Master of Puppets. Turning thousands of AV sandboxes into a botnet.

By Grzegorz Tworek

Elevator Pitch

A quick run through a solution that serves freshly compiled exe files directly to antivirus sandboxes. Includes both the “fun” and the “profit” parts.

Description

How do antivirus vendors decide whether a file is malicious? This is one of the most secret parts of each solution, but we all know that it often relies on “detonation”, meaning executing the code in a specialized environment. Wait, did someone say my code will be executed…? At the very end the scale may be a bit surprising, as reaching 2 million executions per day is limited by my hardware serving the files rather than by the sandboxes themselves. The session covers the details of the solution (just to mention that the exe is freshly compiled each time someone downloads it) and the results collected, ranging from IP addresses to sandbox hardware details.

Notes

Idea, implementation and maintenance of a solution that compiles exe files “on the fly” and lets sandboxes detonate them. Includes technical details from the ISAPI module generating the files, through the payload details, up to the analysis of the data sent back from the sandboxes. Includes a lot of C and IIS, as the solution relies on these two.