Friday 2 October 12:00 - 12:30, Green room
Artturi Lehtiö (F-Secure Corporation)
A secure, reliable and undetectable method of communicating with and controlling malware is essential for modern malware operations. But designing, implementing and maintaining your own communication infrastructure isn't an easy task. Coincidentally, malware operators aren't the only ones interested in secure and reliable communication. Popular web services also want to provide their customers with a secure and reliable service. Add to that the fact that popular web services generate large amounts of indistinguishable web traffic to blend into, and it starts to sound irresistible. Unsurprisingly, then, recent years have seen a growing trend among malware operators of abusing third-party web services such as Twitter, Facebook and Gmail as command and control channels.
This paper explores the multitude of ways in which modern malware abuses third-party web services as command and control channels. Through real-life examples, from common cybercrime to targeted nation-state espionage, the paper provides a comprehensive overview of both the methods employed by malware and the web services most commonly abused. It further analyses the benefits and disadvantages that malware operators gain when they abuse third-party web services as command and control channels. Finally, it examines the challenges that such methods pose to the detection and prevention of malware.
Artturi Lehtiö, born in Finland, began his computer science studies at Aalto University in 2010 and is currently finishing his Bachelor of Science degree. He has been employed by Finnish security company F-Secure since 2014 where he currently works as a researcher focusing primarily on threat intelligence, threat hunting and reverse engineering. When not at work, he can often be found performing newer French horn music with the Retuperä Voluntary Fire Brigade Band.