
Malware Analysis at BSides Vancouver

By Raul Alvarez | March 26, 2015

BSides held its third annual conference in Vancouver, Canada. It was a successful event attended by local security researchers and white-hat hackers alike, with a few delegates from other countries also in attendance. The program was loaded with presentations on a mix of topics, as you would normally expect from the bigger conferences.

Reversing Malware

I personally presented a talk about reverse engineering titled “Malware Analysis in a Straightjacket”. I talked about some of the varying techniques that malware uses in order to avoid detection, to harden analysis, and to stay persistent.

I initially discussed some tools and listed some of the debuggers that we use in doing malware analysis, followed by some common tricks that malware uses, such as code injection, obfuscation, garbage collection, and different ‘anti’ techniques.

The main focus of the presentation was to look into a modern approach to malware’s layering methodology.

Matryoshka Doll Effect

Layers in malware are similar to a matryoshka doll: when you open the main doll, you find another doll inside. When you open the second doll, you again find another, and so on, until you reach the last doll.

When layered malware runs, it produces another piece of malware, then another, until the final malware executes.

Vawtrak is one malware that uses layers in its execution. Once it runs, it displays a photo as a decoy so that it appears nothing malicious is happening. In reality, it runs a series of malware tricks while uncovering its different layers.

Figure 1: Layers of Vawtrak
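As an added illustration (not code from the talk, from Vawtrak, or from the article it references), here is a small Python peeler that walks a constructed nested artifact one layer at a time, recording each stage's size and SHA-256 the way an analyst records each doll while stepping through a debugger, and stopping at a depth cap so a malformed or bomb-like sample cannot keep it spinning. The layer format (a `LAYER:` tag over base64-encoded zlib data) is an assumption made up for the example.

```python
import base64
import hashlib
import zlib

# Assumed toy layer format for this example: each layer is zlib-compressed,
# base64-encoded, and prefixed with a tag so the peeler knows another doll follows.
LAYER_TAG = b"LAYER:"


def wrap(payload: bytes) -> bytes:
    """Put one more layer around a stage (used only to build the sample)."""
    return LAYER_TAG + base64.b64encode(zlib.compress(payload))


def build_sample(depth: int, final: bytes) -> bytes:
    """Construct a nested blob with `depth` layers around the final payload."""
    blob = final
    for _ in range(depth):
        blob = wrap(blob)
    return blob


def peel_layers(blob: bytes, max_depth: int = 16) -> tuple[list[dict], bytes]:
    """Peel layers until the innermost payload is reached.

    Returns (stages, final_payload). Each stage records depth, size and SHA-256,
    the same bookkeeping an analyst keeps when dumping each unpacked layer.
    Raises ValueError on a malformed layer or when max_depth is exceeded.
    """
    stages: list[dict] = []
    current = blob
    while True:
        stages.append({"depth": len(stages), "size": len(current),
                       "sha256": hashlib.sha256(current).hexdigest()})
        if not current.startswith(LAYER_TAG):
            return stages, current  # innermost doll reached
        if len(stages) > max_depth:
            raise ValueError("too many layers; refusing to continue")
        try:
            encoded = current[len(LAYER_TAG):]
            current = zlib.decompress(base64.b64decode(encoded, validate=True))
        except (ValueError, zlib.error) as exc:
            raise ValueError(f"malformed layer at depth {len(stages) - 1}") from exc


def layer_count(blob: bytes) -> int:
    """Number of layers wrapped around the final payload."""
    stages, _ = peel_layers(blob)
    return len(stages) - 1
```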

End of the talk

My talk ended with a video demo of Vawtrak running within a debugger while it performed its tricks.

For a quick reference, you can read my published article in Virus Bulletin for an in-depth analysis of Vawtrak.

Congratulations to BSides Vancouver 2015 and to all the organizers, volunteers, speakers, and attendees. See you next year.
