Скачать или смотреть Timing is Everything: Generic Trigger Events for Malware Memory Dumping

Timing is Everything: Generic Trigger Events for Malware Memory Dumping
Speakers: Mateusz Lukaszewski (VMRay, DE), Patrick Staubmann (VMRay, AT)

About speakers:
Mateusz is part of the Threat Analysis team at VMRay and is responsible for investigating the threat landscape, improving detection capabilities and implementing configuration extractors. He is especially interested in reverse-engineering, low-level system security and exploitation.

Patrick Staubmann joined VMRay as a threat researcher back in 2019. As part of the Threat Analysis team, he continuously researches the threat landscape and conducts analyses of malware samples in depth. To further improve the companies’ product, he also extends its detection capabilities in form of behaviour-based rules, YARA rules, and configuration extractors.

----

During malware analysis, we typically deal with packed, or otherwise obfuscated malware. To identify malware families, extract malware configurations and understand the inner workings of malware without manual unpacking, we need to dump its unpacked code and data from memory.Though the idea of memory dumping is simple, it's challenging to find exactly what events should trigger memory dumping in a way that is generic, covers most malware families, but does not cause too many unnecessary memory dumps.We have researched many malware families and arrived at a minimal set of memory dump trigger events that achieve good coverage of common malware. In this talk we share these memory dump trigger events, the pitfalls we found when trying to define them, and show some examples of the malware families they work against.