Wednesday 5 October 16:00 - 16:30, Red roomOmer Yair (IBM)
Or Safran (IBM)While malware families frequently change their behaviour – in terms of persistency, malicious code injection techniques, the makeup of the configuration file, and of course, the encryption schemes – malware rarely updates its internal communications method.One of the preferred and most popular methods of internal malware communications is leveraging Named Pipes. In this talk, we will dive into that area to reveal the critical information that fuels malware and keeps its operators in control.Furthermore, we will present a new tool.When it comes to the domain of malware's internal communications, there may be a handful of dynamic analysis tools available for researchers to use, but we were not able to find one that allowed us to reliably sniff communication from Named Pipes. Nonetheless, we achieved our goal by developing our own specialized Named Pipes sniffing tool. We will present this tool to the audience, explain its inner workings, and share it with the research community.What we will share with participants in this technical lecture are applicable, valuable real-world use cases that they will recognize from their own work. For example:This talk will benefit any participant who is tasked with researching malware as part of their daily routine, as well as participants interested in the overall subject of advanced reverse engineering.Click here for more details about the conference.