In a twisted sort of way, today’s threats are kind of thrilling. Hacker movies of yesterday have nothing on the reality of today.When I first learned how buffer overflows worked I was amazed. But reflective memory attacks go way beyond “simple” buffer overflows.
Reflective memory attacks allows the bad guy to silently load large programs and execute them inside an already running process, using it’s memory, resources and authority. These attacks bypass common security technologies like AV and application whitelisting because they don’t drop any file onto the file system. They basically just allocate some memory, write the malicious code into it and then (usually) spin up a thread executing that code. That’s actually not a very unusual sequence of operations so it’s really hard to detect.
In this presentation, we will do a deep dive exclusively into reflective memory attacks. You will learn:
• How reflect memory attacks work
• Why they’re called reflective
• Why traditional security technologies don’t catch them
• Methods for detecting them
• Crippling performance problems caused by some detection methods
• Tradeoff between detection and performance
Joining me will be Dan Teal who invented CoreTrace (acquired by Lumension) Bouncer technology. Dan will shed light on this advanced topic and then briefly show how Lumension Endpoint Security Suite incorporates Bouncer technology to detect reflective memory attacks without hurting performance.