Marion Marschalek - The Big Evil in Small Pieces - A Malware Reverser's Fairytale


Malware is like a puzzle for big boys – or girls. There’s a big mess of (binary) information and one has to determine all the pieces lying around, make the right connections and form a big picture so that others can easily understand the malware. That ‘one’ is called Reverse Engineer and the whole puzzle building process is usually a serious nuisance, nowadays.

This talk is about reverse engineering one specifically troubling piece of malware. I will give an insight on how to tackle a multi-threaded file-infecting spy-bot and specifically focus on the anti-analysis measures found. The sample uses exceptions to obfuscate the execution path, hinders debugging, obfuscates API calls using a jump table and includes loads of ugly junk code. My talk intends to shed some light on the merely shallow documentation of the binary layout of Windows Structured Exception Handling (SEH), point out complications in analyzing object oriented C++ binaries and give an insight on how to tackle multi-threaded executables.

Bio: Marion Marschalek

Marion Marschalek (@pinkflawd) is currently employed at IKARUS Security Software GmbH based in Vienna, Austria. She is working as Malware Analyst and in Incident Response for two years now. Besides that Marion teaches basics of malware analysis at University of Applied Sciences St. Pölten and writes articles for the German c’t magazine. In March this year Marion won the Female Reverse Engineering Challenge 2013, organized by RE professional Halvar Flake.

Fyodor Yarochkin and Vladimir Kropotov - Pearls of Cybercrime: malicious campaigns of year 2013


In this presentation we'll walk through a set of interesting campaigns that we've observed this year, discuss evolution of techniques used for malicious activities this year and demonstrate a number of tools that we have developed to automate analysis, detection and investigation of malicious activities.

Bio: Fyodor Yarochkin

Fyodor Yarochkin (xecure-lab, is a Security Researcher at Academia Sinica/Taiwan. He is a happy programmer and AI hobbyist in his free time. He is also a major contributor to Open Source security tools (snort, xprobe, etc). Fyodor has extensive experience in forensic analysis of malicious software, computer crime incidents, and intrusion detection. With his recent interest in large-scale computing he has access to terabytes of interesting data at hand F

Bio: Vladimir Kropotov

Vladimir Kropotov is an independent security researcher and Security Operations Center lead at one of the biggest Russian companies. His main interests lie in network traffic analysis, incident response, botnet investigations, and cybercrime. He is a frequent speaker at a number of conferences including HITB, CARO, PhDays and ZeroNights.

Andrea Barisani and Daniele Bianco - Fully arbitrary 802.3 packet injection: maximizing the Ethernet attack surface.


It is generally assumed that sending and sniffing arbitrary Fast Ethernet packets can be performed with standard Network Interface Cards (NIC) and generally available packet injection software. However, full control of frame values such as the Frame Check Sequence (FCS) or Start-of-Frame delimiter (SFD) has historically required the use of dedicated and costly hardware. Our presentation will dissect Fast Ethernet layer 1 & 2 presenting novel attack techniques supported by an affordable hardware setup with customized firmware which will be publicly released.

This research expands the ability to test and analyse the full attack surface of networked embedded systems, with particular attention on automation, automotive and avionics industries. Application of attacks against NICs with hard and soft Media Access Control (MAC) on industrial embedded systems will be explored.

We will illustrate how specific frame manipulations can trigger SFD parsing anomalies and Ethernet Packet-In-Packet injection. These results are analyzed in relation to their security relevance and scenarios of application. Finally, conditions for a successful remote Ethernet Packet-In-Packet injection will be discussed and demonstrated for what is believed to be the first time in public.

Bio: Andrea Barisani

Andrea Barisani is an internationally known security researcher. Since owning his first Commodore-64 he has never stopped studying new technologies, developing unconventional attack vectors and exploring what makes things tick...and break.

His experiences focus on large-scale infrastructure administration and defense, forensic analysis, penetration testing and software development, with more than 13 years of professional experience in security consulting.

Being an active member of the international Open Source and security community he contributed to several projects, books and open standards. He is now the founder and coordinator of the oCERT effort, the Open Source Computer Security Incident Response Team.

He has been a speaker and trainer at BlackHat, CanSecWest, DEFCON, Hack In The Box, PacSec conferences among many others, speaking about TEMPEST attacks, SatNav hacking, 0-days, OS hardening and many other topics.

Bio: Daniele Bianco

Daniele Bianco began his professional career as a system administrator in scientific organizations. His interest in centralized management and software integration in Open Source environments has focused his work on design and development of suitable R&D infrastructures.

One of his passions has always been exploring hardware and electronic devices. Currently he is Inverse Path's resident Hardware Hacker. His primary activities focus on hardware customization, embedded system integration and the design of remote monitoring networks for M2M infrastructures.

He is an active contributor to the Open Source community and an invited speaker at many international IT security events.

Dominique Bongard - Deanonymizing members of French political forums by breaking gravatar hashes


Gravatar is a service that federates a user's avatar (his profile picture) across websites and forums. To display a user's gravatar, a site only has to display an "img" tag with the source pointing to<id>, <id> being the MD5 hash of the user's registered email address.

In 2008 already, researchers have shown that it was possible to guess the email addresses of more than 10% of the members of by using variations of their username and comparing the resulting MD5 hash with the gravatar URL. Although technically interesting, the attack was quickly dismissed at the time because recovering email addresses was not perceived as a security risk.

