Fuzzing Malware for Fun & Profit: Applying Coverage-Guided Fuzzing to Find and Exploit Bugs in Modern Malware

Presented at BSidesSF 2019, March 4, 2019, 1:30 p.m. (30 minutes)

Practice shows that even the most secure software written by the best engineers contains bugs, and malware is no exception. In most cases malware authors do not follow secure software development practices, which opens up an interesting attack scenario: their bugs can be used to stop or slow down the spread of malware, defend against DDoS attacks, and take control of C&Cs and botnets. Several previous research efforts by the security community have demonstrated that such bugs exist and can be easily exploited. A reasonable way to find them is coverage-guided fuzzing, which numerous studies have shown to be the most effective technique for automatically finding bugs in closed-source software. This talk aims to answer the following two questions: Can we defend against malware by exploiting bugs in it? How can we use fuzzing to find those bugs automatically? The speaker will show how coverage-guided fuzzing can be applied to automatically find bugs in sophisticated malicious samples such as the Mirai botnet, which was used to conduct one of the most destructive DDoS attacks in history, and various banking trojans. A new cross-platform tool implemented on top of WinAFL (called netAFL) will be released, and a set of 0-day vulnerabilities will be presented along with several exploitation demos. Do you want to see how a small addition to an HTTP response can stop a large-scale DDoS attack, or how smart bit-flipping can cause RCE in a sophisticated banking trojan? If the answer is yes, this is definitely your talk.

Presenters:

  • Maksim Shudrak
    Maksim Shudrak is an Offensive Security Researcher with a PhD, focusing on vulnerability hunting in open-source and proprietary software. Prior to this, Maksim worked on malware analysis and on developing advanced solutions for detecting highly evasive malware. Maksim has had the chance to present his work at DEF CON, Virus Bulletin, Positive Hack Days, and BSides. His research interests include fuzzing, vulnerability hunting, reverse engineering, and malware analysis. Maksim is the author of several useful security tools such as drltrace and drAFL. He is a contributor to the DynamoRIO and winAFL projects.
