Anti-Virus Heuristics < Drew >


By implementing moral intelligence and putting heuristics into a new framework, we are able to have an Heuristic Anti-Virus system which can detect classes of attack code and families of malware without false positives.

This talk is a high level but exhaustive look at modern heuristic technology, its' pitfalls, and how a moral intelligence system can automate the process a malware researcher goes through when looking at new malware -- within an Anti-Virus system.

Included are technical examples of how to heuristically detect polymorphic Morphine encrypted files, forged Microsoft malware, and other examples.

About Drew:

Drew Copley is a Senior Research Engineer at eEye Digital Security.

Reconfigurable Synchronization Technique < Cawan >


Secretary of IEEE Computer Society Malaysia, CIW currently is finishing PHD research in developing a new algorithm of digital clock data recovery for signal synchronization

About Cawan:

This is a presentation to show the possibility of a customize system (public addressing, evacuation, fire alarm ...) being hacked. By obtaining the details of communication protocol specification, a versatile transceiver can be built in FPGA to synchronize into the customize system. A demonstration will be given to show the efficiency of customize channel synchronization in FPGA.

The Past, Present and Future of Hacking < Skyper >


At Xcon2005 a selected group of people will be giving a panel discussion where they will be discussing the old/new techniques, the future of IT security and other items of interest to the hacking community.
The panel will answer questions from the audience. Keep asking

About Skyper:

Editor in Chief, Phrack Magazine
The member of THC
The member of TESO

Talking About 0day < Sowhat >


What is 0day ? How to find 0day , 0day related Laws, The Future of the 0day Research ....

About Sowhat:

Security Researcher @
Application Assessment Focused
Have found Multiple vulnerabilities in several popular software

Structural Signature and Signature's Structure < Funnywei >


This presentation will introduce the technique of structural signature in binary diff. The content includes how to carry on ismorphic comparison in three levels--call graph, control flow graph, instruction, and complete this work with our designed intermedia assembly language for getting better cross-platform portability.We must see that this technique has a big flaw which only contains statistical values of structural information and can not reflect the real structural information of function's logic.When meeting compiler optimization, it often mismatches two unmathched functions.Author will give a method about structuring signature's information for handling this problem.

About Funnywei:

XFoucs Member & Security Researcher
Researching Security for 6 years

Java & Secure Programming < Marc Schoenefeld >


Java is not secure by default, you as a programmer can use its built-in features to make your software more secure, but on the other your errors and the flaws in the software stack below (like the JDK) can add a wide range of vulnerabilities to your java software. The talk is about the causes for errors and the techniques to detect them.

About Marc Schoenefeld:

Hacking addict since 1983 (c64,amiga, st, x86) , studied business informatics
and working in security management for large german financial institution.
Presentations about Java Security (PhD Thesis topic) given
at Blackhat, RSA, Bellua, DIMVA and D-A-CH.

03/2005   Bellua Cyber Security, Jakarta ,
Java & Security
02/2005  RSA Conference , San Francicso,
Security Focused Code Audit of Java Applications and Middleware
07/2004   DIMVA 2004, Dortmund, DE (GI e.V.)
JDK Antipatterns and Refactorings
03/2004   D-A-CH Security, Basel , CH (GI e.V.)
Seitenkanalangriffe auf javabasierte Softwaresysteme
10/2003  Informatik 2003, Frankfurt/Main
Service-Infrastruktur der GAD
08/2003   AMCIS 2003, Tampa Bay,
Java Security Anti-Pattern, Secure Access Layer
04/2003  Blackhat Europe, Amsterdam , NL
Hunting Flaws in JDK
03/2003   Whitepaper in Zusammenarbeit mit
Java Distributions and Denial-of-Service Flaws
02/2003  Blackhat Windows Security, Seattle ,
Multiplatform Denial-Of-Service
08/2002  Blackhat Briefings, Las Vegas,
Security Aspects in Java-Bytecode Engineering
04/2002  CSMR, Budapest , Ungarn
An Evolutionary Integration Approach using Dynamic CORBA in a typical Banking Environment (mit Markus Pohlmann)
08/2000   AMCIS , Long Beach,
Enhancing ERP-Efficiency through Workflow-Services (mit Oliver Vering)
04/1989  Atari-Magazin
BLEND.BAS: Ein blendender Effekt in Assembler f¨¹r Atari ST

Hacking Windows CE < San >


The network features of PDAs and mobiles are becoming more and more powerful, so their related security problems are attracting more and more attentions. This paper will show a buffer overflow exploitation example in Windows CE. It will cover knowledges about ARM architecture, memory management and the features of processes and threads of Windows CE. It also shows how to write a shellcode in Windows CE, including knowledges about decoding shellcode of Windows CE with ARM processor.

About San:

XFoucs Member & Security Researcher
Researching Security for 6 years

Windows Kernel Pool Overflow Exploitation < SoBeIt >


The research of user mode buffer overflow in Windows has been a long time, including stack overflow and heap overflow. The exploit has been consummated more reliable, but the protective measure is also become very strict. Most people focus on the vulnerabilities of user program, but ignore the vulnerabilities of the OS itself. The history of kernel exploitation isn't very long, and the protective measure used in user mode doesn't implement in the kernel, so the vulnerability of kernel exploitation will cause more dangrous attack. Of course, the kernel is much more difficult to exploit. Pool take the place of user mode heap in kernel, it also exist the overflow vulnerability as heap. This topic will describe some of my discoveries in the exploitation of pool overflow vulnerabilities.

About SoBeIt:

Undergraduate Student of Beihang University, interest in Operation System kernel and security.

I want to see farther < TombKeeper >


With the simple means,to increases the familiar wireless card and the bluetooth equipment signal distance , enables you to connect a farther wireless equipment ,include How to installs the antenna for the wireless card , How to installs the antenna for the bluetooth adapter, other some method to increase equipment signal distance .

About TombKeeper:

XFoucs Member & Security Researcher
Researching Security for 6 years

New architecture and approach in Network Virus Detction < Seak >


Through analysis of the traditional IDS, we believe that the traditional IDS architecture Based on analysis of traditional IDS architecture, we think that the traditional one is not suitable for inspecting high speed network traffic and monitoring multivariant malcode epidemics. Therefore,we aimed at accurately detecting the transportation ,scanning and attacking behavious of various viruses as well as some unknown viruses in a high speed networking environment.

We present Virus Detection System(VDS) which is based on by-pass listening, normalized methods and algorithm efficiency oriented.We implemented a new detection mechanism which can be applied to backbone network environment, using simple protocol shunting, concurrent large signature set high speed match and concurrent protocol positioning.This paper brings in new technique descripting mechanisms such as AVML and DEML to illuminate the way of data processing used by VDS , moreover, introduced deep processing and basic methods for unknown virus discovery.

About Seak:

Xiao,Xinguang (Seak),one of the Founders of Antiy Labs, he is engaged in anti-virus research many years. He focuses on network virus detecting system, anti-virus engine architecture and virus emergency response mechanism,etc

Advanced trojan in Grub < CoolQ >


With the evolution of trojan techniques, user-mode trojans fade awaygradually, kernel-mode rootkits get more powerful, the combat between justice and evilness continues.This paper focuses its target on the widely-used bootloader, Grub, which is still untouched yet.After analysing how grub loads kernel image, I present a sneaky way to change the image loaded.

About CoolQ:

Gruaduate student of IOS - CAS, his research focuses on rootkit, forensic, and vulnerability auto-discovery

New thoughts in ring3 nt rootkit < Baiyuanfan >


As the development of backdoor and anti-backdoor technology,normal sort of backdoors which are more or less just like remote-control softwares became unproper for complicated environments.Rootkits were born in that case.This paper describes a series of new thoughts of implementing a whole ring3 nt rootkit,in order to deal with questions unsolved by rootkit predecessors.

About Baiyuanfan:

Yuanfang Bai,student of 2004 of Software Engineering Academic,East China Normal University,interest in system/ kernel develop and security.

Security in development environment < ICBM >


This speech is discussing about the linker vulnerability in development environment. We found many security problems in development environment, but we didn¡¯t focus on this problem seriously. The software which offer its source code are considered as security ones, no one have thought that he will be attacked by the compiling or linking process before they do it. There¡¯s also some introduction about a BFD Lib vulnerability in Linux system and an unpublished linker vulnerability in Windows Visual studio 6.

About ICBM:

Zhao,Wei(ICBM) is working for Vesnustech ADLab since 2003 who had found several system security vulnerabilities and a member of CNCERT/CC. Zhao Wei mainly focus on Unix/Linux/Windows vulnerability digging, Unix/Linux system security, Linux kernel vulnerability digging, Linux HIDS development and HIDS signature research, worm analysis and research and XML related security problems. Zhao Wei¡¯s incident response experience includes both front-line and management roles, many cases of computer crime forensics, computer disaster backup system. Zhao Wei also participate in some network security projects and ¡°863¡± project.

Research on Same Source Feature Measuring Technology of Software < Liu,Xin >


The current copyright protection mechanism emphasizes preventing the intellectual property right from being violated beforehand, which can not satisfy the demand lying in law practice that the same source feature of software should be determined. In this presentation feature of executable code is analyzed from static and dynamic state and a same source feature measuring method is put forward. The running result of demo system supports the method well. The same source feature measuring problem of executable code is resolved primarily in this paper.

About Liu,Xin :

Liu,Xin is currently a Ph.D candidate in network and information security research lab., School of Electronic Engineering and Computer Science, Peking University. Her research interest focuses at network and information security and computer forensics.

Profiling Malware and Rootkits from Kernel-Mode < Matt Conover(Shok) >


The presentation will speak about methods to profile rootkits and malware from kernel-mode. It will focus on some methods that are currently not being used by rootkit detectors (and likewise not evaded). The presentation will also discuss some of the issues around keeping a rootkit detector stealth or attempting to prevent the detector from being removed.

About Matt Conover (Shok) :

the member of w00w00 Security Team
Researching Security for 6 years

< Past Conferences Speakers >