and the ugly
Maksym Schipka and Andrey Krukov, Kaspersky Labs
Detecting exploits in office documents has been a long-neglected area of anti-malware protection. With the advances in targeted malware and the bad guys looking for easier, less technical, but better socially engineered ways to get into the end user's computer and install malware on it, generic and specific detection of exploits becomes a hot topic for any anti-malware vendor who wants to keep providing good defence to their customers. Without disclosing any ground-breaking ideas in detecting malicious office documents, this presentation will use one or two office exploit examples to outline and sum up different ways malicious office files can be detected, analyse advantages and disadvantages of such detection methods and sum up with recommendations for anti-malware vendors.
17.00 - 17.30
Attacking the Cloud
Peter Szor, Symantec Corporation
Cloud scanning is a relatively new approach in antivirus products, yet it quickly gained popularity among security vendors due to its promise to enhance client protection.
Due to the increased load of definitions data on client systems, the promise is that cloud based protection might be the ultimate answer to avoid delivering each signature to the antivirus clients, and to provide protection as a service instead. When the cloud fails, the protection falls back to the level provided by the client side protection. Thus, over time, the decreased level of client based signature protection might expose users to significantly more successful attacks. Certainly, client protection is not limited to signatures, but also includes other kinds of protection flavors, such as behavior blocking among others. Unfortunately, accurate and reliable testing of dynamic prevention technology is at a very early stage today.
This talk will focus on cloud scanning vulnerabilities and their possible exploitation, with some specific examples to raise the awareness of security vendors about what should be avoided.
DAY 2: Tuesday, May 5, 2009
08.30 - 09.45
09.45 - 10.30
Testing exploit-prevention mechanisms in anti-malware products
Maik Morgenstern and Andreas Marx, AV-Test GmbH
Vulnerabilities in different kinds of applications are one of the most common ways for malware infiltration, as they usually work without any user interaction and the person in front of the PC might not even recognize that his system is infected. This silent installation method is considered superior by the malware authors when compared with e-mail attachments or web downloads, which still require some more
When testing exploit-prevention mechanisms in anti-malware products, a lot more than simple file scanning (to gain some "detection scores") is required. In order to get meaningful results, the vulnerable application (in the exploitable version) has to be installed on the test system. The actual exploit has to be introduced via the usual infection vector to test the exploit-prevention mechanisms in anti-malware products.
This paper will focus on some of the most widespread types of vulnerabilities and exploits, such as those for web browsers, office applications and media players. We will discuss an approach for "real world" testing with a focus on the following aspects:
›› proper introduction of the exploit to the vulnerable application,
›› the tracking of all relevant system changes,
›› reproducibility and comparability,
›› a rating scheme for the detection and blocking of malicious activities plus the removal of installed malicious components.
10.30 - 11.15
PE format as a source of vulnerabilities
Ivan Teblin, McAfee Avert, Aylesbury, UK
The protection provided by security scanners is an important part of any computer system. If there were a simple way to construct malicious objects that would bypass AV scanners, that would constitute a serious security risk. One of the approaches actively used nowadays in order to bypass protection and avoid detection by security software is exploiting weaknesses and quirks in the Win32 and Win64 PE format specifications. The main danger of this approach is that both known and unknown malware can be rendered unrecognizable to an AV scanner – all by manipulating just a few bytes.
The Portable Executable (PE) format is the main file format of applications and shared libraries for the family of very popular Microsoft Windows operating systems. Because it is so popular, the PE format naturally became an important target for exploitation.
The fact that the Microsoft Windows OS accepts significantly wider variations than are described in the official Microsoft PE format specification is widely known to both security experts and malware authors. Bad guys frequently use it for the purpose of hiding and obfuscating malware. However, the real process of loading a PE file appears to be so obscure and undocumented that even experienced security specialists may not be aware of all its various dark corners. Thus, such 'hidden' undocumented parts of the PE specification may get overlooked (fully or partially) by security software, making it vulnerable to PE-based exploits.
Another direction of PE-based exploits is denial of service attacks. As stated above, even working PE files present large variations of dangerous deviations from the standard PE file format. Of course, intentionally corrupted PE files have a literally infinite number of ways to cause a crash of the vulnerable scanner or even remote code execution.
During our research we could not find any popular debugging or analysis tool free from PE vulnerabilities. We consider this an important indication that software analysts and developers underestimate the complexity of PE parsing. We review a number of root causes of major vulnerabilities in the PE file format and test them against the IDA Pro code analyser, which is one of the most popular tools used by security researchers and other low-level code professionals. We list and classify the discussed vulnerabilities (with sample PE files), performing some live demonstrations. Files used in the research and presentation will be available for download.
