Malware RCE: Debuggers and Decryptor Development

Presented at DEF CON 16 (2008), Aug. 10, 2008, 2 p.m. (50 minutes)

This talk will focus on using a debugger to reverse engineer malware, with an emphasis on building decryption tools for credential recovery and command-and-control (C&C) inspection. Most modern trojans use cryptography, or simply home-grown obfuscation, to prevent analysis of the stolen data or of the C&C protocol. This presentation will show how to script the debugger so that it leverages the trojan's own internal functions to decrypt information of the researcher's choice. The concepts will be demonstrated using current threats such as Feebs, Silent Banker, CoreFlood, Torpig/MBR, Kraken, Prg/Zeus, and Laqma.

Presenters:

  • Greg Sinclair - Rapid Response Engineer, VeriSign iDefense Rapid Response
    Greg Sinclair is a member of the Rapid Response Team that provides quick analysis and remediation techniques for malcode threats. Before joining Verisign, he worked for two years as a risk assessment security engineer for Healthcare Services Corporation (HCSC) in Chicago. At HCSC, Mr. Sinclair was responsible for analyzing production systems to find, and report on, unknown vulnerabilities before the vulnerabilities could be exploited by attackers. Mr. Sinclair specializes in reverse engineering applications to identify weaknesses and functionality. Prior to HCSC, he was the Head of IT Security for Strayer University for 3 years where he was responsible for developing and implementing IT security policies and protection mechanisms for Strayer's 45 campuses and corporate offices. Mr. Sinclair graduated from the University of North Carolina at Charlotte in 2001 with a BS in Computer Science.
  • Michael Ligh - Security Intelligence Engineer, iDEFENSE
    Michael Hale Ligh is currently a security intelligence engineer at Verisign iDefense. He specializes in reverse engineering malware to provide in-depth analysis of capabilities, techniques, and decryption services. Michael obtained his master's in forensic computer investigation in 2004 and began providing Internet security services to financial institutions. He then gained an interest in vulnerability research and has been credited with locating critical flaws in products such as Tumbleweed MailGate, Novell iMonitor/eDirectory, Symark PowerBroker, and F5 FirePass SSL VPN. Michael is a member of ZERT and has submitted winning entries in several malware-related contests and challenges (SANS malware analysis, honeynet.org scan-of-the-month, and hacker challenge 2007). More of Michael's research is available online at www.mnin.org.
