Joanna Rutkowska: Rootkits and Encryption Attacks to be Demonstrated on Vista

Joanna Rutkowska, a security researcher known for picking apart the security mechanisms built into Windows, is to demonstrate new ways for hackers to invade Windows Vista, including rootkit techniques and ways to defeat BitLocker drive encryption.

Rutkowska recently announced she will be running a training session called “Understanding Stealth Malware” during the Black Hat Briefings and Training event in Las Vegas, which runs from July 28 to Aug. 2.

The training session, which will be co-presented by researcher Alex Tereshkin, promises to demonstrate new rootkits developed for Vista, ways of defeating hardware-based forensics systems and other techniques Microsoft would probably prefer the world didn’t know.

Rutkowska said she, too, is aware of the need for discretion. “For ethical reasons we want to limit the availability of this course to only ‘legitimate’ companies,” she said in a post on her blog, Invisible Things.

Rutkowska isn’t against Windows as such, but has a track record of ferreting out its weaknesses. She recently uncovered a number of flaws in Vista’s much-hyped User Account Control (UAC) feature, which led Microsoft to declare that the feature wasn’t really intended for security after all.

Until recently she was a researcher for Coseinc, but is now in the process of founding a security startup based in Poland, she said.

Earlier this spring she demonstrated several methods that sophisticated rootkits can use to hide from even the most reliable detection method currently available—hardware-based products that read a system’s RAM.

The demonstration in July will cover such methods, but will be more comprehensive, including unpublished techniques, implementation details, new code and sample rootkits.

The target will be Windows and specifically 64-bit Vista, including new kernel attacks against the latest 64-bit Vista builds.

“These attacks, of course, work on the fly and do not require system reboot and are not afraid of the TPM/BitLocker protection,” she wrote.

TPM (Trusted Platform Module) refers to security systems with a hardware component built into the processor, designed to improve security and specifically to make copy-protection systems more difficult to circumvent. Rutkowska said the demonstrated techniques would work against copy-protection systems, but that this side of things wouldn’t be specifically discussed at the demonstration.

The training is aimed at security and OS developers, forensic investigators and penetration testers, Rutkowska said.

-Matthew Broersma, Techworld.com