Paweł Srokosz
Last known affiliation: CERT Polska / NASK
Bio: Paweł Srokosz – security researcher at CERT.PL, constantly digging for fire and doing reverse engineering of ransomware and botnet malware. Core developer of the MWDB Core and Karton projects. Spends his free time playing CTFs as a member of the p4 team.
Paweł Srokosz 🗣 | Michał Praszmo 🗣
Abstract
Responding to incidents as the Polish national CERT, we very often come across attackers using proxies and/or VPNs to hide their identity. While distinguishing well-known IP sources such as NordVPN or TOR has become pretty straightforward, residential proxies are often overlooked and, due to their nature, are much harder to recognize properly. This challenge has become especially important lately, since a particular threat actor started utilizing several residential proxy providers to hide behind normal Internet users and conduct false flag operations.
In this talk, we’ll describe how we have approached this problem, what we managed to achieve and what we are still struggling with.
Michał Praszmo 🗣 | Paweł Srokosz 🗣 | Paweł Pawliński 🗣
Abstract
During almost a decade of malware analysis experience at cert.pl, we have tried many different approaches. Most of them failed, but we have learned a lot about what works and what does not. Finally, after several years of development, we publicly released a set of projects that we are proud of: a complete open-source malware repository and analysis platform.
The workshop will provide a practical, hands-on introduction to all aspects of the platform:
mwdb: community-based online service for analysis and sharing of malware samples. The service is freely available to white-hat researchers and provides fully automated malware extraction and botnet tracking.
mwdb core: self-hosted repository of samples and all kinds of technical information related to malware configurations.
karton: microservice framework for highly scalable and fault-tolerant malware analysis workflows. We will explain the installation and configuration quickly and spend the rest of the time on adapting workflows to the karton framework.
malduck: our library for malware extraction and analysis. We will explain how to use it effectively and how to create your own modules.
All components are already available on our GitHub page.
Jarosław Jedynak 🗣 | Paweł Srokosz 🗣
Abstract
Botnets are a curious thing for malware researchers. Although we’re constantly trying to shut them down and stop the responsible people, we’re also focusing a lot of attention on studying and analysing their inner workings in order to learn more about how they operate.
The best strategy for getting information from a botnet is tricking it into sending everything to us on its own. In this talk we’ll describe our latest project, which does exactly that. We are reverse-engineering communication protocols, re-implementing them in Python and impersonating real bots. This way, we can get fresh information (malware, spam, URLs) directly from a C&C, process it automatically, and react appropriately.
We want to share our insights from a year of tracking, compare our approach with more black-box solutions (hint: there are advantages and disadvantages), and discuss some challenges and our solutions to them. Although we won’t focus on specific malware protocols, we’ll mention them in passing.