Botconf Author Listing

Werner Haas

Last known affiliation: Cyberus Technology GmbH
Bio: Werner Haas spent 15+ years of his professional career as digital design engineer. After leaving Intel he co-founded Cyberus Technology where he is responsible for its research activities, in particular with respect to VMI technology. He was also involved in research around transient execution vulnerabilities that led to the Meltdown/Spectre discovery.
Date: 2022-04-27
How to Eavesdrop on Winnti in a Live Environment Using Virtual Machine Introspection (VMI)
Philipp Barthel 🗣 | Sebastian Eydam 🗣 | Werner Haas | Sebastian Manns

Abstract (click to view)

This paper explains how we used VMI to detect an infection with the remote access trojan Winnti, specifically version 3.0, and how to extract and decrypt its communication data with its C&C servers. It should be seen as proof of concept work as we did not use an actual attacker-controlled machine for our experiments. Instead, we simulated real traffic, thus making the malware believe it was connected to a genuine C&C server. We used Virtual Machine Introspection accessed physical memory through the hypervisor. This allowed us to spy on the malware in a manner where even the operating system is unaware about the fact that it is being virtualized. Therefore an attacker would not know that an analyst is monitoring every step. The centerpiece of our approach is a method to extract and decrypt the communication data from in- and output parameters of systemcalls used by the malware, which is explained in detail along the way.

Slides Icon
Scroll to Top