A Thorny Piece Of Malware (And Me): The Nastiness of SEH, VFTables & Multi-Threading

DEF CON 21

Presented by: Marion Marschalek
Date: Sunday August 04, 2013
Time: 12:30 - 12:50
Location: Track 2
Track: Track 2

Reverse engineering is the supreme discipline in analyzing malware: how else would you find out all the capabilities of a malicious sample? But this task gets trickier nearly every day, as malware authors apply new techniques to evade analysis. Even worse, documentation of said techniques is barely existent, which makes our job even harder.

This talk will focus on the challenges of a specifically thorny piece of malware, detected as Backdoor.Win32.Banito. It will discuss the palette of anti-analysis measures found and show a path through a multi-threaded file-infecting spy bot. The talk will try to shed some light on the rather shallow documentation of the binary layout of Windows Structured Exception Handling (SEH), point out complications in analyzing object-oriented C++ binaries and give an insight into how to tackle multi-threaded executables.

Marion Marschalek

Marion Marschalek (@pinkflawd) is currently employed at IKARUS Security Software GmbH based in Vienna, Austria. She has been working as a Malware Analyst and in Incident Response for two years now. Besides that, Marion teaches the basics of malware analysis at the University of Applied Sciences St. Pölten. She has a technical degree, achieved through three different universities on three different continents. In March this year Marion won the Female Reverse Engineering Challenge 2013, organized by RE professional Halvar Flake.
