DDoS trojan: a malicious concept that conquered the ELF format

Presented at VB2015, Sept. 30, 2015, 11:30 a.m. (30 minutes)

DDoS attacks have been with us since the Internet came to carry most global communication, and they pose the very real problem of denying access to online service providers. Recently, a new trend has emerged in non-*Windows* DDoS attacks, driven by the availability of source code, weak security on the target systems, and an abundance of exploitable resources. The attack infrastructure has changed significantly in structure, function and complexity. The malicious binaries have evolved into complex and relatively sophisticated pieces of code, employing compression, advanced encryption and even rootkit capabilities. Targeted machines run systems supporting the ELF format - anything from desktops and servers to IoT devices like routers or digital video recorders (DVRs) could be at risk. In this session, we will look at the current state of DDoS trojans forming covert botnets on unsuspecting systems. A technical analysis of the most important malware families will be provided, with a specific focus on infection methods, dynamic behaviour, C&C communication, obfuscation techniques, advanced methods of persistence and stealth, and elimination of rivals. We will be studying cybercriminals' behaviour and introducing their operation tools, including vulnerability scanners, brute-forcers, bot builders and C&C panels. In many cases, reverse engineering is unnecessary for the analysis: the original source code is indexed by public search engines, and its customization is itself monetized. Finally, we will introduce methods and techniques for tracking these botnets and will reveal the targets of their attacks.
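
As an added illustration (not part of the VB2015 abstract and not the presenters' tooling), the following Python script performs the first triage step a practitioner takes on a suspected ELF DDoS trojan: it reads the ELF header and program headers to report the target architecture and endianness, whether the binary is statically linked (self-contained, so it runs on any router or DVR of that CPU without a matching libc), and whether the section header table is absent, which is typical of stripped or packed samples. The two inputs are constructed byte strings with no real code behind them, not malware; `build_sample`, `parse_elf` and `triage` are names chosen for this example.

```python
"""Triage an ELF file's header: architecture, endianness, linkage, stripping."""
import struct
from dataclasses import dataclass

ELF_MAGIC = b"\x7fELF"
# e_machine values from the ELF specification. MIPS, ARM, PowerPC and SuperH
# are the CPUs found in routers and DVRs; x86/x86-64 in desktops and servers.
E_MACHINE = {0x02: "SPARC", 0x03: "x86", 0x08: "MIPS", 0x14: "PowerPC",
             0x28: "ARM", 0x2A: "SuperH", 0x3E: "x86-64", 0xB7: "AArch64"}
E_TYPE = {1: "relocatable", 2: "executable", 3: "shared-object", 4: "core"}
PT_LOAD, PT_DYNAMIC, PT_INTERP = 1, 2, 3
# ELF header fields after the 16-byte e_ident, for Elf32 and Elf64.
EHDR_FMT = {32: "HHIIIIIHHHHHH", 64: "HHIQQQIHHHHHH"}


@dataclass
class ElfSummary:
    bits: int
    endian: str
    machine: str
    etype: str
    entry: int
    static: bool        # no PT_INTERP/PT_DYNAMIC: needs no loader or shared libc
    no_sections: bool   # e_shnum == 0: section table removed (stripped or packed)
    truncated: bool     # program header table runs past the end of the file


def parse_elf(data: bytes) -> ElfSummary:
    """Parse e_ident, the ELF header and the program header types."""
    if len(data) < 52 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    cls, enc = data[4], data[5]          # EI_CLASS, EI_DATA
    if cls not in (1, 2) or enc not in (1, 2):
        raise ValueError("invalid EI_CLASS/EI_DATA")
    bits = 32 if cls == 1 else 64
    bo = "<" if enc == 1 else ">"        # explicit byte order also disables padding
    fmt = bo + EHDR_FMT[bits]
    if len(data) < 16 + struct.calcsize(fmt):
        raise ValueError("truncated ELF header")
    (e_type, e_machine, _ver, e_entry, e_phoff, _shoff, _flags, _ehsize,
     e_phentsize, e_phnum, _shentsize, e_shnum, _shstrndx) = struct.unpack_from(fmt, data, 16)
    ptypes, truncated = [], False
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + 4 > len(data):          # p_type is the first 4 bytes of both Elf32 and Elf64 phdrs
            truncated = True
            break
        ptypes.append(struct.unpack_from(bo + "I", data, off)[0])
    return ElfSummary(
        bits=bits,
        endian="little" if enc == 1 else "big",
        machine=E_MACHINE.get(e_machine, f"unknown(0x{e_machine:x})"),
        etype=E_TYPE.get(e_type, f"unknown({e_type})"),
        entry=e_entry,
        static=PT_INTERP not in ptypes and PT_DYNAMIC not in ptypes,
        no_sections=e_shnum == 0,
        truncated=truncated,
    )


def build_sample(bits: int, big_endian: bool, machine: int, ptypes: list, sections: bool) -> bytes:
    """Constructed test input: a valid ELF header plus program headers, no code. Not a real binary."""
    bo = ">" if big_endian else "<"
    ident = ELF_MAGIC + bytes([1 if bits == 32 else 2, 2 if big_endian else 1, 1, 0]) + b"\0" * 8
    ehsize, phentsize, shentsize = (52, 32, 40) if bits == 32 else (64, 56, 64)
    shoff = ehsize + phentsize * len(ptypes) if sections else 0
    hdr = struct.pack(bo + EHDR_FMT[bits], 2, machine, 1, 0x400000, ehsize, shoff, 0,
                      ehsize, phentsize, len(ptypes), shentsize, 1 if sections else 0, 0)
    if bits == 32:
        phdrs = b"".join(struct.pack(bo + "IIIIIIII", t, 0, 0, 0, 0, 0, 5, 4) for t in ptypes)
    else:
        phdrs = b"".join(struct.pack(bo + "IIQQQQQQ", t, 5, 0, 0, 0, 0, 0, 8) for t in ptypes)
    return ident + hdr + phdrs + (b"\0" * shentsize if sections else b"")


# Constructed samples: a static big-endian MIPS executable with no section headers
# (the profile of a packed router/DVR bot) and a dynamically linked x86-64 executable.
MIPS_BOT = build_sample(32, True, 0x08, [PT_LOAD, PT_LOAD], sections=False)
X64_DYNAMIC = build_sample(64, False, 0x3E, [PT_INTERP, PT_LOAD, PT_DYNAMIC], sections=True)


def triage(data: bytes) -> list:
    """Return the flags an analyst would act on for one file."""
    s = parse_elf(data)
    flags = [f"{s.bits}-bit {s.endian}-endian {s.machine} {s.etype}"]
    if s.static:
        flags.append("statically linked")
    if s.no_sections:
        flags.append("no section headers (stripped/packed)")
    if s.truncated:
        flags.append("program header table truncated")
    return flags


if __name__ == "__main__":
    for name, blob in (("mips_bot", MIPS_BOT), ("x64_dynamic", X64_DYNAMIC)):
        print(name, "->", "; ".join(triage(blob)))
```

Running the script on a directory of samples pulled from a honeypot is the quick way to sort them by architecture before spending time in a disassembler; a static, section-less MIPS or ARM executable is the profile to expect from the bots the talk describes, while a dynamically linked x86-64 file is more likely a tool meant for the attacker's own server.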

Presenters:

  • Peter Kálnai - Avast Software
    Peter Kálnai is a malware researcher and analyst at the Virus Lab of Avast Software. His main responsibilities are reverse engineering of Windows, Linux and OS X executables, especially those connected with mainstream cyber threats. He has experience with developing weak automated anti-malware heuristics for Windows PEs and Android packages. As a speaker he has attended international conferences such as Virus Bulletin, RSA Conference, CARO Workshop and Botconf. Currently, he is a Ph.D. student in mathematics at Charles University in Prague. In his free time he enjoys playing table football and watching stand-up comedians. @pkalnai
  • Jaromir Horejsi - Avast Software
    Jaromir Horejsi is a malware researcher and analyst at the anti-virus company AVAST Software. His main specialization is reverse engineering and analysis of malicious PE files under the Windows platform. He is interested in malware internals - how it is packed/crypted, how it is installed on a computer, how it protects itself from being analysed, etc. With the growth of mobile malware, his interest also extends to reverse engineering of mobile applications. He is a prolific blogger and in the past he has presented his research at several IT security conferences, including RSAC, Virus Bulletin, AVAR and Botconf. @JaromirHorejsi