ABSTRACT
As reverse engineering becomes a prevalent technique for analyzing malware, malware writers leverage various anti-reverse-engineering techniques to hide their code. One technique commonly used is code packing, since packed executables hinder code analysis. While this problem has been researched before, existing solutions are either unable to handle novel samples or vulnerable to various evasion techniques. In this paper, we propose a fully dynamic approach that captures an intrinsic property of hidden code execution: the original code must be present in memory and executed at some point at run time. The approach therefore monitors program execution and memory writes at run time, determines whether the code under execution was newly generated (written after the program started), and then extracts the hidden code of the executable. To demonstrate its effectiveness, we implement a system, Renovo, and evaluate it on a large number of real-world malware samples. The experiments show that Renovo is accurate compared to previous work, yet practical in terms of performance.
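The detection rule in the abstract (track every memory write, and treat an instruction fetch from a written-since-start location as hidden code) can be shown on a toy machine. The following is an example added here for illustration; it is not Renovo's code, which monitors real x86 execution. The 8-bit instruction set, the XOR-based packer, the nested two-layer sample and the helper names (`asm_unpacker`, `Tracer`, `extract_hidden_code`) are all inventions of this example. It goes one step beyond the single-layer case described above: after each extraction the shadow "dirty" map is cleared, so a second unpacking stage written by the first is detected and dumped as its own layer.

```python
"""Toy tracer: detect and extract hidden (run-time generated) code via a dirty-memory shadow map."""
from dataclasses import dataclass, field

MEM_SIZE = 256
INSN_LEN = 4  # every instruction is opcode + 3 operand bytes (made-up fixed-width ISA)

# Opcodes of a made-up 8-bit machine (an assumption of this example, not a real ISA).
MOVI, LOADI, STOREI, XORI, INC, JNE, JMP, HALT = 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0xFF


def asm_unpacker(src: int, end: int, key: int, target: int, base: int) -> bytes:
    """Assemble a one-stage XOR unpacker: decode [src, end) in place with key, then jump to target."""
    loop = base + INSN_LEN  # address of the LOADI that starts the decode loop
    code = [
        (MOVI, 1, src, 0),     # r1 = src
        (LOADI, 0, 1, 0),      # r0 = mem[r1]
        (XORI, 0, key, 0),     # r0 ^= key
        (STOREI, 0, 1, 0),     # mem[r1] = r0   (the write that marks the bytes dirty)
        (INC, 1, 0, 0),        # r1 += 1
        (JNE, 1, end, loop),   # if r1 != end: goto loop
        (JMP, target, 0, 0),   # transfer control into the freshly written bytes
    ]
    return bytes(b for insn in code for b in insn)


@dataclass
class Layer:
    start: int   # address where the extracted region begins
    code: bytes  # memory contents of that region at the moment it was first executed


@dataclass
class Tracer:
    mem: bytearray
    dirty: bytearray = field(default_factory=lambda: bytearray(MEM_SIZE))  # shadow map: 1 = written
    regs: list = field(default_factory=lambda: [0, 0, 0, 0])
    pc: int = 0
    layers: list = field(default_factory=list)

    def write(self, addr: int, val: int) -> None:
        self.mem[addr] = val & 0xFF
        self.dirty[addr] = 1  # every store is recorded, whether it turns out to be code or data

    def dirty_runs(self) -> list:
        """Contiguous runs of written memory; all of it is dumped since code/data is unknown yet."""
        runs, start = [], None
        for a in range(MEM_SIZE + 1):
            d = a < MEM_SIZE and self.dirty[a]
            if d and start is None:
                start = a
            elif not d and start is not None:
                runs.append(Layer(start, bytes(self.mem[start:a])))
                start = None
        return runs

    def run(self, max_steps: int = 10_000) -> list:
        for _ in range(max_steps):
            pc = self.pc
            if any(self.dirty[pc:pc + INSN_LEN]):
                # Fetching from memory written after start: this is hidden code. Dump it, then
                # reset the shadow map so a further unpacking stage is caught as a new layer.
                self.layers.extend(self.dirty_runs())
                self.dirty[:] = bytes(MEM_SIZE)
            op, a, b, c = self.mem[pc:pc + INSN_LEN]
            self.pc = pc + INSN_LEN
            r = self.regs
            if op == MOVI:
                r[a] = b
            elif op == LOADI:
                r[a] = self.mem[r[b]]
            elif op == STOREI:
                self.write(r[b], r[a])
            elif op == XORI:
                r[a] ^= b
            elif op == INC:
                r[a] = (r[a] + 1) & 0xFF
            elif op == JNE:
                if r[a] != b:
                    self.pc = c
            elif op == JMP:
                self.pc = a
            elif op == HALT:
                return self.layers
            else:
                raise ValueError(f"bad opcode {op:#x} at {pc:#x}")
        raise RuntimeError("step limit reached")


def build_sample():
    """Constructed sample: stage 1 (at 0) decodes [0x40,0x88); stage 2 (at 0x40) decodes the payload."""
    K1, K2 = 0x5A, 0xA7
    payload = bytes((MOVI, 2, 0x2A, 0)) + bytes((HALT, 0, 0, 0))  # the "original" hidden program
    stage2 = asm_unpacker(src=0x80, end=0x88, key=K2, target=0x80, base=0x40)
    stage1 = asm_unpacker(src=0x40, end=0x88, key=K1, target=0x40, base=0)
    image = bytearray(MEM_SIZE)
    image[0:len(stage1)] = stage1
    image[0x40:0x40 + len(stage2)] = bytes(b ^ K1 for b in stage2)       # packed once (K1)
    image[0x5C:0x80] = bytes(0 ^ K1 for _ in range(0x80 - 0x5C))          # filler, also under K1
    image[0x80:0x88] = bytes(b ^ K2 ^ K1 for b in payload)                # packed twice (K2 then K1)
    return image, stage2, payload


def extract_hidden_code(image: bytearray) -> list:
    return Tracer(bytearray(image)).run()


if __name__ == "__main__":
    image, _, _ = build_sample()
    for i, layer in enumerate(extract_hidden_code(image), 1):
        print(f"layer {i}: {len(layer.code)} bytes at {layer.start:#04x}: {layer.code.hex()}")
```

The first dump still contains the second-stage-packed payload (a static dump of the image after stage 1 would not reveal the program); only the second dump, taken when control actually reaches 0x80, contains the original code. That is the point of deciding at execution time rather than at write time. A real implementation must also cope with code that is written as data and never executed, and with writes to the currently executing page, neither of which this toy handles.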
Renovo: a hidden code extractor for packed executables