Abstract

Friday 7 October 10:00 - 10:30, Green room

Erdem Aktas (Intel)
Rachit Mathur (Intel)

It is well known that most malware (including ransomware families such as CryptoWall) uses various tools and techniques to evade static-analysis-based detection, making it hard to statically detect and categorize their binaries. Dynamic analysis, on the other hand, can identify zero-day malware, but it can be costly and time-consuming. In the case of ransomware, detection after infection is not acceptable because files would already have been encrypted.

In this paper, we present the results of a study based on the idea that performing static analysis in 'real time' can be used not only to identify zero-day samples but also to categorize them and identify the middle actors. By 'real time' we mean a point in time after the malware starts to execute BUT before it reaches its payload or does any damage or modification to the system. The idea comes from the observation that malware authors usually keep using the same code after the first few layers of unpacking, and that they tend to re-use their favourite tools (middle-level code) to package their payload. This middle-level code can not only help in the identification of malware, but can also be used to categorize samples by the actors behind them.

Using this approach, our experiments show that we are able to detect and block all the CryptoWall campaign samples using only the analysis of the very first early CryptoWall samples. In the paper, we also suggest how this approach can be automated and extended to detect other attacks.
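The following is an added toy model of the approach described in the abstract; it is not code from the paper or from the authors. A sample is modelled as a list of constructed byte images, one per unpacking stage, and byte n-gram Jaccard similarity stands in for whatever code-matching method the paper uses (which the abstract does not specify); a fingerprint is taken from the reused middle-level stage of one early sample, and a later sample is flagged at the first matching stage, before its payload stage would run.

```python
"""Toy model of 'real-time' static analysis across unpacking layers.

Constructed example, not the paper's code. A sample is a list of byte
images: index 0 = packed file on disk, last index = payload. Matching
stops at the first stage that resembles the reference middle layer, so
the payload stage is never reached.
"""
from typing import List, Optional, Set

N = 4  # n-gram width over raw bytes


def ngrams(data: bytes, n: int = N) -> Set[bytes]:
    """Set of byte n-grams; tolerates small edits such as swapped constants."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def jaccard(a: Set[bytes], b: Set[bytes]) -> float:
    return len(a & b) / len(a | b) if (a or b) else 1.0


def build_fingerprint(stages: List[bytes], middle_index: int) -> Set[bytes]:
    """Fingerprint the stage an analyst identified as reused middle-level code."""
    return ngrams(stages[middle_index])


def scan_stages(stages: List[bytes], fp: Set[bytes], threshold: float = 0.5) -> Optional[int]:
    """Index of the first stage matching the fingerprint, or None.
    A real-time monitor would block at this point and never run later stages."""
    for i, image in enumerate(stages):
        if jaccard(ngrams(image), fp) >= threshold:
            return i
    return None


def blocked_before_payload(stages: List[bytes], fp: Set[bytes]) -> bool:
    hit = scan_stages(stages, fp)
    return hit is not None and hit < len(stages) - 1


# Constructed stage images (hypothetical bytes, not real malware). The middle
# layer is identical across both samples except for a 4-byte embedded key;
# the packer stages and payload stages differ completely.
_MID_A = bytes.fromhex("5589e583ec105356578b75088b7d0c31c9")
_MID_B = bytes.fromhex("8a040e30d888040f4139cb75f55f5e5bc9c3")
EARLY_SAMPLE = [bytes(range(0x40, 0x60)), _MID_A + bytes.fromhex("11223344") + _MID_B, b"payload-early"]
NEW_SAMPLE = [bytes(range(0x80, 0xA0)), _MID_A + bytes.fromhex("deadbeef") + _MID_B, b"payload-new"]
BENIGN = [b"MZ-benign-header", b"benign-code-section"]
FINGERPRINT = build_fingerprint(EARLY_SAMPLE, middle_index=1)

if __name__ == "__main__":
    print("new sample matched at stage", scan_stages(NEW_SAMPLE, FINGERPRINT))
```

With the constructed data the new sample's packer stage scores 0 against the fingerprint while its middle stage scores about 0.67, so it is flagged at stage 1 and the payload stage is never reached.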