Amanda Rousseau, Malware Researcher, Endgame
Amanda Rousseau’s job puts her knee deep in the guts of malware. A research engineer at Endgame, Rousseau’s history includes two years at the Department of Defense Cyber Crime Center as a malware reverse engineer and computer forensic examiner. Malware is weird and ever-changing, so we talked to Rousseau about exactly what she’s seen and where she’s looking next.
What’s the most interesting or powerful malware you’ve seen?
I actually have a couple of favorites. They’re all APT malware. Everyone knows Stuxnet and Flame, from the same creators, some of the most advanced malware out there.
I particularly like the more multi-platform type of malware, kind of like the Careto mask. It was a multi-stage attack; it had payloads for both Windows and OS X, and it could be run on Linux as well. I thought that was quite interesting. These guys thought about going after whatever environments a victim had. They had a payload for each. They make very reliable and robust malware. I think that’s part of what advanced attackers do. They think about getting in, getting out, cleaning up, making sure it works. They have a mission and they make the malware to complete their mission.
Stuxnet and Flame still get headlines and hold a certain position in the public imagination, but obviously that’s pretty old by now. How far advanced from that point are we?
Since I’m not in government anymore, I don’t see any of the nation-state stuff anymore. I think what they’ve taken from a lot of these older, more advanced malware samples is ideas for new malware authors. For instance, before, we weren’t having a lot of fileless attacks; now everybody’s using fileless attack techniques. Once a report comes out or someone shares that information, newer generations of malware have capabilities that were there [in APT actors] a couple of years back. If you think about ransomware, they’re doing a lot of stuff that APT attackers used to use.
What are the one or two biggest or most important initiatives you are currently undertaking or have accomplished in the past year?
I’ve been researching how to defend PowerShell. A lot of [attackers] use scripting languages to hide in memory without even dropping a file to disk; that’s what I said about fileless attacks. And it’s become really popular in the past couple of years. You can see more widespread malware using this as a delivery mechanism. Depending on the trends we see, that’s where we focus. I’ve created a couple of .NET rootkits to detect malicious PowerShell activity.