{"id":17607,"date":"2020-01-31T10:52:18","date_gmt":"2020-01-31T18:52:18","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2020\/01\/31\/news-11342\/"},"modified":"2020-01-31T10:52:18","modified_gmt":"2020-01-31T18:52:18","slug":"news-11342","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2020\/01\/31\/news-11342\/","title":{"rendered":"VB2019 paper: Rich headers: leveraging the mysterious artifact of the PE format"},"content":{"rendered":"<p>When analysing malware, especially if it&#8217;s new and rare, researchers look for every possible clue that could give them details on the context and perhaps help them find similar samples. One such clue could be what has been called \u2018rich headers\u2019, an undocumented chunk of data inside PE files.<\/p>\n<p>In a paper presented at VB2019 in London, <em>ESET<\/em> researchers Peter K\u00e1lnai and\u00a0Michal Poslu\u0161n\u00fd discussed the subject of rich headers and how it can be useful in malware research.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" style=\"display: block; margin-left: auto; margin-right: auto;\" src=\"https:\/\/www.virusbulletin.com\/files\/cache\/c32127a7c267423e5df8098ccbb4b4ad_f4325.png\" alt=\"04_table.png\" width=\"380\" height=\"348\" \/><span class=\"centered-caption\">The unencrypted Rich Headers structure.<\/span><\/p>\n<p>Today we publish the researchers&#8217; paper in both <a title=\"VB2019 paper: Rich Headers: leveraging this mysterious artifact of the PE format\" href=\"https:\/\/www.virusbulletin.com\/virusbulletin\/2020\/01\/vb2019-paper-rich-headers-leveraging-mysterious-artifact-pe-format\/\">HTML<\/a> and <a href=\"https:\/\/www.virusbulletin.com\/uploads\/pdf\/magazine\/2019\/VB2019-Kalnai-Poslusny.pdf\" target=\"_blank\">PDF <\/a>format, as well as the recording of their presentation in London.<\/p>\n<p>\u00a0<\/p>\n<p>\u00a0<\/p>\n<p style=\"text-align: center;\" width=\"100%\" height=\"420\"><iframe loading=\"lazy\" 
src=\"https:\/\/www.youtube.com\/embed\/XX0IW7WuzUo\" frameborder=\"0\" width=\"100%\" height=\"420\" style=\"\"> <\/iframe><\/p>\n<p><em><em>Have you carried out research that furthers our understanding of the threat landscape? Have you discovered a technique that helps in the analysis of malware? <\/em>The <a title=\"VB2020 call for papers - now open!\" href=\"https:\/\/www.virusbulletin.com\/blog\/2019\/12\/vb2020-call-papers-now-open\/\">Call for Papers<\/a> for VB2020 in Dublin is open! Submit your abstract before 15 March for a chance to make it onto the programme of one of the most international threat intelligence conferences.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/www.virusbulletin.com\/files\/cache\/c32127a7c267423e5df8098ccbb4b4ad_f4325.png\"\/><br \/>In a paper presented at VB2019 in London, ESET researchers Peter K\u00e1lnai and Michal Poslu\u0161n\u00fd discussed the subject of rich headers and how it can be useful in malware research. Today we publish both their paper and the recording of their presentation.
<\/p>\n<p>                 <a href=\"https:\/\/www.virusbulletin.com\/blog\/2020\/01\/vb2019-paper-rich-headers-leveraging-mysterious-artifact-pe-format\/\">Read more<\/a>                                <\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[23177,10378,23176],"tags":[],"class_list":["post-17607","post","type-post","status-publish","format-standard","hentry","category-magazine","category-security","category-virusbulletin"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/17607","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=17607"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/17607\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=17607"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=17607"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=17607"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}