10-28, 10:00–10:50 (US/Central), Alumni Theater
Rootkits (malware embedded in the kernel) and bootkits (malware embedded in the pre-boot environment) are interesting but extremely dangerous classes of malware that are on the rise. In this talk, we will look into why these kinds of malware are becoming more popular, what damage can be done in the privilege context they execute in, and what kinds of mitigations exist to prevent system damage.
In the recent past, it was relatively easy for malware authors to develop user mode malware to achieve their goals. There were few exploit mitigations to protect applications, applications were riddled with exploitable bugs, and once initial access was gained, there were hardly any monitoring capabilities to detect the malware's presence. Nowadays, modern operating systems have loads of user mode protections such as DEP, ASLR, CFG, and more. Even if we assume that a malware sample is able to bypass all active mitigations, operating systems lock down an application's access, and anti-viruses analyze every application's move, leading to decreased impact and almost immediate detection. This has motivated malware writers to create rootkits: malicious code that runs in the kernel. By running in kernel mode, malware enjoys more implicit trust, and anti-viruses are not as well suited to enforcing security policy. In some cases malware may require increased stealth, which has led people to create bootkits: malware that runs in an early boot environment where no operating system is active.
In this talk, we will explore why malware authors are developing rootkits and bootkits despite the incredible difficulty, what kinds of powers malware running at these elevated levels possess, and where things can go wrong in these precarious positions.
Red, Advanced, Technical
Justin Lewis is a Software Engineer at CrowdStrike working on the endpoint sensor both in the kernel and in user mode. Before that, Justin worked at Horne Cyber writing ransomware simulations.