Special notice: The program is subject to change. The workshop organizers will try to maintain the program; however, in the event that a speaker is unable to attend, or in case of any other unforeseen problems, the program may be changed.
Workshop Chair: Gabor Szappanos, Virusbuster Ltd., Hungary

DAY 1 | Monday - May 4, 2009
08.00 - 09.00 Breakfast and Registration
09.00 - 09.15 Welcome Message
Gabor Szappanos, Virusbuster, Hungary
09.15 - 10.00 Keynote: The Exploit, the exploiter, the exploited ...
Righard J. Zwienenberg, Norman, The Netherlands
For as long as there have been computer systems, vulnerabilities have existed and have been exploited. There are people who have made it their business to find vulnerabilities, and there are people who have made it their business to 'use' them. And there are people who do both. Their motives are just as diverse. What kind of companies keep themselves busy looking for exploits, and what kind of people are (mis)using them? What are they looking for, what are they after? The presentation will deal with this, going back from the early nineties to very recent events. Will we ever resolve the problem of exploits, being the exploited? Or be the exploiter?
10.00 - 10.45 Jumping Through the Hoops: Impact of Adobe Acrobat and Reader Exploits
Marian Radu and Andrei Florin Saygo, Microsoft Research and Response, Dublin, Ireland
Every code execution vulnerability in the Adobe Acrobat and Reader applications potentially has a huge security impact, due to the fact that PDF documents are used in almost all corporate and government institutions and are also widespread among home users. In the past year, we have seen an increase in malware attacks that involve specially crafted PDF files as links in the malware deployment chain. The paper will present an overview of the attack vector, in-depth exploitation details, and the steps taken by the malware authors to conceal their code. We will comment upon the trend of existing and possible future vulnerabilities. We will also discuss the threats deployed by these exploits and present telemetry data gathered by Microsoft's antimalware products, including the geographical distribution of PDF-based attacks.
10.45 - 11.00 Culinary Break
11.00 - 11.45 Stock Market Impacts and Economics of Zero-Day Vulnerabilities
Anthony Bettini, McAfee Avert Labs
This talk focuses on the technical (both financial and computer security-based) aspects of the impacts of zero-day vulnerabilities on equities markets. In particular, we examine the historical correlation between zero-day vulnerabilities and stock market prices. With real-world examples, we look to see if, on average, stock prices are adversely affected by zero-day vulnerabilities (with and without exploits). We compare and contrast this effect across vendors and vulnerabilities, based on factors such as ease of exploitation, patch availability, vendor, year, etc. This talk builds on the analysis of Microsoft's Patch Tuesday that McAfee presented in the McAfee Security Journal.
11.45 - 12.30 The Exploitation Process of MS08-067 Vulnerability
Pierre-Marc Bureau, Juraj Malcho, Eset
On October 23rd, 2008, Microsoft released an out-of-band patch to fix a privately reported vulnerability. The vulnerability can allow remote code execution without authentication and affects all major versions of the Windows operating system. When the details of the security vulnerability were made public, it was clear that malware authors from around the globe would seize this opportunity to gain control over a significant number of vulnerable systems.

This presentation gives a timeline of the exploitation of the MS08-067 vulnerability, with special attention to malware. We will give technical details on the vulnerability and on the evolution of the various malware families that exploit it, from the targeted Trojan Win32/Gimmiv.A to the infamous Win32/Conficker worm. We will see how exploit code has been modified over time to improve reliability and target more versions of the Windows operating system. Finally, we will study the geographical distribution of each threat as well as their general prevalence.
12.30 - 13.45 International Lunch
13.45 - 14.30 Effects-Based Vulnerability Detection: An Overview
Richard Ford, Florida Institute of Technology and Marco Carvalho, Institute for Human Machine Cognition
Vulnerability detection and mitigation remains a significant challenge for commercial and academic researchers. Furthermore, current trends in malware have dramatically increased the danger posed by so-called zero-day vulnerabilities. However, to date there has been little success in defending against these attacks, as anti-malware technology is historically signature-based and reactive in nature.

