High Confidence Malware Attribution Using the Rich Header

Explore high-confidence malware attribution techniques using the Rich Header in this 50-minute conference talk. Delve into the undocumented Microsoft Rich Header and its potential for uniquely identifying malware build environments. Learn how the header is generated, its role in fingerprinting, and the development of a metadata hash for large-scale sample detection. Gain insights into PE file format components, Rich Header analysis case studies, and various packing techniques. Examine the strengths and weaknesses of different metadata hashing methods, including Imphash, Pehash, and the presenters' own RichPE hash. Investigate Rich Header spoofing feasibility and validity checks, with real-world examples like OlympicDestroyer and RLPack. Presented by UMBC students and cybersecurity enthusiasts Kevin Bilzer, RJ Joyce, and Seamus Burke, this talk offers valuable knowledge for malware analysts and cybersecurity professionals.

Intro
What is the PE File Format?
The MS-DOS Stub Header
The IMAGE_FILE_HEADER
The Section Table
The Import Address Table (IAT)
Rich Header Backstory
Rich Header Checksum
De-Obfuscated Rich Header
How the Rich Header is Built
The Devil's in the Rich Header
Case Studies in Rich Header Analysis
Packers 101
Our Own Findings
What is a Hash Function?
What is Metadata Hashing?
Imphash Weaknesses
Pehash Weaknesses
Metadata Hashes vs ASPack
Metadata Hashes vs PECompact
Metadata Hashes vs Petite
Metadata Hashes vs Themida
Metadata Hash Stats - APT1 Dataset
Metadata Hash Stats - All Files
RichPE Hash Accuracy
RichPE Weaknesses
Motivation
Checking Rich Header Validity
Spoofing a Rich Header?
Rich Header Spoofing Feasibility?
Invalid Metadata Test Stats
OlympicDestroyer vs Basic Metadata Tests
RLPack vs Basic Metadata Tests
Acknowledgements
Source Code