A follower sent me a suspicious looking file recently to get my opinion on its behavior and to see if I could pull out a little detail on how it’s working. “Suspicious looking” because at the time, it was getting a zero score on VirusTotal but it appeared to be doing something just a little dodgy in the background. I wanted to post some notes around my quick tear down of the malware show that since so much malware is poorly written and obfuscated you can often do a large amount of analysis of a file’s behaviour in a short period of time.
Brief: A talk about options advanced attackers can deploy to beat behavioural malware analysis through the detection (and subversion!) of the behaviour engines themselves. Including a demonstration of how to beat modern engines through a working tool (demos!).This talk should be interesting to malware writers and analysts alike as it shows implementations of beating analysis, but also includes enough inline explanation to make it accessible to beginners.