Michał Praszmo
Last known affiliation: CERT Polska / NASK
Bio: Michał Praszmo – security engineer at CERT.PL. Reverse engineer by trade, pwner by heart.
Paweł Srokosz 🗣 | Michał Praszmo 🗣
Abstract:
Responding to incidents as the Polish national CERT, we very often come across attackers using proxies and/or VPNs to hide their identity. While distinguishing well-known IP sources such as NordVPN or Tor has become pretty straightforward, residential proxies are often overlooked and, due to their nature, are much harder to recognize properly. This challenge has become especially important lately, as a particular threat actor started utilizing several residential proxy providers to hide behind normal Internet users and conduct false-flag operations.
In this talk, we’ll describe how we have approached this problem, what we managed to achieve and what we are still struggling with.
Michał Praszmo 🗣 | Paweł Srokosz 🗣 | Paweł Pawliński 🗣
Abstract:
During almost a decade of malware analysis experience at cert.pl, we have tried many different approaches. Most of them failed, but we have learned a lot about what works and what does not. Finally, after several years of development, we have publicly released a bunch of projects that we are proud of: a complete open-source malware repository and analysis platform.
The workshop will provide a practical, hands-on introduction to all aspects of the platform:
mwdb: community-based online service for analysis and sharing of malware samples. The service is freely available to white-hat researchers and provides fully automated malware extraction and botnet tracking.
mwdb-core: self-hosted repository of samples and all kinds of technical information related to malware configurations.
karton: microservice framework for highly scalable and fault-resistant malware analysis workflows. We will explain the installation and configuration quickly and spend the rest of the time on adapting workflows to the karton framework.
malduck: our library for malware extraction and analysis. We will explain how to use it effectively and how to create your own modules.
All components are already available on our GitHub page.