How to convince a malware to avoid us?

Malware authors try to hide from malware analysts or security researchers with plenty of techniques. They can seriously make it hard to analyze their code or simply run the malware on automated tools for mass scale analysis. People are developing more and more tools, ideas about how to overcome all of these challenges. However there has been very little public research about how we could utilize this against the malware itself for our benefits.

The idea is very simple, let’s try to show the malware that it’s running on a researcher’s computer in order to hope that it will simply terminate itself and not infect the actual machine. The goal here is not to analyze the malicious code, but to protect computers from it. Of course this is not effective against every malware, but if we can eliminate even 1% of them with this, without developing signatures it’s already a success.

In my talk I will briefly go over the most popular techniques used by malware and I will show a couple of real world examples to those. After it I will present two simple proof of concept tools that I created, which will make the client’s computer to look like a malware researcher’s machine. One is a kernel driver, the other is a simple Windows application. These tools will focus on few of the initially presented methods. I will also talk about other ways these ideas could be implemented.

This was presented at Security Fest 2017.

Speakers: Csaba Fitzl

About Csaba Fitzl

Csaba Fitzl

Csaba graduated in 2006 as a computer engineer. He worked for 6 years as a network engineer, troubleshooting and designing big Cisco networks. After that he started to work as a blue teamer, focusing on network forensics, malware analysis and kernel exploitation. Currentl he works in a red team, where he spends most of his time simulating adversary techniques and doing pentents. He gave talks / workshops on various international IT security conferences, including Hacktivity, hack.lu, hek.si, SecurityFest, DEFCON and BSidesBUD. He currently holds OSWP / OSCP / OSCE / OSEE certifications. He is the author of the 'kex' kernel exploitation Python toolkit.

 
Get all relevant information and news regarding Security Fest, when we release recordings of talks, etc.