In this presentation, we provide a survey of the state of the art in effects-based security. Such approaches are typically generic, and differ significantly from known-vulnerability detection and heuristic methods in that they focus on the impact of an attack as opposed to detection of attack traffic per se. This approach is attractive as it tends to reduce false positive rates, since the detection system is moderated by the actual impact on protected applications. Research sources are not limited to our own work, but are taken from a broad literature search. As such, the goal of the talk is to provide attendees with a broad overview of the latest published research in this area, in addition to some of our own research on Danger Theory-based exploit detection systems. The relative merits and costs of these approaches are explored, and their practical application assessed.
14.30 - 15.15 Generic Detection of File Format-Based Exploits
Bruce Dang and Cristian Craioveanu, Microsoft USA
As operating system security matures, attackers are focusing more time and resources on exploiting vulnerabilities found in client-side applications. This approach has many immediate advantages for attackers. For example, some applications are so ubiquitous that they reside on most consumers' and enterprises' computers, thus increasing the potential success rate and scope of an attack. Furthermore, due to consumer familiarity with these popular applications, social engineering becomes much easier to employ.

In practice, implementing accurate and effective protection against this type of threat is not an easy task to accomplish. In this paper, we present a systematic, generic technique used to detect malicious Office documents (Word, Excel, PowerPoint, etc.). We show how this technique can also be extended to support other proprietary file formats or data structures (Adobe SWF, PDF, etc.). In addition, we discuss the reliability of applying this method to real-world scenarios and its effectiveness in detecting unknown exploits, as measured by telemetry data gathered in Microsoft's security labs.
15.15 - 15.30 Culinary Break
15.30 - 16.15 Using Markov Models To Detect Code Execution Exploits
Christoph Alme and Dennis Elser, McAfee Inc., Germany
Recent years have seen the introduction of valuable countermeasures to prevent the remote execution of machine code. Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) are respective examples. Since these have been around, exploits are no longer a problem and have vanished from the threat landscape. Well, unfortunately not. Actually, the number of drive-by infection websites continues to grow. In 2008, the Microsoft Access Snapshot Viewer vulnerability and the Internet Explorer XML Data Binding vulnerability were prominent examples of high-profile zero-day vulnerabilities being quickly utilized for attacks in the wild.

While the above-mentioned run-time countermeasures exist, exploits – and zero-day exploits in particular – continue to be the most dangerous threat out there today, for reasons including the sometimes limited scope of stack cookies, applications not using the respective compiler options and, last but not least, the delay between the availability of patches and their actual deployment.

While desktop anti-malware solutions have added buffer overflow detection to their Host Intrusion Prevention Systems (HIPS), for our intended usage on corporate network gateways we are bound to static inspection of all traffic: looking for a needle in quite a big haystack. Scanning for No-Operation (NOP) slides is looking for smoke to assume there's fire. To spot the fire instead, which does not always necessarily produce any smoke, we combine recursive traversal disassembly and Markov models to represent shellcode as (IA-32) instruction chains and spot any occurrences in a probabilistic manner.
16.15 - 17.00 Detecting Office Exploits: The good, the bad and the ugly
Maksym Schipka and Andrey Krukov, Kaspersky Labs
Detecting exploits in office documents has been a long-neglected area of anti-malware protection. With the advances in targeted malware, and with the bad guys looking for easier, less technical, but better socially engineered ways to get into the end user's computer and install malware on it, generic and specific detection of exploits has become a hot topic for any anti-malware vendor who wants to keep providing good defence to their customers. Without disclosing any ground-breaking ideas in detecting malicious office documents, this presentation will use one or two office exploit examples to outline and sum up the different ways malicious office files can be detected, analyse the advantages and disadvantages of such detection methods, and conclude with recommendations for anti-malware vendors.
17.00 - 17.30 Attacking the Cloud
Peter Szor, Symantec Corporation
Cloud scanning is a relatively new approach in antivirus products, yet it quickly gained popularity among security vendors due to its promise to enhance client protection.

Due to the increased load of definition data on client systems, the promise is that cloud-based protection might be the ultimate answer: avoid delivering each signature to the antivirus clients and provide protection as a service instead. When the cloud fails, the protection falls back to the level provided by the client-side protection. Thus, over time, the decreased level of client-based signature protection might expose users to significantly more successful attacks. Certainly, client protection is not limited to signatures, but includes other kinds of protection flavors such as behavior blocking, among others. Unfortunately, accurate and reliable testing of dynamic prevention technology is at a very early stage today.

