I'm closing out CanSecWest 2008?

  • Article

Well not quite - but I am the second to last speaker on the last day (Friday) - https://cansecwest.com/agenda.html
Ugh - people usually skip out early on the last day to make flights and stuff - so I guess not many people will be staying for my live demos. :)
Live demos?  That's right - I'll be demonstrating not one but two different malicious XLS files that were used in targeted attacks and which exploited an un-initialized stack variable vulnerability corrected in yesterday's Excel update

Since these XLS files were used in very targeted attacks against specific customers I've gone in and cleaned up the malware a bit so as not to disclose any personal information (in these attacks there is an 'outter' XLS file used to trigger the vuln which drop the payloads, and then there's an 'inner' XLS file which is not malformed that is opened after everything is done so that the user thinks everything worked okay - it's these inner well formed XLS files that I had to clean-up which was mildly challenging because they were XORd along with some other 'stuff' somewhere in the file. :)).  And of course the XLS files will be opened in VPCs with no network access. ;)

In my presentation this year I'm going to get pretty deep (with respect to the vulnerability and how it worked) - I'll be walking the audience through some code that my team wrote which mimics the vulnerability in Excel (the un-initialized stack var) and shows how it was used to control EIP (eventually) on XP.  After we understand the vuln - I'll show you what the e-mails that were sent looked like (again sans PII) and then we'll open the scrubbed attachments while running Process Monitor to see what the malware did to the system and to show you what the experience of being owned by a malicious XLS file looks like and to talk about the rights needed to perform the various actions taken by the malware. 

I'll close out by making some recommendations on what you can do to help reduce your risk in situations like this . . . should be a good time - hope more than a few people show up. :)