End-to-End Analysis of a Domain Generating Algorithm Malware Family

Presented at Black Hat USA 2013, July 31, 2013, 2:15 p.m. (60 minutes)

Select malware families have used Domain Generating Algorithms (DGAs) over the past few years in an effort to evade traditional domain blacklists, allow for fast-flux domain registration and usage, and evade analysts' abilities to predict attackers' control servers. While novel work has been done by both private industry and academia with respect to detecting DGA-related network traffic, this presentation demonstrates end-to-end analysis of a DGA malware family, from binary deobfuscation to DGA analysis, to sinkholing, to domain registrant research, to attribution of the malware's author and accomplices.

The malware family discussed in this presentation has thousands of active variants currently running on the Internet and has managed to stay off of the radar of all antivirus firms. This presentation will bring to light how this malware is tied to an underground campaign that has been active for at least the past six years.
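The abstract mentions detecting DGA-related network traffic. The following is an added example (not code from the talk or from CrowdStrike) of the kind of lightweight heuristic a defender can run over DNS query logs to surface hosts that are cycling through algorithmically generated names. It assumes a constructed log format of `<timestamp> <client IP> <queried name>` and treats the label directly under the TLD as the registrable part (a single-label public suffix such as `.com`); the sample log lines and the thresholds are constructed for illustration.

```python
"""Heuristic DGA-like domain detection over DNS query logs (added example).

Assumptions (not from the talk): log lines look like
"<ISO timestamp> <client IP> <queried name>", and the registrable part of a
name is its second-to-last label (a single-label public suffix such as .com).
"""
import math
from collections import Counter, defaultdict

# Constructed sample log lines; the three 16-letter names are made-up
# examples of the kind of pseudo-random labels a DGA produces.
SAMPLE_DNS_LOG = """\
2013-07-31T14:15:01Z 10.0.0.5 www.example.com
2013-07-31T14:15:02Z 10.0.0.5 mail.example.org
2013-07-31T14:15:03Z 10.0.0.7 xkqjzvwplmfgtrbd.net
2013-07-31T14:15:04Z 10.0.0.7 qpwmzrlvtkxbgjhd.info
2013-07-31T14:15:05Z 10.0.0.9 cdn.example.net
2013-07-31T14:15:06Z 10.0.0.7 hvbzqkxptmwrjlgn.com
"""

VOWELS = set("aeiou")


def second_level_label(qname: str) -> str:
    """Return the label directly under the TLD, e.g. 'example' for www.example.com."""
    labels = qname.rstrip(".").lower().split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def vowel_ratio(s: str) -> float:
    """Fraction of alphabetic characters in s that are vowels."""
    letters = [ch for ch in s if ch.isalpha()]
    if not letters:
        return 0.0
    return sum(ch in VOWELS for ch in letters) / len(letters)


def dga_score(label: str) -> int:
    """Count how many DGA-like traits the label shows (0..3).

    Traits: long (>= 12 chars), high character entropy (>= 3.5 bits) and a
    low vowel ratio (< 0.2). These are common in algorithmically generated
    labels and rare in human-chosen names; the thresholds are illustrative.
    """
    score = 0
    if len(label) >= 12:
        score += 1
    if shannon_entropy(label) >= 3.5:
        score += 1
    if vowel_ratio(label) < 0.2:
        score += 1
    return score


def is_dga_like(qname: str, min_score: int = 3) -> bool:
    """True when the registrable label shows at least min_score DGA traits."""
    return dga_score(second_level_label(qname)) >= min_score


def parse_log(text: str):
    """Yield (timestamp, client, qname) tuples from the constructed log format."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            yield parts[0], parts[1], parts[2]


def flagged_clients(text: str, min_hits: int = 2):
    """Map client -> DGA-like names for clients with at least min_hits such lookups.

    A legitimate host may occasionally resolve one odd-looking name; a DGA
    victim cycles through many candidates, so the per-client count is the
    useful signal rather than any single lookup.
    """
    hits = defaultdict(list)
    for _, client, qname in parse_log(text):
        if is_dga_like(qname):
            hits[client].append(qname)
    return {c: names for c, names in hits.items() if len(names) >= min_hits}


if __name__ == "__main__":
    for client, names in flagged_clients(SAMPLE_DNS_LOG).items():
        print(f"{client}: {len(names)} DGA-like lookups -> {', '.join(names)}")
```

Counting hits per client rather than alerting on each name is the design choice worth noting: a single high-entropy label (a CDN hostname, a tracking domain) is a weak signal, but a burst of them from one host, most of which fail to resolve, is the traffic pattern that sinkhole operators and the detection research mentioned in the abstract key on.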


Presenters:

  • Jason Geffner - CrowdStrike, Inc.
    Jason Geffner joined CrowdStrike in 2012 as a Sr. Security Researcher, where he performs in-depth reverse engineering of highly complex malware and exploits developed by nation-states and organized crime groups. His intelligence research attributes malware, exploits, lateral movement tools, and command-and-control protocols to unique actors. Jason authors comprehensive reports for the technology, industrial, financial, energy, and government sectors to provide actionable intelligence for customers to understand who is attacking them, how they're being attacked, what information is being stolen, and how to defend their systems and raise the bar against the attackers. Before joining CrowdStrike, Jason worked for NGS Secure from 2007-2012 as a Principal Security Consultant. He focused on performing security reviews of source code and designs, reverse engineering software protection methods and DRM protection methods, penetration testing web applications and network infrastructures, and developing automated security analysis tools. Prior to joining NGS, Jason spent three years as a Reverse Engineer on Microsoft Corporation's Anti-Malware Team, where his work involved analyzing malware samples, de-obfuscating binaries, and writing tools for analysis and automation. He was the Security Research & Response Team owner of the Windows Malicious Software Removal Tool (MSRT). During his stewardship of this tool, which was and continues to be deployed to all Windows users around the world every month, Jason chose which new malware families the MSRT was to detect and clean each month based on his analysis of the telemetry and trends of the underground malware community. Jason has authored tens of thousands of malware signatures and dozens of malware analyses based on static and dynamic analyses of obfuscated binaries. His work on the MSRT helped hundreds of millions of Windows users each month keep their computers safe and secure. 
While at Microsoft, Jason was recognized for his reverse engineering skills and for his efforts to drive awareness of reverse engineering practices throughout the company by being given the formal job title "Reverse Engineer." He was the only Microsoft employee with this title. Jason holds several patents in the fields of reverse engineering and network security. He has been a Program Committee member of the Reverse Engineering Conference (REcon) and of the International Conference on Malicious and Unwanted Software. He's a regular trainer at Black Hat and other industry conferences, is often credited in industry talks and publications, and has been actively reverse engineering and analyzing software protection methods since 1995.
