Following a Trail of Confusion: Identifying and Defeating Modern Malware Code Obfuscation

Presented at ToorCon San Diego 20 (2018), Sept. 15, 2018, noon (50 minutes)

Modern malware uses a wide variety of code obfuscation techniques to hide its true intentions and to avoid detection. In this talk, we'll explore the latest in native code obfuscation techniques as well as a few techniques commonly used with interpreted languages. We will spend time discussing such methods as dynamically constructing import tables, hiding and using shellcode, packing, string obfuscation, use of virtual machines and other anti-analysis techniques. We'll dig deep into the techniques by examining a wide variety of malware, including samples used by nation-states. By the end of this talk you'll have a technical understanding of how they work and how to defeat them!

Talking points:

- This talk will discuss modern code obfuscation techniques, which affect anyone involved with the analysis of malware
- We will explore a variety of prevalent techniques in both native code and interpreted languages
- Detailed technical analysis will be provided for each technique, along with effective strategies for defeating that particular technique
- Real-world malware along with malware used by nation-states will be used for demonstrative purposes
- String obfuscation, dynamic import table construction, use of shellcode, packing, use of virtual machines (i.e. bytecode) and other anti-analysis techniques will be discussed
- The goal is to shed light on these techniques and contribute to the body of knowledge, making detection, analysis and mitigation easier for security researchers
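String obfuscation is the first of the listed techniques most analysts meet, and the simplest form is a single-byte XOR over NUL-terminated strings (often the library and API names a sample later resolves by hand instead of through its import table). The script below is an added example written for this page, not material from the talk or its author: it brute-forces all 256 keys over a constructed blob and ranks the decodings. The key 0x5A, the sample plaintext and the token list in `EXPECTED_TOKENS` are all assumptions made for the demonstration.

```python
import string

# Bytes an analyst accepts inside a recovered C string: printable ASCII plus the NUL terminator.
ACCEPTABLE = set(string.printable.encode("ascii")) | {0}
LETTERS = set(string.ascii_letters.encode("ascii"))

# Tokens that commonly appear in the plaintext strings of Windows malware.
# Assumption: a starting list that an analyst extends per sample.
EXPECTED_TOKENS = [b".dll", b".exe", b"kernel32", b"LoadLibrary", b"GetProcAddress", b"http"]


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key; the same operation encodes and decodes."""
    return bytes(b ^ key for b in data)


def acceptable_ratio(data: bytes) -> float:
    """Fraction of bytes that look like text or a string terminator."""
    if not data:
        return 0.0
    return sum(1 for b in data if b in ACCEPTABLE) / len(data)


def score(plain: bytes) -> int:
    """Rank a decoding by expected-token hits first, ASCII letter count second.

    Printability alone is a weak signal: an XOR-encoded blob can itself be
    largely printable, so several wrong keys may pass the ratio filter.
    """
    hits = sum(1 for tok in EXPECTED_TOKENS if tok in plain)
    letters = sum(1 for b in plain if b in LETTERS)
    return hits * 1000 + letters


def recover_xor_strings(blob: bytes, min_ratio: float = 0.9) -> list[tuple[int, list[bytes]]]:
    """Try all 256 keys and return (key, NUL-split strings) pairs, best candidate first."""
    ranked = []
    for key in range(256):
        plain = xor_bytes(blob, key)
        if acceptable_ratio(plain) < min_ratio:
            continue  # decodes to mostly non-text bytes; drop it
        ranked.append((score(plain), key, plain))
    ranked.sort(key=lambda t: (-t[0], t[1]))
    return [(key, [s for s in plain.split(b"\0") if s]) for _, key, plain in ranked]


# Constructed sample: three NUL-terminated names encoded with a single-byte key (assumed 0x5A).
SAMPLE_KEY = 0x5A
SAMPLE_BLOB = xor_bytes(b"kernel32.dll\0LoadLibraryA\0GetProcAddress\0", SAMPLE_KEY)


def best_candidate(blob: bytes = SAMPLE_BLOB) -> tuple[int, list[bytes]]:
    """Convenience wrapper returning the top-ranked (key, strings) pair."""
    return recover_xor_strings(blob)[0]


if __name__ == "__main__":
    key, strings = best_candidate()
    print(f"key=0x{key:02x}", [s.decode("ascii") for s in strings])
```

Running the script recovers key 0x5A and the three names. The design point worth keeping is the two-stage ranking: the printability filter only discards obvious non-text, while the decision rests on tokens the analyst expects to see, because a fully printable decoding is not by itself evidence of the right key.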


  • Josh Stroschein
    Josh Stroschein is an Assistant Professor in Cyber Operations in the Beacom college. He holds a DSc in Cyber Security from Dakota State University. Josh has spoken about reverse engineering/malware analysis at top security conferences and has also been a trainer in application security, malware analysis and software exploitation at Black Hat USA, DerbyCon and Hack-in-the-Box.

