Interesting Malware - No, I’m not kidding… presented at hacklu 2016

by Marion Marschalek

Summary: There is malware, and then, there is m.a.l.w.a.r.e. Last year we got our fingers on a set of exquisite binaries which were definitely not the usual kind. No, I’d never call malware sophisticated; after all, that’s not what it takes to be dangerous, or interesting. But those were a challenging beast, unusually intriguing.
For lack of a better name, and given all the wacky traits the binaries come with, we dubbed the family CheshireCat. That’s the pink cat in Alice’s wonderland with the most stupid grin. The CheshireCat binaries have been around since 2002, some are built for workstations as old as Windows NT4, they support dial-up connections and executable header checks for the NewExecutable file format. Go figure. We came to the conclusion that someone very dedicated has built CheshireCat for very special networks and kept his operation under the radar for more than a decade.
This talk will introduce CheshireCat’s implementation traits, stealth tactics and wondrous functionalities. Special attention will be paid to the retro coding style and the kind of functional obfuscation that make CheshireCat so special.