Overview
Explore the intricacies of Microsoft Common Object Model (COM) and its impact on dynamic malware analysis in this Black Hat conference talk. Delve into the challenges faced by malware analyzers when dealing with COM interfaces, which mirror functionality provided by common Windows APIs. Discover how malware authors exploit COM calls to perform various operations, such as creating files and starting new processes, while evading detection. Examine practical approaches to automated dynamic COM malware analysis and learn which methods are effective and which are impractical. Gain insights into the widespread use of COM interfaces by malware in the wild, based on data from sample sharing programs. Investigate the limitations of existing dynamic analysis solutions in monitoring COM correctly, and understand why hooking-based approaches fall short. Learn about transition-based monitoring as a more effective method for capturing all COM calls at the first interface layer, and explore the challenges involved in parsing various COM parameter encoding formats. Understand how this approach provides a detailed list of COM calls executed by malware without modifying the analysis environment, making it harder for malware to detect and evade sandbox analysis.
Syllabus
The Beast Within - Evading Dynamic Malware Analysis Using Microsoft COM
Taught by
Black Hat