Welcoming of the Guests
Matt Suiche (Founder at Comae & OPCDE)
A Journey into Malware HTTP Communication Channels Spectacles
Over the years, malware has used different communication protocols, sitting at various layers of the OSI model, to establish an exchange link with its C&C server(s). In particular, as malware C&C communication shifted its focus to HTTP, certain peculiarities, blunders and obvious errors in the usage of the protocol, whether intentional or not, were spotted: for example, using headers in a GET request that only make sense in a POST request, using a Content-Length value that doesn't match the actual payload size, or using a unique non-standard header in a way that is not standards-compliant, among others. This talk will go through use-cases from different malware families that have committed several interesting mistakes, deliberate or not, in their HTTP C&C communication protocols. The ultimate goal is to identify those mistakes, understand the reason(s) behind them (e.g., bypassing security solutions, tricking automated systems), and provide detection guidance; more importantly, to show how to look for such anomalies and others systematically on the network, be it for threat hunting or for data mining of traffic captures. To our knowledge, this is the first paper that attempts to survey, document and perform root-cause analysis on such cases.
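The three anomalies the abstract names, turned into a small detection pass over raw HTTP/1.x requests. This is an added example, not code from the talk or its paper; the header lists and the sample requests are constructed here for illustration.

```python
import re
from typing import Dict, List

# Constructed for this example (not from the talk): body-describing headers, and the headers a browser normally sends.
BODY_HEADERS = {"content-type", "content-length", "content-encoding", "transfer-encoding"}
COMMON_HEADERS = BODY_HEADERS | {"host", "user-agent", "accept", "accept-encoding",
                                 "accept-language", "connection", "cookie", "referer"}
TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")  # RFC 7230 field-name token


def check_request(raw: bytes) -> List[str]:
    """Report the HTTP oddities the abstract describes for one raw HTTP/1.x request."""
    findings: List[str] = []
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method = lines[0].split(" ")[0]
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not TOKEN_RE.match(name):
            findings.append(f"malformed header line: {line!r}")  # e.g. missing ':'
            continue
        headers[name.lower()] = value.strip()
    # 1. Body-describing headers on a GET, which carries no body.
    if method == "GET":
        for name in sorted(BODY_HEADERS & headers.keys()):
            findings.append(f"{name} on GET request")
    # 2. Declared Content-Length that does not match the bytes actually sent.
    declared = headers.get("content-length")
    if declared is not None:
        if not declared.isdigit():
            findings.append(f"non-numeric Content-Length: {declared!r}")
        elif int(declared) != len(body):
            findings.append(f"Content-Length {declared} but body is {len(body)} bytes")
    # 3. Headers outside the common browser set, surfaced for analyst review.
    for name in sorted(headers.keys() - COMMON_HEADERS):
        findings.append(f"non-standard header: {name}")
    return findings


# Constructed sample requests (not real malware traffic) that exercise each check.
SAMPLES = {
    "benign_get": b"GET / HTTP/1.1\r\nHost: example.test\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    "get_with_body_headers": (b"GET /cb HTTP/1.1\r\nHost: example.test\r\n"
                              b"Content-Type: application/octet-stream\r\nContent-Length: 0\r\n\r\n"),
    "bad_content_length": b"POST /up HTTP/1.1\r\nHost: example.test\r\nContent-Length: 64\r\n\r\nid=1",
    "odd_header": b"GET /p HTTP/1.1\r\nHost: example.test\r\nX-Beacon 1234\r\nX-Id: 7\r\n\r\n",
}


def scan(samples: Dict[str, bytes] = SAMPLES) -> Dict[str, List[str]]:
    """Run the checks over every sample and keep only requests that had findings."""
    return {name: f for name, raw in samples.items() if (f := check_request(raw))}
```

The same `check_request` can be fed reassembled request payloads from a capture; the common-header allowlist is deliberately small and should be tuned to the traffic being hunted in.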
Mohamad Mokbel, Security Researcher @ TrendMicro Inc.
Mohamad Mokbel (@MFMokbel) is a senior security researcher at Trend Micro and a member of the Digital Vaccine Lab. He is responsible for reverse engineering vulnerabilities and malware C&C communication protocols, among other things, for the purpose of writing custom filters for TippingPoint NGIPS. Prior to joining Trend Micro, Mohamad worked in the security operations center of CIBC, one of the top five banks in Canada, as a senior information security consultant and investigator (L3), where he realized that experience in the operations field is extremely important to understand the real sides of offense and defense. Prior to CIBC, Mohamad worked for Telus Security Lab as a reverse engineer and malware researcher for about 5 years. He has been doing reverse code engineering for the last 14 years. His research interests lie in the areas of reverse code engineering, malware research, intrusion detection/prevention systems, C++, compiler and software performance analysis, and exotic communication protocols. Mohamad holds an MSc in Computer Science from the University of Windsor and a BSc in Computer Engineering from the Lebanese International University. Some of his work can be found at https://www.mfmokbel.com.
macOS Ransomware: OSX.EvilQuest Uncovered
Though initially thought to be a rather mundane piece of ransomware, further analysis revealed something far more powerful and insidious. In this post, we detail the malware's viral actions as well as its full capabilities (ransomware logic included).
Patrick Wardle (Principal Security Researcher @ Jamf)
Patrick Wardle is a Principal Security Researcher at Jamf and founder of Objective-See. Having worked at NASA and the NSA, as well as presented at countless security conferences, he is intimately familiar with aliens, spies, and talking nerdy. Patrick is passionate about all things related to macOS security and thus spends his days finding Apple 0days, analyzing macOS malware and writing free open-source security tools to protect Mac users.