Botconf Author Listing

Ever since launching Malpedia [1] at Botconf 2017, we continuously maintained and expanded our community-driven data set with the vision of exploring new ways to leverage it effectively for the research of and defense against malware. A primary research scope for us was working towards enabling efficient one-to-many code similarity analysis. After almost 4 years of research and development, we now finally want to share our results. With this presentation, we will publicly release MCRIT, the MinHash-based Code Relationship & Investigation Toolkit [2]. After giving a short overview of the underlying techniques and implementation, we will explain in a series of practical examples how to apply MCRIT for the three primary use cases it has been geared towards so far:

• Malware family and library code differentiation to accelerate triage and analysis
• Isolation of unique family code to provide means for hunting towards their characteristics
• Lead generation for discovering potentially unknown links between samples and families

Composing YARA rules based on these feats requires a lot of experience and is typically done manually or at best tool-assisted, which still is a tedious and time-consuming process. In this presentation, we introduce YARA-Signator, an approach for the fully automated isolation of these characteristic code regions and the construction of YARA rules targeting them.

At last year’s Botconf, we have launched Malpedia [1], our community-driven approach to create a free and independent resource for rapid identification and actionable context when investigating malware. While only touching the surface of analysis possibilities last time (mostly surveying PE header characteristics), we want to take a deep dive in this talk, showing the results of more than two years of ongoing in-depth analysis efforts. This time, the focus will be set on the unpacked representatives of more than 700 families of Windows malware. 

In the first part of this presentation, we will investigate the usage patterns of the Windows API as exposed by malware. For this, we extend ApiScout [2] with a method to extract API usage fingerprints. We will demonstrate how this information can be used to reliably identify and characterize malware families and that this information seems to capture habits of their respective authors to some degree. 

In the second part, we will introduce SMDA [3], a minimalist recursive disassembler library that is optimized for accurate Control Flow Graph (CFG) recovery from memory dumps. SMDA’s output allows us to create a function index, which can be used to identify similar code. On the one hand, we can use this similarity information to recognize and measure how commonly 3rd party libraries are used in malware. On the other hand, we can also isolate the unique, characteristic code for families in order to derive detection signatures for them. 

[1] https://malpedia.caad.fkie.fraunhofer.de 
[2] https://github.com/danielplohmann/apiscout 
[3] https://github.com/danielplohmann/smda  

In this paper, we introduce Malpedia, our take on a collaborative platform for the curation of a coherent corpus of cleanly labeled, unpacked malware samples. Illustrating one of the use cases for this data set, we provide a comparative overview of structural characteristics for more than 300 families of Windows malware.

An observable trend in recent years of malware development is the increased use of Domain Generation Algorithms (DGAs). After having announced the project “DGArchive” in a lightning talk of last year’s Botconf, we would like to follow up with a full talk proposal for this year.
The core idea of DGArchive is to create a high-coverage database of DGA domains. On the one hand, this allows time-independent checks on potential DGA domains, on the other hand, blocklists can be derived for network protection.

Attacks with malicious software are an imminent risk. Malware developers not only unveil constantly new artistries in response to current detection schemes but also manifest a tendency to re-code and modify existing malware versions with regard to their behaviour and functionality. These malware variants may have similar functionality but pose substantial syntactic representation differences. In this regard, the use of calls to the Windows Application Programming Interface (API) can be used as guidance to determine the specimen’s functionality and its interaction with the operating system.
This work proposes an approach to automate the exploration of malicious Windows binaries. A set of semantics is used to match against a program’s control flow graph in order to derive the presence of malicious functionality and behaviour patterns, represented by typically employed Windows API call sequences. The publication is accompanied with the release of an IDA Pro plugin.

We will present a general-purpose laboratory for large-scale botnet experiments. We reveal how several key points have been implemented, e.g., realistic simulation of the Internet or total observability within the laboratory. As a case study, we demonstrate the feasibility of our approach in simulating a large-scale takedown of the Citadel botnet. Additionally, we will show a screencast of the Citadel takedown.

The consistently large volume and diversity of malware poses a substantial threat to network security. In response, it is crucial to develop systematic strategies and countermeasures. This involves not only detecting and identifying malware (networking) but also taking appropriate actions to mitigate its impact.

In the first section of our presentation, we present a taxonomy for malware C&C communication. This taxonomy is based on a 2006 Trend Micro report, which was improved to cover new developments of C&C mechanisms, but also to include more specific details about both the communication protocol for message transfer and the malware’s internal C&C protocol. Additionally, we have incorporated elements from other relevant research to create a more thorough and unified taxonomy. Overall, the taxonomy encompasses the following six aspects: C&C Model, Rally Mechanism, Communication Behavior, Carrier Communication Protocol, C&C Protocol, and Evasion Techniques.

In the second section, our focus shifts to evaluating the distribution of C&C mechanisms within the current malware landscape. We undertake a detailed analysis using both the Malpedia dataset, as well as tracking sites such as MalwareBazaar. This part will involve an in-depth discussion of currently prevalent malware families and their C&C communication, as classified by our taxonomy. The findings from this analysis will provide insights into the characteristics for methods presently used by threat actors.