Joseph Bingham Symantec
This talk will be an overview of a recent investigation into a Russian malware author that took place over the course of the last three months. The investigation began with reverse engineering the attacker's malware and profiling the command and control servers. We used this data to gather information on other active projects the attacker is operating and to learn about his income-generating operations. Finally, we collected information which may assist in identifying the malware author. We will present the results of our investigation as well as a technical overview of the malware itself, which implements a novel method of kernel-level detection evasion.
We have observed the attacker actively advertising access to his botnet in underground forums and have linked his malicious payload with a front-end website reselling access to infected machines. The front-end website makes an attempt to appear legitimate and has been in unfettered operation for more than two years. The attacker's backend command and control servers were not properly secured, allowing us to collect interesting information including the size of the botnet and infection statistics from which we were able to estimate the income potential of this botnet.
The malware is bundled with a file system filter driver that uses a method we haven't seen before to shield the payload from intermediate anti-virus file system drivers. We will briefly discuss this low-level file system filter driver bundled with the malware to protect the payload, including technical details describing the device stack and the driver's role in denying file contents to intermediate file system drivers.
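As an added defensive check that is not part of the talk or its slides: a filter driver that withholds file contents from anti-virus filters has to be loaded in the filter stack, so enumerating the loaded file system filters and their altitudes is a quick way to spot an unexpected one sitting below your AV filter. The script below parses the output of `fltmc.exe filters` (a standard Windows tool) and flags filters that are not on a baseline list. The `$KnownFilters` list is a hypothetical placeholder to be replaced with a baseline taken from a clean machine, and the assumption that a minifilter's name matches its service name in `Win32_SystemDriver` holds for most but not all drivers.

```powershell
# Added example, not from the talk: list loaded file system filter drivers and
# flag any not on an allow-list. fltmc.exe ships with Windows and needs an
# elevated prompt. The allow-list below is a hypothetical placeholder; build
# your own baseline from a known-clean system.

$KnownFilters = @('WdFilter', 'FileInfo', 'luafv', 'storqosflt', 'wcifs', 'bindflt')  # hypothetical baseline

$raw = & fltmc.exe filters 2>&1
if ($LASTEXITCODE -ne 0) { throw "fltmc failed (run elevated?): $raw" }

# Data rows look like: <name> <instances> <altitude> <frame>.
# The header ("Filter Name ...") and the dashed separator do not match the pattern.
$filters = foreach ($line in $raw) {
    if ($line -match '^(?<Name>\S+)\s+(?<Instances>\d+)\s+(?<Altitude>[\d.]+)\s+(?<Frame>\S+)\s*$') {
        [pscustomobject]@{
            Name      = $Matches.Name
            Instances = [int]$Matches.Instances
            Altitude  = [double]$Matches.Altitude
            Frame     = $Matches.Frame          # '<Legacy>' marks a legacy (non-minifilter) driver
            Known     = $KnownFilters -contains $Matches.Name
        }
    }
}

# Lower altitude = closer to the file system. A filter below the AV filter sees
# completed reads before the AV filter does, so anything unrecognised down there
# deserves a look.
$filters | Sort-Object Altitude -Descending |
    Format-Table Name, Altitude, Frame, Instances, Known -AutoSize

$unknown = @($filters | Where-Object { -not $_.Known })
if ($unknown.Count -gt 0) {
    Write-Warning ("Unrecognised file system filters loaded: " + ($unknown.Name -join ', '))
    # Resolve each unknown filter to its driver binary for signature and hash review.
    # Assumption: the filter name equals the driver's service name (true for most minifilters).
    foreach ($f in $unknown) {
        Get-CimInstance Win32_SystemDriver -Filter "Name = '$($f.Name)'" |
            Select-Object Name, PathName, State, StartMode
    }
}
```

Run it from an elevated PowerShell session. The altitude ordering is the useful part: the talk's point is a driver positioned so that intermediate AV file system drivers never see the real file contents, and a filter stack listing makes that position visible.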