The TDL3 rootkit is a sophisticated rootkit variant that targets 64-bit machines. It gains control during the boot sequence by altering the Master Boot Record, which lets it get around the driver-signature and PatchGuard protections that would otherwise block it. TDL3 encodes and decodes its files on the fly to avoid detection, hunts for processes to infect, and has mechanisms to prevent removal such as a watchdog thread. It was the first significant 64-bit rootkit and illustrates the risks posed by malware that keeps evolving in an ongoing security "chess match".
Defeating x64: The Evolution of the TDL Rootkit (Alex Matrosov)
In this presentation we will be discussing the evolution of the notorious rootkit TDL (classified by ESET as Win32/Olmarik and Win64/Olmarik), which in its latest incarnation is the first widespread rootkit to target 64-bit versions of Microsoft Windows operating systems. The most striking features of the rootkit are its ability to bypass Microsoft Windows Driver Signature Checking in order to load its malicious driver, and its implementation of its own hidden encrypted file system in which to store its malicious components. Between its first appearance on the malware scene and the present, its architecture has been drastically changed several times to adapt to new systems and respond to countermeasures introduced by antivirus and HIPS software. In the presentation we will cover the following topics: the evolution of the user-mode and kernel-mode components of the rootkit; techniques it has used to bypass HIPS; modifications to the hidden file system; bootkit functionality; the recently introduced ability to infect x64 operating systems; and, finally, approaches to removing the rootkit from an infected system. In addition, we will present our free forensic tool for dumping the hidden rootkit file system.
* Know the reasons why various operating systems exist and how they function for dedicated purposes
* Understand the basic concepts while building system software from scratch
• How can we benefit from cheap ARM boards and the related open source tools?
- Raspberry Pi & STM32F4-Discovery
As virtualization technology becomes pervasive, there is a continuing demand to increase the performance of guest virtual machines. Many hardware virtualization techniques, such as nested paging and the IOMMU, have already been developed to accelerate the frequent operations of guest virtual machines in different areas. However, one area that has not yet been addressed is the handling of interrupts in a virtual machine environment.
This presentation describes the design of the AMD virtual interrupt controller (AVIC). The AVIC architecture addresses the overhead of interrupt processing in a virtualized environment by applying hardware acceleration to three major components of interrupt processing: 1) delivery of interrupts directly from I/O devices to a guest operating system; 2) interprocessor interrupts between the virtual CPUs in a guest; 3) Local APIC accesses by guest operating systems.
Presentation at Android Builders Summit 2012.
Based on experience of working with ODM companies and SoC vendors, this session discusses how to find the performance hotspots of particular Android devices and then improve them in various areas, including graphics and boot time. The session covers detailed components that seem independent of each other in the traditional view. However, the situation changes a lot from the Android system view, since everything is coupled together. Three frequently mentioned items in Android engineering are selected as the entry points: 2D/3D graphics, runtime, and boot time. Audience: Developers who work on Android system integration and platform enablement.
Information and Network Security 29: International Data Encryption Algorithm (Vaibhav Khanna)
International Data Encryption Algorithm (IDEA) is a once-proprietary, now free and open block cipher that was originally intended to replace the Data Encryption Standard (DES). IDEA has been, and remains, optionally available for use with Pretty Good Privacy (PGP). IDEA has been succeeded by the IDEA NXT algorithm.
Qt Application Programming with C++ is one of the best Qt QML training courses in Bangalore, India. This workshop is ideal for anyone who wants to get started with developing GUI applications using the Qt framework. Starting with the basics, this workshop covers developing multi-threaded, multimedia and 2D graphics based applications with multiple Do-It-Yourself (DIY) exercises.
XPDDS17: PL011 UART Emulation in Xen on ARM - Bhupinder Thakur, Qualcomm Data... (The Linux Foundation)
Linaro has published the VM System Specification for ARM processors, which provides a set of guidelines for both guest OS and hypervisor implementations, such that building OS images according to these guidelines guarantees that those images can also run on hypervisors compliant with this specification.
One of the spec requirements is that the hypervisor must provide an emulated PL011 UART as a serial console which meets the minimum requirements of the SBSA UART as defined in the ARM Server Base Architecture document. In this presentation, Bhupinder Thakur will cover the motivation behind the VM System spec requirements and the work done to add support for PL011 emulation in Xen.
Xen on ARM for embedded and IoT: from secure containers to dom0less systems (Stefano Stabellini)
Hypervisors are becoming increasingly widespread in embedded environments. Their use-case is different from server virtualization, and so are their requirements. The ability to run containerized applications is often a requirement. Xen on ARM is embracing the new challenges with innovative solutions.
This talk will discuss cutting-edge Xen on ARM features for embedded deployments, including dom0less, where multiple domains are started directly by Xen at boot. The presentation will explain the reasons why Xen is an excellent runtime environment for containerized apps and will introduce a new proposal for a Xen Project sub-project to create the ideal platform for secure containers in embedded.
HKG18-113 - Secure Data Path work with i.MX8M (Linaro)
Session ID: HKG18-113
Session Name: HKG18-113 - Secure Data Path work with i.MX8M
Speaker: Cyrille Fleury
Track: Digital Home
★ Session Summary ★
NXP presentation on Secure Data Path work with the i.MX8M SoC. Demonstrates 4K PlayReady playback with Android 8.1 running on i.MX8M. Focus on security (MS SL3000 and Widevine Level 1).
---------------------------------------------------
★ Resources ★
Event Page: http://connect.linaro.org/resource/hkg18/hkg18-113/
Presentation: http://connect.linaro.org.s3.amazonaws.com/hkg18/presentations/hkg18-113.pdf
Video: http://connect.linaro.org.s3.amazonaws.com/hkg18/videos/hkg18-113.mp4
---------------------------------------------------
★ Event Details ★
Linaro Connect Hong Kong 2018 (HKG18)
19-23 March 2018
Regal Airport Hotel Hong Kong
A tutorial for beginners who are curious to learn about the Linux boot process. If you have any more doubts, you can contact me through my email given in the slide, or through my blog: mastro77.blogspot.in
Blackhat USA 2016 - What's the DFIRence for ICS? (Chris Sistrunk)
Digital Forensics and Incident Response (DFIR) for IT systems has been around quite a while, but what about Industrial Control Systems (ICS)? This talk will explore the basics of DFIR for embedded devices used in critical infrastructure such as Programmable Logic Controllers (PLCs), Remote Terminal Units (RTUs), and controllers. If these are compromised or even have a misoperation, we will show what files, firmware, memory dumps, physical conditions, and other data can be analyzed in embedded systems to determine the root cause.
This talk will show examples of what and how to collect forensics data from two popular RTUs that are used in Electric Substations: the General Electric D20MX and the Schweitzer Engineering Labs SEL-3530 RTAC.
This talk will not cover Windows or *nix-based devices such as Human Machine Interfaces (HMIs) or gateways.
DATABASE PRIVATE SECURITY JURISPRUDENCE: A CASE STUDY USING ORACLE (ijdms)
Oracle is one of the largest vendors and the leading Object-Relational DBMS solution in the IT world. Oracle Database is one of the three market-leading database technologies, along with Microsoft SQL Server and IBM DB2. Hence in this paper we have tried to answer the million-dollar question: “What is the user’s responsibility in hardening the Oracle database for its security?” This paper gives practical guidelines for hardening the Oracle database so that an attacker is prevented from gaining access to it. The practical approach to protecting TNS, accessing a remote server and preventing such access, accessing files on a remote server, fetching environment variables, privileges and authorizations, access control, writing a security policy, database encryption, Oracle Data Mask, standard built-in auditing and Fine Grained Auditing (FGA) is illustrated with SQL syntax and executed with suitable real-life examples, and the output is tested and verified. This structured method acts as a “Data Invictus” wall against the attacker and protects the user’s database.
Vulnerability Inheritance in ICS (English) (Digital Bond)
Reid Wightman of Digital Bond Labs shows how software libraries integrated into ICS can bring vulnerabilities along with them.
In this case it is the CoDeSys library bringing vulnerabilities to more than 200 products, including PLCs from Hitachi and Sanyo-Denki. Reid goes into the vulnerabilities and shows the tools that can exploit them.
Equally important is the vendor misrepresenting the vulnerabilities as fixed when they were not, and the vendors, Hitachi and Sanyo-Denki to name two, that did not test the security of the libraries before including them in their products and selling them to customers.
For a college class: Hacking Mobile Devices at CCSF
Based on "The Mobile Application Hacker's Handbook 1st Edition", by Dominic Chell
Instructor: Sam Bowne
More info: https://samsclass.info/128/128_S19.shtml
In 40 slides I will introduce the main features of the powerful forensic framework Volatility. All memory dumps being discussed are snapshots from infected machines with modern malware and rootkits.
A database firewall is a useful tool that monitors databases to identify and protect against database-specific attacks, which mostly seek to access sensitive information stored in the databases. However, commercial database firewalls are expensive and need specific product knowledge, while the open-source database firewalls are designed for specific open-source database servers.
To fulfill the need for an inexpensive database firewall, Snort, an open-source IDS/IPS, can achieve the goal in some scenarios with familiar rule writing. The paper will explain the limitations of Snort as a database firewall, constraints in commercial database statements, and some example implementations.
This presentation contains the contents pertaining to the undergraduate course on Cryptography and Network Security (UITC203) at Sri Ramakrishna Institute of Technology. This covers a case study on the heartbleed bug, a major security issue faced by the internet community in 2014 due to implementation issues.
The Unintended Risks of Trusting Active Directory (Will Schroeder)
This presentation was given at Sp4rkCon 2018. It covers the combination of Active Directory and host-based security descriptor backdooring and the associated security implications.
Presentation by Jared Jageler, David Adler, Noelia Duchovny, and Evan Herrnstadt, analysts in CBO’s Microeconomic Studies and Health Analysis Divisions, at the Association of Environmental and Resource Economists Summer Conference.
Up the Ratios Bylaws - a Comprehensive Process of Our Organization (uptheratios)
Up the Ratios is a non-profit organization dedicated to bridging the gap in STEM education for underprivileged students by providing free, high-quality learning opportunities in robotics and other STEM fields. Our mission is to empower the next generation of innovators, thinkers, and problem-solvers by offering a range of educational programs that foster curiosity, creativity, and critical thinking.
At Up the Ratios, we believe that every student, regardless of their socio-economic background, should have access to the tools and knowledge needed to succeed in today's technology-driven world. To achieve this, we host a variety of free classes, workshops, summer camps, and live lectures tailored to students from underserved communities. Our programs are designed to be engaging and hands-on, allowing students to explore the exciting world of robotics and STEM through practical, real-world applications.
Our free classes cover fundamental concepts in robotics, coding, and engineering, providing students with a strong foundation in these critical areas. Through our interactive workshops, students can dive deeper into specific topics, working on projects that challenge them to apply what they've learned and think creatively. Our summer camps offer an immersive experience where students can collaborate on larger projects, develop their teamwork skills, and gain confidence in their abilities.
In addition to our local programs, Up the Ratios is committed to making a global impact. We take donations of new and gently used robotics parts, which we then distribute to students and educational institutions in other countries. These donations help ensure that young learners worldwide have the resources they need to explore and excel in STEM fields. By supporting education in this way, we aim to nurture a global community of future leaders and innovators.
Our live lectures feature guest speakers from various STEM disciplines, including engineers, scientists, and industry professionals who share their knowledge and experiences with our students. These lectures provide valuable insights into potential career paths and inspire students to pursue their passions in STEM.
Up the Ratios relies on the generosity of donors and volunteers to continue our work. Contributions of time, expertise, and financial support are crucial to sustaining our programs and expanding our reach. Whether you're an individual passionate about education, a professional in the STEM field, or a company looking to give back to the community, there are many ways to get involved and make a difference.
We are proud of the positive impact we've had on the lives of countless students, many of whom have gone on to pursue higher education and careers in STEM. By providing these young minds with the tools and opportunities they need to succeed, we are not only changing their futures but also contributing to the advancement of technology and innovation on a broader scale.
This session provides a comprehensive overview of the latest updates to the Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (commonly known as the Uniform Guidance) outlined in the 2 CFR 200.
With a focus on the 2024 revisions issued by the Office of Management and Budget (OMB), participants will gain insight into the key changes affecting federal grant recipients. The session will delve into critical regulatory updates, providing attendees with the knowledge and tools necessary to navigate and comply with the evolving landscape of federal grant management.
Learning Objectives:
- Understand the rationale behind the 2024 updates to the Uniform Guidance outlined in 2 CFR 200, and their implications for federal grant recipients.
- Identify the key changes and revisions introduced by the Office of Management and Budget (OMB) in the 2024 edition of 2 CFR 200.
- Gain proficiency in applying the updated regulations to ensure compliance with federal grant requirements and avoid potential audit findings.
- Develop strategies for effectively implementing the new guidelines within the grant management processes of their respective organizations, fostering efficiency and accountability in federal grant administration.
Russian anarchist and anti-war movement in the third year of full-scale war (Antti Rautiainen)
Anarchist group ANA Regensburg hosted my online presentation on the 16th of May 2024, in which I discussed tactics of anti-war activism in Russia, and the reasons why the anti-war movement has not yet been able to make an impact on the course of events. Cases of anarchists repressed for anti-war activities are presented, as well as strategies of support for political prisoners, and modest successes in supporting their struggles.
Thumbnail picture is by MediaZona, you may read their report on anti-war arson attacks in Russia here: https://en.zona.media/article/2022/10/13/burn-map
Links:
Autonomous Action
http://Avtonom.org
Anarchist Black Cross Moscow
http://Avtonom.org/abc
Solidarity Zone
https://t.me/solidarity_zone
Memorial
https://memopzk.org/, https://t.me/pzk_memorial
OVD-Info
https://en.ovdinfo.org/antiwar-ovd-info-guide
RosUznik
https://rosuznik.org/
Uznik Online
http://uznikonline.tilda.ws/
Russian Reader
https://therussianreader.com/
ABC Irkutsk
https://abc38.noblogs.org/
Send mail to prisoners from abroad:
http://Prisonmail.online
YouTube: https://youtu.be/c5nSOdU48O8
Spotify: https://podcasters.spotify.com/pod/show/libertarianlifecoach/episodes/Russian-anarchist-and-anti-war-movement-in-the-third-year-of-full-scale-war-e2k8ai4
Jennifer Schaus and Associates hosts a complimentary webinar series on The FAR in 2024. Join the webinars on Wednesdays and Fridays at noon, eastern.
Recordings are on YouTube and the company website.
https://www.youtube.com/@jenniferschaus/videos
Understanding the Challenges of Street Children (SERUDS INDIA)
By raising awareness, providing support, advocating for change, and offering assistance to children in need, individuals can play a crucial role in improving the lives of street children and helping them realize their full potential.
Donate Us
https://serudsindia.org/how-individuals-can-support-street-children-in-india/
Many ways to support street children.pptx (SERUDS INDIA)
By raising awareness, providing support, advocating for change, and offering assistance to children in need, individuals can play a crucial role in improving the lives of street children and helping them realize their full potential.
Donate Us
https://serudsindia.org/how-individuals-can-support-street-children-in-india/
2. Topic: TDL3 Rootkit variant
• SANS NewsBites - Volume: XII, Issue: 70 (August 26, 27 & 30, 2010)
• TDL3 Rootkit, version 3.273
• Combination of MBR rootkit, Rustock.C and old Tdss variants.
• Stealthiest in the world.
3. Rootkits
• Wikipedia – “A rootkit is software that enables continued privileged access to a computer, while actively hiding its presence from administrators by subverting standard operating system functionality or other applications”
• High risk, 1-in-5 Windows machines.
• “Root” and “kit”
4. Rootkits
• Netsecurity.about.com – “A rootkit allows someone, either legitimate or malicious, to maintain command and control over a computer system, without the computer system user knowing about it”
• Typically 32-bit problems
5. Rootkits
• Rootkits are not really viruses
• Machine independent
• Remote access
• Anti-virus level access
6. Prevention
• Digital Signature check for rogue drivers
• “PatchGuard” prevents some changes to Windows kernel.
• Vista and Win7 do not allow Admin
7. TDL3 Rootkit
• Also known as Alureon rootkit
• More sophisticated
• Version 3.273
• Targets 64-bit machines that were previously considered safer
• Spread through websites and exploit kits
8. TDL3 Rootkit
• Gains control during the boot sequence
• Alters Master Boot Record. This gets around the first two preventions.
• Enacts a restart, which loads the altered MBR and catches process signals.
• Encrypted with ROR loop (rotate right).
9. TDL3 Rootkit Details
• Kernel code appears as raw bytes, passes security.
• TDL3 encodes and decodes files on the fly, so it can pass as being a piece of the kernel code.
• At startup, hunts for driver object.
• Overwrites 824 bytes, avoiding file size check
• Fake driver object, captures disk I/O, hunts for kernel32.dll
• Infection
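Slides 8 and 9 describe two integrity-defeating moves: the MBR is altered in place, and 824 bytes of a driver are overwritten so that a file-size check still passes. The following Python script is an added example, not part of the slides or of any TDL3 analysis tool. It builds a constructed 512-byte boot sector and a constructed 4096-byte stand-in for a driver image (neither is real disk or driver data), applies an in-place patch to each, and shows that a size-only comparison against a known-good baseline reports both as unchanged while a SHA-256 comparison plus a byte-level diff flags exactly where and how much was modified. Names such as `compare_images` and `patch_in_place` are this example's own.

```python
"""Baseline integrity check for a boot sector and a driver image.

Added example, not taken from the slides: all data below is constructed.
The "MBR" is a synthetic 512-byte sector with a valid 0x55AA boot signature
and the "driver" is a zero-filled 4096-byte stand-in; neither is a real image.
"""
import hashlib
from pprint import pprint

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"      # last two bytes of a valid MBR


def build_sample_sector(code: bytes) -> bytes:
    """Constructed MBR-shaped sector: 446 bytes of boot-code area, a 64-byte
    (empty) partition table, and the boot signature."""
    body = code.ljust(446, b"\x00")
    partition_table = b"\x00" * 64
    return body + partition_table + BOOT_SIGNATURE


def sector_looks_valid(sector: bytes) -> bool:
    """A structurally valid sector still carries 0x55AA at the end; tampering
    that keeps this intact is why signature presence alone proves nothing."""
    return len(sector) == SECTOR_SIZE and sector[-2:] == BOOT_SIGNATURE


def patch_in_place(image: bytes, offset: int, payload: bytes) -> bytes:
    """Simulate an overwrite that replaces bytes without changing the length."""
    if offset + len(payload) > len(image):
        raise ValueError("patch would extend the image")
    return image[:offset] + payload + image[offset + len(payload):]


def size_only_check(baseline: bytes, current: bytes) -> bool:
    """The weak check from slide 9: equal length is taken as 'unchanged'."""
    return len(baseline) == len(current)


def hash_check(baseline: bytes, current: bytes) -> bool:
    """Content check: any changed byte changes the SHA-256 digest."""
    return hashlib.sha256(baseline).digest() == hashlib.sha256(current).digest()


def changed_regions(baseline: bytes, current: bytes) -> list:
    """Return (offset, length) runs where the images differ, so an analyst can
    see where and how much was patched. A length mismatch is reported as one
    region spanning the longer image."""
    if len(baseline) != len(current):
        return [(0, max(len(baseline), len(current)))]
    regions, start = [], None
    for i, (a, b) in enumerate(zip(baseline, current)):
        if a != b and start is None:
            start = i
        elif a == b and start is not None:
            regions.append((start, i - start))
            start = None
    if start is not None:
        regions.append((start, len(baseline) - start))
    return regions


def compare_images(baseline: bytes, current: bytes) -> dict:
    """Run the weak and strong checks side by side and summarise the diff."""
    regions = changed_regions(baseline, current)
    return {
        "size_check_passes": size_only_check(baseline, current),
        "hash_check_passes": hash_check(baseline, current),
        "boot_signature_intact": (sector_looks_valid(current)
                                  if len(current) == SECTOR_SIZE else None),
        "changed_regions": regions,
        "total_changed_bytes": sum(length for _, length in regions),
    }


def demo() -> dict:
    """Constructed scenario: a boot sector with its first 32 code bytes replaced,
    and a driver image with 824 bytes overwritten at offset 0x200 (the size the
    slides mention); both keep their original length."""
    clean_mbr = build_sample_sector(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")  # constructed stub bytes
    tampered_mbr = patch_in_place(clean_mbr, 0, b"\x90" * 32)
    clean_driver = b"MZ".ljust(4096, b"\x00")                             # constructed stand-in
    tampered_driver = patch_in_place(clean_driver, 0x200, b"\xcc" * 824)
    return {
        "mbr": compare_images(clean_mbr, tampered_mbr),
        "driver": compare_images(clean_driver, tampered_driver),
    }


if __name__ == "__main__":
    pprint(demo())
```

The point the slides make is visible in the output: both tampered images report `size_check_passes: True`, the boot sector still carries a valid signature, and only the digest comparison and the byte diff reveal the modification. In practice the baseline digests are recorded on a known-clean system and the comparison is run from outside the suspect OS (for example from rescue media), because slide 9 notes that the fake driver object captures disk I/O, so a check made from inside the infected system may be shown the original bytes.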
10.
11. TDL3 Rootkit
• Has a watchdog thread to prevent any change to the service registry key
• No one can get a handle to infected driver file (red flag)
• In Feb. it caused BSOD with MS10-015 update
• RVA (Relative Virtual Address) offsets of Windows kernel APIs modified and used to find functions. On the update, the values were changed. After restart, the rootkit called an invalid address
12. TDL3 fights back
• While this caused a BSOD, it did bring notice to a potential problem
• TDL3 authors updated it within hours so that it worked with the update.
• Process was called tdlcmd.dll or z00clicker.dll
13. TDL3 Rootkit
• First significant 64-bit rootkit
• Malware begets more malware
• Anti-virus lag
• Security chess match