Worm Charming: Harvesting Malware Lures for Examination, presented at ISSW2019 (2019)

by Pedram Amini

Summary: It's no secret that client-side attacks are a common source of compromise for many organizations. Web browser and e-mail-borne malware campaigns target users by way of phishing, social engineering, and exploitation. Office suites from vendors such as Adobe and Microsoft are ubiquitous and provide a rich and ever-changing attack surface. Poor user awareness and clever social engineering tactics frequently result in users consenting to the execution of malicious embedded logic such as macros, JavaScript, ActionScript, and Java applets. In this talk we'll explore a mechanism for harvesting a variety of these malware lures for the purposes of research and detection.

Worm charming (grunting or fiddling) is an increasingly rare real-world skill for attracting earthworms from the ground. A competitive sport in east Texas, worm charming in most of its forms involves some vibration of the soil, which encourages the worms to surface. In our context, we'll apply a series of YARA rules to charm interesting samples to the surface from the nearly 1M files uploaded to VirusTotal daily. Once aggregated, we'll explore mechanisms for clustering and identifying "interesting" samples. Specifically, we're on the hunt for malware lures that can provide a heads-up to defenders on upcoming campaigns, as adversaries frequently test their lures against AV consensus.
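As an added illustration of the "charming" step (this is not one of the talk's own rules), the YARA rules below surface two of the lure classes the abstract names: Office documents that carry a VBA macro project, and PDFs that declare JavaScript wired to an open-time action. The byte patterns are taken from the public CFB, ZIP/OOXML and PDF formats; the rule names, tags and size bounds are my own choices.

```yara
// Constructed hunting rules for surfacing candidate lures from a bulk feed.
// They are deliberately broad (a triage filter), so expect benign macro
// documents too; clustering and AV-consensus checks come after this step.

rule Lure_Office_With_VBA_Project : lure office
{
    meta:
        description = "Office document (legacy OLE2 or OOXML) that embeds a VBA project"
        origin      = "constructed example, not from the ISSW2019 talk"
    strings:
        // OLE2 / Compound File Binary magic (.doc, .xls, .ppt)
        $ole_magic   = { D0 CF 11 E0 A1 B1 1A E1 }
        // CFB directory entry names are stored as UTF-16LE, hence 'wide'
        $vba_storage = "_VBA_PROJECT" wide
        $vba_project = "PROJECT" wide
        // OOXML (.docm, .xlsm, .pptm) is a ZIP; the macro project is a named entry
        $zip_magic   = { 50 4B 03 04 }
        $ooxml_vba   = "vbaProject.bin" ascii
    condition:
        filesize < 10MB and
        (
            ($ole_magic at 0 and $vba_storage and $vba_project) or
            ($zip_magic at 0 and $ooxml_vba)
        )
}

rule Lure_PDF_JavaScript_On_Open : lure pdf
{
    meta:
        description = "PDF that declares JavaScript together with an open-time or additional action"
        origin      = "constructed example, not from the ISSW2019 talk"
    strings:
        $pdf_magic = "%PDF"
        $js_long   = "/JavaScript"
        $js_short  = "/JS"
        $open      = "/OpenAction"
        $aa        = "/AA"
    condition:
        // Caveat: PDF name tokens may be hex-escaped (e.g. /J#61vaScript) or the
        // objects may sit inside compressed object streams, so plain string
        // matching is a coarse first pass, not a complete detector.
        filesize < 10MB and $pdf_magic at 0 and
        ($js_long or $js_short) and ($open or $aa)
}
```

Running these over a bulk sample feed yields candidates rather than verdicts; the abstract's clustering and AV-consensus comparison is what separates a lure under test from routine macro-enabled paperwork.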