Botnet milking: malware freshly served from the source

Wednesday 30 September 16:00 - 16:30, Green room

Moritz Kroll (Avira)
Philipp Wolf (Avira)
Jan-Eric Herting (Avira)
Ayoub Faouzi (Avira)

Malware authors are constantly updating their creations to avoid file detection and C&C blacklisting. So it's important to have high-quality sources of fresh malware samples to determine whether any manual tweaks to the automatic malware analysis and information extraction systems are required.

In this paper, we will show how we are using an anti-virus cloud to feed a mostly self-sustaining botnet-tracking system, resulting in brand new malicious URLs and samples for blacklisting and detection. We will discuss some challenges of our in-house solutions for automated debugger-based dumping, extraction and decryption of botnet configurations, and the implementation of reverse-engineered protocols to use the gathered knowledge against the botnets.


Moritz Kroll

Moritz Kroll has been a software developer and researcher at Avira since 2009. He mainly works on generic detection of Windows PE malware and botnet tracking. He was awarded a Diploma degree in computer science from the Technical University of Karlsruhe in Germany. In his spare time he works on tools to ease analysis of malware samples and searches for the holy grail of x86 deobfuscation.

Philipp Wolf

Philipp Wolf was born in Germany in 1981 and lives near Lake Constance. Philipp leads the special department 'Avira Protection Labs' within the EVP Protection Labs, which has more than 100 employees in various locations and time zones. His team's main responsibility is to keep Avira's customers free from malware and other unwanted software around the clock. Philipp has initiated projects in the anti-virus industry including the well-known applications MUTE and VIREX. His interests include sports such as snowboarding, sailing and boxing.

Jan-Eric Herting

Jan-Eric Herting was born in Germany in 1982. He started to learn computer architectures and low-level programming in assembly language at the age of 10. He began working as a malware analyst at Avira in 2011 and currently works there as a software developer and researcher. His current focus is reverse engineering and unpacking of malware, as well as designing and building automated analysis systems. When he is not at work, he likes climbing, hiking and swimming, and spends time with his family and friends.

Ayoub Faouzi

Ayoub Faouzi was born in Morocco in 1990. He is a software developer and researcher at Avira. His current focus is reverse engineering botnet protocols and banking threats. In his free time he likes to spend time with his family and to travel around the world.
