Chasing the Fox: A closer look at an APT malware

FIRST Seminar (Room 1&2)

Tuesday — November 13th, 2012 16:00

The presentation takes a closer look at TROJAN.FOXY, a family of remote-access trojans that is being used to mount APT-style attacks against industry and governmental organizations. The first part of the presentation elaborates on the attacker's toolset. Information from the Portable Executable file format and implementation details of cryptographic algorithms lead to a signature to detect and classify "foxy" samples. Apparently this family stems from the well-known Downbot and evolved into malware strains like Govdj.A, Namsoth.B, Crapmisc.A, Danginex and tools to move laterally through the victim organization. The second part analyzes how the attackers leverage their tools in order to gain access to an organization. We will observe how they manage to elevate their privileges and how they proceed from system to system. Finally, it will be shown how the attackers filter, package and exfiltrate sensitive data.

Presenters

  • Andreas Schuster (Deutsche Telekom AG, DE)

    Andreas Schuster has been a Senior Computer Forensic Examiner with the security department of Deutsche Telekom AG since December 2003. Previously he led a commercial computer incident response team and worked in the internet business for about seven years.

    Andreas has authored and contributed to several forensic analysis tools. He regularly reverses undocumented data formats like file systems and in-memory information. For his research he was awarded the DFRWS 2006 best paper award and the German IT-Security Award 2008.

    Andreas is a member of the Digital Forensic Research Workshop and a reviewer for several scientific journals in the field of digital forensics. He has given training to law enforcement and the private sector and has presented at FIRST and other InfoSec conferences.