Wednesday 5 October 16:00 - 16:30, Red room
Omer Yair (IBM)
Or Safran (IBM)
While malware families frequently change their behaviour – in terms of persistence, malicious code injection techniques, the makeup of the configuration file, and of course, the encryption schemes – malware rarely updates its internal communications method.
One of the preferred and most popular methods of internal malware communications is leveraging Named Pipes. In this talk, we will dive into that area to reveal the critical information that fuels malware and keeps its operators in control.
Furthermore, we will present a new tool.
When it comes to the domain of malware's internal communications, there may be a handful of dynamic analysis tools available for researchers to use, but we were not able to find one that allowed us to reliably sniff communication from Named Pipes. Nonetheless, we achieved our goal by developing our own specialized Named Pipes sniffing tool. We will present this tool to the audience, explain its inner workings, and share it with the research community.
What we will share with participants in this technical lecture are applicable, valuable, real-world use cases that they will recognize from their own work. For example:
This talk will benefit any participant who is tasked with researching malware as part of their daily routine, as well as participants interested in the overall subject of advanced reverse engineering.
Omer Yair has been a malware researcher at IBM Trusteer for the past two years, focusing on financial malware families. In the past he worked for six years at Algotec, developing medical imaging software, and for three years at the IDF's technology unit as a dev team lead. In his free time he revives historical photographic processes.
Or Safran has been a malware researcher at IBM Trusteer for two years and holds a Bachelor of Science degree in computer software engineering.