Goodware drugs for malware: on-the-fly malware analysis and containment

Black Hat USA 2010

Presented by: Damiano Bolzoni, Christiaan Schade
Date: Thursday July 29, 2010
Time: 16:45 - 18:00
Location: Neopolitan 1+2+3+4
Track: Reverse Engineering Redux

In this presentation we will show a new approach to performing on-the-fly malware analysis (even of previously unknown malware), without the need to deploy any instrumentation at the end host beforehand.

Our approach leverages the fact that malware quite often arrives as a small (in size) "spore", which is then responsible for making the malware persistent on the targeted host and for downloading additional components ("eggs"). Eggs usually come in the shape of executables or DLLs, and extend the capabilities of the spore (password grabbing, URL redirection, etc.).

Our system, which we call Avatar, detects failed attempts to download eggs and ships back to the suspected malware what we call a "red pill". When the malware executes the red pill, it performs some preliminary checks and can send a copy of the parent process' executable to an instrumented host. In this instrumented (i.e., sand-boxed) environment it is possible to perform real-time analysis of the suspicious program. The red pill can then be remotely instrumented to terminate the monitored process, in case it appears to be a real threat. By doing so, it is possible to effectively contain a large infection.

Damiano Bolzoni

Damiano Bolzoni holds a PhD in Computer Security from the University of Twente. He was a member of the IPID project, where he dealt with technical aspects of Intrusion Detection Systems to support high-level policies. Before joining the University of Twente, he worked for the Italian branch of KPMG, in the Information Risk Management group. The main activities carried out by Bolzoni while at KPMG were security risk/vulnerability assessments, (security-oriented) software development and digital forensics analysis.

Christiaan Schade

Christiaan Schade is a Mechanical Engineering (ME) Bachelor student at the University of Twente (Netherlands). After starting his ME studies he was asked to help out with a coding project: ever since writing 'int main()' he was hooked... He has been involved in multiplayer gaming anti-cheat development for several years, and this experience has led him to reverse engineering and Windows driver development. While becoming more interested in security and IT in general he decided to take a course on Operating System Concept at his university; this is where he came into contact with the Distributed and Embedded Security group and started working with them. Alongside finishing his ME Bachelor next year he is going to enroll in a 'Computer Security' master.
