Botconf Author Listing

At last year’s Botconf, we have launched Malpedia [1], our community-driven approach to create a free and independent resource for rapid identification and actionable context when investigating malware. While only touching the surface of analysis possibilities last time (mostly surveying PE header characteristics), we want to take a deep dive in this talk, showing the results of more than two years of ongoing in-depth analysis efforts. This time, the focus will be set on the unpacked representatives of more than 700 families of Windows malware. 

In the first part of this presentation, we will investigate the usage patterns of the Windows API as exposed by malware. For this, we extend ApiScout [2] with a method to extract API usage fingerprints. We will demonstrate how this information can be used to reliably identify and characterize malware families and that this information seems to capture habits of their respective authors to some degree. 

In the second part, we will introduce SMDA [3], a minimalist recursive disassembler library that is optimized for accurate Control Flow Graph (CFG) recovery from memory dumps. SMDA’s output allows us to create a function index, which can be used to identify similar code. On the one hand, we can use this similarity information to recognize and measure how commonly 3rd party libraries are used in malware. On the other hand, we can also isolate the unique, characteristic code for families in order to derive detection signatures for them. 

[1] https://malpedia.caad.fkie.fraunhofer.de 
[2] https://github.com/danielplohmann/apiscout 
[3] https://github.com/danielplohmann/smda  

In this paper, we introduce Malpedia, our take on a collaborative platform for the curation of a coherent corpus of cleanly labeled, unpacked malware samples. Illustrating one of the use cases for this data set, we provide a comparative overview of structural characteristics for more than 300 families of Windows malware.

The consistently large volume and diversity of malware poses a substantial threat to network security. In response, it is crucial to develop systematic strategies and countermeasures. This involves not only detecting and identifying malware (networking) but also taking appropriate actions to mitigate its impact.

In the first section of our presentation, we present a taxonomy for malware C&C communication. This taxonomy is based on a 2006 Trend Micro report, which was improved to cover new developments of C&C mechanisms, but also to include more specific details about both the communication protocol for message transfer and the malware’s internal C&C protocol. Additionally, we have incorporated elements from other relevant research to create a more thorough and unified taxonomy. Overall, the taxonomy encompasses the following six aspects: C&C Model, Rally Mechanism, Communication Behavior, Carrier Communication Protocol, C&C Protocol, and Evasion Techniques.

In the second section, our focus shifts to evaluating the distribution of C&C mechanisms within the current malware landscape. We undertake a detailed analysis using both the Malpedia dataset, as well as tracking sites such as MalwareBazaar. This part will involve an in-depth discussion of currently prevalent malware families and their C&C communication, as classified by our taxonomy. The findings from this analysis will provide insights into the characteristics for methods presently used by threat actors.