The situation is different on political forums were people tend to prefer anonymity because their comments could have serious consequences in real life. People could lose their jobs, be intimidated by political opponents, or prosecuted for their ideas, especially in countries where free speech laws are not as strong as in the United States.

In this talk, we present a work in progress in which we have harvested the gravatar hashes of more than 2400 users from the major French speaking political forums. With a simple brute force rule and a few days of cracking on an HD7970, we have recovered more than 20% of the members' email addresses. In several cases, we were able to find the real identity of the user by cross-checking the recovered addresses with websites like ebay.

Bio: Dominique Bongard

Dominique Bongard is the founder of 0xcite, a Swiss company focusing on security for mobile and embedded devices. His previous position during 8 years consisted of leading the Threat Intelligence team for Kudelski Nagravision. Dominique is an experienced reverse-engineer and he regularly competes in Capture The Flag events.

Adrian Furtuna - Practical exploitation of rounding vulnerabilities in internet banking applications


This talk discusses rounding vulnerabilities which are often present in internet banking applications. Several techniques for exploiting these vulnerabilities are presented, including a machine that abuses the digipass/security token in order to allow an attacker to perform a high number of transactions automatically, in a short period of time.

Bio: Adrian Furtuna

Adrian Furtuna is a Security Consultant at KPMG Romania, where he leads the penetration testing team in verifying the security of web applications, mobile applications and network infrastructures.

He has a PhD in Computer Science obtained at the Military Technical Academy of Bucharest, Romania. During his PhD program he has extensively studied various attack techniques utilized in Red Teaming engagements and he has designed a set of scenarios for cyber defense exercises.

Adrian is also the founder of, a place where penetration testers can find a collection of ethical hacking tools that can be used online in their engagements.

David Guillen Fandos - Spin: Static instrumentation for binary reverse-engineering


This paper discusses binary instrumentation as a method to reverse-engineer binaries. In the past binary instrumentation has been used for executable analysis in the areas of computer architecture, executable performance and malware analysis among others but our research pursues to use this technique to improve existing reverse engineering tools and proceedings. We work with Intel's pintool and present a new tool called spin, which performs on-the-fly static binary instrumentation. The aim of the tool is to hook functions within the executable to better understand how it works and to perform data sniffing. We also document some successful use cases consisting in binary patching and data sniffing, in fact the original purpose of the tool was to automatically find functions to patch them or sniff data from they parameters.

Bio: David Guillen Fandos

David graduated in Computer Science (20129 and Telecommunications Engineering (2013) from Polytechnic University of Catalonia in Barcelona. He loves computer architecture, operating systems, compilers and hacking of course. Reverse engineering and obfuscation are his main research areas. He has also worked in video-games since he was 14 and developed video-games for consoles such as PSP and GamCube/Wii. He has passion for electronics and hardware hacking, specially firmware and driver developing. At the moment he hasn't published any research done in those fields. He is currently working at Intel in the area of processor architecture design.

Shift - Interactive Deobfuscation


Interactive deobfuscation is an idea which originally rose from the view that automatic deobfuscation can't cover all know obfuscation techniques and doesn't always give reliable outcomes of deobfuscated code, in most cases you'd have one specific framework or set of scripts which would try to solve X problems with Y constraints (e.g the program must be a full blown PE or ELF), usually after sometime they would fail to do so as different obfuscations or new techniques have rose and they would fail.

Interactive deobfuscation comes into the playground by claiming that deobfuscation shouldn't be done 100% automatically but with user interaction. A user can pick how deobfuscation would occur (static/dynamic/full blown executable or code fragments) and what sort of operations should be done and where, by using a modular set of scripts/fw it is possible to remove different layer of the obfuscated code and thus eventually get a clean representation of the code before it was obfuscated. The fw isn't perfect and has it's own flaws, but imo it shouldn't be perfect but provide a pluggable environment and easy way to remove different types of obfuscations, it should evolve and lighly drift with the advacement of protections in the field.

During the talk I will give an example of how I solved the wb aes challenge given in NoSuchCon 2013 and how it was possible to extract the AES key from the code w/ interactive deobfuscation.

Bio: Shift

J. Butterworth, C. Kallenberg, X. Kovah - BIOS Chronomancy: Fixing the Core Root of Trust for Measurement


In 2011 the National Institute of Standard and Technology (NIST) released a draft of special publication 800-155. This document provides a more detailed description than the Trusted Platform Module (TPM) PC client specification for content that should be measured in the BIOS to provide an adequate Static Root of Trust for Measurement (SRTM). In this talk we look at the implementation of the SRTM from a Dell Latitude E6400 laptop. We discuss how the BIOS and thus SRTM can be manipulated either due to a configuration that does not enable signed BIOS updates, or via an exploit we discovered that allows for BIOS reflash even in the presence of a signed update requirement.

We also show how a 51 byte patch to the SRTM can cause it to provide a forged measurement to the TPM indicating that the BIOS is pristine. If a TPM Quote is used to query the boot state of the system, this TPM-signed falsification will then serve as the root of misplaced trust. We also show how reflashing the BIOS may not necessarily remove this trust-subverting malware.

