Ambush - Catching Intruders at Any Point

BSidesLV 2012

Presented by: Matt Weeks (Scriptjunkie)
Date: Wednesday July 25, 2012
Time: 11:00 - 11:50
Location: Track 1
Track: Breaking Ground

Intrusion detection and prevention systems monitor a point or set of points, such as a network connection. In response, malware authors hide traffic through these points with encryption, encoding, and obfuscation. This presentation will demonstrate a different strategy, based not on another fixed point but on the flexibility to add almost any point dynamically, using a new function call hooking system capable of intercepting virtually any set of API functions system-wide. This is in contrast to existing HIPSes, which are limited to functions chosen during design and only monitor certain actions, such as file and registry edits. It uses dynamic code generation to expand on existing hooking techniques, overcoming the challenges posed by differing function definitions, architectures, and associated calling conventions.

This presentation will demonstrate the ability to configure signatures on everything from the highest- to the lowest-level APIs, catching whole classes of malware. It can prevent exploitation of certain vulnerabilities and identify shellcode, keylogging, remote control, and HTTPS-encrypted communications regardless of code obfuscation. Pentesters, red teams, and malware authors used to worry about getting caught while writing to disk. Now, no action is safe. The implementation, the Ambush Host Intrusion Prevention System, will be released open-source.

Matt Weeks

Matt Weeks has performed mathematical research in chaos theory and cryptology, and focuses on information security. He enjoys finding ways to break application security, writing shellcode, and creating post-exploitation techniques. Also known as scriptjunkie, he has developed for the Metasploit framework, wrote the sessionthief MITM tool, has spoken at conferences such as DEFCON and Black Hat, and broke a cryptosystem based on chaos theory. He runs the site http://www.scriptjunkie.us/
