Blackhat Europe, State Of Malware: Family Ties
Ero and I will be in Barcelona presenting at Blackhat Europe 2010. Our talk is called State of
Malware: Family Ties. This talk focuses on malware families. We thought about interesting research we could do in the same vein as our last talk, State of Malware: Explosion of the Axis of Evil. We decided to look at malware families.
There’s a lot to gather from malware families, from a mass malware perspective looking at conficker, bagel, waldeac, storm worm, rustock, etc. Equally important is examining APT families. MANDIANT tracks over 20 different families. Each family means something different to us. When we see one family at a client site, we might immediately pull Indicators of Compromise (IOC) for other APT families that are closely related. If we find another group, we might quickly start figuring out what was exfiltrated because we know that group and its actors are solely there to move information out. A lot can be extracted from the families we track and that is why clustering malware into families from a targeted perspective is so important.
Ero and I wonder about a few things:
- Do mass malware families share enough common attributes across families? Example, does conficker share code with waledac? If so, is it enough so that we could consider them members of a sub family. Also maybe proving they were written by the same author(s) or group of authors.
- Do mass malware families share code amongst APT samples? Example, this could mean that we find samples of subseven that match some of our APT backdoors (again just an example).
These two questions alone are very interesting because the results could indicate some author of a mass malware sample is also authoring malware for targeted attacks.
But we didn’t stop there. We also wondered:
- Do rootkits from rootkit.com have very high similarities to rootkits found by MANDIANT and out in the wild?
- Do APT samples of family A share enough in common to be also classified as part of family B? We can draw a lot of interesting conclusions if this is the case.
These are all interesting questions, but we had a lot of disappointments when doing the research and some ah ha moments where we thought about theories and realized why some wouldn’t be true. We also had some finds that we were surprised with, specifically regarding APT. We’ll be sharing the results on April 14th at 4:45. It should be fun. Our talk has a lot of diagrams, a lot of IDA screen shots, and a great video that Ero made.
If you can’t make it to Barcelona, we will be posting our slides and a follow up blog post. Stay tuned! I also have recently updated the slides for Advanced Memory Forensics in Incident Response for Black Hat USA to include an APT case study and a ton of additional information on observing the behavior of malware in memory.