Design of a Retargetable Decompiler for a Static Platform-Independent Malware Analysis

Rotalumè: A Tool for Automatic Reverse Engineering of Malware Emulators

Malware authors have recently begun using emulation technology to obfuscate their code. They convert native malware binaries into bytecode programs written in a randomly generated instruction set and paired with a native binary emulator that interprets the bytecode. No existing malware analysis can reliably reverse this obfuscation technique. In this paper, we present the first work in automatic reverse engineering of malware emulators. Our algorithms are based on dynamic analysis. We execute the emulated malware in a protected environment and record the entire x86 instruction trace generated by the emulator. We then use dynamic data-flow and taint analysis over the trace to identify data buffers containing the bytecode program and extract the syntactic and semantic information about the bytecode instruction set. With these analysis outputs, we are able to generate data structures, such as control-flow graphs, that provide the foundation for subsequent malware analysis. We implemented a proof-of-concept system called Rotalumè and evaluated it using both legitimate programs and malware emulated by VMProtect and Code Virtualizer. The results show that Rotalumè accurately reveals the syntax and semantics of emulated instruction sets and reconstructs execution paths of original programs from their bytecode representations.
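The dispatch-loop taint analysis the abstract describes, as an added example that is not Rotalumè's code: a toy emulated program with a randomised opcode table, an emulator that records a register-level dataflow trace (standing in for the x86 instruction trace), and an analysis that recovers the bytecode buffer, the instruction lengths and the opcode-to-handler mapping from the trace alone. The addresses, opcodes, handler-table layout and trace format are all assumptions made for this example.

```python
"""Added example (not the Rotalume tool's code): a toy emulated program,
a register-level dataflow trace of the emulator running it, and a taint
analysis over that trace that recovers the bytecode buffer, the instruction
lengths (syntax) and the opcode -> handler mapping (semantics).
All addresses, opcodes and the trace format are assumptions."""

BYTECODE_BASE = 0x1000
TABLE_BASE = 0x2000                  # handler table, one slot per opcode byte
HANDLERS = {0x5A: 0x3000, 0x13: 0x3100, 0x77: 0x3200}   # PUSH imm8, ADD, HALT
PROGRAM = bytes([0x5A, 7, 0x5A, 35, 0x13, 0x77])         # push 7; push 35; add; halt

def build_memory():
    """Lay out the constructed bytecode and handler table in a flat memory."""
    mem = {BYTECODE_BASE + i: b for i, b in enumerate(PROGRAM)}
    mem.update({TABLE_BASE + op: h for op, h in HANDLERS.items()})
    return mem

def run_emulator(mem):
    """Interpret PROGRAM while recording every register-level dataflow event:
    ('load', dst, addr_reg, addr, value), ('alu', dst, src_regs, value) and
    ('ijmp', reg, target). This stands in for the x86 trace of a real emulator."""
    trace, regs, stack = [], {"vpc": BYTECODE_BASE}, []

    def load(dst, areg):
        regs[dst] = mem[regs[areg]]
        trace.append(("load", dst, areg, regs[areg], regs[dst]))

    def alu(dst, srcs, value):
        regs[dst] = value
        trace.append(("alu", dst, tuple(srcs), value))

    while True:
        load("op", "vpc")                               # fetch opcode byte
        alu("vpc", ["vpc"], regs["vpc"] + 1)
        alu("slot", ["op"], TABLE_BASE + regs["op"])    # index the handler table
        load("h", "slot")
        trace.append(("ijmp", "h", regs["h"]))          # dispatch to the handler
        if regs["h"] == HANDLERS[0x5A]:                 # PUSH imm8
            load("imm", "vpc")
            alu("vpc", ["vpc"], regs["vpc"] + 1)
            stack.append(regs["imm"])
        elif regs["h"] == HANDLERS[0x13]:               # ADD
            stack.append(stack.pop() + stack.pop())
        else:                                           # HALT
            return trace, stack[-1]

def recover_isa(trace):
    """Taint each register with the (address, value) pairs its contents derive
    from; a load also inherits the taint of its address register, so a handler
    fetched through a table indexed by an opcode byte carries that byte's taint.
    At every indirect jump the tainted byte whose value is not the jump target
    itself is the opcode byte; the other one is the table entry."""
    taint, insns, loads_since_dispatch = {}, [], 0
    for ev in trace:
        if ev[0] == "load":
            _, dst, areg, addr, val = ev
            taint[dst] = {(addr, val)} | taint.get(areg, set())
            loads_since_dispatch += 1
        elif ev[0] == "alu":
            _, dst, srcs, _ = ev
            taint[dst] = set().union(*(taint.get(s, set()) for s in srcs))
        else:
            _, reg, target = ev
            (addr, opcode), = [(a, v) for a, v in taint[reg] if v != target]
            insns.append((addr, opcode, target))
            loads_since_dispatch = 0
    # Syntax: an instruction spans up to the next opcode address; the last one
    # spans its opcode plus whatever its handler read afterwards (operands are
    # assumed to be consumed sequentially by the handler).
    lengths = [b[0] - a[0] for a, b in zip(insns, insns[1:])]
    lengths.append(1 + loads_since_dispatch)
    isa = {op: {"len": n, "handler": h} for (_, op, h), n in zip(insns, lengths)}
    buffer = (insns[0][0], insns[-1][0] + lengths[-1])
    listing = [(addr, op) for addr, op, _ in insns]
    return buffer, isa, listing

if __name__ == "__main__":
    trace, result = run_emulator(build_memory())
    buf, isa, listing = recover_isa(trace)
    print("result", result, "bytecode buffer", [hex(x) for x in buf])
    for op, info in isa.items():
        print(f"opcode {op:#04x}: length {info['len']}, handler {info['handler']:#x}")
```

The rule applied at the indirect jump, that of the two tainted bytes the one whose value is not the jump target is the opcode, is specific to this table-dispatch emulator; a real emulator may pass the opcode through several loads and arithmetic steps, which is why the abstract's approach records the whole trace and follows the data flow instead of pattern-matching the dispatcher.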

Static-Analysis Techniques of Malware Reverse Engineering

Annals of DAAAM for ... & proceedings of the ... International DAAAM Symposium .., 2022

Network and system security are critical issues of overall Internet security. Scientific papers and popular literature are full of new security issues being published and analysed daily. Due to the rapid proliferation of various types of malware tools that can be used both to create security attacks and to influence their results, traditional analysis methods struggle with the size and scope of the sample sets needed for proper analysis. For example, a well-disguised malware attack can easily penetrate an environment protected by a load balancer and/or Web Application Firewall (WAF). In this paper, we discuss different static-analysis techniques used to reverse engineer executable code and determine whether the code is in fact malware.

Automatic Static Unpacking of Malware Binaries

2009 16th Working Conference on Reverse Engineering, 2009

Current malware is often transmitted in packed or encrypted form to prevent examination by anti-virus software. To analyze new malware, researchers typically resort to dynamic code analysis techniques to unpack the code for examination. Unfortunately, these dynamic techniques are susceptible to a variety of anti-monitoring defenses, as well as "time bombs" or "logic bombs," and can be slow and tedious to identify and disable. This paper discusses an alternative approach that relies on static analysis techniques to automate this process. Alias analysis can be used to identify the existence of unpacking, static slicing can identify the unpacking code, and control flow analysis can be used to identify and neutralize dynamic defenses. The identified unpacking code can be instrumented and transformed, then executed to perform the unpacking. We present a working prototype that can handle a variety of malware binaries, packed with both custom and commercial packers, and containing several examples of dynamic defenses.
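The three static steps the abstract lists (identify that unpacking happens, slice out the unpacking code, execute the slice), as an added example that is not the paper's prototype. It uses a constructed three-address IR instead of x86, an interval analysis with widening in place of a full alias analysis, and a data-dependence slice extended with the loop's back edge; the unpacking stub, the addresses and the payload are made up for the example.

```python
"""Added example (not the paper's prototype): a tiny three-address IR for an
unpacking stub, interval analysis with widening (standing in for the alias
analysis), a backward slice that isolates the unpacking loop, and an
interpreter that runs only that slice. IR, addresses and payload are constructed."""
INF = float("inf")

# Constructed stub: XOR-decode 16 bytes from 0x5000 into 0x4000, then jump
# into the freshly written region through a register.
PROG = [
    ("mov", "r1", 0x4000),   # 0: destination pointer
    ("mov", "r2", 0x5000),   # 1: source pointer (packed bytes)
    ("mov", "r4", 16),       # 2: counter
    ("load", "r3", "r2"),    # 3: r3 = [r2]
    ("xor", "r3", 0x55),     # 4: decode
    ("store", "r1", "r3"),   # 5: [r1] = r3
    ("add", "r1", 1),        # 6
    ("add", "r2", 1),        # 7
    ("sub", "r4", 1),        # 8
    ("jnz", "r4", 3),        # 9: loop back
    ("mov", "r5", 0x4000),   # 10
    ("jmp", "r5"),           # 11: control transfer into written memory
]
PAYLOAD = b"unpacked_payload"                     # constructed plaintext
USES = {"add": [1], "sub": [1], "xor": [1], "jnz": [1], "load": [2], "store": [1, 2], "jmp": [1]}
DEFS = ("mov", "add", "sub", "load", "xor")

def successors(prog, i):
    op = prog[i][0]
    if op == "jmp": return []                     # leaves the analysed stub
    if op == "jnz": return [i + 1, prog[i][2]]
    return [i + 1] if i + 1 < len(prog) else []

def widen(old, new):                              # join with immediate widening
    return (old[0] if new[0] >= old[0] else -INF, old[1] if new[1] <= old[1] else INF)

def join(a, b):
    return {r: widen(a[r], b[r]) if r in a and r in b else (-INF, INF) for r in set(a) | set(b)}

def transfer(ins, st):
    st, op = dict(st), ins[0]
    if op == "mov": st[ins[1]] = (ins[2], ins[2])
    elif op in ("add", "sub"):
        k = ins[2] if op == "add" else -ins[2]
        lo, hi = st.get(ins[1], (-INF, INF)); st[ins[1]] = (lo + k, hi + k)
    elif op in ("load", "xor"): st[ins[1]] = (-INF, INF)   # memory contents unknown
    return st

def interval_analysis(prog):
    """Worklist abstract interpretation; states[i] is the input state of instruction i."""
    states, work = {0: {}}, [0]
    while work:
        i = work.pop()
        out = transfer(prog[i], states[i])
        for s in successors(prog, i):
            new = out if s not in states else join(states[s], out)
            if new != states.get(s):
                states[s] = new; work.append(s)
    return states

def find_unpacking(prog, states):
    """Write-then-execute: a store whose address interval may overlap an indirect jump target."""
    stores = [(i, states[i][s[1]]) for i, s in enumerate(prog) if s[0] == "store"]
    jumps = [(j, states[j][s[1]]) for j, s in enumerate(prog) if s[0] == "jmp"]
    return [(i, j) for i, (slo, shi) in stores for j, (jlo, jhi) in jumps
            if max(slo, jlo) <= min(shi, jhi)]

def backward_slice(prog, seed):
    """Data dependences of the seed plus loop branches that jump back into the slice."""
    needed, sl, changed = {prog[seed][k] for k in USES.get(prog[seed][0], [])}, {seed}, True
    while changed:
        changed = False
        for i, ins in enumerate(prog):
            if i in sl: continue
            defines = ins[1] if ins[0] in DEFS else None
            if defines in needed or (ins[0] == "jnz" and ins[2] in sl):
                sl.add(i); needed |= {ins[k] for k in USES.get(ins[0], [])}; changed = True
    return sorted(sl)

def execute(prog, keep, mem):
    """Interpret only the sliced instructions; the jump into unpacked code is never taken."""
    regs, pc, keep = {}, 0, set(keep)
    while pc < len(prog):
        ins, pc = prog[pc], pc + 1
        if pc - 1 not in keep: continue
        op, d = ins[0], ins[1]
        if op == "mov": regs[d] = ins[2]
        elif op == "add": regs[d] += ins[2]
        elif op == "sub": regs[d] -= ins[2]
        elif op == "xor": regs[d] ^= ins[2]
        elif op == "load": regs[d] = mem[regs[ins[2]]]
        elif op == "store": mem[regs[d]] = regs[ins[2]]
        elif op == "jnz" and regs[d] != 0: pc = ins[2]
    return mem

def unpack():
    mem = {0x5000 + i: b ^ 0x55 for i, b in enumerate(PAYLOAD)}   # packed input
    hits = find_unpacking(PROG, interval_analysis(PROG))
    sl = backward_slice(PROG, hits[0][0])
    execute(PROG, sl, mem)
    return hits, sl, bytes(mem[0x4000 + i] for i in range(len(PAYLOAD)))
```

The slice leaves out instructions 10 and 11, the jump into the written region, so running it yields the unpacked bytes without ever transferring control to them. A "time bomb" guarding the loop would appear as a branch on a value the slice does not need; recognising and neutralising such a branch is the control-flow-analysis step the abstract mentions, which this example does not implement.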

Manual Malware Analysis Using Static Method

2014

Today malware threats represent the greatest challenge to information security. The combat between malware writers and malware researchers never ends. Malware writers use a variety of evasion techniques such as code obfuscation, packing, anti-debugging and anti-virtualisation to foil researchers' analysis. Researchers, for their part, try to find techniques to defend Information Technology (IT) services from unauthorized access or theft. Most research performs malware analysis in an isolated virtualised environment because of security concerns. This research focuses on analysing malware with a static method directly in the operating system environment, and therefore on malware that uses anti-virtualisation evasion techniques. Although our platform is exposed to the threat posed by the malware sample, we protect it using Toolwiz TimeFreeze and a Windows backup image. This research pr...

Static detection of malicious code in executable programs

Int. J. of Req. Eng, 2001

In this paper, we propose a new approach for the static detection of malicious code in executable programs. Our approach rests on a semantic analysis based on behaviour that even makes possible the detection of unknown malicious code. This analysis is carried out directly on binary code. Static analysis offers techniques for predicting properties of the behaviour of programs without running them. The static analysis of a given binary executable is achieved in three major steps: construction of an intermediate representation, flow-based analysis that catches security-oriented program behaviour, and static verification of critical behaviours against security policies (model checking).

BIRD: Binary Interpretation using Runtime Disassembly

International Symposium on Code Generation and Optimization (CGO'06)

The majority of security vulnerabilities published in the literature are due to software bugs. Many researchers have developed program transformation and analysis techniques to automatically detect or eliminate such vulnerabilities. So far, most of them cannot be applied to commercially distributed applications on the Windows/x86 platform, because it is almost impossible to disassemble a binary file with 100% accuracy and coverage on that platform. This paper presents the design, implementation, and evaluation of a binary analysis and instrumentation infrastructure for the Windows/x86 platform called BIRD (Binary Interpretation using Runtime Disassembly), which provides two services to developers of security-enhancing program transformation tools: converting binary code into assembly language instructions for further analysis, and inserting instrumentation code at specific places of a given binary without affecting its execution semantics. Instead of requiring a high-fidelity instruction set architectural emulator, BIRD combines static disassembly with an on-demand dynamic disassembly approach to guarantee that each instruction in a binary file is analyzed or transformed before it is executed. It took 12 student-months to develop the first BIRD prototype, which works for all applications in the Microsoft Office suite as well as Internet Explorer and the IIS web server, including all DLLs that they use. Moreover, the additional throughput penalty of the BIRD prototype on production server applications such as Apache, IIS, and BIND is uniformly below 4%.

Runtime Analysis of Malware

2011

Context: Every day an increasing number of malware samples spread around the world, infecting not only end users but also large organizations. This results in a massive security threat to private data and expensive computer resources. A lot of research is going on to cope with this large amount of malicious software, and researchers and practitioners have developed many new methods to deal with it. One of the most effective methods used to capture malicious software is dynamic malware analysis. The dynamic analysis methods used today are very time-consuming and resource-hungry: normally it takes days, or at least some hours, to analyze a single instance of suspected software. This is not good enough, especially given the number of attacks occurring every day.

Assisting Malware Analysis with Symbolic Execution: a Case Study

2017 International Symposium on Cyber Security Cryptography and Machine Learning (CSCML 2017), 2017

Security analysts spend days or even weeks trying to understand the inner workings of malicious software, using a plethora of manually orchestrated tools. Devising automated tools and techniques to assist and speed up the analysis process remains a major endeavor in computer security. While manual intervention will likely remain a key ingredient in the short and mid term, the recent advances in static and dynamic analysis techniques have the potential to significantly impact the malware analysis practice. In this paper we show how an analyst can use symbolic execution techniques to unveil critical behavior of a remote access trojan (RAT). Using a tool we implemented in the angr framework, we analyze a sample drawn from a well-known RAT family that leverages thread injection vulnerabilities in the Microsoft Win32 API. Our case study shows how to automatically derive the list of commands supported by the RAT and the sequence of system calls that are activated for each of them, systematically exploring the stealthy communication protocol with the server and yielding clues to potential threats that may pass unnoticed by a manual inspection.
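A toy version of the exploration the case study performs with angr, added here as an example and not the authors' tool: a constructed dispatcher IR with two symbolic bytes, cmd and flag, a depth-first symbolic executor that forks at every comparison and prunes contradictory constraint sets, and a report listing the accepted command values and the API calls reached on each path. The dispatcher layout, command values and API names are assumptions.

```python
"""Added example, not the authors' angr-based tool: a minimal symbolic executor
over a constructed command-dispatcher IR. It forks at every comparison on the
symbolic bytes, drops paths whose constraints contradict each other, and
reports, per feasible path, the command value and the API calls reached.
The dispatcher layout, command values and API names are assumptions."""

# ("beq", var, const, target): if var == const goto target, else fall through.
DISPATCHER = [
    ("beq", "cmd", 0x10, 5),               # 0  upload-file handler
    ("beq", "cmd", 0x20, 9),               # 1  reverse-shell handler
    ("beq", "cmd", 0x30, 12),              # 2  injection handler
    ("call", "send"),                      # 3  unknown command: error reply
    ("ret",),                              # 4
    ("beq", "cmd", 0x20, 16),              # 5  contradicts cmd == 0x10: pruned
    ("call", "CreateFileW"),               # 6
    ("call", "WriteFile"),                 # 7
    ("ret",),                              # 8
    ("call", "WSASocketW"),                # 9
    ("call", "connect"),                   # 10
    ("ret",),                              # 11
    ("beq", "flag", 0, 15),                # 12 second symbolic byte gates injection
    ("call", "OpenProcess"),               # 13
    ("call", "CreateRemoteThread"),        # 14
    ("ret",),                              # 15
    ("call", "ExitProcess"),               # 16 dead code: only reachable via 5
    ("ret",),                              # 17
]

def satisfiable(cons):
    """Constraints are (var, '==' | '!=', value) on independent byte variables:
    at most one equality per variable, not excluded by a disequality, and a
    variable with only disequalities still has some byte value left."""
    eqs, nes = {}, {}
    for var, op, val in cons:
        (eqs if op == "==" else nes).setdefault(var, set()).add(val)
    for var, vals in eqs.items():
        if len(vals) > 1 or vals & nes.get(var, set()):
            return False
    return all(len(v) < 256 for v in nes.values())

def explore(prog):
    """Depth-first path exploration (the IR is loop-free, so no step bound is
    needed here). Returns [(constraints, calls)] for every path that reaches
    'ret' under a satisfiable constraint set."""
    paths, stack = [], [(0, (), ())]
    while stack:
        pc, cons, calls = stack.pop()
        while True:
            ins = prog[pc]
            if ins[0] == "beq":
                _, var, val, target = ins
                taken, fall = cons + ((var, "==", val),), cons + ((var, "!=", val),)
                if satisfiable(taken):
                    stack.append((target, taken, calls))      # fork: branch taken
                if not satisfiable(fall):
                    break                                     # fall-through infeasible
                cons, pc = fall, pc + 1
            elif ins[0] == "call":
                calls, pc = calls + (ins[1],), pc + 1
            else:                                             # ret: path complete
                paths.append((cons, calls))
                break
    return paths

def commands(paths):
    """Command values the dispatcher accepts."""
    return sorted({v for cons, _ in paths for var, op, v in cons if var == "cmd" and op == "=="})

def calls_by_command(paths):
    """Map each command value (None = unrecognised command) to the call sequences seen."""
    table = {}
    for cons, calls in paths:
        cmd = next((v for var, op, v in cons if var == "cmd" and op == "=="), None)
        table.setdefault(cmd, set()).add(calls)
    return table

if __name__ == "__main__":
    for cmd, seqs in calls_by_command(explore(DISPATCHER)).items():
        label = "other" if cmd is None else hex(cmd)
        print("cmd", label, "->", [" ; ".join(s) or "(no calls)" for s in seqs])
```

angr runs the same fork-and-prune loop over real x86 with an SMT solver deciding satisfiability; here the constraints are only equalities and disequalities on independent bytes, which is enough to show why the taken branch at index 5 is never explored and why ExitProcess appears in no path.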

Conducting Static and Dynamic analysis Techniques over Spyware

Whether the Internet is used for personal or business purposes, the probability of becoming a malware victim is high: it takes only clicking a link or downloading an mp3 song, a video or even an image. Malware is malicious, unwanted software that affects our machine, sometimes without our even being aware of its presence on the infected host. Spyware is a type of malware that infects the system with the intent of gathering and stealing the victim's information and sending it back to the malware's creator, without the victim being notified of its existence. Malware analysis comes in handy when we face a suspicious, unknown file on the system and want to know whether it is malicious; if it is, the desire is to know its type, its method of propagation, its impact on the system, and whether there is an established connection with the attacker who sent the malware. Malware analysis can be done using two techniques, known as static and dynamic analysis. In static analysis the malware is studied and analyzed without running it, while dynamic analysis runs the malware in a secure virtual environment to observe its behavior. This work conducts static and dynamic analysis on the saint.exe spyware sample, using tools such as CFF Explorer, PEStudio, ProcMon and Wireshark to analyze the malware and discover its characteristics and behavior at the level of the filesystem, processes, registry and network, and to track the ways the malware persists in the infected system as well as the way it connects to its command and control server.
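A triage pass over Process Monitor output of the kind the abstract describes, added here as an example and not the paper's own tooling. The CSV lines are constructed for the sample name the paper uses (saint.exe); the dropped file path, registry value name, PIDs and the 203.0.113.7:4444 endpoint are made up, and the column names follow ProcMon's CSV export.

```python
"""Added example, not the paper's own tooling: triage of constructed Process
Monitor CSV export lines for the saint.exe sample. Paths, PIDs, the registry
value name and the 203.0.113.7:4444 endpoint are made up for the example;
the column names are those of ProcMon's CSV export."""
import csv
import io
import re

PROCMON_CSV = '''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1204563 AM","saint.exe","4120","CreateFile","C:\\Users\\victim\\AppData\\Roaming\\svchost32.exe","SUCCESS","Desired Access: Generic Write"
"10:01:02.3310987 AM","saint.exe","4120","WriteFile","C:\\Users\\victim\\AppData\\Roaming\\svchost32.exe","SUCCESS","Offset: 0, Length: 183,296"
"10:01:02.9023345 AM","saint.exe","4120","RegSetValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\WindowsUpdate","SUCCESS","Type: REG_SZ, Length: 98, Data: C:\\Users\\victim\\AppData\\Roaming\\svchost32.exe"
"10:01:03.2201122 AM","saint.exe","4120","Process Create","C:\\Users\\victim\\AppData\\Roaming\\svchost32.exe","SUCCESS","PID: 5208, Command line: C:\\Users\\victim\\AppData\\Roaming\\svchost32.exe"
"10:01:03.5512338 AM","svchost32.exe","5208","TCP Connect","victim-pc:49712 -> 203.0.113.7:4444","SUCCESS","Length: 0, mss: 1460"
"10:01:03.6000000 AM","explorer.exe","1688","RegQueryValue","HKCU\\Software\\Classes\\Local Settings\\MuiCache","SUCCESS","Type: REG_SZ, Length: 12, Data: Explorer"
'''

RUN_KEYS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")
EXECUTABLE = (".exe", ".dll", ".scr")

def triage(csv_text):
    """Bucket the events an analyst looks for first: dropped executables,
    autostart registry values, child processes and outbound connections."""
    f = {"dropped": [], "persistence": [], "children": [], "connections": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        op, path, proc = row["Operation"], row["Path"], row["Process Name"]
        if op == "WriteFile" and path.lower().endswith(EXECUTABLE):
            f["dropped"].append(path)
        elif op == "RegSetValue" and any(k in path.lower() for k in RUN_KEYS):
            m = re.search(r"Data: (.*)$", row["Detail"])          # value written
            f["persistence"].append((path, m.group(1) if m else ""))
        elif op == "Process Create":
            f["children"].append((proc, path))
        elif op == "TCP Connect":                                  # "local -> remote"
            f["connections"].append((proc, path.split("->")[-1].strip()))
    return f

def correlate(f, sample):
    """Tie the buckets together: Run values and child processes that point at a
    file the sample itself wrote, and connections made by the sample or those
    children (candidate command and control endpoints)."""
    dropped = {p.lower() for p in f["dropped"]}
    persisted = [(k, v) for k, v in f["persistence"] if v.lower() in dropped]
    spawned = {child.split("\\")[-1].lower() for _, child in f["children"]
               if child.lower() in dropped}
    c2 = [(proc, remote) for proc, remote in f["connections"]
          if proc.lower() in spawned or proc.lower() == sample.lower()]
    return {"persisted_dropper": persisted, "spawned_dropped": sorted(spawned), "c2": c2}

if __name__ == "__main__":
    findings = triage(PROCMON_CSV)
    for key, value in correlate(findings, "saint.exe").items():
        print(key, value)
```

The correlation step is what turns four event types into a story: the Run-key value points at the file the sample wrote, that file is launched as a child, and the child rather than the original sample opens the outbound connection, which is the flow the Wireshark capture the abstract mentions would be used to examine next.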