AusCERT2015


Zoltan Balazs

Zoltan (@zh4ck) is the Chief Technology Officer at MRG Effitas, a company focusing on AV testing.

Before MRG Effitas, he had been working as an IT Security expert in the financial industry for 5 years and as a senior IT security consultant at one of the Big Four companies for 2 years. His main expertise areas are penetration testing, malware analysis, computer forensics and security monitoring. He released the Zombie browser tool that has POC malicious browser extensions for Firefox, Chrome and Safari. He is also the developer of the Hardware Firewall Bypass Kernel Driver (HWFWBypass). He has been invited to give presentations at information security conferences worldwide including DEF CON, Hacker Halted USA, Hackcon, Shakacon, OHM, Hacktivity and Ethical Hacking.

Presentation Title
Sandbox Detection: Leak, Abuse, Test
Abstract

Manual processing of malware samples became impossible years ago. Sandboxes are used to automate the analysis of malware samples to gather information about the dynamic behaviour of the malware, both at AV companies and at enterprises. These sandboxes are the number one selling products nowadays, often called Breach Detection Systems or APT detection systems. Some malware samples use known techniques to detect when they run in a sandbox, but most of these sandbox detection techniques can be easily detected and thus flagged as malicious.

During my research I invented new approaches to detect these sandboxes. I developed (and will publish during my presentation) a tool which can collect a lot of interesting information from these sandboxes to create statistics on how the current technologies work (and fail). After analysing these results I will demonstrate tricks to detect sandboxes. These tricks can’t be easily flagged as malicious. Some sandboxes don’t interact with the Internet in order to block data extraction, but with some DNS-fu the information can be extracted from these appliances as well.

This presentation will include a lot of interaction with the audience as we analyse the results together. 

Penetration testers can learn new techniques to detect sandboxes thus evading the detection during the test. 
Sandbox developers can learn new evasion techniques which should be fixed in their product. 
Future and current sandbox customers can test their sandboxes to see how easy they are to evade. 

Second Presentation

Hacking highly secured enterprise environments

In theory, post-exploitation after having remote access is easy. Also in theory, there is no difference between theory and practice. In practice, there is. Imagine a scenario where the hacker/penetration tester has deployed malware on a user’s workstation, but the target information is on a secure server accessed via two-factor authentication, with screen access only (e.g. RDP, Citrix, etc.). On top of that, the server runs application white-listing, and only the inbound port to the screen server (e.g. 3389) is allowed through the hardware firewall. But you also need persistent interactive C&C communication (e.g. Netcat, Meterpreter, RAT) to this server through the user’s workstation.

I developed (and published) two tools that help the community in these situations. The first tool can drop malware to the server through the screen while the user is logged in. The second tool can help to circumvent the hardware firewall after one can execute code on the server with admin privileges (using a signed kernel driver). My tools have been tested against Windows Server 2012 and Windows 8.1, and they work with RDP or other remote desktops (e.g. Citrix). The number of problems one can solve with them is endless, e.g., communicating with a bind shell on a web server behind a restricted DMZ. Beware, live demo and fun included!

Blue team members can learn new techniques to detect advanced attackers on the network, and the tricks they use to bypass detection.
Red team members and penetration testers can learn new techniques to bypass hardware firewalls, RDP screens protected with two-factor authentication, or application white lists.

