Instrumenting Point-of-Sale Malware: A Case Study in Communicating Malware Analysis More Effectively

Presented at DEF CON 22 (2014), Aug. 9, 2014, 1 p.m. (60 minutes)

The purpose of this talk is to promote the adoption of better practices in the publication and demonstration of malware analyses. For various reasons, many popular analyses of malware do not contain information required for a peer analyst to replicate the research and verify results. This hurts analysts that wish to continue to work more in-depth on a sample, and reduces the value of such analyses to those who would otherwise be able to use them to learn reverse engineering and improve themselves personally. This paper and talk proposes that we borrow the concept of “executable research” by supplementing our written analysis with material designed to illustrate our analysis using the malware itself. Taking a step beyond traditional sandboxes to implement bespoke virtual environments and scripted instrumentation with commentary can supplement written reports in a way that makes the analysis of malware more sound and useful to others. As a case-study of this concept, an analysis of the recent high-profile point-of-sale malware, JackPOS is presented with enough information to replicate the analysis on the provided sample. A captured command-and-control server is included and Python-based harnesses are developed and presented that illustrate points of interest from the analysis by instrumenting the execution of the malware itself.

Presenters:

• Wesley McGrew - Assistant Research Professor, Mississippi State University
  Wesley McGrew (@McGrewSecurity) is an assistant research professor at Mississippi State University's Department of Computer Science and Engineering, where he works with the newly formed Distributed Analytics and Security Institute. He recently earned a Ph.D. in computer science for his research in vulnerability analysis of SCADA HMI systems. He also lectures for the MSU National Forensics Training Center, which provides free digital forensics training to law enforcement and wounded veterans. In the spring 2013 semester, he began teaching a self-designed course on reverse engineering to students at MSU, using real-world, high-profile malware samples, as part of gaining NSA CAE Cyber Ops certification for MSU. Wesley has presented at Black Hat USA and DEF CON, and is the author of penetration testing and forensics tools that he publishes through his personal/consultancy website, McGrewSecurity.com. Twitter: @McGrewSecurity Web: http://mcgrewsecurity.com

Links:

• https://defcon.org/html/defcon-22/dc-22-speakers.html#McGrew
• https://infocon.org/cons/DEF CON/DEF CON 22/DEF CON 22 slides/DEF CON 22 - Hacking Conference Presentation Wesley McGrew - Instrumenting Point - of - Sale Malware - A Case Study in Communicating Malware Analysis More Effectively - Slides.mp4
• https://infocon.org/cons/DEF CON/DEF CON 22/DEF CON 22 slides/DEF CON 22 - Hacking Conference Presentation Wesley McGrew - Instrumenting Point - of - Sale Malware - A Case Study in Communicating Malware Analysis More Effectively - Video.mp4
• https://infocon.org/cons/DEF CON/DEF CON 22/DEF CON 22 slides/DEF CON 22 - Hacking Conference Presentation Wesley McGrew - Instrumenting Point - of - Sale Malware - A Case Study in Communicating Malware Analysis More Effectively - Slides.srt (subtitles)

Similar Presentations:

• Black Hat USA 2014 / Prevalent Characteristics in Modern Malware
• ekoparty 14 (2018) / To Execute or Not to Execute. How to Build a Malware Execution Lab
• Black Hat USA 2012 / Flowers for Automated Malware Analysis