A Longitudinal Study of the Little Endian that Could: Threat Hunting Summit 2016
The 9002 malware, first seen during Operation Aurora in 2009, is a malware family used by threat actors based in China. What makes 9002 interesting is that over the last six years its development has not been linear. Different threat groups have taken 9002 and customized it to suit their own needs, creating multiple, parallel development branches. By understanding the differences between these branches we can gain insight into the adversary's development process, allowing better detection criteria to be created for both current and future threats.
This presentation will provide an overview of the 9002 malware, how the different development branches can be distinguished, how the development goals of the groups behind each branch differ, and how all of this information can be combined to better detect and respond to an intrusion.
Andrew White, Senior Security Researcher, Dell Secureworks
Andrew White, Ph.D., is a senior security researcher at Dell Secureworks with over five years of experience in digital forensics research. When not responding to targeted intrusions, Andrew performs research into memory forensics, targeted malware, credential theft and malware-less intrusions. He is the current holder of the DFIR NetWars high-score record.
ATTEND THE 2017 THREAT HUNTING SUMMIT: http://dfir.to/ThreatHunting2017
SANS THREAT HUNTING AND INCIDENT RESPONSE COURSES
FOR508: Digital Forensics, Incident Response, & Threat Hunting: http://sans.org/FOR508
FOR572: Network Forensics: http://sans.org/FOR572
FOR578: Cyber Threat Intelligence: http://sans.org/FOR578