To fix the un-trustworthy SRTM we apply the technique of "timing-based attestation" to create a custom SRTM that can detect malicious modifications of itself. We call our timing-based attestation system "BIOS Chronomancy" because the extra trust is divined from timing, and we show that it could be incorporated into vendor BIOSes as a stronger root of trust for measurement.

Bio:J. Butterworth

John Butterworth is a security researcher at The MITRE Corporation who specializes in low level system security. He is applying his electrical engineering background and firmware engineering background to investigate UEFI/BIOS security. John is developing a 2 day BIOS security class for

Bio:C. Kallenberg

Corey Kallenberg is a security researcher currently employed by The MITRE Corporation. Corey specializes in low level system development, vulnerability discovery and exploitation, and rootkit analysis. Corey’s current focus is on BIOS/UEFI security. Corey has previously presented his research at DEFCON, Blackhat USA, IEEE S&P and NoSuchCon. Corey has contributed 5 days of classes to covering Linux & Windows memory corruption exploits, and Windows exploit mitigation bypass techniques.

Bio:X. Kovah

Xeno is a Lead InfoSec Engineer at The MITRE Corporation, a not-for-profit company that runs 6 federally funded research and development centers (FFRDCs) as well as manages CVE. He is the team lead for the BIOS Analysis for Detection of Advanced System Subversion project. On the predecessor project, Checkmate, he investigated kernel/userspace memory integrity verification & timing-based attestation. Both projects have a special emphasis on how to make it so that the measurement agent can't just be made to lie by an attacker. Xeno has also contributed 8 days of classes on deep system security to, with an additional 2 day class on Intel TXT to be added in early 2014.

Fran Cisco - Wiretapping an entire Cisco VOIP environment - Exploiting the Call Manager


Cisco VOIP environment are widely deployed. In this presentation we will demonstrate how it is possible to take the control of an entire Cisco VOIP system by targeting the Call Manager (CUCM, Cisco Unified Communications Manager).

We will discuss the advantages of controlling a Call Manager. It is a central and core component of a VOIP network architecture. Taking the control of it allows to perform several attacks. All the SCCP traffic is sent to this component which means that, once controlled, it is then possible to modify these packets in order to wiretape the entire VOIP network.

We will present the methodology used to perform that audit, and will demonstrate in details how six different vulnerabilities (including five 0day) can be ombined together and exploited to take the full control of a Call Manager.

Bio: Fran Cisco

Francisco is a security consultant at Lexfo. He has been working on exploit development, code analysis, and more recently on VOIP systems.

David Szili, Mihaly Zagon - Time to evolve? Applying red and blue team CTF tactics in IT security


Operation Aurora (2009), Stuxnet (2010), security breach at RSA (2011), breaches at LinkedIn, Yahoo!, Twitter, Apple and Dropbox (2012), major U.S. weapons designs compromised (2013); only a few of the biggest security breaches known by the public.

The current situation resembles very much to attack-defense type capture the flag (CTF) games where red and blue teams face each other. The aim of the defenders is to protect their systems and detect attacker activity, while the attackers try to gain and maintain access in the fastest and most efficient way.

But there is a huge difference: this is not a game and the private sector is heavily affected. The threat is permanent and attacks are becoming more and more sophisticated while traditional ways of defending networks seem to be failing. Our presentation is built around the analogy of CTF games and the way we and a few other security professionals started to think about the future of IT security.

After a few thoughts on the new directions of red team and penetration testing services and tools, we will present what could be enhanced in terms of methodology and team collaboration in order to provide more valuable services for clients. We will show a demo network, and compromise it with the aid of the team collaboration tool developed by us, called Warlord Framework, which might become very handy during red team engagements or CTF games.

In the second half of our presentation, we will switch sides and play the same attack scenario, but this time with new monitoring and active defensive solutions in place and see what blue team members can do to stop an ongoing attack. We will concentrate on detection, go through some of the alerts generated during the demo scenario and consider possible improvements. We will also set various traps and honeypot variants to show how to spot malicious activity and keep away the attackers from a network.

The takeaway of our presentation for penetration testers in our audience is to make them rethink their methodologies and try to enforce more realistic scope for their projects. After our presentation, those security professionals who are constantly fighting with the “dark side” probably would be more willing to accept these wider scopes and they will be able to use some of the few simple defensive tips and tricks shown to strengthen their network defenses.

Bio: David Szili

David was around 10 years old when he got his first computer, a 486DX2. One of the first games he played was Sim City and he pretty much sucked at it. For some reason it was easier for him to open up the binaries of his saved games with a hex editor and overwrite the amount of money he had. Since then, David keeps on undermining other people's hard work and he tries to make a living out of it as a penetration tester, currently working at Dimension Data Luxembourg. As he matured a little over time, he discovered that making stuff is also very cool, so now he likes to spend his free time on hobby electronics projects or developing IT security tools.

Bio: Mihaly Zagon

Mihaly grew up on playing Civilization I, Railroad Tycoon and sometimes Formula One Grand Prix on his father’s computer. He always enjoyed building awesome railroad lines and managing the company. However, he sometimes spent way more money than he could afford and this is how he found his first integer overflow, which resulted in unlimited cash. Later, he spent hours and hours with the black screen of Softice. Although a couple of things have changed and nowadays he prefers Civilization V, the "black screens" have remained. In his professional life, after several years of penetration testing he is now building automated security solutions at Prezi.

