{"id":142,"date":"2009-01-18T17:27:08","date_gmt":"2009-01-18T16:27:08","guid":{"rendered":"http:\/\/172.22.49.24\/?p=142"},"modified":"2009-01-18T17:27:08","modified_gmt":"2009-01-18T16:27:08","slug":"keynote-sstic-2009-utilisation-du-data-tainting-pour-les-analyses-de-logiciels-malveillants","status":"publish","type":"post","link":"https:\/\/www.intrinsec.com\/en\/keynote-sstic-2009-utilisation-du-data-tainting-pour-les-analyses-de-logiciels-malveillants\/","title":{"rendered":"Keynote SSTIC 2009 \u2013 Use of Data Tainting for malware analysis."},"content":{"rendered":"<p>Presentation:\u00a0<strong>Florent Marceau<\/strong><\/p>\n<p>Regardless of the attack vector (a classic attack, a browser attack, a frame injection attack, etc.), malware installs itself on the target machine and causes unusual, often stealthy, behavior.<\/p>\n<p><span style=\"text-decoration: underline;\">The problem is as follows:<\/span>\u00a0<strong>how to detect these behaviors without needing to do too much reverse engineering.<\/strong><br \/>\nThis is all the more difficult as there are more and more samples, which hide themselves better and better, with obfuscated code and encrypted streams.<\/p>\n<p>The goal of the project is to propose a solution that is\u00a0<span style=\"text-decoration: underline;\">generic, automated, non-intrusive, and which operates in a viable execution time.<\/span><\/p>\n<p>The solution adopted was\u00a0<strong>total virtualization, combined with data tainting<\/strong>\u00a0(tracking tagged data wherever it goes: CPU, RAM, disk, network).<br \/>\nBy positioning itself between the CPU and RAM, the tool can monitor movements of tagged data more easily, and since only the tagged data is monitored rather than all of it, the execution time is not impacted in a major way (but it is still impacted).<\/p>\n<p>The demonstration is performed with Brazilian banking malware, which contains its own virtual machine to hide its illicit 
behavior.<\/p>\n<p>The solution correctly,\u00a0<strong>and in an acceptable time<\/strong>, detected the changes made by the malware and recorded all the tagged data, which can then be reviewed (network data, disk data).<\/p>\n<p>While still quite theoretical, this method has some drawbacks. Indeed,\u00a0<strong>complete system virtualization is easily detectable<\/strong> by the malware, but it is unfortunately indispensable to ensure that the malware cannot interfere with the detection process itself.<\/p>\n<p>This remains a very good approach for analyzing the behavior of dubious software, or analyzing the effects of known malware, in order to build detection or disinfection solutions.<\/p>","protected":false},"excerpt":{"rendered":"<p>Presentation: Florent MARCEAU Regardless of the attack vector (can be classic, browser-based attack, injection [\u2026]<\/p>","protected":false},"author":10,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[19,22],"tags":[65],"class_list":["post-142","post","type-post","status-publish","format-standard","hentry","category-soc-securite-operationnelle","category-veille-securite","tag-sstic"],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v27.0 (Yoast SEO v27.8) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>Keynote SSTIC 2009 - Utilisation du Data Tainting pour les analyses de logiciels malveillants. 
- INTRINSEC<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.intrinsec.com\/en\/keynote-sstic-2009-utilisation-du-data-tainting-pour-les-analyses-de-logiciels-malveillants\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Keynote SSTIC 2009 - Utilisation du Data Tainting pour les analyses de logiciels malveillants.\" \/>\n<meta property=\"og:description\" content=\"Pr\u00e9sentation :\u00a0Florent MARCEAU Peu importe le vecteur d&rsquo;attaque (peut \u00eatre classique, attaque via navigateur, injection [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.intrinsec.com\/en\/keynote-sstic-2009-utilisation-du-data-tainting-pour-les-analyses-de-logiciels-malveillants\/\" \/>\n<meta property=\"og:site_name\" content=\"INTRINSEC\" \/>\n<meta property=\"article:published_time\" content=\"2009-01-18T16:27:08+00:00\" \/>\n<meta name=\"author\" content=\"Cyrille BARTHELEMY\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@Intrinsec\" \/>\n<meta name=\"twitter:site\" content=\"@Intrinsec\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Cyrille BARTHELEMY\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/keynote-sstic-2009-utilisation-du-data-tainting-pour-les-analyses-de-logiciels-malveillants\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/keynote-sstic-2009-utilisation-du-data-tainting-pour-les-analyses-de-logiciels-malveillants\\\/\"},\"author\":{\"name\":\"Cyrille BARTHELEMY\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/#\\\/schema\\\/person\\\/4d0993f0e377e77d13e97f623123e109\"},\"headline\":\"Keynote SSTIC 2009 &#8211; Utilisation du Data Tainting pour les analyses de logiciels malveillants.\",\"datePublished\":\"2009-01-18T16:27:08+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/keynote-sstic-2009-utilisation-du-data-tainting-pour-les-analyses-de-logiciels-malveillants\\\/\"},\"wordCount\":339,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/#organization\"},\"keywords\":[\"SSTIC\"],\"articleSection\":[\"SOC S\u00e9curit\u00e9 Op\u00e9rationnelle\",\"Veille S\u00e9curit\u00e9\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/www.intrinsec.com\\\/keynote-sstic-2009-utilisation-du-data-tainting-pour-les-analyses-de-logiciels-malveillants\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/keynote-sstic-2009-utilisation-du-data-tainting-pour-les-analyses-de-logiciels-malveillants\\\/\",\"url\":\"https:\\\/\\\/www.intrinsec.com\\\/keynote-sstic-2009-utilisation-du-data-tainting-pour-les-analyses-de-logiciels-malveillants\\\/\",\"name\":\"Keynote SSTIC 2009 - Utilisation du Data Tainting pour les analyses de logiciels malveillants. 
- INTRINSEC\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/#website\"},\"datePublished\":\"2009-01-18T16:27:08+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/keynote-sstic-2009-utilisation-du-data-tainting-pour-les-analyses-de-logiciels-malveillants\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.intrinsec.com\\\/keynote-sstic-2009-utilisation-du-data-tainting-pour-les-analyses-de-logiciels-malveillants\\\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/keynote-sstic-2009-utilisation-du-data-tainting-pour-les-analyses-de-logiciels-malveillants\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Accueil\",\"item\":\"https:\\\/\\\/www.intrinsec.com\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Keynote SSTIC 2009 &#8211; Utilisation du Data Tainting pour les analyses de logiciels malveillants.\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/#website\",\"url\":\"https:\\\/\\\/www.intrinsec.com\\\/\",\"name\":\"INTRINSEC\",\"description\":\"Notre m\u00e9tier , Prot\u00e9ger le 
v\u00f4tre\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.intrinsec.com\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/#organization\",\"name\":\"INTRINSEC\",\"alternateName\":\"ISEC\",\"url\":\"https:\\\/\\\/www.intrinsec.com\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.intrinsec.com\\\/wp-content\\\/uploads\\\/2025\\\/02\\\/libellule.png\",\"contentUrl\":\"https:\\\/\\\/www.intrinsec.com\\\/wp-content\\\/uploads\\\/2025\\\/02\\\/libellule.png\",\"width\":1322,\"height\":1322,\"caption\":\"INTRINSEC\"},\"image\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/Intrinsec\",\"https:\\\/\\\/fr.linkedin.com\\\/company\\\/intrinsec\",\"https:\\\/\\\/www.youtube.com\\\/channel\\\/UC0trUZAHNZOUbxYnNdecM4A\"],\"description\":\"soci\u00e9t\u00e9 de consulting, pure player cybers\u00e9curit\u00e9 fran\u00e7ais et europ\u00e9en depuis plus de 30ans, sp\u00e9cialiste dans la s\u00e9curit\u00e9 offensive & audit (pentest\\\/red team), GRC, et services IMSS comme le SOC, CTI et CERT Intrinsec est qualifi\u00e9 PASSI Elev\u00e9, PRIS Elev\u00e9 et PACS par l'ANSSI\",\"email\":\"contact@intrinsec.com\"},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/#\\\/schema\\\/person\\\/4d0993f0e377e77d13e97f623123e109\",\"name\":\"Cyrille 
BARTHELEMY\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/1ea58be7f50cd5a369de3c03eb2ce4d5d8b053ad42ca848d6cc15a39f6dc605e?s=96&d=retro&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/1ea58be7f50cd5a369de3c03eb2ce4d5d8b053ad42ca848d6cc15a39f6dc605e?s=96&d=retro&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/1ea58be7f50cd5a369de3c03eb2ce4d5d8b053ad42ca848d6cc15a39f6dc605e?s=96&d=retro&r=g\",\"caption\":\"Cyrille BARTHELEMY\"},\"sameAs\":[\"https:\\\/\\\/www.intrinsec.com\"],\"url\":\"https:\\\/\\\/www.intrinsec.com\\\/en\\\/author\\\/cby\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"Keynote SSTIC 2009 - Using Data Tainting for Malware Analysis - INTRINSEC","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.intrinsec.com\/en\/keynote-sstic-2009-utilisation-du-data-tainting-pour-les-analyses-de-logiciels-malveillants\/","og_locale":"en_US","og_type":"article","og_title":"Keynote SSTIC 2009 - Utilisation du Data Tainting pour les analyses de logiciels malveillants.","og_description":"Pr\u00e9sentation :\u00a0Florent MARCEAU Peu importe le vecteur d&rsquo;attaque (peut \u00eatre classique, attaque via navigateur, injection [&hellip;]","og_url":"https:\/\/www.intrinsec.com\/en\/keynote-sstic-2009-utilisation-du-data-tainting-pour-les-analyses-de-logiciels-malveillants\/","og_site_name":"INTRINSEC","article_published_time":"2009-01-18T16:27:08+00:00","author":"Cyrille BARTHELEMY","twitter_card":"summary_large_image","twitter_creator":"@Intrinsec","twitter_site":"@Intrinsec","twitter_misc":{"Written by":"Cyrille BARTHELEMY","Est. 
reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.intrinsec.com\/keynote-sstic-2009-utilisation-du-data-tainting-pour-les-analyses-de-logiciels-malveillants\/#article","isPartOf":{"@id":"https:\/\/www.intrinsec.com\/keynote-sstic-2009-utilisation-du-data-tainting-pour-les-analyses-de-logiciels-malveillants\/"},"author":{"name":"Cyrille BARTHELEMY","@id":"https:\/\/www.intrinsec.com\/#\/schema\/person\/4d0993f0e377e77d13e97f623123e109"},"headline":"Keynote SSTIC 2009 &#8211; Utilisation du Data Tainting pour les analyses de logiciels malveillants.","datePublished":"2009-01-18T16:27:08+00:00","mainEntityOfPage":{"@id":"https:\/\/www.intrinsec.com\/keynote-sstic-2009-utilisation-du-data-tainting-pour-les-analyses-de-logiciels-malveillants\/"},"wordCount":339,"commentCount":0,"publisher":{"@id":"https:\/\/www.intrinsec.com\/#organization"},"keywords":["SSTIC"],"articleSection":["SOC S\u00e9curit\u00e9 Op\u00e9rationnelle","Veille S\u00e9curit\u00e9"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.intrinsec.com\/keynote-sstic-2009-utilisation-du-data-tainting-pour-les-analyses-de-logiciels-malveillants\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.intrinsec.com\/keynote-sstic-2009-utilisation-du-data-tainting-pour-les-analyses-de-logiciels-malveillants\/","url":"https:\/\/www.intrinsec.com\/keynote-sstic-2009-utilisation-du-data-tainting-pour-les-analyses-de-logiciels-malveillants\/","name":"Keynote SSTIC 2009 - Using Data Tainting for Malware Analysis - 
INTRINSEC","isPartOf":{"@id":"https:\/\/www.intrinsec.com\/#website"},"datePublished":"2009-01-18T16:27:08+00:00","breadcrumb":{"@id":"https:\/\/www.intrinsec.com\/keynote-sstic-2009-utilisation-du-data-tainting-pour-les-analyses-de-logiciels-malveillants\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.intrinsec.com\/keynote-sstic-2009-utilisation-du-data-tainting-pour-les-analyses-de-logiciels-malveillants\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.intrinsec.com\/keynote-sstic-2009-utilisation-du-data-tainting-pour-les-analyses-de-logiciels-malveillants\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Accueil","item":"https:\/\/www.intrinsec.com\/"},{"@type":"ListItem","position":2,"name":"Keynote SSTIC 2009 &#8211; Utilisation du Data Tainting pour les analyses de logiciels malveillants."}]},{"@type":"WebSite","@id":"https:\/\/www.intrinsec.com\/#website","url":"https:\/\/www.intrinsec.com\/","name":"INTRINSEC","description":"Our job is to protect 
yours.","publisher":{"@id":"https:\/\/www.intrinsec.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.intrinsec.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.intrinsec.com\/#organization","name":"INTRINSEC","alternateName":"ISEC","url":"https:\/\/www.intrinsec.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.intrinsec.com\/#\/schema\/logo\/image\/","url":"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2025\/02\/libellule.png","contentUrl":"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2025\/02\/libellule.png","width":1322,"height":1322,"caption":"INTRINSEC"},"image":{"@id":"https:\/\/www.intrinsec.com\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/Intrinsec","https:\/\/fr.linkedin.com\/company\/intrinsec","https:\/\/www.youtube.com\/channel\/UC0trUZAHNZOUbxYnNdecM4A"],"description":"Intrinsec, a consulting firm and pure-play French and European cybersecurity provider for over 30 years, specializes in offensive security and auditing (penetration testing\/red teams), GRC, and IMSS services such as SOC, CTI, and CERT. 
Intrinsec is qualified at PASSI High, PRIS High, and PACS levels by ANSSI.","email":"contact@intrinsec.com"},{"@type":"Person","@id":"https:\/\/www.intrinsec.com\/#\/schema\/person\/4d0993f0e377e77d13e97f623123e109","name":"Cyrille BARTHELEMY","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/1ea58be7f50cd5a369de3c03eb2ce4d5d8b053ad42ca848d6cc15a39f6dc605e?s=96&d=retro&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/1ea58be7f50cd5a369de3c03eb2ce4d5d8b053ad42ca848d6cc15a39f6dc605e?s=96&d=retro&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/1ea58be7f50cd5a369de3c03eb2ce4d5d8b053ad42ca848d6cc15a39f6dc605e?s=96&d=retro&r=g","caption":"Cyrille BARTHELEMY"},"sameAs":["https:\/\/www.intrinsec.com"],"url":"https:\/\/www.intrinsec.com\/en\/author\/cby\/"}]}},"_links":{"self":[{"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/posts\/142","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/users\/10"}],"replies":[{"embeddable":true,"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/comments?post=142"}],"version-history":[{"count":0,"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/posts\/142\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/media?parent=142"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/categories?post=142"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/tags?post=142"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
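The post summarises the approach (tag data as it enters the guest, follow the tags through CPU, memory, disk and network, and only pay for the tagged bytes) without showing any mechanics. The following is an added illustration written for this page, not the presenter's tool and not code from Intrinsec: a toy guest in Python with byte-granular taint labels on registers and memory, a single source (bytes received from the network), and checks at the three sinks an analyst cares about (disk write, network send, jump target). The instruction set, addresses, the "c2" label, the XOR key and the file paths are all assumptions chosen for the scenario.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class TByte:
    """One byte of guest state plus the set of source labels it derives from.
    An empty label set means the byte is clean; only labelled bytes cost anything."""
    value: int
    taint: frozenset = frozenset()


def combine(a: TByte, b: TByte, value: int) -> TByte:
    """Propagation rule: an ALU result inherits the union of its operands' labels."""
    return TByte(value & 0xFF, a.taint | b.taint)


class TaintVM:
    """Toy guest with byte-granular taint on registers and memory, checked at the
    sinks an analyst cares about: disk writes, network sends and control flow.
    Hypothetical instruction set; not modelled on any real emulator."""

    def __init__(self, mem_size: int = 64):
        self.mem = [TByte(0)] * mem_size
        self.regs = {r: TByte(0) for r in ("a", "b", "c")}
        self.program, self.pc = [], 0
        self.events = []  # (sink, detail, labels): the record the analyst reviews afterwards

    # Taint source: bytes entering the guest from outside are labelled on arrival.
    def net_recv(self, addr: int, payload: bytes, label: str) -> None:
        for i, v in enumerate(payload):
            self.mem[addr + i] = TByte(v, frozenset({label}))

    # Sink check: an event is recorded only if labelled data reaches the sink.
    def _check_sink(self, sink: str, detail: str, cells) -> None:
        labels = frozenset().union(*(c.taint for c in cells))
        if labels:
            self.events.append((sink, detail, labels))

    def run(self, program) -> None:
        self.program, self.pc = list(program), 0
        while self.pc < len(self.program):
            op, *args = self.program[self.pc]
            self.pc += 1
            getattr(self, "op_" + op)(*args)

    def op_movi(self, r, imm):     # immediate from the binary itself: never tainted
        self.regs[r] = TByte(imm & 0xFF)

    def op_load(self, r, addr):    # plain data movement copies the labels unchanged
        self.regs[r] = self.mem[addr]

    def op_store(self, r, addr):
        self.mem[addr] = self.regs[r]

    def op_xor(self, d, s):        # the usual "decryption" primitive keeps the taint
        a, b = self.regs[d], self.regs[s]
        self.regs[d] = combine(a, b, a.value ^ b.value)

    def op_disk_write(self, addr, n, path):
        self._check_sink("disk", path, self.mem[addr:addr + n])

    def op_net_send(self, addr, n, host):
        self._check_sink("net", host, self.mem[addr:addr + n])

    def op_jmp_reg(self, r):       # a labelled jump target means external data steers control flow
        target = self.regs[r]
        self._check_sink("control-flow", f"jmp {r}=0x{target.value:02x}", [target])
        self.pc = len(self.program)  # halt: the toy has no code to run at that address


def analyse_sample() -> TaintVM:
    """Constructed scenario (not a real sample): the guest receives an XOR-encrypted
    config from its C2, decrypts it with a key embedded in the binary, drops it to
    disk, sends part of it back out and branches on a decrypted byte."""
    vm = TaintVM()
    key, config = 0x5A, b"evil.cfg"
    vm.net_recv(0x10, bytes(b ^ key for b in config), "c2")  # 8 labelled bytes at 0x10
    program = [("movi", "b", key)]                           # the key is clean
    for i in range(len(config)):                             # decryption loop
        program += [("load", "a", 0x10 + i), ("xor", "a", "b"), ("store", "a", 0x20 + i)]
    program += [
        ("movi", "c", 0x01), ("store", "c", 0x30),
        ("disk_write", 0x30, 1, "/tmp/marker"),                 # clean constant: no event
        ("disk_write", 0x20, len(config), "/tmp/config.bin"),   # decrypted C2 data: event
        ("net_send", 0x20, 4, "c2.example:443"),                # labelled data leaves: event
        ("load", "a", 0x20), ("jmp_reg", "a"),                  # labelled jump target: event
    ]
    vm.run(program)
    return vm


def decrypted_config(vm: TaintVM) -> bytes:
    """What the decryption loop left at 0x20: read from memory, no reversing of the cipher needed."""
    return bytes(c.value for c in vm.mem[0x20:0x28])


if __name__ == "__main__":
    vm = analyse_sample()
    print("decrypted:", decrypted_config(vm))
    for sink, detail, labels in vm.events:
        print(f"{sink:13s} {detail:20s} tainted by {sorted(labels)}")
```

Two points from the post are visible in the run. The XOR "decryption" is never analysed: the labels simply ride through it, so the plaintext config is read straight out of guest memory once the malware has done the work, and the write of a clean constant to /tmp/marker produces no event while the write of decrypted C2 data does. The cost model is also the one the post describes: clean bytes carry an empty label set, so only the small tagged working set is ever unioned or checked. What the toy does not address is the caveat the post ends on: a guest that checks whether it is running under full virtualization before doing anything interesting will show no tainted flows at all.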