Botnet milking: malware freshly served from the source

Presented at VB2015, Sept. 30, 2015, 4 p.m. (30 minutes).

Malware authors are constantly updating their creations to avoid file detection and C&C blacklisting. It is therefore important to have high-quality sources of fresh malware samples, so that we can determine whether any manual tweaks to the automatic malware analysis and information extraction systems are required. In this paper, we will show how we are using an anti-virus cloud to feed a mostly self-sustaining botnet-tracking system, resulting in brand new malicious URLs and samples for blacklisting and detection. We will discuss some challenges of our in-house solutions for automated debugger-based dumping, extraction and decryption of botnet configurations, and the implementation of reverse-engineered protocols to use the gathered knowledge against the botnets.

Presenters:

  • Moritz Kroll - Avira
    Moritz Kroll has been a software developer and researcher at Avira since 2009. He mainly works on generic detection of Windows PE malware and botnet tracking. He was awarded a Diploma degree in computer science from the Technical University of Karlsruhe in Germany. In his spare time he works on tools to ease analysis of malware samples and searches for the holy grail of x86 deobfuscation.
  • Philipp Wolf - Avira
    Philipp Wolf was born in Germany in 1981 and lives near Lake Constance. Philipp leads the special department 'Avira Protection Labs' at the EVP Protection Labs, which has more than 100 employees in various locations and time zones. His team's main responsibilities are to keep Avira's customers free from any malware and other unwanted software around the clock. Philipp has initiated projects in the anti-virus industry including the well-known applications MUTE and VIREX. His interests include sports such as snowboarding, sailing and boxing.
  • Jan-Eric Herting - Avira
    Jan-Eric Herting was born in Germany in 1982. He started to learn computer architectures and low-level programming with assembly language at the age of 10. He began working as a malware analyst at Avira in 2011. Currently he is working there as a software developer and researcher. His current focus is reverse engineering and unpacking of malware, as well as designing and building automated analysis systems. When he is not at work, he likes climbing, hiking and swimming, and spends time with his family and friends.
  • Ayoub Faouzi - Avira
    Ayoub Faouzi was born in Morocco in 1990. He is a software developer and researcher at Avira. His current focus is reverse engineering botnet protocols and banking threats. In his free time he likes to spend time with his family and to travel around the world.