This talk will focus on cloud scanning vulnerabilities and their possible exploitation, with some specific examples to raise awareness among security vendors of what should be avoided.

19.00 Hospitality program

DAY 2 | Tuesday - May 5, 2009
08.30 - 09.45 Registration
09.45 - 10.30 Testing exploit-prevention mechanisms in anti-malware products
Maik Morgenstern and Andreas Marx, AV-Test GmbH
Vulnerabilities in different kinds of applications are one of the most common ways for malware infiltration, as they usually work without any user interaction and the person in front of the PC might not even recognize that his system is infected. This silent installation method is considered superior by the malware authors when compared with e-mail attachments or web downloads, which still require some more double-clicks.

When testing exploit-prevention mechanisms in anti-malware products, a lot more than simple file scanning (to gain some "detection scores") is required. In order to get meaningful results, the vulnerable application (in the exploitable version) has to be installed on the test system. The actual exploit has to be introduced via the usual infection vector to test the exploit-prevention mechanisms in anti-malware products.

This paper will focus on some of the most widespread types of vulnerabilities and exploits, such as those for web browsers, office applications and media players. We will discuss an approach for "real world" testing with a focus on the following aspects:
››  proper introduction of the exploit to the vulnerable application,
››  the tracking of all relevant system changes,
››  reproducibility and comparability,
››  a rating scheme for the detection and blocking of malicious activities plus the removal of installed malicious components.
10.30 - 11.15 PE format as a source of vulnerabilities
Ivan Teblin, McAfee Avert, Aylesbury, UK
The protection provided by security scanners is an important part of any computer system. If there were a simple way to construct malicious objects that would bypass AV scanners, that would constitute a serious security risk. One of the approaches actively used nowadays in order to bypass protection and avoid detection by security software is exploiting weaknesses and quirks in the Win32 and Win64 PE format specifications. The main danger of this approach is that both known and unknown malware can be rendered unrecognizable to an AV scanner – all by manipulating just a few bytes.

The Portable Executable (PE) format is the main file format of applications and shared libraries for the very popular family of Microsoft Windows operating systems. Because it is so popular, the PE format naturally became an important target for exploitation.

The fact that the Microsoft Windows OS accepts significantly wider variations than are described in the official Microsoft PE format specification is widely known to both security experts and malware authors. Bad guys frequently use this for the purpose of hiding and obfuscating malware. However, the real process of loading a PE file appears to be so obscure and undocumented that even experienced security specialists may not be aware of all its various dark corners. Thus, such 'hidden' undocumented parts of the PE specification may get overlooked (fully or partially) by security software, making it vulnerable to PE-based exploits.

Another direction of PE-based exploits is denial of service attacks. As stated above, even working PE files present a large variety of dangerous deviations from the standard PE file format. Of course, intentionally corrupted PE files have a literally infinite number of ways to cause a crash of the vulnerable scanner or even remote code execution.

During our research we could not find any popular debugging or analysis tool free from PE vulnerabilities. We consider this an important indication that software analysts and developers underestimate the complexity of PE parsing.

We review a number of root causes of major vulnerabilities in the PE file format and test them against the IDA Pro code analyser, which is one of the most popular tools used by security researchers and other low-level code professionals.

We list and classify the discussed vulnerabilities (with sample PE files), performing some live demonstrations. The files used in the research and presentation will be available for download.
11.15 - 11.30 Culinary Break
11.30 - 12.15 Vulnerable formats: a View from an AV Engine
Jozsef Illes, Virusbuster Ltd, Hungary
In our presentation we examine three file formats: AutoIt executables, NSIS installers and SWF files.

They share some key features that make them really ideal for today's malware development. They all have a scripting facility that enables developers to implement complex tasks. They tend to run in a wide variety of operating environments with little dependency on external resources: AutoIt and NSIS executables run on all flavors of Microsoft Windows, and SWF is supported on Windows, Linux, Mac and so on. They are easy to access: AutoIt is freeware, NSIS is open source and SWF has an open specification.

