'Last-minute' presentations

16:20 - 16:40 Roel Schouwenberg Kaspersky Lab
16:40 - 17:00 Kurt Baumgartner PC Tools

16:20 - 16:40 Roel Schouwenberg. Targeted Banker malware on demand

Recently I had to do some research into a specific piece of banker malware. These days banker malware is extremely common. However, as the research progressed this targeted attack became more and more interesting.

In my presentation I will give an analysis of the malware package. It concerns a trojan with functionality such as spying on the URLs the user visits and downloading files on command. When the user visits an HTTPS site, the trojan downloads an HTTPS traffic logger that captures the HTTPS traffic and sends it to a specific server.

The trojan does this for a very specific reason: it allows the authors of the malicious code to more easily create malware dedicated to a single bank - the bank the infected machine visits. Truly 'malware on demand'.

By using this approach it also becomes a lot easier for the malware authors to create banker trojans that aren't stopped by two-factor authentication. To top it all off, the trojan also includes file infection functionality, which is becoming popular again these days.

Note: Certain details may be obfuscated due to confidentiality concerns.

16:40 - 17:00 Kurt Baumgartner. Storm - Malware 2.0 has arrived


The evidence of a major shift in the world of malware continues to build with the ongoing Storm threat. The distribution and development activity and the underlying behaviours displayed by this multi-layered threat lead us to declare that 'Malware 2.0' has indeed arrived. This threat and the characteristics it embodies are significant because it has arguably eclipsed any other threat in terms of volume, distribution activity and its constant state of change. The code is interesting, and the effort behind the malware is currently alive and kicking.

The best brief description of the Storm threat is 'constantly changing'. The social engineering in its messages, the sophisticated kernel-level code containing its code injection techniques and AV kill methods, its browser exploits and its various shellcode have all changed in multiple ways since the threat's inception. Even the binaries downloaded from its malicious web sites change with each and every victim's download - they are always repacked.

Also characterizing this threat is its use of 'the network as platform', its appropriation and sharing of exploit code and shellcode, its parasitic use of the user as contributor, its own perpetual beta, and a highly interactive and rich set of malicious deliverables.

In our presentation, we will examine how this threat embodies these characteristics by reversing multiple generations of its ever-changing binaries and web content, examining disassembly listings and monitored behaviour of both its kernel-level code and user-level threads, its old and new exploits served up in web content, its changing shellcode, and its social engineering. We'll provide details of its drivers' KeInsertQueueAPC injection technique alongside its placement of system hooks and memory writes from the kernel. We'll reverse its kernel-injected p2p threads, note its system component lockdown used to neutralize specific security tools, and describe its effective kernel-level AV termination techniques. We'll walk through the threat's server-side browser decision tree and how we reconstructed it. Finally, we'll decode its obfuscated web content and examine a couple of browser and plug-in vulnerabilities it targets based on its server-side decisions. We'll describe the shellcode's format and decode the newest 'proactive solution'-evading download-and-execute shellcode within, compile it and step through it in order to explain and display its stack manipulation and camouflaged return location techniques and their purpose. We'll compare it with the original Storm threat shellcode.

When compared to the older techniques of Malware 1.0, we see a whole new attitude behind the malware effort, and the crystallization of an ongoing major shift for malware in the wild.
