In early 2014 Kaspersky Lab reported on an extremely advanced malware sample, Careto, that was used in a sophisticated espionage campaign (http://bit.ly/1bl4L0e). As with many samples seen in these types of campaigns (Stuxnet, Duqu, etc.), Careto went undetected for a long period of time, even on systems with updated AV and HIPS products installed. In this presentation I will show how memory forensics, which analyzes the state of a system without relying on any built-in APIs, can be used to detect such malware either on the running system or during offline analysis. During the presentation, the open-source Volatility memory forensics framework will be used to demonstrate how to detect Careto's most advanced techniques, including stealthy DLL injection, process hollowing, and kernel hooking. The presentation will also briefly touch on how enterprises can use memory forensics for the proactive detection of unknown malware samples.
October 22, 2014 | Tech 2 (801a) | 10:15 – 11:15
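The abstract names two of the user-mode techniques the talk covers, injected code and process hollowing, and the reason memory forensics catches them: the analyst reads kernel structures (the VAD tree, the PEB) from the image instead of asking APIs that the malware may have hooked. The block below is an added example, not code from the presentation or from the Volatility project. It models the two checks over constructed VAD and PEB records so it runs without a memory image; the record fields, sample processes and addresses are assumptions made for illustration.

```python
# Added example, not code from the presentation or from the Volatility project.
# It models two memory-forensics checks the abstract names (injected code and
# process hollowing) over constructed VAD/PEB records, so it runs without a
# memory image. Field names and sample data are assumptions for illustration.
from dataclasses import dataclass
from typing import Dict, List, Optional

PAGE_EXECUTE_READWRITE = "PAGE_EXECUTE_READWRITE"
PAGE_EXECUTE_WRITECOPY = "PAGE_EXECUTE_WRITECOPY"   # normal for mapped images


@dataclass
class Vad:
    """One entry of a process's Virtual Address Descriptor tree (constructed)."""
    start: int
    end: int
    protection: str
    private: bool                 # private allocation (VirtualAlloc) vs. section mapping
    file_name: Optional[str]      # backing file for image/section mappings, else None
    head: bytes = b""             # first bytes of the region as read from the image


@dataclass
class Process:
    """Process as reconstructed from EPROCESS/PEB, not from a Windows API (constructed)."""
    pid: int
    name: str
    image_path: str               # PEB->ProcessParameters.ImagePathName
    image_base: int               # PEB->ImageBaseAddress
    vads: List[Vad]


def vad_containing(proc: Process, addr: int) -> Optional[Vad]:
    for v in proc.vads:
        if v.start <= addr <= v.end:
            return v
    return None


def find_injected_regions(proc: Process) -> List[Vad]:
    """malfind-style heuristic: private, RWX, not file-backed, and holding a PE
    header or non-zero content. Legitimate JIT regions can trip this, so a hit
    is a lead to dump and inspect, not a verdict."""
    hits = []
    for v in proc.vads:
        if v.private and v.file_name is None and v.protection == PAGE_EXECUTE_READWRITE:
            if v.head.startswith(b"MZ") or any(v.head):
                hits.append(v)
    return hits


def hollowing_indicators(proc: Process) -> List[str]:
    """Cross-check the PEB's view of the main image against the VAD tree.
    Hollowing unmaps the image and re-allocates private memory at the same base,
    so the region at ImageBaseAddress stops matching the file the PEB still claims."""
    reasons = []
    v = vad_containing(proc, proc.image_base)
    if v is None:
        return ["no VAD covers PEB.ImageBaseAddress"]
    if v.file_name is None:
        reasons.append("region at image base is not file-backed")
    elif v.file_name.lower() != proc.image_path.lower():
        reasons.append(f"image base backed by {v.file_name}, PEB reports {proc.image_path}")
    if v.protection == PAGE_EXECUTE_READWRITE:
        reasons.append("region at image base is RWX (mapped images are WRITECOPY)")
    if v.head and not v.head.startswith(b"MZ"):
        reasons.append("no PE header at image base")
    return reasons


def scan(processes: List[Process]) -> Dict[int, Dict[str, list]]:
    """Return only the processes with findings, keyed by PID."""
    report = {}
    for p in processes:
        inj = find_injected_regions(p)
        hol = hollowing_indicators(p)
        if inj or hol:
            report[p.pid] = {"injected": [hex(v.start) for v in inj], "hollowing": hol}
    return report


# Constructed sample data: a clean process, one with an injected DLL, one hollowed.
WINDIR = r"C:\Windows"
PE_HEAD = b"MZ\x90\x00"
CLEAN = Process(404, "svchost.exe", WINDIR + r"\System32\svchost.exe", 0x400000, [
    Vad(0x400000, 0x40FFFF, PAGE_EXECUTE_WRITECOPY, False, WINDIR + r"\System32\svchost.exe", PE_HEAD),
    Vad(0x7FF00000, 0x7FF0FFFF, "PAGE_READWRITE", True, None, b"\x00" * 4),  # heap
])
INJECTED = Process(512, "explorer.exe", WINDIR + r"\explorer.exe", 0x400000, [
    Vad(0x400000, 0x4FFFFF, PAGE_EXECUTE_WRITECOPY, False, WINDIR + r"\explorer.exe", PE_HEAD),
    Vad(0x2A0000, 0x2AFFFF, PAGE_EXECUTE_READWRITE, True, None, PE_HEAD),  # DLL loaded without the loader
])
HOLLOWED = Process(620, "svchost.exe", WINDIR + r"\System32\svchost.exe", 0x400000, [
    Vad(0x400000, 0x41FFFF, PAGE_EXECUTE_READWRITE, True, None, PE_HEAD),  # image unmapped, re-allocated
])

if __name__ == "__main__":
    for pid, findings in scan([CLEAN, INJECTED, HOLLOWED]).items():
        print(pid, findings)
```

Against a real memory image the same reasoning is done by Volatility 2 plugins: malfind for the private RWX regions, ldrmodules for DLLs that the VAD tree shows but the PEB loader lists omit (the "stealthy DLL injection" case), and apihooks and ssdt for the kernel-side hooking the abstract mentions. The point the toy preserves is that none of these checks call a Windows API on the suspect host; they compare two kernel data structures that the malware would both have to keep consistent to stay hidden.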