Malproxying: Leave Your Malware at Home

Conference: Defcon 27



The presentation traces the evolution of endpoint security solutions and the three main mechanisms they use to protect against cyber attacks: static signatures, heuristic rules, and behavioral signatures.
  • Static signatures look for indicators of compromise as byte sequences or strings in a file or memory dump.
  • Heuristic rules compute a score from properties of a file, such as its location or the APIs it uses, and use that score to decide whether the file is malicious.
  • Behavioral signatures monitor API calls and analyze the effect a piece of code has on the system, which makes it possible to detect previously unknown malware.
The presentation walks through examples of creating static signatures and shows the limitations of relying on them alone. The speaker also discusses how hard it is to write accurate behavioral signatures.
The speaker frames the ongoing battle between attackers and endpoint security solutions as a cat-and-mouse game: endpoint security solutions have evolved significantly, yet defenses are still successfully penetrated. The presentation emphasizes that protection requires a combination of mechanisms and that endpoint security solutions still need continued improvement.
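As an added illustration of the three detection layers the summary describes (example code written for this page, not code from the talk), the following Python sketches a toy scanner: one static byte signature, a heuristic score over file location and imported APIs, and a behavioral signature over an ordered API-call trace. All signatures, weights, thresholds and sample artefacts are constructed for the example; it also shows the point made about static signatures, since a variant differing in a single byte defeats the static rule while the heuristic and behavioral layers still fire.

```python
from dataclasses import dataclass, field

# All signatures, weights and samples below are constructed for this example.
STATIC_SIGNATURES = {"toy-dropper": b"TOY-DROPPER-STAGE1"}   # exact byte sequence
API_WEIGHTS = {"VirtualAllocEx": 2, "WriteProcessMemory": 3, "CreateRemoteThread": 3}
SUSPICIOUS_DIRS = ("\\Temp\\", "\\AppData\\Local\\")
HEURISTIC_THRESHOLD = 5
INJECTION = ["OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"]
# Ordered API-call patterns (subsequence match, gaps allowed between steps).
BEHAVIORAL_PATTERNS = {"remote-thread-injection": INJECTION}

@dataclass
class Sample:
    path: str                                    # where the file sits on disk
    content: bytes                               # raw file bytes
    imports: list = field(default_factory=list)  # APIs in the import table
    calls: list = field(default_factory=list)    # API calls observed at runtime

def static_scan(content: bytes) -> list:
    # Layer 1: classic AV-style byte-sequence match.
    return [name for name, sig in STATIC_SIGNATURES.items() if sig in content]

def heuristic_score(path: str, imports: list) -> int:
    # Layer 2: weighted score from imported APIs plus a bonus for a suspicious location.
    score = sum(API_WEIGHTS.get(api, 0) for api in imports)
    return score + (2 if any(d in path for d in SUSPICIOUS_DIRS) else 0)

def behavioral_match(calls: list) -> list:
    # Layer 3: does the runtime call trace contain a pattern, in order?
    hits = []
    for name, pattern in BEHAVIORAL_PATTERNS.items():
        trace = iter(calls)          # 'step in trace' consumes the trace up to each match
        if all(step in trace for step in pattern):
            hits.append(name)
    return hits

def scan(sample: Sample) -> dict:
    return {"static": static_scan(sample.content),
            "heuristic": heuristic_score(sample.path, sample.imports) >= HEURISTIC_THRESHOLD,
            "behavioral": behavioral_match(sample.calls)}

# Constructed samples: the original dropper and a variant differing in one byte.
ORIGINAL = Sample(r"C:\Users\u\AppData\Local\Temp\x.exe", b"MZ..TOY-DROPPER-STAGE1..",
                  INJECTION, ["OpenProcess", "NtQueryInformationProcess"] + INJECTION[1:])
VARIANT = Sample(ORIGINAL.path, ORIGINAL.content.replace(b"STAGE1", b"STAGE2"),
                 ORIGINAL.imports, ORIGINAL.calls)
```

Calling `scan(VARIANT)` returns an empty static list but a positive heuristic and behavioral verdict, which is the gap a static-only scanner leaves open.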


During a classic cyber attack, one of the major offensive goals is to execute code remotely on valuable machines. The purpose of that code ranges from information extraction to physical damage. As defenders, our goal is to detect and eliminate any malicious code activity, while hackers continuously find ways to bypass the most advanced detection mechanisms. It’s an endless cat-and-mouse game in which new mitigations and features are continuously added to endpoint protection solutions, and even to the OS itself, to protect users against newly discovered attack techniques. In this talk, we present a new approach for malicious code to bypass most endpoint protection measures. Our approach covertly proxies the malicious code’s operations over the network, never deploying the actual malicious code on the victim side. We are going to execute code on an endpoint without really storing the code on disk or loading it into memory. This technique potentially allows attackers to run malicious code on remote victims in such a way that the code is undetected by the victim’s security solutions. We call this technique “malproxying”.