Cédric Halbronn, Nicolas Hureau - Debugging and Reversing the HTC Android Bootloader


Whether you consider desktops, smartphones or the embedded world, most complex systems rely on a piece of software called the bootloader to launch their system. There have been extensive research and attacks on iPhone bootloaders, but the Android world is quite large with multiple hardware manufacturers, and therefore has not been fully explored yet. In this paper we present tools developed to assist us in assessing the security of an unknown low-level software, as well as the the beginning of our reversing efforts targeting HTC ANdroid bootloader, HBOOT.

Bio: Cédric Halbronn

Cedric Halbronn is a security researcher working at Sogeti ESEC R&D lab. He has a background in telecom engineering and security. He has been working for 3 years on smartphone security (Window Mobile, iPhone and Android). He has presented his work to various conferences such as 2009, HITB 2010 or SSTIC 2010. Nowadays, his researches are mainly focused on vulnerability discovery and exploitation.

Bio: Nicolas Hureau

Nicolas Hureau is a recently graduated security researcher currently working at Sogeti ESEC R&D. His interests mainly lies in reverse engineering and mobile security. He also likes to play CTF games when he has time.

Thijs Houtenbos, Dennis Pellikaan - Automated vulnerability scanning and exploitation


Automated vulnerability scanning is often used in professional development environments to find critical security issues. But what if those techniques are applied to scripts with their sourcecode available on the internet? Many scripts are shared on sites like Sourceforge and GitHub, but security might not have been a priority during their development. Using a completely automated approach, a large number of these scripts were downloaded, analysed for vulnerabilities, tested, and finally websites using these scripts were searched for. Combining the information gathered during all these steps in this approach, a list can be generated of web servers running vulnerable code and the parameters needed to exploit these.

Because each of these steps is completely automated, it is possible to continuously download new or updated scripts, and find vulnerable systems that are open to the internet.

During this project, more than 23,000 scripts were downloaded of which more than 2,500 were identified as containing possible vulnerable code. Using the Google search engine, it was possible to find almost 8,000 installations of these vulnerable scripts.

Bio:Thijs Houtenbos

Bio: Dennis Pellikaan

Inbar Raz - Physical (in)security - It's not -all- about Cyber


Today's threat landscape is all about Cyber. We have cyber threats, cyber security, cyber warfare, cyber intelligence, cyber espionage... Cyber is almost unanymously identified with the Internet, but sometimes, it's not -all- about the internet. The focus on Internet access and the efforts to concentrate the defenses in that front, lead to some wrong assumptions and the overlooking of some simpler, yet just-as-dangerous attack vectors.

Bio: Inbar Raz

Inbar has been teaching and lecturing about Internet Security and Reverse Engineering for nearly as long as he has been doing that himself. He started programming at the age of 9 on his Dragon 64. At 13 he got a PC, and promptly started Reverse Engineering at the age of 14 and through high-school he was a key figure in the Israeli BBS scene. He spent most of his career in the Internet Security field, and the only reason he's not in jail right now is because he chose the right side of the law at an earlier age. Among his other hobbies is hardware hacking and modding and he's on the organizing committee of - the Israeli version of a Maker Fair, not limited to all things electronic.

Since late 2011, Inbar has been running the Malware and Security Research at Check Point, using his extensive experience of over 20 years in the Internet and Information security fields.

J. Boutet, T. Leclerc - Grand Theft Android: Phishing with permission


In the past few years, smartphones became prevalent in our daily life and especially regarding our business tasks. To elevate security to an appropriate level for enterprise deployment and usage, mobile device management solutions permit to remotely manage, control and secure mobile devices.

This paper presents two contributions based on the Android mobile OS that outline the risk of attacks on mobile device management solutions. The first contribution is a “lambda” application that actually has the ability to spoof legitimate login interfaces from other installed applications. We show that our malicious phishing application permits to stealthily obtain the user credentials disregarding from the legitimate applications’ security measures.

Furthermore, our second contribution presents how we can trick the user into installing such an application without triggering his attention.

We demonstrate that malicious application permission rights can be split among several seemingly harmless applications. Thus, several applications can be combined in such a way that they serve a common goal without any notification or warning.

Combining our two contributions, results in an Android application phishing attack that consists of spoofing a login screen from legitimate applications to which, our distributed malicious application, provides a convenient attack vector.

Bio: J. Boutet

Since November 2008, Joany Boutet is Security Consultant working for Security, Audit and Governance Services, a Telindus Luxembourg Security department. His main focus is on penetration testing and technical vulnerability assessments. He is responsible for network, application and wireless penetration testing, product security evaluations, and risk assessments of critical infrastructure for Telindus' customers. Concerning certifications and qualifications, Joany obtained technical certifications such as • OPST (OSSTMM Professional Security Tester), • GPEN (GIAC Certified Penetration Tester), for which he graded the Gold level with a paper on Android Spyware development using Application Reverse Engineering. • GXPN (GIAC Certified GIAC Exploit Researcher and Advanced Penetration Tester). Joany frequently attends SANS Training and security conferences.