11.15 - 11.30
11.30 - 12.15
Vulnerable formats: a View from an AV Engine
Jozsef Illes, Virusbuster Ltd, Hungary
In our presentation we examine three file formats: AutoIt executables, NSIS installers and SWF files.
They share some key features that make them really ideal for today's malware development. They all have a scripting facility that enables developers to implement complex tasks. They tend to run in a wide variety of operating environments with little dependency on external resources: AutoIt and NSIS executables run on all flavors of Microsoft Windows, and SWF is supported on Windows, Linux, Mac and so on. They are easy to access: AutoIt is freeware, NSIS is open source and SWF has an open specification. All three formats in question provide a means of compression, which makes files suitable for network delivery. In addition, AutoIt supports encryption of scripts.
Therefore a good anti-malware solution must provide support for scanning these file formats in an intelligent way. We take up the challenge and show how a virus search engine can be enabled to dive into AutoIt, NSIS and SWF files.
12.15 - 13.00
W32/Conficker: Threat and Vulnerability analysis
Aditya Kapoor and Rachit Mathur, McAfee Avert Labs
In this paper we will present the analysis of the widely exploited vulnerability (MS08-067) used by the W32/Conficker worm and illustrate the weakness in the code that is being exploited. This paper further illustrates the timeline of the Conficker worm and how it became a potent threat. With traces of the challenges the Gromozon Trojan posed two years ago, there were many detection and cleaning challenges in this threat. While the spaghetti-obfuscated DLL poses detection challenges, it does no less to ensure that cleaning the threat is equally challenging. With the use of API hooking, ACLs and handles, the threat poses some serious cleaning challenges that posed difficulties for many AV products. We will illustrate methods to clean this threat. Furthermore, this paper will also shed light on the payload (motive) of this modern day exploit-based malcode, and draws potential links to existing malware gangs. This can help explain the financial aspects of this threat and vulnerability; we will briefly touch upon that. Finally, the best practices to defend against and contain a similar zero day exploit will be discussed, along with tips for incident response to quickly locate and quarantine the infected machines on a LAN.
13.00 - 14.00
14.00 - 14.45
Vulnerabilities in Anti-Virus Memory Scanners
Abhijit P. Kulkarni and Prakash D. Jagdale, Quick Heal Research and Development Center
A memory scanner is an integral part of most anti-virus products. The paper discusses the vulnerabilities present in anti-virus memory scanners, which can be exploited by malware writers. A few of the vulnerabilities are present due to the OS APIs used by the memory scanners, and others are due to the way the memory scanners are implemented on 64-bit Windows.
There is an increase in the number of 64-bit processors and in 64-bit computing. A few of the anti-virus products have all their components as 64-bit, a few have all components as 32-bit and a few have a combination of both. Irrespective of the implementation, the vulnerabilities which we are going to discuss are present in all types of anti-virus memory scanners. From our research, the vulnerabilities exist in the latest versions of almost all AVs. The paper will also propose a working solution for all the vulnerabilities discussed.
14.45 - 15.30
Vulnerabilities and Exploits Patterns - What Can We Learn?
Ziv Mador, Microsoft Malware Protection Center
One of the techniques malware uses to spread is by exploiting vulnerabilities in operating systems or in a variety of applications. In most cases these exploits still require some social engineering; however, late in 2008 the antimalware industry also observed a worm which spreads with no user interaction by exploiting the critical Windows vulnerability MS08-067. The worm, dubbed Conficker, also uses other techniques to spread, such as guessing weak passwords for network shares or via removable media. Other exploits use other vulnerabilities, in a variety of applications or in ActiveX controls from various software vendors. Attackers often use HTML code which tries to exploit various vulnerabilities in different browsers such as Internet Explorer and Firefox. This presentation will review some of the characteristics of the exploits we have seen recently. It will include observations from the Microsoft Software Security Incident Response Process (SSIRP) and from its most current Security Intelligence Report.
15.30 - 15.45
15.45 - 16.30
The (non-)patching users - a look from the trenches
Roel Schouwenberg, Kaspersky Lab
Some of Kaspersky Lab's products feature a vulnerability scanner. Many users automatically send us the results of this type of scan. Using this system we are able to see trends across a significant number of systems used by all sorts of end-users.
In this presentation we'll have a look at a number of interesting statistics and correlations. Amongst others, we'll look at the most common vulnerabilities and patch trends from users across the globe.
The non-public nature of the CARO workshop will allow for otherwise non-disclosed details to be discussed.
16.30 - 17.15
The Whole Kit and Caboodle
Nick FitzGerald, AVG Technologies
A look into the popular packaged web exploit kits and their evolution.
17.15 - 17.30
Gabor Szappanos, Virusbuster, Hungary