All three of the formats in question provide a means of compression, which makes files suitable for network delivery. In addition, AutoIt supports encryption of scripts.

Therefore, a good anti-malware solution must provide support for scanning these file formats in an intelligent way. We take up the challenge and show how a virus search engine can be enabled to dive into AutoIt, NSIS and SWF files.
12.15 - 13.00 W32/Conficker: Threat and Vulnerability analysis
Aditya Kapoor and Rachit Mathur, McAfee Avert Labs
In this paper we will present an analysis of the widely exploited vulnerability (MS08-067) used by the W32/Conficker worm and illustrate the weakness in the code that is being exploited. This paper further illustrates the timeline of the Conficker worm and how it became a potent threat. With traces of the challenges the Gromozon Trojan posed two years ago, there were many detection and cleaning challenges in this threat. While the spaghetti-obfuscated DLL poses detection challenges, it does no less to ensure that cleaning the threat is equally challenging. With the use of API hooking, ACLs and handles, the threat poses some serious cleaning challenges that caused difficulties for many AV products. We will illustrate methods to clean this threat. Furthermore, this paper will also shed light on the payload (motive) of this modern-day exploit-based malcode, and draw potential links to existing malware gangs. This can help explain the financial aspects of this threat and vulnerability, which we will briefly touch upon. Finally, the best practices to defend against and contain a similar zero-day exploit will be discussed, along with tips for incident response to quickly locate and quarantine the infected machines on a LAN.
13.00 - 14.00 International Lunch
14.00 - 14.45 Vulnerabilities in Anti-Virus Memory Scanners
Abhijit P. Kulkarni and Prakash D. Jagdale, Quick Heal Research and Development Center
The Memory Scanner is an integral part of most Anti-Virus products. The paper discusses the vulnerabilities present in Anti-Virus Memory Scanners, which can be exploited by malware writers. A few of the vulnerabilities are present due to the OS APIs used by the Memory Scanners, and others are due to the way the Memory Scanners are implemented on 64-bit Windows.

There is an increase in the number of 64-bit processors and in 64-bit computing. A few of the Anti-Virus products have all their components as 64-bit, a few have all components as 32-bit, and a few have a combination of both. Irrespective of the implementation, the vulnerabilities which we are going to discuss are present in all types of Anti-Virus Memory Scanners.

From our research, the vulnerabilities exist in the latest versions of almost all AVs. The paper will also propose a working solution for all the vulnerabilities discussed.
14.45 - 15.30 Vulnerabilities and Exploits Patterns - What Can We Learn?
Ziv Mador, Microsoft Malware Protection Center
One of the techniques malware uses to spread is exploiting vulnerabilities in operating systems or in a variety of applications. In most cases these exploits still require some social engineering; however, late in 2008 the antimalware industry also observed a worm which spreads with no user interaction by exploiting the critical Windows vulnerability MS08-067. The worm, dubbed Conficker, also uses other techniques to spread, such as guessing weak passwords for network shares or via removable media.

Other exploits, however, use other vulnerabilities, in a variety of applications or in ActiveX controls from various software vendors.

Attackers often use HTML code which tries to exploit various vulnerabilities in different browsers, such as Internet Explorer and Firefox. This presentation will review some of the characteristics of the exploits we have seen recently. It will include observations from the Microsoft Software Security Incident Response Process (SSIRP) and from its most current Security Intelligence Report.
15.30 - 15.45 Culinary Break
15.45 - 16.30 The (non-)patching users - a look from the trenches
Roel Schouwenberg, Kaspersky Lab
Some of Kaspersky Lab's products feature a vulnerability scanner. Many users automatically send us the results of this type of scan. Using this system, we are able to see trends across a significant number of systems used by all sorts of end users.

In this presentation we'll have a look at a number of interesting statistics and correlations. Amongst others, we'll look at the most common vulnerabilities and patch trends from users across the globe.

The non-public nature of the CARO workshop will allow for otherwise non-disclosed details to be discussed.
16.30 - 17.15 The Whole Kit and Caboodle
Nick FitzGerald, AVG Technologies
A look into the popular packaged web exploit kits and their evolution.
17.15 - 17.30 Closing Remarks
Gabor Szappanos, Virusbuster, Hungary