Thursday 1 October 11:00 - 11:30, Red room
Alexandru Maximciuc (Bitdefender)
Cristina Vatamanu (Bitdefender)
Most malware families are capable of evading detection and ensuring long persistence on the infected machines through their update mechanisms. However, if one is able to reverse engineer such a sample and simulate C&C communication, invaluable information can be obtained. First, this allows damages to be limited by providing near real-time detection, and second the malware's intent can be studied by gathering the configuration files that usually come on the same channel as the other payloads.
In this paper, the steps needed to simulate malware traffic are analysed. The paper concentrates on dissecting the network communication, encryption and update mechanisms of one of the most active malware families of 2015, the Dyreza banker. Since the malware is distributed across many campaigns, the stages of impersonating various bots with various configurations at the same time, in an efficient and scalable way, are also discussed. Using the method described, important information was extracted, such as the campaign ID, the addresses of the C&C servers, additional modules that are not always downloaded during an update and, of course, the configuration file that lists all the targeted banks. Besides keeping us ahead of the malware, this information gave us an insight into the way the botnet is coordinated and divided across different geographic regions.
Alexandru Maximciuc is passionate about reverse engineering, likes Perl and studied mathematics. He has been working at Bitdefender for eight years and he really likes fighting malware.
Cristina Vatamanu graduated from the Faculty of Computer Science at the "Gheorghe Asachi" University of Iasi and received a Master's degree in embedded computers from the same university. She has worked at Bitdefender for four years. Some of her responsibilities (and hobbies) are reverse engineering, exploit analysis and automated systems.