DDoS trojan: a malicious concept that conquered the ELF format

Wednesday 30 September 11:30 - 12:00, Green room

Peter Kalnai (Avast Software)
Jaromir Horejsi (Avast Software)

  download slides (PDF)

DDoS threats have been out there since the Internet took over half of global communication, posing the real problem of denial of access to online service providers. Recently, a new trend emerged in non-Windows DDoS attacks that was induced by code availability, lack of security, and an abundance of resources. The attack infrastructure has undergone significant structural, functional and complexity changes. Malicious aspects have evolved into complex and relatively sophisticated pieces of code, employing compression, advanced encryption and even rootkit capabilities. Targeted machines run systems supporting the ELF format - anything from desktops and servers to IoT devices like routers or digital video recorders (DVRs) could be at risk.

In this session, we will look at the current state of DDoS trojans forming covert botnets on unsuspecting systems. A technical analysis of the most important malware families will be provided, with a specific focus on infection methods, dynamic behaviour, C&C communication, obfuscation techniques, advanced methods of persistence and stealth, and elimination of rivals. We will be studying cybercriminals' behaviour and introducing their operation tools, including vulnerability scanners, brute-forcers, bot builders and C&C panels. In many cases, it's unnecessary to apply reverse engineering within the analysis - the original source codes are indexed in public search engines and their customization is a subject of monetization. Finally, we will introduce tracking methods and techniques and will reveal the targets of these attacks.

Click here for more details about the conference.

Peter Kalnai

Peter Kalnai

Peter Kalnai is a malware researcher and analyst at the Virus Lab of Avast Software. His main responsibilities are reverse engineering of Windows, Linux and OS X executables especially connected with mainstream cyber threats. He has experience with developing weak automated anti-malware heuristics for Windows PEs and Android packages. As a speaker he has attended international conferences like Virus Bulletin, RSA Conference, CARO Workshop and Botconf. Currently, he is a Ph.D. student in mathematics at Charles University in Prague. In his free time he enjoys playing table football and watching stand-up comedians.


Jaromir Horejsi

Jaromir Horejsi

Jaromir Horejsi is a malware researcher and analyst at anti-virus company AVAST Software. His main specialization is reverse engineering and analysis of malicious PE files under the Windows platform. He is interested in malware internals - how it is packed/crypted, how it is installed into computer, how it protects itself from being analysed, etc. With the growth of mobile malware, his interest also focuses on reverse engineering of mobile applications. He is a prolific blogger and in the past he has presented his research at several IT security conferences, including RSAC, Virus Bulletin, AVAR and Botconf.



We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.