Bio: T. Leclerc

Since August 2011, Tom Leclerc is Security Consultant working for Security, Audit and Governance Services, a Telindus Luxembourg Security department. Tom has a Ph.D. in computer science, which resulted in a list of publications that can be found at He is specialist in distributed systems and networks (routing and dynamic organization of networks, data coherence, data replication …), but acquired since his venue at Telindus, a strong security background. He is involved in several ESA projects. He is one of the main contributors of the ESOC GSGC project; he analysed and developed the prototype for a generic, mission independent, authentication and encryption of Telemetry and Telecommand data exchanged on the space link. The prototype was successfully tested in a POC using the real world systems in the TM/TC processing chain. He is currently working on the GASF (Generic Application Security Framework) for ESA that defines a secure software development lifecycle around the E40C and other related ECCS standards. The framework includes both, the SSDLC as the global governance of a development project but also the necessary tool(s) to assist the developers and the project team in the “hands on” usage of this SSDLC.

Francisco Falcon, Nahuel RIva - Do you know who's watching you?: An in-depth examination of IP cameras attack surface


Nowadays, people buy SoHo IP cameras and install them at home, at the office and at shops to feel safer.

Our research, covering six brands and 28 different models of SoHo IP surveillance cameras in which we have discovered almost 20 vulnerabilities will show that, far from increasing security, this kind of devices may become an enemy of their owners.

In our talk we are going to present the lessons learned during our research activities detailing ways to identify IP cameras on local and public networks, how to gain remote full access to the web interface by exploiting different types of vulnerabilities identified during the research (including manufacturer's backdoor accounts, command injection, authentication bypass, etc.), how to backdoor a firmware to conduct further attacks through compromised cameras, and even how to hijack the live video stream the camera is broadcasting.

Also, during the presentation we will show some demos.

Bio: Francisco Falcon

Francisco Falcon is a Senior exploit writer at Core Security. He started in the reverse engineering field in 2004. He has published security advisories detailing vulnerabilities in software products from IBM, Oracle, Novell, Google and SAP. He is interested in reverse engineering, programming, exploitation and vulnerability research. Also, he has presented at REcon 2012.

Bio: Nahuel Riva

Nahuel C. Riva, aka +NCR/CRC! [ReVeRsEr], has been participating in the information security community since 2003. He was first interested in software protection mechanisms, specially packers. In 2007, he joined the Exploit Writers Team at Core. Also, he has discovered vulnerabilities in high-level enterprise software from Symantec, HP, Adobe and he authored tools like SDT Cleaner, FUU, addp and VSD. He was an instructor at the "Defeating Software Protections" training at Ekoparty in 2010 and 2011. He likes to share what he knows with the community and that is why he has written dozens of publicly available tutorials covering software protection mechanisms and how to defeat them. Also, he has presented at RECon 2012.

Mathias Morbitzer - TCP Idle Scans in IPv6


The most stealthy port scan technique in IPv4 is the TCP Idle Scan, which hides the identity of the attacker. With this technique, the attacker spoofs messages of a third computer, the so-called idle host, and utilizes the identification value in the IPv4 header to see the results of the scan.

With the slowly approaching upgrade of IPv4 with IPv6, one will not be able anymore to conduct the TCP Idle Scan as previously, as the identification value is not statically included in the IPv6 header. This article shows that the TCP Idle Scan is also possible in IPv6, albeit in a different way, namely by using the identification value in the IPv6 extension header for fragmentation.

It is described how the idle host can be forced to use the IPv6 extension header for fragmentation, which contains an identification value, by using ICMPv6 Echo Request messages with large amounts of data as well as ICMPv6 Packet Too Big messages specifying a Maximum Transmission Unit (MTU) smaller than the IPv6 minimum MTU. The attack in IPv6 is trickier than in IPv4, but has the advantage that we only require the idle host not to create fragmented traffic, whereas in IPv4 the idle host is not allowed to create traffic at all.

After discovering how to conduct the TCP Idle Scan in IPv6, 21 different operating systems and versions have been analyzed regarding their properties as idle host. Among those, all nine tested Windows systems could be used as idle host. This shows that the mistake of IPv4 to use predictable identification fields is being repeated in IPv6. Compared to IPv4, the idle host in IPv6 is also not expected to remain idle, but only not to send fragmented packets. To defend against this bigger threat, the article also introduces short-term defenses for administrators as well as long term defenses for vendors.

Bio: Mathias Morbitzer


TCP Idle Scanning using network printers. 2013. Research Paper, Radboud University of Nijmegen. The TCP Idle Scan in IPv6. Masterthesis, Radboud University Nijmegen, Netherlands, August 2013.

Educational experience:

(2011 – 2013) Master Computing Security, Radboud University Nijmegen, Netherlands (2008 – 2011) Bachelor Secure Information Systems, University of Applied Sciences Upper Austria, Campus Hagenberg, Austria

Sebastien Larinier, Guillaume Arcas - Exploit Krawler Framework


Exploit Kits (EK) are collections of malicious objects - JavaScript scripts, PDF files, Shockwave and Java applets - that aim to exploit vulnerabilities in Web browsers and their plugins in order to automatically execute malicious code on a vulnerable computer. It is the most serious threat against web browsers and one of the most popular mean to infect computers without their user’s consent and knowledge. Exploit Kits can be installed on compromised websites (usually in HTML iframe) or malicious servers.

Exploit Krawler is a solution designed to automatically crawl, parse and analyze web pages in order to detect the presence of such malicious codes.

