How to convince a malware to avoid us?

Malware authors use plenty of techniques to hide from malware analysts and security researchers. These can make it seriously hard to analyze their code, or even just to run the malware on automated tools for mass-scale analysis. People keep developing more and more tools and ideas for overcoming these challenges. However, there has been very little public research on how we could turn this against the malware itself, for our own benefit.

The idea is very simple: let's try to show the malware that it is running on a researcher's computer, in the hope that it will simply terminate itself and not infect the actual machine. The goal here is not to analyze the malicious code but to protect computers from it. Of course this is not effective against every malware family, but if we can eliminate even 1% of them this way, without developing signatures, it is already a success.

In my talk I will briefly go over the most popular techniques used by malware and show a couple of real-world examples of those. After that I will present two simple proof-of-concept tools that I created, which make the client's computer look like a malware researcher's machine. One is a kernel driver, the other is a simple Windows application. These tools focus on a few of the initially presented methods. I will also talk about other ways these ideas could be implemented.
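To make the idea concrete, below is an added example (written for this page, not code from the talk or its proof-of-concept tools) that models both sides: the artifact checks an evasive sample typically performs (analysis-tool process names, hypervisor driver files and registry keys, virtual NIC MAC prefixes) and the decoy artifacts a defender would plant so those checks succeed on an ordinary workstation. The indicator lists, the `HostSnapshot` model and the constructed `VICTIM` host are assumptions chosen for illustration; the abstract does not say which specific checks the driver and the Windows application target.

```python
"""
Added example: model of malware anti-analysis checks and of defender-planted decoys.
Indicator names are commonly cited analysis/VM artifacts, chosen for illustration;
the talk does not list which checks its tools emulate.
"""
from dataclasses import dataclass

# Artifacts evasive samples frequently look for (illustrative, not exhaustive).
ANALYSIS_PROCESSES = {
    "wireshark.exe", "procmon.exe", "procexp.exe", "x64dbg.exe",
    "ollydbg.exe", "idaq.exe", "vboxservice.exe", "vmtoolsd.exe",
}
ANALYSIS_FILES = {
    r"C:\Windows\System32\drivers\VBoxMouse.sys",
    r"C:\Windows\System32\drivers\vmhgfs.sys",
}
ANALYSIS_REGISTRY = {
    r"HKLM\SOFTWARE\VMware, Inc.\VMware Tools",
    r"HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions",
}
# OUI prefixes of VMware and VirtualBox virtual NICs.
VM_MAC_PREFIXES = {"00:05:69", "00:0c:29", "00:50:56", "08:00:27"}


@dataclass(frozen=True)
class HostSnapshot:
    """What a sample can observe on the host (assumed model, not a real API)."""
    processes: frozenset = frozenset()
    files: frozenset = frozenset()
    registry_keys: frozenset = frozenset()
    mac_addresses: frozenset = frozenset()


def _norm(items):
    return {s.lower() for s in items}


def analysis_indicators(snap: HostSnapshot) -> dict:
    """Attacker side: run the usual checks and report what was found, by category."""
    found = {
        "process": sorted(_norm(snap.processes) & ANALYSIS_PROCESSES),
        "file": sorted(_norm(snap.files) & _norm(ANALYSIS_FILES)),
        "registry": sorted(_norm(snap.registry_keys) & _norm(ANALYSIS_REGISTRY)),
        "mac": sorted(m.lower() for m in snap.mac_addresses
                      if m.lower()[:8] in VM_MAC_PREFIXES),
    }
    return {k: v for k, v in found.items() if v}


def looks_like_analysis_box(snap: HostSnapshot) -> bool:
    return bool(analysis_indicators(snap))


def malware_decision(snap: HostSnapshot) -> str:
    """What an evasive sample modelled here would do on this host."""
    return "terminate" if looks_like_analysis_box(snap) else "infect"


# Defender side: decoys that satisfy one check from each category the sample probes.
DECOYS = HostSnapshot(
    processes=frozenset({"vmtoolsd.exe", "procmon.exe"}),
    files=frozenset({r"C:\Windows\System32\drivers\vmhgfs.sys"}),
    registry_keys=frozenset({r"HKLM\SOFTWARE\VMware, Inc.\VMware Tools"}),
)


def plant_decoys(snap: HostSnapshot, decoys: HostSnapshot = DECOYS) -> HostSnapshot:
    """The host as the sample sees it after the decoy artifacts have been planted."""
    return HostSnapshot(
        processes=snap.processes | decoys.processes,
        files=snap.files | decoys.files,
        registry_keys=snap.registry_keys | decoys.registry_keys,
        mac_addresses=snap.mac_addresses | decoys.mac_addresses,
    )


# Constructed sample: an ordinary workstation with no analysis tooling or hypervisor.
VICTIM = HostSnapshot(
    processes=frozenset({"explorer.exe", "outlook.exe", "chrome.exe"}),
    files=frozenset({r"C:\Windows\System32\drivers\ndis.sys"}),
    registry_keys=frozenset({r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion"}),
    mac_addresses=frozenset({"3c:52:82:aa:bb:cc"}),
)

if __name__ == "__main__":
    print("clean host:  ", malware_decision(VICTIM), analysis_indicators(VICTIM))
    decoyed = plant_decoys(VICTIM)
    print("with decoys: ", malware_decision(decoyed), analysis_indicators(decoyed))
```

On a real host the decoys would be live objects rather than set entries: dummy processes with those names, empty driver files, and the registry keys created by a user-mode tool, or the same view faked at a lower level by a kernel driver. Two caveats a practitioner should weigh before deploying such decoys: legitimate software with its own VM or debugger detection (licensing, anti-cheat, some DRM) may also refuse to run, and a sample that specifically targets virtualized infrastructure will treat the same artifacts as a green light rather than a stop sign.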

Presented at Security Fest 2017.

Speaker: Csaba Fitzl

About Csaba Fitzl

Csaba Fitzl graduated in 2006 as a computer engineer. He worked for 6 years as a network engineer, troubleshooting and designing large networks. After that, he worked for 8 years as a blue and red teamer focusing on network forensics, malware analysis, adversary simulation, and defense bypasses. Currently, he is working as a content developer at Offensive Security. He has given talks and workshops at various international IT security conferences, including Hacktivity, hack.lu, Troopers, SecurityFest, DEFCON, BlackHat and Objective By The Sea. Csaba spends his free time with his family, and runs or hikes in the mountains.
