Copy, Paste Persist: Inside The .NET Malware Gene Pool - Jonathan Peters

In my talk, I will explore the extensive code reuse within the .NET malware ecosystem and how this phenomenon can be leveraged by defenders. Key points of the talk: Analysis and data based on 150+ million malware samples processed in our analysis pipeline. Highlight the massive code reuse across the .NET malware ecosystem. Demonstrate direct copy-paste reuse between well-known malware families such as Quasar, AsyncRAT, Pulsar, and XWorm. Show how many supposedly “new” malware families are simply modified forks of existing projects. Present real code examples that reveal shared implementations, such as cryptography routines and communication logic. Explain how defenders can use these insights to design generic detections that target reused code instead of individual families. Provide real-world detection results and data showing how this strategy enables broad coverage across many malware variants. The goal of the talk is to show how understanding the shared “gene pool” of .NET malware allows detection engineers to significantly improve coverage and detect entire categories of threats.

Bio: Jonathan Peters is a threat researcher and detection engineer with a background in software development. He began reverse engineering video games in 2015, which gradually led him to malware analysis. His interest in understanding how malicious software works and how to detect it led him to start building his own analysis tools and writing detection rules. He is active in the cybersecurity community under the handle @cod3nym on X and Discord.

Видео Copy, Paste Persist: Inside The .NET Malware Gene Pool - Jonathan Peters канала DEFCON Switzerland