Because Exploit Kits require user’s interaction (like clicking on a link), and because they also tend to detect robots, one of the biggest issues that researcher encounter when trying to automate the crawling of EK is to reproduce human-like behaviour. Security researchers have to deal with some big issues while trying to analyze Exploits Kits: - the biggest one is that EK can require some user’s interaction before triggering their exploits ; - another issue is that some EK are geolocated and contextualized in such a way that a HTTP request that comes from a “wrong” IP address or without some specific User-Agent will not trigger any exploits.

Exploit Krawler Framework (EKF) is an answer to this issues. EKF uses a cluster of Selenium driven browsers running in virtual machines (VM), each of them being monitored from the Host in order to detect any compromise after having visited a malicious webpage. Monitoring is implemented through the hypervisor. The hypervisor API is used to dump the memory, dump the disks and also launch actions on the virtual machine. Process, sockets and DLL which are added or removed during the crawl are checked.

Network activities, especially all objects transferred through HTTP(S) from visited websites, are dumped and stored on the host for further analysis. Web objects - HTML code, images, JavaScript, Java applet, binaries, etc - and web tracks - visited IP addresses, domain names, URLs, URIs, User-Agent, cookies, etc - are also stored.

Each VM reaches the web pages through Honeyproxy. So all the accesses are logged and the proxy downloads and stores on disk the whole set of web transactions (pages, applets, executables,...).

The initial URL list is shared inside the cluster and every newly found URL is distributed through a demultiplexer; the goal is to run different browsers on the same URL with different or identical HTTP Referers to trigger the infection, as some EK only triggers on a given Referer and/or for a given browser.

The cluster is spread on different geographical places in order to come from different networks, because some EK also trigger depending on the browser location. When a browser finds a trapped page, it will follow the whole infection chain (redirections, Javascript callbacks) and the VM will be frozen as soon as the first control channel with the central server will be up. Meanwhile, the proxy has registered the whole infection and grabbed the miscellaneous infection vectors (binaries, Java applets...) which exploited the browser vulnerabilities. Once the VM is frozen, the whole memory is dumped for analysis, and the whole file system as well. The VM will be released to let the compromission go on and all the connections to the control channel will be registered to get the whole chain.

Bio: Sebastien Larinier

Sébastien Larinier currently is Senior Researcher and CTO at the CERT Sekoia located in Paris, member honeyproject chapter France and co organizer of botconf.

Sébastien focused his work for the last 5 years on botnet hunting, early compromission detection, and incident response. Python addict he has developed an open-source OSINT framework and supports different opensource projects.

Sébastien presented at various conferences, including NDH, RSSIL, and is mentoring MSc and Law Enforcement students on Open Source Intelligence and digital investigations.

More information is available on : - @sebdraven - @sekoia_fr

Bio: Guillaume Arcas

Guillaume Arcas currently is Senior Researcher and team leader at the CERT Sekoia located in Paris.

Guillaume is involved for numerous years in the development of the honeynet community. Focused on cybercrime for the last 10 years has strong expertise in incident response within financial and telco companies and developed innovative approaches to network forensics

More information is available on : - @y0m - @sekoia_fr

Axelle Apvrille - Playing Hide and Seek with Dalvik Executables


Android’s Dalvik Executables (DEX) are full of sneaky corners, and this is just perfect for a game of Hide and Seek. The first round of the game begins by hiding an entire method within a DEX file. The method hides so well that all common disassemblers (baksmali, apktool, Androguard, IDA Pro...) are unable to see it. Nevertheless, we show the method is still there as we can call it and execute it! The mechanism exploits a lack of verification of methods’ layout and it is particulary convenient to hide a behaviour. Possible implications are the bypassing of market places’ screening or anti-reversing of malware. Then, like in the Hide and Seek game, the second round focuses on finding the hidden parts. The paper explains where to look for hidden data, and we provide a script to un-cloak the DEX file. The method shows back again. The paper also discusses the PoC code and script that demo hiding and unhiding

Bio:Axelle Apvrille

Axelle Apvrille's initial field of expertise is cryptology, security protocols and OS.

She is currently a senior antivirus analyst and researcher at Fortinet, where she more specifically looks into mobile malware, SCADA and exercises her security blogger talents.

Axelle presented at various conferences, including VB, EICAR (best paper award), Insomnihack, ShmooCon, BlackHat Europe.

Known in the community by her more or less mysterious handle "Crypto Girl", she changes from office worker during the day into mighty hacker at night. Like Neo, but with a superhero costume.

Philippe Teuwen - Unveiling online banking authentication devices


Almost all Belgian banks have deployed a modern authentication system for their clients to access online services. They provide a small device with a keyboard, LCD screen and smartcard reader which allows, together with a bank card, to perform web authentication and signature of financial transactions on their site but also merchant websites. We'll discover together what protocol runs behind and evaluate its security compared to the well known EMV standard and its weaknesses and we'll provide a software equivalent, for educational purpose obviously. A recent attempt has even been made to use such devices with the Belgian eID to provide SSO so we'll have a look at it as well...

Bio: Philippe Teuwen

Jurriaan Bremer - Abusing Dalvik Beyond Recognition


With Android becoming a hotter topic by the year, both maliciously speaking as well as in the world of protecting proprietary applications, more and more research tools show up in order to analyze Android applications. These tools focus mostly on Dex files, a binary containing dalvik bytecode - Android's version of compiled java.

