Diving into Malware’s Furtive Plumbing

Wednesday 5 October 16:00 - 16:30, Red room

Omer Yair (IBM)
Or Safran (IBM)

While malware families frequently change their behaviour – in terms of persistency, malicious code injection techniques, the makeup of the configuration file, and of course, the encryption schemes  malware rarely updates its internal communications method.

One of the preferred and most popular methods of internal malware communications is leveraging Named Pipes. In this talk, we will dive into that area to reveal the critical information that fuels malware and keeps its operators in control.

Furthermore, we will present a new tool.

When it comes to the domain of malware's internal communications, there may be a handful of dynamic analysis tools available for researchers to use, but we were not able to find one that allowed us to reliably sniff communication from Named Pipes. Nonetheless, we achieved our goal by developing our own specialized Named Pipes sniffing tool. We will present this tool to the audience, explain its inner workings, and share it with the research community.

What we will share with participants in this technical lecture are applicable, valuable real-world use cases that they will recognize from their own work. For example:

  • How we obtained decrypted configuration from Dyre's encrypted files. The method worked from the early days of Dyre all the way until it vanished.
  • The mechanism used by Gozi to remove itself from compromised machines (to hide evidence), which can now be used to safely remove Gozi using a single pipe command!
  • How to find Shylock's executable location and run key by asking for it over its Named Pipe. The same Pipe can also be used to fetch its web-injections.
  • How Ramnit uses various modules for specific tasks (web-injections, VNC, etc.). We were able to get the list of currently running modules by sniffing Ramnit's Named Pipe communication.
  • We'll also show a buffer overflow in Dyre's pipe communication mechanism, which allowed us to remove Dyre from the memory of infected processes without rebooting the machine.

This talk will benefit any participant who is tasked with researching malware as part of their daily routine, as well as participants interested in the overall subject of advanced reverse engineering.

Click here for more details about the conference.


Omer Yair

Omer Yair has been malware researcher at IBM Trusteer for the past two years, focusing on financial malware families. In the past he has worked for six years at Algotec, developing medical imaging software, and at IDF's technology unit for three years as dev team lead. In his free time he revives historical photographic processes.


Or Safran

Or Safran has been a malware researcher at IBM Trusteer for two years and holds a Bachelor of Science degree in computer software engineering.


We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.