A Deep Dive into Go Malware: Using Metadata to Empower the Analyst

Presented at BSidesSF 2019, March 3, 2019, 1:30 p.m. (30 minutes)

Go is a programming language created at Google by Robert Griesemer, Rob Pike, and Ken Thompson. Their vision was a statically typed, productive, and readable language with good networking and multiprocessing support. By default, Go binaries are statically linked, and it is very easy to cross-compile binaries for different operating systems or CPU architectures. This makes it easy to produce an executable that can be copied to any machine and run without runtime errors due to missing libraries, something that should be appealing to malware authors. While Go has exploded in popularity, the same cannot be said for malware written in it. This presentation will look at a few pieces of malware written in Go, examine how they differ from malware written in, for example, C, and try to answer why we don't see more of it. It will also show how metadata in stripped Go binaries can be used to recover everything from function names to the source code tree structure and the number of lines of code per function, which hopefully gives us insight into the author behind the malware.

Presenters:

  • Joakim Kennedy
    Joakim Kennedy is the Senior Principal Security Researcher for Anomali Labs. His job involves playing with malware, tracking threat actors, and everything else around threat intelligence.
