Hiding in Plain Sight - Advances in Malware Covert Communication Channels

Presented at Black Hat Europe 2015, Unknown date/time (Unknown duration).

Steganography, the art of concealing information in different types of medias, is a very old practice. Yet, it only recently started being used by malware operators on a large scale. Malware programmers and operators are increasing their efforts in developing covert communication channels between infected computers and their command and control servers. In addition to steganography, recent examples include hiding communication in inconspicuous network traffic such as DNS queries or HTTP 404 error messages. When used properly, these covert communication channels can bypass many automated detection mechanisms and render malware communication difficult to detect and block. From an attacker's perspective, covert communication channels are a valuable addition because they allow messages to blend in with legitimate traffic and thus significantly lower the chance of being detected even when inspected by a human analyst. This presentation studies recent advances in covert communication channels used by real-world malware. First, we will show how steganography has recently been used in three different malware families (Stegoloader, Vawtrak, and Lurk). We will dive into the implementation details on how steganography is implemented and discuss the strengths and weaknesses of each approach. Furthermore, we will detail and compare the usage of inconspicuous carrier protocols for covert communication channels in malware. Examples will span commodity cybercrime as well as targeted attack malware. The cases that are discussed in this presentation are based on real life incidents. While it is easy to speculate how covert communication channels might be used by malicious actors, documentation of real-world cases is sparse. Yet, covert communication channels have arrived in both, the commodity cybercrime and targeted attack world. It is thus vital to understand the status-quo and identify current trends in cybercriminal and targeted attack malware. As such, we believe that it is mandatory to highlight what is currently being used in the wild.


Presenters:

  • Pierre-Marc Bureau - Dell SecureWorks
    Pierre-Marc Bureau is Senior Security Researcher at Dell SecureWorks. In his position, he analyzes and investigates malware in order to identify effective techniques to counter these threats. Prior to joining Dell SecureWorks, Pierre-Marc Bureau worked for more than eight years with ESET, as Security Intelligence Program Manager. Pierre-Marc Bureau finished his masters degree in computer engineering at Ecole Polytechnique of Montreal. His studies focused mainly on the performance evaluation of malware. He has presented at various international conferences including Recon, Hack.lu, and Virus Bulletin. His main interests lie in reverse engineering, application and network security.
  • Christian Dietrich - CrowdStrike
    Dr. Chris Dietrich is a Senior Researcher at CrowdStrike with a focus on targeted attack and cybercrime analysis. While pursuing his PhD, he developed techniques for the network- and host-based detection of malware. His research contributed to the understanding and disruption of some of the largest botnets. Chris enjoys reverse engineering and tracking botnets and has presented at several international conferences.

Links:

Similar Presentations: