Over the past year, Trustwave’s SpiderLabs malware team has been continually reminded why we love our jobs – we get to play with malware. But not just any malware, no, we get to reverse engineer and analyze malware from targeted incident response cases. This opportunity allows us to see what criminals are doing at a very intimate level. I’m not saying we call them up and take them out to a romantic dinner. What I mean is that we get to see what actual criminals are doing at real businesses that have been compromised. In addition, these samples are often quite unknown, and in almost all cases, undetected by most antivirus solutions.
This presentation hopes to inform others about some of the more interesting malware samples we’ve seen in the past year. Techniques regarding what data is being targeted, how this data is extracted, exfiltrated, and in many cases, encrypted will be discussed. Overall trends regarding digital criminals will also be discussed, as it’s important to know how the ‘industry’ has evolved, and where it is heading in the foreseeable future.
In addition to taking an in-depth look at a number of malware samples, we’ll also discuss some of the pain-points we face on a daily basis. Unlike many other malicious samples, when you are dealing with a sample that was identified at a client, you often face a number of …restrictions. Many times a piece of malware may contain client-related data, whether that is a string containing the client’s name embedded in the binary, or an IP range that it is targeting. Often, simply releasing the sample to a third-party service such as VirusTotal will land you in a world of hurt, as you are essentially alerting the attackers that they’ve been caught. As such, our jobs are made slightly harder due to our isolated nature.
It is our hope to get around these nuances by ‘anonymizing’ the samples discussed. Client names will not be discussed, and the samples themselves may have things added, modified, or removed to “protect the innocent”. While this is a necessary evil, the overall core concepts to the samples will remain intact.