Daniel Plohmann
Last known affiliation: Fraunhofer FKIE
Bio: Daniel Plohmann works as a senior researcher for Fraunhofer FKIE, taking apart malware families and botnet instances. In his PhD research, he focused on automation and improving the efficiency of reverse engineering as an instrument for in-depth analysis. Apart from being a mentor and thesis advisor for computer-security-related topics at the University of Bonn, he regularly gives presentations and workshops on malware analysis and botnet infiltration. He also loves to put his experience to good use by supporting law enforcement as a subject matter expert.
Daniel Plohmann 🗣 | Daniel Enders | Manuel Blatt
Abstract
Ever since launching Malpedia [1] at Botconf 2017, we have continuously maintained and expanded our community-driven data set with the vision of exploring new ways to leverage it effectively for research on, and defense against, malware. A primary research scope for us was working towards enabling efficient one-to-many code similarity analysis. After almost 4 years of research and development, we now finally want to share our results. With this presentation, we will publicly release MCRIT, the MinHash-based Code Relationship & Investigation Toolkit [2]. After giving a short overview of the underlying techniques and implementation, we will explain in a series of practical examples how to apply MCRIT for the three primary use cases it has been geared towards so far:
- Malware family and library code differentiation to accelerate triage and analysis
- Isolation of unique family code to provide means for hunting towards their characteristics
- Lead generation for discovering potentially unknown links between samples and families
Felix Bilstein 🗣 | Daniel Plohmann 🗣
Abstract
Composing YARA rules based on these feats requires a lot of experience and is typically done manually or, at best, tool-assisted, which is still a tedious and time-consuming process. In this presentation, we introduce YARA-Signator, an approach for the fully automated isolation of these characteristic code regions and the construction of YARA rules targeting them.
Daniel Plohmann 🗣 | Steffen Enders | Elmar Padilla
Abstract
At last year’s Botconf, we launched Malpedia [1], our community-driven approach to creating a free and independent resource for rapid identification and actionable context when investigating malware. While we only touched the surface of the analysis possibilities last time (mostly surveying PE header characteristics), in this talk we want to take a deep dive, showing the results of more than two years of ongoing in-depth analysis efforts. This time, the focus is on the unpacked representatives of more than 700 families of Windows malware.
In the first part of this presentation, we will investigate the usage patterns of the Windows API as exposed by malware. For this, we extend ApiScout [2] with a method to extract API usage fingerprints. We will demonstrate how this information can be used to reliably identify and characterize malware families and that this information seems to capture habits of their respective authors to some degree.
In the second part, we will introduce SMDA [3], a minimalist recursive disassembler library that is optimized for accurate Control Flow Graph (CFG) recovery from memory dumps. SMDA’s output allows us to create a function index, which can be used to identify similar code. On the one hand, we can use this similarity information to recognize and measure how commonly 3rd party libraries are used in malware. On the other hand, we can also isolate the unique, characteristic code for families in order to derive detection signatures for them.
[1] https://malpedia.caad.fkie.fraunhofer.de
[2] https://github.com/danielplohmann/apiscout
[3] https://github.com/danielplohmann/smda
Daniel Plohmann 🗣 | Martin Clauß | Steffen Enders | Elmar Padilla
Abstract
In this paper, we introduce Malpedia, our take on a collaborative platform for the curation of a coherent corpus of cleanly labeled, unpacked malware samples. Illustrating one of the use cases for this data set, we provide a comparative overview of structural characteristics for more than 300 families of Windows malware.
Daniel Plohmann 🗣
Abstract
An observable trend in malware development in recent years is the increased use of Domain Generation Algorithms (DGAs). After having announced the project “DGArchive” in a lightning talk at last year’s Botconf, we would like to follow up with a full talk proposal for this year.
The core idea of DGArchive is to create a high-coverage database of DGA domains. On the one hand, this allows time-independent checks on potential DGA domains, on the other hand, blocklists can be derived for network protection.
Laura Guevara 🗣 | Daniel Plohmann 🗣
Abstract
Attacks with malicious software are an imminent risk. Malware developers not only constantly unveil new artistries in response to current detection schemes but also manifest a tendency to re-code and modify existing malware versions with regard to their behaviour and functionality. These malware variants may have similar functionality but exhibit substantial differences in their syntactic representation. In this regard, calls to the Windows Application Programming Interface (API) can serve as guidance to determine a specimen’s functionality and its interaction with the operating system.
This work proposes an approach to automate the exploration of malicious Windows binaries. A set of semantics is matched against a program’s control flow graph in order to derive the presence of malicious functionality and behaviour patterns, represented by typically employed Windows API call sequences. The publication is accompanied by the release of an IDA Pro plugin.
Thomas Barabosch 🗣 | Sebastian Eschweiler 🗣 | Mohammad Qasem | Daniel Panteleit | Daniel Plohmann | Elmar Padilla
Abstract
We will present a general-purpose laboratory for large-scale botnet experiments. We reveal how several key points have been implemented, e.g., realistic simulation of the Internet or total observability within the laboratory. As a case study, we demonstrate the feasibility of our approach in simulating a large-scale takedown of the Citadel botnet. Additionally, we will show a screencast of the Citadel takedown.
Steffen Enders 🗣 | Daniel Plohmann 🗣 | Manuel Blatt
Abstract
The consistently large volume and diversity of malware poses a substantial threat to network security. In response, it is crucial to develop systematic strategies and countermeasures. This involves not only detecting and identifying malware (networking) but also taking appropriate actions to mitigate its impact.
In the first section of our presentation, we present a taxonomy for malware C&C communication. This taxonomy is based on a 2006 Trend Micro report, which was improved to cover new developments of C&C mechanisms, but also to include more specific details about both the communication protocol for message transfer and the malware’s internal C&C protocol. Additionally, we have incorporated elements from other relevant research to create a more thorough and unified taxonomy. Overall, the taxonomy encompasses the following six aspects: C&C Model, Rally Mechanism, Communication Behavior, Carrier Communication Protocol, C&C Protocol, and Evasion Techniques.
In the second section, our focus shifts to evaluating the distribution of C&C mechanisms within the current malware landscape. We undertake a detailed analysis using both the Malpedia dataset and tracking sites such as MalwareBazaar. This part will involve an in-depth discussion of currently prevalent malware families and their C&C communication, as classified by our taxonomy. The findings from this analysis will provide insights into the characteristics of the methods presently used by threat actors.