How to convince a malware to avoid us?

Malware authors use plenty of techniques to hide from malware analysts and security researchers. They can make it seriously hard to analyze their code, or simply to run the malware on automated tools for mass-scale analysis. People keep developing tools and ideas for overcoming all of these challenges. However, there has been very little public research on how we could turn this behaviour against the malware itself, for our own benefit.

The idea is very simple: let’s make the malware believe that it is running on a researcher’s computer, in the hope that it will simply terminate itself and not infect the actual machine. The goal here is not to analyze the malicious code, but to protect computers from it. Of course this is not effective against every malware, but if we can eliminate even 1% of samples this way, without developing signatures, it is already a success.

In my talk I will briefly go over the most popular techniques used by malware and show a couple of real-world examples of them. After that I will present two simple proof-of-concept tools that I created, which make the client’s computer look like a malware researcher’s machine. One is a kernel driver, the other is a simple Windows application. These tools focus on a few of the initially presented methods. I will also talk about other ways these ideas could be implemented.

This was presented at Security Fest 2017.

Speakers: Csaba Fitzl

About Csaba Fitzl


Csaba graduated in 2006 from the Budapest University of Technology and Economics as a computer engineer. He worked at Getronics as a Cisco support engineer for two years, and in 2008 he joined ExxonMobil, where he spent 4 years designing and supporting global networks. For the past four years he has been looking for information security breaches in the company’s network, and his areas of focus are network forensics and malware analysis. He currently holds several security certifications (OSWP, OSCP, OSCE, OSEE, GREM, GMOB, SISE).
