Confidence - (24-25.05 2011 Krakow)
Język: polski | english

Alexandr Matrosov

Aleksandr Matrosov is currently working at ESET as Senior Malware Researcher since joining the company in October 2009 as a virus researcher, and working remotely from Russia. He has worked as a security researcher since 2003 for major Russian companies. He is also a Lecturer at Cryptology and Discrete Mathematics department of National Research Nuclear University in Moscow, and co-author of the research papers “Stuxnet Under the Microscope” and “TDL3: The Rootkit of All Evil?” and is frequently invited to speak at Russian security conferences. Nowadays he specializes in the complete analysis of difficult malicious threats and research into cybercrime activity.

Temat prezentacji:
Defeating x64: The Evolution of the TDL Rootkit

Język prezentacji:
Angielski

Abstrakt:
In this presentation we will be discussing the evolution of the notorious rootkit TDL (classified by ESET as Win32/Olmarik and Win64/Olmarik) which in its latest incarnation is the first widespread rootkit to target 64-bit versions of Microsoft Windows operating systems. The most striking features of the rootkit are its ability to bypass Microsoft Windows Driver Signature Checking in order to load its malicious driver, and its implementation of its own hidden encrypted file system, in which to store its malicious components. Between its first appearance on the malware scene and the present its architecture has been drastically changed several times to adapt to new systems and respond to countermeasures introduced by antivirus and HIPS software. In the presentation we will cover the the following topics: the evolution of the user-mode and kernel-mode components of the rootkit; techniques it has used to bypass HIPS; modifications to the hidden file system; bootkit functionality; tne recently introduced ability to infect x64 operating systems; and, finally, approaches to removing the rootkit from an infected system. In addition, we will present our free forensic tool for dumping the hidden rootkit file system.