Friday 6 October 14:30 - 15:00, Red room
Sujit Magar (Symantec)
Prachi Jhanwar (Symantec)
Nitin Shekokar (Symantec)
Deploying a loadpoint entry is an integral part of installation for every malicious payload. It enables the payload to launch and execute every time the system boots. However, the loadpoint entries are not used as standalone detection entities. Instead, they are only cleaned up by anti-virus software, if the associated files are detected, either in a static scan or based on their behaviour.
At Symantec, we researched the possibility of using loadpoint entries, or what we call loadpoint trigrams, as standalone detection entities. By identifying unique loadpoint trigrams from an internal telemetry collected over a predefined period and studying their associations with Ground Truth Good and Bad files, low confidence Good and Bad files and Unknown files, as well as honouring their prevalence and age, we were able to successfully validate the idea. Even in its most restricted form, based on the confidence for the disposition for the trigram, the technology could successfully be used to either block an attack, prompt the user, or silently submit files and associated telemetry for backend validations. As part of this paper, we will present the research performed and the results obtained that helped us validate the idea as well as apply for a patent for this new technique for detecting malware. We also plan to present the results from trials performed on the live telemetry, the TP and FP ratios, and the overall effectiveness of the system.
John Graham-Cumming (Cloudflare)
In February 2017, Cloudflare was revealed to have been leaking private information including HTTP headers, cookies and POST data…
Tyrus Kamau (Euclid Consultancy)
The cyber threats Kenya faces range from basic hacking such as website defacements, financial fraud, social media account…
Tiberius Axinte (Bitdefender)
This paper provides an in-depth analysis of the macOS version of the APT28 component known as XAgent. We will dissect the…