Botconf Author Listing

Manuel Blatt


Last known affiliation: Fraunhofer FKIE
Bio: Manuel Blatt works as a security researcher at Fraunhofer FKIE. In his master's thesis, he focused on malware families written in .NET and on obfuscation schemes enabled by the .NET framework. Manuel is also a primary contributor to MCRIT.
Date: 2023-04-13
MCRIT: The MinHash-based Code Relationship & Investigation Toolkit
Daniel Plohmann 🗣 | Daniel Enders | Manuel Blatt

Abstract

Ever since launching Malpedia [1] at Botconf 2017, we have continuously maintained and expanded our community-driven data set with the vision of exploring new ways to leverage it effectively for researching and defending against malware. A primary research scope for us has been working towards efficient one-to-many code similarity analysis. After almost 4 years of research and development, we now finally want to share our results. With this presentation, we publicly release MCRIT, the MinHash-based Code Relationship & Investigation Toolkit [2]. After a short overview of the underlying techniques and implementation, we explain in a series of practical examples how to apply MCRIT for the three primary use cases it has been geared towards so far:

  • Malware family and library code differentiation to accelerate triage and analysis
  • Isolation of unique family code to provide means for hunting towards their characteristics
  • Lead generation for discovering potentially unknown links between samples and families

External links: Project website | Github
TLP:CLEAR
Date: 2024-04-26
A Taxonomic Overview of Prevalent Malware Communication Strategies
Steffen Enders 🗣 | Daniel Plohmann 🗣 | Manuel Blatt

Abstract

The consistently large volume and diversity of malware poses a substantial threat to network security. In response, it is crucial to develop systematic strategies and countermeasures. This involves not only detecting and identifying malware (including its network activity) but also taking appropriate actions to mitigate its impact.

In the first section of our presentation, we present a taxonomy for malware C&C communication. This taxonomy is based on a 2006 Trend Micro report, which we extended to cover new developments in C&C mechanisms and to include more specific details about both the communication protocol used for message transfer and the malware's internal C&C protocol. Additionally, we have incorporated elements from other relevant research to create a more thorough and unified taxonomy. Overall, the taxonomy encompasses the following six aspects: C&C Model, Rally Mechanism, Communication Behavior, Carrier Communication Protocol, C&C Protocol, and Evasion Techniques.

In the second section, our focus shifts to evaluating the distribution of C&C mechanisms within the current malware landscape. We undertake a detailed analysis using both the Malpedia dataset and tracking sites such as MalwareBazaar. This part involves an in-depth discussion of currently prevalent malware families and their C&C communication, as classified by our taxonomy. The findings from this analysis provide insights into the characteristics of the methods presently used by threat actors.
