I joined Fortinet in 2004, and is currently working as a Senior Security Researcher/ AV Team Lead. I am also one of the Lead Trainer responsible for training the junior AV/IPS analysts in malware analysis and reverse engineering.

I have presented in different conferences like BSidesVancouver, BSidesCapeBreton, OAS-First, BSidesOttawa, SecTor, DefCamp, BCAware, AtlSecCon, BSidesCalgary, and TakeDownCon. I am also a regular contributor to the Fortinet blog and also in the Virus Bulletin publication, where I have published 22 articles.

Topic: Understanding A Malware’s On-Demand Polymorphic Code

Virlock is a polymorphic file-infecting ransomware. It is capable of infecting executable files and at the same time, hold your computer hostage.

Running a single infected file is a sure way of infecting your computer all over again. That is one of the main goals of Virlock. As a ransomware, the malware makes sure that you won’t be able to use your computer until you pay the ransom demand. And to make our lives, even harder, Virlock employs an on-demand polymorphic algorithm, where each and every copy of the infected executable file is different from each other. And there is more; Virlock is not only a polymorphic file-infecting ransomware. The initial set of the malware code is metamorphic in nature.

In this presentation, we will dive deep into Virlock’s code to expose how it implements its metamorphic code, and how it uses an on-demand polymorphic algorithm. We will also look at how we can detect Virlock, and how we can clean an infected file.

A couple of demos will be shown, including how we can unlock the screen from Virlock’s locking mechanism.