Laura Guevara
Last known affiliation: Deutsche Telekom Security
Jens Frieß 🗣 | Laura Guevara 🗣
Abstract
The expansion, and specifically the growing sophistication, of botnets has brought with it an increased use of cryptography for safeguarding the communication channels between bots and their command-and-control instances. Asymmetric encryption (public-key cryptography) currently poses a major challenge for malware analysts, since understanding the communication protocol is a critical requirement in the analysis of botnets.
The goal of this short talk is to present a generic, fully automated method for tracking botnet communication protocols, together with a prototype implementation for recovering obfuscated network traffic. Our method arises from the need to constantly analyze highly active botnet families while sparing significant reverse engineering effort. The results show that our approach successfully captures changes in message structures by circumventing the encryption and interacting directly with the bots.
Laura Guevara 🗣 | Daniel Plohmann 🗣
Abstract
Attacks with malicious software are an imminent risk. Malware developers not only constantly unveil new artifices in response to current detection schemes, but also tend to re-code and modify existing malware versions with regard to their behaviour and functionality. Such malware variants may share similar functionality yet exhibit substantial differences in their syntactic representation. In this regard, calls to the Windows Application Programming Interface (API) can serve as guidance for determining a specimen's functionality and its interaction with the operating system.
This work proposes an approach to automate the exploration of malicious Windows binaries. A set of semantics is matched against a program's control flow graph in order to derive the presence of malicious functionality and behaviour patterns, represented by typically employed Windows API call sequences. The publication is accompanied by the release of an IDA Pro plugin.