Wednesday 24 September 17:00 - 17:30, Green room.
Matias Porolli ESET
Pablo Ramos ESET
Throughout 2013, we saw a large number of malware samples in the CPL (Control Panel) file format in Latin America. Put simply, CPL files are DLL files that can be added as Control Panel applets to Microsoft Windows operating systems. What really makes them so attractive to cybercriminals is the fact that, unlike DLLs, CPL files can be executed simply by double-clicking on them. It seems that this fact has been noticed by Brazilian bad guys, as 92 per cent of CPL malware in Latin America comes from Brazil. Moreover, 81 per cent of the samples we have received are variants of the TrojanDownloader.Banload family, the second most prevalent threat in Brazil, so CPL malware is clearly becoming a big deal.
Firstly, this paper will introduce the structural aspects of CPL files and, specifically, CPL malware: how it works and how it is loaded into memory, the functions implemented, arguments and return values. Then it will show what we have learned from reverse engineering CPL malware in Brazil, Latin America and the rest of the world, regarding both the malware families and malware variants used.
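As an added illustration of the structural points above (not code from the paper or from any sample it analyses), this is the single entry point every CPL exports, CPlApplet, together with a model of the message sequence the Control Panel host sends after a double-click; the host loop, the message log and the non-Windows stand-in declarations are assumptions made here so the dispatch can be exercised outside Windows.

```c
/* Added example: the CPlApplet entry point and the host's message sequence.
 * On Windows this builds against <cpl.h>; elsewhere the minimal declarations
 * below stand in (constants match cpl.h) so the logic can run anywhere. */
#ifdef _WIN32
#include <windows.h>
#include <cpl.h>
#else
#include <stddef.h>
typedef void *HWND; typedef unsigned int UINT; typedef long LONG; typedef long LPARAM;
#define CALLBACK
#define CPL_INIT 1
#define CPL_GETCOUNT 2
#define CPL_INQUIRE 3
#define CPL_DBLCLK 5
#define CPL_STOP 6
#define CPL_EXIT 7
typedef struct { int idIcon; int idName; int idInfo; long lData; } CPLINFO;
#endif

#define MAX_LOG 16
static UINT g_msg_log[MAX_LOG];  /* messages received, in order (assumed, for inspection) */
static int  g_msg_count = 0;

/* The exported function of a CPL. Its return value depends on the message:
 * nonzero on CPL_INIT means "initialised", CPL_GETCOUNT returns the applet count.
 * Code placed in the CPL_INIT handler runs before any UI appears, which is why a
 * double-click is enough to execute a CPL and why analysts look there first. */
LONG CALLBACK CPlApplet(HWND hwndCPl, UINT uMsg, LPARAM lParam1, LPARAM lParam2)
{
    (void)hwndCPl;
    if (g_msg_count < MAX_LOG) g_msg_log[g_msg_count++] = uMsg;
    switch (uMsg) {
    case CPL_INIT:     return 1;          /* initialisation succeeded */
    case CPL_GETCOUNT: return 1;          /* this file holds one applet */
    case CPL_INQUIRE: {                   /* lParam1 = applet index, lParam2 = CPLINFO* */
        CPLINFO *info = (CPLINFO *)lParam2;
        info->idIcon = 0; info->idName = 0; info->idInfo = 0; info->lData = lParam1;
        return 0;
    }
    case CPL_DBLCLK:   return 0;          /* applet opened: the second code path */
    default:           return 0;          /* CPL_STOP, CPL_EXIT and anything else */
    }
}

/* Assumed model of what shell32's Control_RunDLL does when a .cpl is double-clicked:
 * INIT, GETCOUNT, then INQUIRE/DBLCLK/STOP per applet, then EXIT.
 * Returns the number of messages the applet received. */
int simulate_host_load(void)
{
    CPLINFO info;
    g_msg_count = 0;
    if (!CPlApplet(NULL, CPL_INIT, 0, 0)) return g_msg_count;
    LONG n = CPlApplet(NULL, CPL_GETCOUNT, 0, 0);
    for (LONG i = 0; i < n; i++) {
        CPlApplet(NULL, CPL_INQUIRE, i, (LPARAM)&info);
        CPlApplet(NULL, CPL_DBLCLK, i, info.lData);
        CPlApplet(NULL, CPL_STOP, i, info.lData);
    }
    CPlApplet(NULL, CPL_EXIT, 0, 0);
    return g_msg_count;
}
```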
Next, an analysis of particular samples is used to demonstrate the different attack vectors and to understand how easy and convenient it is for cybercriminals to use CPL malware. For this purpose, we analyse the difference between malicious DLL files and their CPL counterparts.
Finally, given that CPL files are not a new thing, we ask: Why is CPL malware so active right now? And why Brazil? A few theories will be discussed.