A Thorny Piece Of Malware (And Me): The Nastiness of SEH, VFTables & Multi-Threading presented at DEFCON 2013

by Marion Marschalek,

Summary : Reverse Engineering is the supreme discipline in analyzing malware, how else would you find out all capabilities of a malicious sample? But this task gets trickier nearly every day, as malware authors apply new techniques to evade analysis. Even worse, documentation of said techniques is barely existent, which makes our job even harder.
This talk will focus on the challenges of a specifically thorny piece of malware, detected as Backdoor.Win32.Banito. It will discuss the palette of anti-analysis measures found and show a path through a multi-threaded file-infecting spy bot. The talk will try to shed some light on the merely shallow documentation of the binary layout of Windows Structured Exception Handling (SEH), point out complications in analyzing object oriented C++ binaries and give an insight on how to tackle multi-threaded executables.