Speaking Dyreza protocol. Advantages of 'learning' a new language

Presented at VB2015, Oct. 1, 2015, 11 a.m. (30 minutes)

Most malware families are capable of evading detection and ensuring long persistence on the infected machines through their update mechanisms. However, if one is able to reverse engineer such a sample and simulate C&C communication, invaluable information can be obtained. First, this allows damages to be limited by providing near real-time detection, and second the malware's intent can be studied by gathering the configuration files that usually come on the same channel as the other payloads. In this paper, the steps needed to simulate malware traffic are analysed. The paper concentrates on dissecting the network communication, encryption and update mechanisms for one of the most active malware families in 2015, the Dyreza banker. Since the malware distribution is realised across many campaigns, the stages of impersonating various bots with various configurations at the same time, in an efficient and scalable way, are also discussed. Using the method described, important information was extracted, such as campaign ID, addresses of the C&C servers, additional modules that are not always downloaded during an update and, of course, the configuration file that contains all the targeted banks. Besides being ahead of the malware, this information helped us gain an insight into the way the botnet is coordinated and divided across different geographic regions.

Presenters:

• Cristina Vatamanu - Bitdefender
  Cristina Vatamanu Cristina Vatamanu graduated from the Faculty of Computer Science at the University of "Gheorghe Asachi" - Iasi and received a Master's degree in embedded computers from the same University. She has worked at Bitdefender for four years. Some of her responsibilities (and hobbies) are reverse engineering, exploits analysis and automated systems. @_CristinaV
• Alexandru Maximciuc - Bitdefender
  Alexandru Maximciuc Alexandru Maximciuc is passionate about reverse engineering, likes Perl and studied mathematics. He has been working at Bitdefender for eight years and he really likes fighting malware. @amaximciuc

Links:

• https://www.virusbulletin.com/conference/vb2015/abstracts/speaking-dyreza-protocol-advantages-learning-new-language
• https://www.virusbulletin.com/virusbulletin/2016/12/vb2015-paper-speaking-dyreza-protocol-advantages-learning-new-language/

Similar Presentations:

• VB2015 / Breaking the bank(er): automated configuration data extraction for banking malware
• 44CON 2016 / The Malware CAPE: Automated Extraction of Configuration and Payloads from Sophisticated Malware
• DerbyCon 3.0 All in the Family (2013) / The Malware Management Framework, a process you can use to find advanced malware. We found WinNTI with it!