Catching the silent whisper: understanding the Derusbi family tree

Presented at VB2015, Oct. 2, 2015, 11:30 a.m. (30 minutes)

From the theft of sensitive information from *Mitsubishi Heavy Industries* in 2011 to the *Anthem* data breach disclosed in February 2015, the Derusbi malware family has been a key tool in these espionage campaigns. After gaining entry to a targeted company by exploiting a newly discovered vulnerability, the attackers drop a Derusbi sample onto the compromised computer to establish a well-hidden 'gateway' into the organization. Its sophistication and its uncommon malicious behaviour contributed to its covert presence and kept it out of sight of many AV companies. As an illustration, our records show that many vendors did not begin detecting one Derusbi variant until it had been circulating among vendors for about half a year. In this presentation, instead of profiling the malware authors, we focus mainly on the technical side of analysing the Derusbi malware family and on how it has evolved over the years to stay under the radar of most AV vendors.

Presenters:

  • Eric Leung - Fortinet
    Eric Leung is an anti-virus analyst and a member of the Malware and Vulnerability Research Team (MVRT) at Fortinet Inc. He holds a Bachelor's degree in electronics engineering and applied mathematics. His research interests include botnets, exploits and vulnerabilities.
  • Micky Pun - Fortinet
    Micky Pun is a Security Researcher at Fortinet Canada. She received her Bachelor's degree in computer engineering from Simon Fraser University in 2010. After graduation, she worked as a malware analyst at Fortinet for three years. She later took on the role of Malware Researcher in the Malware and Vulnerability Research Team (MVRT) and focuses on software development related to threat detection. Micky has presented research papers at Virus Bulletin (VB) conferences on several occasions and has published articles in VB Magazine. Her research interests include generic malicious characteristic extraction, botnets, APT and vulnerability research.
  • Neo Tan - Fortinet
    Neo Tan is the Manager of the MVRT team at Fortinet Inc. He is both an experienced software developer and a senior malware reverse-engineer. His research interests include exploits, custom packers, botnets, cryptography and machine learning.
