A Thorny Piece Of Malware (And Me): The Nastiness of SEH, VFTables & Multi-Threading

Presented at DEF CON 21 (2013), Aug. 4, 2013, 12:30 p.m. (20 minutes).

Reverse Engineering is the supreme discipline in analyzing malware, how else would you find out all capabilities of a malicious sample? But this task gets trickier nearly every day, as malware authors apply new techniques to evade analysis. Even worse, documentation of said techniques is barely existent, which makes our job even harder.

This talk will focus on the challenges of a specifically thorny piece of malware, detected as Backdoor.Win32.Banito. It will discuss the palette of anti-analysis measures found and show a path through a multi-threaded file-infecting spy bot. The talk will try to shed some light on the merely shallow documentation of the binary layout of Windows Structured Exception Handling (SEH), point out complications in analyzing object oriented C++ binaries and give an insight on how to tackle multi-threaded executables.


Presenters:

  • Marion Marschalek - Analyst, IKARUS Security Software GmbH
    Marion Marschalek (@pinkflawd) is currently employed at IKARUS Security Software GmbH based in Vienna, Austria. She is working as Malware Analyst and in Incident Response for two years now. Besides that Marion teaches basics of malware analysis at University of Applied Sciences St. Pölten. She has a technical degree, achieved through three different universities on three different continents. In March this year Marion won the Female Reverse Engineering Challenge 2013, organized by RE professional Halvar Flake.

Links:

Similar Presentations: