Friday 6 October 14:30 - 15:00, Red room
Sujit Magar (Symantec)
Prachi Jhanwar (Symantec)
Nitin Shekokar (Symantec)
Writing a loadpoint entry (an autostart location) is an integral part of installing almost every malicious payload: it lets the payload launch every time the system boots. Yet loadpoint entries are not used as standalone detection entities. Anti-virus software only cleans them up when the associated file is detected, either by a static scan or on the basis of its behaviour.
At Symantec, we researched the possibility of using loadpoint entries, or what we call loadpoint trigrams, as standalone detection entities. We identified unique loadpoint trigrams from internal telemetry collected over a predefined period, studied their associations with ground-truth good and bad files, low-confidence good and bad files and unknown files, and took their prevalence and age into account; this allowed us to validate the idea. Even in its most restricted form, with the response gated on the confidence of the trigram's disposition, the technology can be used to block an attack, prompt the user, or silently submit files and associated telemetry for backend validation. In this paper we present the research performed and the results obtained, which validated the idea and led us to apply for a patent on this new malware detection technique. We also present results from trials on live telemetry: the TP and FP ratios and the overall effectiveness of the system.
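The abstract does not define how a loadpoint trigram is formed or how prevalence, age and file dispositions are combined into a confidence. The toy scorer below is an added example written for this page, not Symantec's implementation or patented method. It assumes a trigram is the triple (loadpoint location, entry name, normalised image path), that each telemetry record carries the disposition of the launched file (GT_GOOD/GT_BAD for ground truth, LC_GOOD/LC_BAD for low confidence, UNKNOWN), and that the weights, the 30-day maturity window, the prevalence floor and the action thresholds are illustrative numbers. The telemetry is constructed, not real data.

```python
"""Toy loadpoint-trigram scorer (added example, not Symantec's code).

Assumed model: trigram = (loadpoint location, entry name, normalised image path);
weights, MATURITY_DAYS, MIN_PREVALENCE and the thresholds are illustrative.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

Trigram = Tuple[str, str, str]

# How strongly one telemetry record pulls a trigram towards bad (+) or good (-).
WEIGHTS = {"GT_BAD": 1.0, "LC_BAD": 0.5, "UNKNOWN": 0.0, "LC_GOOD": -0.5, "GT_GOOD": -1.0}
MATURITY_DAYS = 30      # trigrams younger than this have their confidence discounted
MIN_PREVALENCE = 3      # fewer observations than this also discount confidence
BLOCK_AT, PROMPT_AT = 0.9, 0.6


@dataclass(frozen=True)
class Record:
    location: str      # e.g. HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    name: str          # registry value name
    image: str         # raw command line stored in the value
    disposition: str   # disposition of the launched file, one of the WEIGHTS keys
    age_days: int      # days since this observation was made


@dataclass(frozen=True)
class Verdict:
    disposition: str   # BAD, GOOD or UNKNOWN
    confidence: float  # 0.0 .. 1.0
    prevalence: int
    age_days: int


def normalise_image(raw: str) -> str:
    """Lower-case, drop arguments and collapse per-user profile directories."""
    s = raw.strip().lower()
    if s.startswith('"'):
        s = s[1:].split('"', 1)[0]      # quoted path: drop everything after the closing quote
    else:
        idx = s.find(".exe")
        if idx != -1:
            s = s[: idx + 4]            # unquoted path: keep up to the extension
    return re.sub(r"^c:\\users\\[^\\]+\\", r"c:\\users\\*\\", s)


def make_trigram(rec: Record) -> Trigram:
    return (rec.location.lower(), rec.name.lower(), normalise_image(rec.image))


def score_trigrams(records: List[Record]) -> Dict[Trigram, Verdict]:
    grouped: Dict[Trigram, List[Record]] = defaultdict(list)
    for rec in records:
        grouped[make_trigram(rec)].append(rec)
    verdicts = {}
    for trigram, recs in grouped.items():
        bad = sum(WEIGHTS[r.disposition] for r in recs if WEIGHTS[r.disposition] > 0)
        good = -sum(WEIGHTS[r.disposition] for r in recs if WEIGHTS[r.disposition] < 0)
        prevalence, age = len(recs), max(r.age_days for r in recs)
        if bad + good == 0:                          # only UNKNOWN files behind this entry
            verdicts[trigram] = Verdict("UNKNOWN", 0.0, prevalence, age)
            continue
        lean = (bad - good) / (bad + good)           # -1 (all good) .. +1 (all bad)
        maturity = min(1.0, age / MATURITY_DAYS)     # honour age
        support = min(1.0, prevalence / MIN_PREVALENCE)  # honour prevalence
        disposition = "BAD" if lean > 0 else "GOOD" if lean < 0 else "UNKNOWN"
        verdicts[trigram] = Verdict(disposition, abs(lean) * maturity * support, prevalence, age)
    return verdicts


def decide(v: Verdict) -> str:
    """Map a verdict to the client-side responses the abstract describes."""
    if v.disposition == "BAD":
        if v.confidence >= BLOCK_AT:
            return "BLOCK"
        if v.confidence >= PROMPT_AT:
            return "PROMPT"
        return "SUBMIT"
    if v.disposition == "GOOD" and v.confidence >= PROMPT_AT:
        return "ALLOW"
    return "SUBMIT"        # weak or contradictory evidence: let the backend validate


RUN = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
RUNONCE = r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce"


def _many(n, location, name, image, disposition, age):
    return [Record(location, name, image, disposition, age) for _ in range(n)]


# Constructed telemetry for the example; not real data.
SAMPLE_TELEMETRY = (
    _many(4, RUN, "WindowsUpdater", r"C:\Users\alice\AppData\Roaming\svchost.exe", "GT_BAD", 45)
    + _many(1, RUN, "WindowsUpdater", r"C:\Users\bob\AppData\Roaming\svchost.exe", "LC_BAD", 40)
    + _many(1, RUN, "WindowsUpdater", r"C:\Users\carol\AppData\Roaming\svchost.exe", "UNKNOWN", 2)
    + _many(6, RUN, "OneDrive", r'"C:\Users\dave\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background', "GT_GOOD", 200)
    + _many(7, RUN, "Updater", r"C:\ProgramData\update\upd.exe -s", "GT_BAD", 60)
    + _many(1, RUN, "Updater", r"C:\ProgramData\update\upd.exe -s", "GT_GOOD", 60)
    + _many(1, RUNONCE, "Setup", r"C:\Users\erin\Downloads\invoice.exe", "LC_BAD", 2)
    + _many(1, RUNONCE, "Setup", r"C:\Users\frank\Downloads\invoice.exe", "UNKNOWN", 1)
)


def actions_for(records: List[Record]) -> Dict[str, str]:
    """Return {entry name: action} for every trigram seen in the telemetry."""
    return {trigram[1]: decide(v) for trigram, v in score_trigrams(records).items()}


if __name__ == "__main__":
    for name, action in actions_for(SAMPLE_TELEMETRY).items():
        print(f"{name:16} {action}")
```

Collapsing the per-user profile directory is what lets the three "WindowsUpdater" observations from different machines count as one trigram with prevalence 6; the young, rarely seen "Setup" entry leans bad but is only submitted for backend validation because both its age and prevalence discount the confidence.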