High Confidence Malware Attribution using the Rich Header

Presented at ShmooCon XV (2019), Jan. 19, 2019, 10 a.m. (60 minutes)

Attributing malware is a hard problem: there are many ways to mislead and misdirect attempts to tie a sample back to its authors. The Rich header, which Microsoft's linker writes into the PE files it produces but has never documented, can be a powerful tool in the analyst's toolbox. It records which Microsoft compiler and linker builds produced the object files linked into a binary, and how many objects each contributed. That information can identify the environment a piece of malware was built in and tie other, unknown samples to the same environment. We will present our research into how the header is generated, how it can be used to fingerprint build environments, and the metadata hash we developed to scale across large datasets and detect similar samples.
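As an added example (not the presenters' code or their metadata hash), the following Python locates a Rich header from its trailing "Rich" marker, recovers the XOR key, decodes the (product ID, build number, use count) entries, and recomputes the key the way the linker derives it so that a header edited after linking can be spotted. The layout and key algorithm are the ones recovered by the reverse-engineering community; the two fingerprint hashes, the sample entries and the synthetic PE bytes are this example's own constructs, and the product IDs and build numbers in them are placeholders rather than a real toolchain.

```python
# Added example for this page, not the presenters' code: parse, verify and
# fingerprint a PE Rich header. The layout and key algorithm are the ones
# recovered by reverse engineering; the fingerprints are this example's own.
import hashlib
import struct

DANS = 0x536E6144   # 'DanS' read as a little-endian DWORD
RICH = b'Rich'


def rol32(value, count):
    """32-bit rotate left; the linker uses it when deriving the key."""
    count &= 31
    value &= 0xFFFFFFFF
    return ((value << count) | (value >> (32 - count))) & 0xFFFFFFFF


def rich_key(prefix, entries):
    """Recompute the XOR key from the bytes preceding DanS (the DOS header
    and stub, minus the e_lfanew field) and the cleartext entries."""
    cksum = len(prefix)                       # seeded with the DanS offset
    for i, b in enumerate(prefix):
        if 0x3C <= i < 0x40:                  # e_lfanew is skipped
            continue
        cksum = (cksum + rol32(b, i)) & 0xFFFFFFFF
    for comp_id, count in entries:            # comp_id rotated by its use count
        cksum = (cksum + rol32(comp_id, count)) & 0xFFFFFFFF
    return cksum


def encode_rich_header(prefix, entries):
    """Lay the header out as the linker does: DanS, three zero DWORDs and
    the entries, all XORed with the key, then 'Rich' and the key in clear.
    Only used here to build constructed test input."""
    key = rich_key(prefix, entries)
    words = [DANS, 0, 0, 0]
    for comp_id, count in entries:
        words += [comp_id, count]
    encoded = b''.join(struct.pack('<I', w ^ key) for w in words)
    return encoded + RICH + struct.pack('<I', key)


def parse_rich_header(pe):
    """Decode the entries of a PE image's Rich header and check its key.
    Returns None when no well-formed header sits before the PE header."""
    if len(pe) < 0x40 or pe[:2] != b'MZ':
        return None
    e_lfanew = struct.unpack_from('<I', pe, 0x3C)[0]
    rich_off = pe.rfind(RICH, 0, e_lfanew)    # header lives in the DOS stub area
    if rich_off < 0 or rich_off % 4 or rich_off + 8 > len(pe):
        return None
    key = struct.unpack_from('<I', pe, rich_off + 4)[0]
    words, pos = [], rich_off - 4
    while pos >= 0:                           # walk back until DanS decodes
        word = struct.unpack_from('<I', pe, pos)[0] ^ key
        if word == DANS:
            break
        words.append(word)
        pos -= 4
    else:
        return None
    words.reverse()
    if len(words) < 3 or any(words[:3]) or len(words) % 2 == 0:
        return None                           # padding must be zero, entries paired
    pairs = [(words[i], words[i + 1]) for i in range(3, len(words), 2)]
    entries = [{'product_id': c >> 16, 'build': c & 0xFFFF, 'count': n}
               for c, n in pairs]
    return {'offset': pos, 'key': key,
            'key_valid': key == rich_key(pe[:pos], pairs),
            'entries': entries}


def build_env_fingerprint(entries):
    """Hash only (product_id, build): stable across different programs built
    with the same toolchain. The example's choice, not the talk's hash."""
    h = hashlib.sha256()
    for pid, build in sorted((e['product_id'], e['build']) for e in entries):
        h.update(struct.pack('<HH', pid, build))
    return h.hexdigest()


def sample_fingerprint(entries):
    """Hash (product_id, build, count) as well: groups samples whose object
    mix is identical, i.e. rebuilds of one project, not just one toolchain."""
    h = hashlib.sha256()
    for pid, build, n in sorted((e['product_id'], e['build'], e['count'])
                                for e in entries):
        h.update(struct.pack('<HHI', pid, build, n))
    return h.hexdigest()


# Constructed sample, not a real binary: product IDs and builds are placeholders.
SAMPLE_ENTRIES = [(0x00010000, 23), (0x01056B74, 9), (0x01026B74, 1)]


def make_sample_pe(entries=SAMPLE_ENTRIES):
    """64-byte DOS header, 64-byte zero stub, Rich header, PE signature."""
    rich_len = 16 + 8 * len(entries) + 8      # DanS+padding, entries, 'Rich'+key
    dos_header = bytearray(0x40)
    dos_header[:2] = b'MZ'
    struct.pack_into('<I', dos_header, 0x3C, 0x80 + rich_len)   # e_lfanew
    prefix = bytes(dos_header) + b'\x00' * 0x40
    return prefix + encode_rich_header(prefix, entries) + b'PE\x00\x00'
```

Run parse_rich_header() on the raw bytes of any PE file. A stored key that does not match the recomputation means the header was altered after linking, but because the algorithm is public a mismatch only catches careless edits: a deliberate forger can recompute the key, and the header can be stripped entirely, so it is one attribution signal to weigh alongside others rather than proof of origin. The two hashes show the trade-off the abstract alludes to: hashing product and build numbers alone clusters everything from one toolchain, while including the use counts narrows the cluster to near-identical builds.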


Presenters:

  • Seamus Burke
  • RJ Joyce
  • Kevin Bilzer

    RJ, Kevin, and Seamus are students at UMBC. All of them are highly involved in the computer security world, participating in a variety of competitions and conferences. All three are members of their school's national champion Collegiate Cyber Defense Competition team. Kevin is the president of the CyberDawgs, the school's security club; Seamus has spoken at DEF CON on his previous baseband research; RJ is a master's student whose focus is malware analysis and machine learning, and a two-time Shmooze-A-Student recipient.
