Binary CFG Rebuilt of Self-Modifying Codes

Abstract

Modern malware extensively applies self-modifying obfuscation techniques, e.g., self-decryption and mutation, which are often prepared automatically by packers. Their aim is to confuse control structures and to bypass commercial anti-virus software based on binary signatures. A popular method in industry for analyzing malware is dynamic analysis in a sandbox. Alternatively, we apply a hybrid method combining concolic testing (dynamic symbolic execution) with Windows API stubs realized by external execution. They are implemented as BE-PUM (Binary Emulation for Pushdown Model generation), which shows strong disassembly ability (control flow graph generation) at the cost of relatively heavy execution. For instance, BE-PUM automatically detects the destination server of EMDIVI, which caused a huge information leak from the Japanese governmental pension fund in 2015. In the first year of the project, we developed BE-PUM from a preliminary prototype, which supported 15 x86 instructions and no Windows APIs, into a tool supporting 100 x86 instructions and 400 Windows APIs. The x86 binary emulation and the Windows API stubs are prepared manually. We also performed experiments on several thousand real malware samples to evaluate the BE-PUM design. In the second year, we worked on several topics: (1) multi-threading for faster processing, (2) automatic Windows API stub generation from the natural language specifications provided by MSDN, (3) loop invariant generation for binary programs, and (4) identification of the packer that was used when the malware was made. (1)-(3) make BE-PUM more complete and efficient, and (4) shows that BE-PUM can precisely detect and classify individual obfuscation techniques. The next step will be to analyze contamination techniques. This project is performed in collaboration with Ho-Chi-Minh University of Technology (Vietnam) and LORIA, University of Lorraine (France).
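
The contrast the abstract draws between signature-based static analysis and CFG recovery by concolic emulation of self-decrypting code, as an added example that is not part of the report and is not BE-PUM's code. Everything in it is constructed: a made-up 8-bit ISA (not x86), a sample image whose payload is XOR-encrypted on disk and decrypted in place by a short loop, and a hidden call that runs only when an external API-stub result equals a trigger value. A static linear sweep sees only the decryption loop, because the payload bytes are not valid instructions until the loop has run. The emulator instead decodes each instruction from memory as it is at that moment, flags addresses it executes after the program itself wrote them, and forks at the branch on the unknown API result so that both the benign path and the call-out path appear in the recovered CFG. The set-enumeration feasibility check and the fork-per-outcome rule are this example's stand-ins for BE-PUM's SMT-backed path conditions, not its actual mechanism.

```python
# Constructed illustration on a made-up 8-bit ISA (not BE-PUM's code and not x86):
# static linear sweep versus concolic emulation of a self-decrypting program.
import copy
from types import SimpleNamespace
from typing import Dict, List, Tuple

# opcode -> (mnemonic, length). XOR [r], imm writes into the code image; API n
# calls an external stub and puts its result in r0; stub 1's result is unknown.
ISA = {0x01: ("MOV", 3), 0x02: ("XOR", 3), 0x03: ("INC", 2), 0x04: ("CMP", 3),
       0x05: ("JNE", 2), 0x06: ("JMP", 2), 0x07: ("API", 2), 0x08: ("HLT", 1)}
SYMBOLIC_APIS, KEY, PAYLOAD_START = {1}, 0x5A, 0x10

# Plaintext payload; it exists in memory only after in-place decryption.
PAYLOAD = bytes([
    0x07, 0x01,        # 0x10: API 1        ; r0 = unknown value from the environment
    0x04, 0x00, 0x2A,  # 0x12: CMP r0, 0x2A ; trigger check on that value
    0x05, 0x19,        # 0x15: JNE 0x19     ; skip the hidden call unless r0 == 0x2A
    0x07, 0x02,        # 0x17: API 2        ; hidden call-out, reached on one path only
    0x08,              # 0x19: HLT
])
STUB = bytes([         # decryption loop, stored in clear
    0x01, 0x01, 0x10,  # 0x00: MOV r1, 0x10
    0x02, 0x01, KEY,   # 0x03: XOR [r1], KEY ; decrypt one byte in place
    0x03, 0x01,        # 0x06: INC r1
    0x04, 0x01, 0x1A,  # 0x08: CMP r1, 0x1A  ; end of encrypted region?
    0x05, 0x03,        # 0x0B: JNE 0x03
    0x06, 0x10,        # 0x0D: JMP 0x10      ; jump into the decrypted bytes
    0x00,              # 0x0F: padding, not a valid opcode
])

def build_image() -> bytearray:
    """On-disk image: the stub followed by the XOR-encrypted payload."""
    img = bytearray(0x20)
    img[:len(STUB)] = STUB
    img[PAYLOAD_START:PAYLOAD_START + len(PAYLOAD)] = bytes(b ^ KEY for b in PAYLOAD)
    return img

def linear_sweep(mem: bytes, start: int) -> List[Tuple[int, str]]:
    """Static disassembly of the stored bytes: stops at the first invalid opcode,
    so the encrypted payload yields nothing a byte signature could match."""
    out, pc = [], start
    while pc < len(mem) and mem[pc] in ISA:
        name, n = ISA[mem[pc]]
        out.append((pc, " ".join([name] + [f"{x:#04x}" for x in mem[pc + 1:pc + n]])))
        pc += n
    return out

def explore(image: bytes, max_steps: int = 500):
    """Concolic exploration: execute concretely, decoding every instruction from memory
    as it is at that moment; at a JNE on a symbolic API result fork one state per
    feasible outcome (feasibility: enumerate the 8-bit candidate set, a stand-in for
    an SMT query).  Returns (nodes, edges, self_modifying, api_calls)."""
    nodes: Dict[int, str] = {}  # executed address -> instruction as decoded at run time
    edges, written, self_modifying, api_calls = set(), set(), set(), set()
    work = [SimpleNamespace(pc=0, mem=bytearray(image), regs=[0, 0], sym={}, cmp=None)]
    while work:
        s = work.pop()
        for _ in range(max_steps):
            name, n = ISA[s.mem[s.pc]]  # decode from memory as it is *now*
            ops = list(s.mem[s.pc + 1:s.pc + n])
            a, b = (ops + [0, 0])[:2]
            nodes[s.pc] = " ".join([name] + [f"{x:#04x}" for x in ops])
            if s.pc in written:  # executing bytes the program wrote itself
                self_modifying.add(s.pc)
            nxt = s.pc + n
            if name in ("MOV", "INC"):  # reg becomes concrete (a full tool keeps INC symbolic)
                s.regs[a] = b if name == "MOV" else (s.regs[a] + 1) & 0xFF
                s.sym.pop(a, None)
            elif name == "XOR":
                s.mem[s.regs[a]] ^= b
                written.add(s.regs[a])
            elif name == "CMP":
                s.cmp = (a, b)
            elif name == "JMP":
                nxt = a
            elif name == "JNE":
                reg, imm = s.cmp
                if reg not in s.sym:
                    nxt = nxt if s.regs[reg] == imm else a
                else:  # taken iff reg != imm; keep each outcome whose value set is non-empty
                    outcomes = [(a, s.sym[reg] - {imm}), (nxt, s.sym[reg] & {imm})]
                    feasible = [(t, v) for t, v in outcomes if v]
                    for tgt, vals in feasible[1:]:
                        f = copy.deepcopy(s)
                        f.pc, f.sym[reg], f.regs[reg] = tgt, vals, min(vals)
                        edges.add((s.pc, tgt))
                        work.append(f)
                    nxt, s.sym[reg] = feasible[0]
                    s.regs[reg] = min(s.sym[reg])
            elif name == "API":
                api_calls.add(a)
                s.sym.pop(0, None)
                s.regs[0] = 0
                if a in SYMBOLIC_APIS:  # result unknown: any 8-bit value is possible
                    s.sym[0] = set(range(256))
            elif name == "HLT":
                break
            edges.add((s.pc, nxt))
            s.pc = nxt
    return nodes, edges, self_modifying, api_calls
```

Calling `linear_sweep(build_image(), 0)` lists only the six instructions of the decryption loop and `linear_sweep(build_image(), PAYLOAD_START)` lists nothing, while `explore(build_image())` returns all eleven executed addresses, twelve CFG edges, the five payload addresses flagged as self-modified, and both API stubs. A purely concrete run with r0 = 0 would take the JNE and never show the call to stub 2; the fork on the symbolic API result is what exposes it.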

Document Details

Document Type
Technical Report
Publication Date
Oct 03, 2016
Accession Number
AD1019863

Entities

People

  • Mizuhito Ogawa

Organizations

  • Japan Advanced Institute of Science and Technology

Tags

Communities of Interest

  • Cyber

DTIC Thesaurus Topics

  • Air Force Research Laboratories
  • Anti-Virus Software
  • Automatic
  • Computers
  • Contamination
  • Cybersecurity
  • Demographic Cohorts
  • Disassembly
  • Identification
  • Instructions
  • Language
  • Malware
  • Models
  • Natural Languages
  • Specifications
  • Standards
  • Transient Response Analysis

Fields of Study

  • Computer science

Readers

  • Applied Combinatorial Optimization and Logic Circuit Design.
  • Cybersecurity.
  • Parallel and Distributed Computing.

Technology Areas

  • Cyber