Friday 2 October 09:30 - 10:00, Red room
Martin Korman (IBM Trusteer)
The Volatility Bot-Excavator: effective automation for executable file extraction. Made by and for security researchers.
Part of the work security researchers face when studying new malware or analysing suspicious executables is extracting the binary file together with its satellite injections and the strings the malware decrypts while it runs. This initial step is mostly manual, which can make it slow and incomplete.
Enter the Volatility Bot-Excavator. This is a tool developed by and for malware researchers, leveraging the Volatility Framework. This new automation tool cuts out all the guesswork and manual extraction from the binary extraction phase. Not only does it automatically extract the executable (exe), but it also fetches all new processes created in memory, code injections, strings, IP addresses and so on.
Beyond the obvious value of a complete extraction that is automated and produced in under one minute, the Bot-Excavator is effective against a wide variety of malware families and their respective loading techniques. It handles complex malware such as the banking trojans ZeuS, Cridex and Dyre just as easily as it extracts from simpler downloaders such as Upatre and Pony, or from targeted malware like Havex.
After the Bot-Excavator finishes the extraction, it can further automate the repair or preparation of the extracted elements for the next step in analysis. For example, it can repair the Portable Executable (PE) header, prepare the sample for static analysis in tools like IDA, run a YARA scan, and so on.
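As an added illustration of the PE header repair mentioned above (example code written for this page, not the Bot-Excavator's or Volatility's own implementation): an executable carved from process memory has its sections laid out at their virtual addresses, while the section headers still carry the file offsets (PointerToRawData, SizeOfRawData) from the original file on disk. Any tool that then parses the dump as a file reads the wrong bytes. The script below constructs a minimal PE32 image in memory layout with that mismatch, shows that a file-style read returns garbage, and rewrites each section header so the file offsets match the memory layout. The sample image, its section contents and all constants in `build_memory_dump` are constructed for the example.

```python
"""Realign section headers of a PE image carved from process memory.

Constructed example (not the Bot-Excavator's own code). A dump taken from a
running process keeps the in-memory layout: each section's bytes live at its
VirtualAddress, but the section headers still describe the on-disk layout
(PointerToRawData / SizeOfRawData). The fix rewrites each header so that
file-based parsers (disassemblers, YARA, pefile) read the right bytes.
"""
import struct

DOS_HEADER_SIZE = 0x40
COFF_FMT = "<HHIIIHH"          # Machine .. Characteristics (20 bytes)
SECTION_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER (40 bytes)
SECTION_SIZE = struct.calcsize(SECTION_FMT)


def _section_table_offset(image):
    """Return (offset of the first section header, number of sections)."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from(COFF_FMT, image, coff)
    return coff + struct.calcsize(COFF_FMT) + opt_size, nsections


def parse_sections(image):
    """Return a list of dicts describing each section header."""
    table, count = _section_table_offset(image)
    sections = []
    for i in range(count):
        fields = struct.unpack_from(SECTION_FMT, image, table + i * SECTION_SIZE)
        sections.append({
            "name": fields[0].rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": fields[1],
            "virtual_address": fields[2],
            "raw_size": fields[3],
            "raw_pointer": fields[4],
        })
    return sections


def realign_sections(image):
    """Return a copy of the image whose section headers describe the memory layout."""
    fixed = bytearray(image)
    table, count = _section_table_offset(fixed)
    for i in range(count):
        off = table + i * SECTION_SIZE
        fields = list(struct.unpack_from(SECTION_FMT, fixed, off))
        fields[3] = fields[1]   # SizeOfRawData    := VirtualSize
        fields[4] = fields[2]   # PointerToRawData := VirtualAddress
        struct.pack_into(SECTION_FMT, fixed, off, *fields)
    return bytes(fixed)


def read_section(image, name):
    """Read a section's bytes the way a file parser would: via PointerToRawData."""
    for s in parse_sections(image):
        if s["name"] == name:
            return image[s["raw_pointer"]:s["raw_pointer"] + s["raw_size"]]
    raise KeyError(name)


def build_memory_dump():
    """Construct a minimal PE32 image laid out as it would appear in memory."""
    text_data = b"\x55\x8b\xec\xc3"   # constructed .text bytes (push ebp; mov ebp, esp; ret)
    data_data = b"excavated\0"        # constructed .data bytes
    image = bytearray(0x3000)
    image[:2] = b"MZ"
    struct.pack_into("<I", image, 0x3C, DOS_HEADER_SIZE)              # e_lfanew
    image[DOS_HEADER_SIZE:DOS_HEADER_SIZE + 4] = b"PE\0\0"
    coff = DOS_HEADER_SIZE + 4
    opt_size = 0xE0                                                    # PE32 optional header
    struct.pack_into(COFF_FMT, image, coff, 0x14C, 2, 0, 0, 0, opt_size, 0x102)
    opt = coff + struct.calcsize(COFF_FMT)
    struct.pack_into("<H", image, opt, 0x10B)                          # Magic: PE32
    struct.pack_into("<I", image, opt + 16, 0x1000)                    # AddressOfEntryPoint
    struct.pack_into("<I", image, opt + 28, 0x400000)                  # ImageBase
    struct.pack_into("<I", image, opt + 32, 0x1000)                    # SectionAlignment
    struct.pack_into("<I", image, opt + 36, 0x200)                     # FileAlignment
    struct.pack_into("<I", image, opt + 56, len(image))                # SizeOfImage
    struct.pack_into("<I", image, opt + 60, 0x200)                     # SizeOfHeaders
    table = opt + opt_size
    # Headers keep the on-disk raw offsets (0x400, 0x600) while the bytes sit
    # at their virtual addresses (0x1000, 0x2000): that mismatch is the defect.
    struct.pack_into(SECTION_FMT, image, table,
                     b".text", len(text_data), 0x1000, 0x200, 0x400, 0, 0, 0, 0, 0x60000020)
    struct.pack_into(SECTION_FMT, image, table + SECTION_SIZE,
                     b".data", len(data_data), 0x2000, 0x200, 0x600, 0, 0, 0, 0, 0xC0000040)
    image[0x1000:0x1000 + len(text_data)] = text_data
    image[0x2000:0x2000 + len(data_data)] = data_data
    return bytes(image)


if __name__ == "__main__":
    dump = build_memory_dump()
    print("raw dump .data  :", read_section(dump, ".data")[:10])
    print("fixed dump .data:", read_section(realign_sections(dump), ".data"))
```

On the unrepaired dump, `read_section(dump, ".data")` returns 0x200 zero bytes from the old file offset; after `realign_sections` it returns the real section contents. Real dumps need the same treatment for ImageBase (when the module was relocated) and for import tables whose entries were overwritten by the loader, which this example does not cover.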
This session will be led by the sole developer of the Volatility Bot-Excavator tool.
Martin Korman is one of the top information security malware researchers at IBM Trusteer's Threats Group. Korman joined IBM Trusteer as part of the research team to investigate and reverse engineer new threats. He is a talented young developer who enjoys creating research tools and contributing to the information security community by sharing his methods and findings. Prior to joining IBM Trusteer, Korman spent five years of service in the IDF, for most of which he served as a NOC manager. He also worked as an incident response officer for the Israeli Air Force's SOC, focusing on malware and forensic analysis. In his free time, you will find Martin reading technical information security literature or playing electric guitar. Martin speaks Spanish, English and Hebrew.