BruCON 0x0D has ended
Friday, October 8 • 13:30 - 14:30
Chasing the White Whale of Malware: Foundations for Understanding Operational Technology Binaries


Finding malware is not difficult. Multiple platforms offer security analysts access to malicious files of all colours and flavours. However, as the amount of data grows we may be missing unique types of malware hidden in plain sight: white whale samples that have been observed only a couple of times and were developed to cause damage in the physical world by targeting operational technology.

Although we have only observed operational technology (OT) malware (e.g. TRITON or Industroyer) a couple of times in the wild, it is possible that similar samples are currently being developed and tested. We do not want to see this type of malware ever deployed in the real world, as it is designed to target the physical integrity of infrastructure, people, and industrial processes.

However, identifying OT malware is not simple. Common methods used to detect malicious behaviours (e.g. sandboxes) are currently not able to understand and analyse OT binaries. For example, legitimate scripts developed by original equipment manufacturers (OEMs) or by operators to fulfil precise process objectives often cannot be read by automated malware analysis solutions, or are flagged as malicious when unable to run. Therefore, finding and filtering OT software samples worth analysing is already a challenge.

In this talk we will describe the unique challenges we have faced while filtering binaries from OT products and vendors. We will then walk through simple methods that do not require advanced reverse engineering skills (e.g. static strings, strings in memory, analysis of functions, or import hashing) to set up a partial benchmark for sorting OT binaries. For that, we will use several Modbus samples to illustrate our successes and failures in filtering these samples during the initial analysis steps. We hope our stories encourage entry- and intermediate-level analysts to take their first steps towards recognizing and identifying interesting OT samples.
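As an added illustration of the first-pass triage the abstract describes (static strings plus an import hash), and not code from the talk or from Mandiant: the script below pulls printable strings out of a constructed byte blob standing in for an OT sample, flags the ones that look Modbus-related, and computes the import hash over a constructed import table. The indicator terms and the sample data are assumptions for the example; the hash follows the usual imphash construction (lowercased `dll.function` pairs, library extension stripped, joined with commas, MD5).

```python
import hashlib
import re

# Constructed stand-in for an OT binary; not a real sample.
SAMPLE_BLOB = (
    b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 8
    + b"ModbusTCP client v1.2\x00"
    + b"\x07\x01\xff" + b"unit id %d\x00"
    + b"\x02\x03" + b"write multiple registers\x00"
    + b"ws2_32.dll\x00connect\x00"
)
# Constructed import table, (dll, function) pairs as a PE parser would return them.
SAMPLE_IMPORTS = [("WS2_32.dll", "connect"), ("WS2_32.dll", "send"),
                  ("KERNEL32.dll", "CreateFileA")]
# Terms that often appear in code handling Modbus; illustrative, not exhaustive.
MODBUS_TERMS = ("modbus", "mbap", "unit id", "holding register", "coil",
                "write multiple registers", "read input registers")

def static_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Printable ASCII runs of at least min_len bytes, as `strings` would report."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def modbus_hits(strings: list[str]) -> list[str]:
    """Subset of strings containing any Modbus-related term (case-insensitive)."""
    return [s for s in strings if any(t in s.lower() for t in MODBUS_TERMS)]

def canonical_imports(imports) -> str:
    """Build the 'dll.func,...' string that the import hash is taken over."""
    parts = []
    for dll, func in imports:
        name = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if name.endswith(ext):
                name = name[: -len(ext)]
        parts.append(f"{name}.{func.lower()}")
    return ",".join(parts)

def import_hash(imports) -> str:
    """MD5 of the canonical import string; lets samples be grouped by import profile."""
    return hashlib.md5(canonical_imports(imports).encode()).hexdigest()

def triage(data: bytes, imports) -> dict:
    """One-shot summary an analyst can sort on before any deeper reversing."""
    strings = static_strings(data)
    return {"strings": len(strings), "modbus_hits": modbus_hits(strings),
            "imphash": import_hash(imports),
            "sockets": any("ws2_32" in s.lower() for s in strings)}
```

Running `triage(SAMPLE_BLOB, SAMPLE_IMPORTS)` on the constructed data reports three Modbus-related strings and a Winsock import, which is the kind of cheap signal the talk proposes for deciding which OT binaries merit a closer look.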


Daniel Kapellmann Zafra

Technical Analysis Manager for Mandiant, where he oversees the strategic coverage of cyber physical threat intelligence and coordinates the development of tools and solutions to collect and analyze data. He is a frequent speaker on industrial control systems (ICS) / operational technology...

Friday October 8, 2021 13:30 - 14:30 CEST
01. Westvleteren University