Malware Repository Requirements

Presented at DEF CON 14 (2006), Aug. 6, 2006, 3 p.m. (50 minutes).

We describe requirements for a malware collection repository. The repository serves as a clearing house for malware samples, as well as for analysis provided by members of the clearing house. We discuss how malware authors are aware of, and actively exploit, inherent inefficiencies in the current generation of competitive, closed malware collections. We demonstrate how, by illuminating AV sensors and by using frequent updates, malware authors can keep their victims within a perpetual zero-day window. There are numerous cooperative malware repositories created to address problems in private collections. After exploring the policy trade-offs, we describe our own solution. Features include automated unpacking of samples, data mining of packed samples, static and dynamic analysis, and selected network trace files.

Presenters:

  • Paul Vixie - President
    Paul Vixie holds the record for "most CERT advisories due to a single author" which came primarily from his years hacking on BIND4 and BIND8. Later on he cut off the oxygen supply to his brain by wearing a necktie for AboveNet, MFN, and PAIX. At the moment he is President at ISC where his primary duty is to sign paychecks for the people who bring you BIND9 and F.ROOT-SERVERS.NET. He is also an occasional critic of just about everything (the blog: FM.VIX.COM).
  • David Dagon - PhD Student
    David Dagon is a PhD student in the College of Computing at Georgia Institute of Technology. His area of research includes network security, BSD kernel hacking, honeynets, and malware analysis. He has written extensively about malware, including modelling botnet propagation using time zones and the KarstNet active sinkhole.