During this technical talk we'll explore previously uncovered ways to abuse Dex files in order to break existing tools and analysis methods. We will show how to run arbitrary dalvik bytecode, that is, run any string containing dalvik bytecode. Therefore, using our techniques, we don't have to hardcode our proprietary functionality in the dalvik executable as functions, but instead, we can store it encrypted and decrypt it at runtime when necessary. (Or load it from a resource, the internet, etc.)

Finally, we will show why this approach is interesting, and what it means for a potential attacker. Last but not least, we'll show a final demo which will be published right after the talk.

Bio: Jurriaan Bremer

Jurriaan is a freelance security researcher from the Netherlands interested in the fields of reverse engineering, malware analysis, mobile security, and the development of software to aid in security analysis. Jurriaan occasionally plays so-called capture The Flag games as a member of De Eindbazen CTF Team, he's a member of The Honeynet Project, and in his spare time he works as one of the Core Developers of Cuckoo Sandbox.

Walter Belgers - Lockpicking and IT security

In this lecture, Walter Belgers will look at some security flaws in locks to see how they came about. Then, he shows us how similar mistakes are made in software development and deployment. In both cases, we have to deal with design flaws, implementation errors, zero day attacks, brute force attacks, user errors and more. Real life examples will be given and demonstrated. There are some interesting differences in how security is looked at in the hardware and the software world. Both groups can certainly learn each other.

Bio: Walter Belgers

Walter Belgers is an ethical computer hacker by profession and by way of life. During his working hours, he tests the security of IT systems using both technical and social means. In his spare time, he is president of The Open Organisation of Lockpickers (TOOOL) and the fastest Dutch lockpicker. When he has time, he likes to read, sail, collect old Sun computers and drift in an old BMW car.

Peter Haag - Netflow and Security

This talk discusses why netflow can be helpful for CERTs and security people. On the bases of nfdump, various examples explain how netflow can be used to support investigation of incidents and security related questions.

Bio: Peter Haag

Peter Haag works for more than 10 years in the field of incident handling and security. He focuses on network monitoring, malware reverse engineering as well as computer forensics. He is also the author of the network tools NfSen and nfdump.


Didier Stevens - Windows x64: The Essentials

IT Security professionals, pentesters, hackers, … they will all come across 64-bit systems. With a growing install base of Windows 7/8 and Windows Server 2008 R2/2012, the chance of hitting an x64 Windows machine increases as time goes by. We will take a close look at the essential differences between a 32-bit and a 64-bit Windows system from a defender/attacker point of view.

In this workshop we will touch upon important differences between 32-bit and 64-bit Windows. Did you know WoW64 (Windows 32-bit on Windows 64-bit), the system that allows you to run 32-bit applications on 64-bit Windows, presents applications with a different view on the file system and the registry? Why wouldn't you use a 32-bit AV program on x64 Windows, but can you compile a 64-bit application on a 32-bit machine? Did you know 32-bit processes can't load 64-bit DLLs and 64-bit processes can't load 32-bit DLLs? Did you know that x64 shellcode is significantly different from 32-bit shellcode because of the calling convention? Here are some of the exercises for the workshop attendees:

  • How to develop and inject an x64 DLL
  • How to develop x64 shellcode
  • How to develop and sign an x64 kernel driver
  • How does WoW64 allow us to run 32-bit applications on a 64-bit system?
  • How do we "break" out of WoW64?

Attendees will have to bring a laptop with Windows x64 (native of VM).

Bio: Didier Stevens

Didier Stevens (Microsoft MVP Consumer Security, CISSP, GSSP-C, MCSD .NET, MCITP, MCSE/Security, RHCT, CCNA Security, OSWP) is an IT Security Consultant currently working at a large Belgian financial corporation. In 2012, Didier founded his own company Didier Stevens Labs. You can find his open source security tools on his IT security related blog at

Walter Belgers - Lock-picking workshop

Bio: Walter Belgers

Walter Belgers is an ethical computer hacker by profession and by way of life. During his working hours, he tests the security of IT systems using both technical and social means. In his spare time, he is president of The Open Organisation of Lockpickers (TOOOL) and the fastest Dutch lockpicker. When he has time, he likes to read, sail, collect old Sun computers and drift in an old BMW car.

Aseem Jakhar - ARM Android Xploitation Primer


Smart-phones, tablets and portable gadgets have become a must-have for everyone for personal as well as official use. As people have started utilizing these devices to frequently access the Internet, read important documents, carry out financial transactions and so on and so forth, the bad guys have realized the shift and have started to focus on exploiting these platforms for their gains. There has been a lot of advancement in mobile malware and exploitation research. These devices are computers running various operating systems on ARM processors with hardware for telephony, wifi etc. ARM Android Xploitation Primer takes up one of the finest operating system used for these devices I.e. Android as the ARM based platform for the training and takes a deep dive into ARM assembly, Android Native development components, buffer overflows and shellcoding. The training introduces the attendees to the ARM Android platform including the intrinsic technical details and security issues using a balanced proportion of theory and extensive hands-on and exercises. It provides a base for the attendees to develop security research expertise on the ARM based platforms beyond the conventional Android application security testing skills.

Bio: Aseem Jakhar

Aseem Jakhar is the Director, research at Payatu Technologies Pvt Ltd a boutique security testing company. He has extensive experience in system programming, security research, consulting and managing security software development projects. He has worked on various security software including IBM ISS Proventia UTM appliance, Mirapoint messaging/security appliance, anti-spam engine, anti-virus software, multicast packet reflector, Transparent HTTPS proxy with captive portal, bayesian spam filter to name a few. He is an active speaker at security and open source conferences; some of the conferences he has spoken at include AusCERT, Defcon,, Blackhat, Xcon, Cyber security summit, Cocon, OSI Days, Clubhack, Gnunify. His research includes Linux remote thread injection, automated web application detection and dynamic web filter. He is the author of open source Linux thread injection kit - Jugaad and Indroid which demonstrate a stealthy malware infection technique.

Guillaume Prigent and Jean-Baptiste Rouault hynesim : hybrid network simulation for security training and SCADA lab.

The hynesim project's goal is to provide the open source community with an information systems hybrid simulation platform. The purpose of this network oriented project is to integrate low and high interaction hosts in complex topologies, based on a massively distributed simulation. The major advantage of this system is the interconnection between real and virtual machines. The aims of this platform are to offer an all-in-one solution allowing preparation, construction, simulation and operation of a virtual information system, so as to observe the evolution of its security. Based as much as possible on pre-existing Open Source components (COTS), the hynesim project will provide the ISS community with a way of deploying large virtual information systems at a low cost. The foundations of the hynesim project are based on 10 years of thinking on the subject, and on the lessons learned from a first approach through the BridNet project ( Beyond the technological and conceptual framework of the project, the members of the Hynesim project wish to bring a genuine expertise on tools such as VirtualBox, KVM/Qemu, Dynamips, OpenVZ, vde, libvirt.... by sharing the experience gained through their usage and development in the field of hybrid network simulation.

This workshop aims to introduce this framework (architecture, internal details) in order to apprehend its use (simple, advanced, specific features) and to show how to install & deploy it. Virtual machines and specific use cases (network/topology) will be available for participants to perform their own tests.

The workshop is a mix of explanations, tutorials, hands-ons & demos in both fields of IT and ICS/SCADA system with virtual and real harware PLC (Siemens and Schneider) in turn key platform.


  • Computer able to boot a virtual OVF appliance (VirtualBox, VMWare,...).

Bio: Guillaume Prigent

Guillaume PRIGENT, founder and CTO of diateam, is a computer security research engineer, and has worked in the field of security simulation for the last 10 years. He began as a research engineer in 1999 at CERV, the European Centre for Virtual Reality in Brest, where he developed the concepts of hybrid simulation for the French Department of Defense. Guillaume Prigent is the Project leader and architect of the open source Hynesim project. He has developed many "proofs of concept" and some tools like netglub and also gives talks and classes in many engineering schools (ENIB, ENSIETA, ESM Saint-Cyr, ...). Guillaume is the author of several papers on security, and is a frequent speaker and/or attendee at security and testing conferences such as SSTIC, HITB, HACK.LU, FRHACK, ...

Bio: Jean-Baptiste Rouault

Jean-Baptiste ROUAULT is the lead developper of the hynesim project. He's member of the hynesim core development team. Research & Development software engineer, he's currently in charge of core features such as the distributed computing framework and virtual machines hypervision. Jean-Baptiste give also classes and training sessions in the hynesim training center.

Scapy: protocol exploration workshop

This is a workshop/challenge born over a beer wager between two such gentleman of networks. Chaps with finely groomed facial hair and an understanding of Braess' paradox applied to routing tables.

The challenge was simple, yet worthy: Can you get an IP address, set your DNS server, resolve a URL, and do an HTTP request using only SCAPY? In other words, BE THE OS at the network layer.

They didn't do it because it was cool, and they didn't do it because it was sexy (cause let's face it, it's neither). They did it to re-learn the foundations of networking and packetry. They did it to embrace the task that gives birth to deep understanding. They did it because they admire the people of the IETF who bootstrapped the internet primarily by writing and responding to text files.

Now you too, can quote RFCs. You too, can improve your SCAPY skills in a single day. You too, can make obscure packet jokes.

More importantly, this workshop will test you on things you *think* you know. The gentleman in question thought they were pen-test badasses, until they humbled themselves on the foundations of networking.

Are you ready to school these two gentleman on what they think they already know?

This will be half workshop, half personal challenge. The two hosts were born out the hacker spaces, where everyone is a teacher and everyone is a student. This is simply a continuation of that ethos.


  • A desire to learn and participate and share.
  • A laptop with SCAPY installed.
  • Basic python knowledge.

Bio: Matt

Matt isn't very good at writing bios. He dabbles in packets, malware and other such shenanigans when the urge strikes him. Mostly during winter, when it's colder than a penguins nipple outside.

Bio: Kacper Why

When Kacper isn't solving problems others don't want to solve and handling incidents others don't know what to do with, he's at the hackerspace Hackeriet, where he encourages the responsible albeit creative use of dangerous techniques and continually changes merge strategies. Kacper is also a person that knows his way around nibbels and bits and is very social and a good communicator of new and exciting ideas. Kacper maintains a very simple site where you can find strange things at