Distributing the Reconstruction of High-Level Intermediate Representation for Large Scale Malware Analysis

Presented at Black Hat USA 2015, Aug. 5, 2015, 3 p.m. (50 minutes)

Malware is acknowledged as an important threat and the number of new samples grows at an absurd pace. Additionally, targeted and so called advanced malware became the rule, not the exception. Analysts and companies use different degrees of automation to be able to handle the challenge, but there is always a gap. Reverse engineering is an even harder task due to the increased amount of work and the stricter time-frame to accomplish it. This has a direct impact on the investigative process and thus makes prevention of future threats more challenging.

In this work, the authors discuss distributed reverse engineering techniques, using intermediate representation (thanks to the Hex-Rays team for supporting us in this research) in a clustered environment. The results presented demonstrate different uses for this kind of approach, for example to find algorithmic commonalities between malware families.

A higher level abstraction of the malware code is constructed from the abstract syntax tree (ctree) provided by Hex-Rays Decompiler. That abstraction facilitates the extraction of characteristics such as domain generation algorithms (DGA), custom encryption and specific parsers for configuration data. In order to reduce the number of false positives in some C++ metadata identification, such as virtual function tables and RTTI, the authors created the object-oriented artifacts directly from the analyzed malware.

The extracted characteristics of 2 million malware samples are analyzed and the presented results provide a rich dataset to improve malware analysis efforts and threat intelligence initiatives. With that dataset, other researchers will be able to extract a ctree from new samples and compare it against the millions we processed.
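The comparison step described above (an abstraction built from a decompiler ctree, then matched against other samples to surface algorithmic commonalities) as an added illustration that is not the authors' plugin or code. The trees below are a constructed stand-in for Hex-Rays ctree output, using opcode names in the style of `cit_*`/`cot_*` item types; the two "samples" share a mixing loop and differ only in constants and variable numbering, which the normalization deliberately discards.

```python
import hashlib
from collections import Counter

# Constructed ctree stand-in: a node is (opcode, children); leaves are ("num", value) or ("var", index).
def sample_loop(seed, v_hash, v_i):
    """for (i = 0; i < 12; ++i) hash = hash * seed + i   -- a constructed DGA-like mixing loop."""
    return ("cit_for", [
        ("cot_asg", [("var", v_i), ("num", 0)]),
        ("cot_slt", [("var", v_i), ("num", 12)]),
        ("cot_preinc", [("var", v_i)]),
        ("cot_asg", [("var", v_hash),
                     ("cot_add", [("cot_mul", [("var", v_hash), ("num", seed)]), ("var", v_i)])]),
    ])

def normalize(node):
    """Drop constant values and variable numbering so only the shape of the code remains."""
    op, payload = node
    if op in ("num", "var"):
        return (op, [])
    return (op, [normalize(child) for child in payload])

def _walk(node, out):
    # Merkle-style hash: each subtree's digest is built from its opcode and its children's digests.
    op, children = node
    child_digests = [_walk(child, out) for child in children]
    digest = hashlib.sha256((op + "(" + ",".join(child_digests) + ")").encode()).hexdigest()
    out[digest] += 1          # multiset of every subtree seen
    return digest

def fingerprint(ctree):
    """Return the multiset of normalized subtree hashes for one function's ctree."""
    out = Counter()
    _walk(normalize(ctree), out)
    return out

def similarity(fp_a, fp_b):
    """Weighted Jaccard over the subtree multisets: 1.0 means structurally identical code."""
    inter = sum((fp_a & fp_b).values())
    union = sum((fp_a | fp_b).values())
    return inter / union if union else 0.0

if __name__ == "__main__":
    a = fingerprint(sample_loop(0x1003F, 3, 4))
    b = fingerprint(sample_loop(0x6C, 7, 8))        # same algorithm, different constants and vars
    print("same algorithm:", similarity(a, b))      # 1.0
```

Swapping a single operator (for example `cot_mul` for `cot_xor`) in one sample lowers the score, which is the signal a clustered comparison over many samples would use to group variants of one family.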

As an additional contribution, the gathered representation, together with all the raw information from the samples, will be made available to other researchers after the presentation, along with additional ideas for future development. The developed Hex-Rays Decompiler plugin and the analysis/automation tools used to extract the characteristics will also be made available to the audience on GitHub.

Presenters:

  • Alexander Matrosov - Intel
    Alexander Matrosov has more than ten years of experience with malware analysis, reverse engineering, and advanced exploitation techniques. He is currently a senior security researcher in the Advanced Threat Research team at Intel Security Group. Prior to this role, he spent four years focused on advanced malware research at ESET. He is co-author of numerous research papers, including "Stuxnet Under the Microscope", "The Evolution of TDL: Conquering x64", and "Mind the Gapz: The Most Complex Bootkit Ever Analyzed?". Alexander is frequently invited to speak at security conferences, such as REcon, Ekoparty, Zeronights, AVAR, CARO, and Virus Bulletin. Nowadays, he specializes in the comprehensive analysis of advanced threats, modern vectors of exploitation, and hardware security research.
  • Eugene Rodionov
    Eugene Rodionov graduated with honours from the Information Security faculty of the Moscow Engineering Physics Institute (State University) in 2009 and successfully defended his PhD thesis in 2012. He has worked over the past five years for several companies, performing software development and malware analysis. He currently works at ESET, where he is involved in internal research projects and also performs in-depth analysis of complex threats. His interests include kernel-mode programming, anti-rootkit technologies and reverse engineering. Eugene has spoken at security conferences such as REcon, Virus Bulletin, Zeronights, CARO and AVAR, and has co-authored numerous research papers.
  • Gabriel Negreira Barbosa - Intel
    Gabriel Negreira Barbosa works as a Senior Security Researcher at Intel. Prior to that, he worked as a security researcher at the Qualys Vulnerability & Malware Research Labs (VMRL). He received his MSc degree from the Instituto Tecnológico de Aeronáutica (ITA), where he also worked on security projects for the Brazilian government and Microsoft Brazil.
  • Rodrigo Branco - Intel
    Rodrigo Rubira Branco (BSDaemon) is a Principal Security Researcher at Intel, responsible for driving security assurance of targeted security technologies in core client products and for SeCoE hackathon initiatives within Intel. Prior to joining Intel, he held positions at various companies in the security industry, such as IBM, Check Point, Coseinc, and Qualys. In 2011, he was honored as one of the top contributors to Adobe vulnerabilities that year. He is part of the technical committee for the Brazilian Department of Cyber-Defense (CDCiber) and for many security conferences, such as Hackito, LACSEC, and PHDays. He is a member of the RISE Security Group and is the organizer of the Hackers to Hackers Conference (H2HC), the oldest security research conference in Latin America. He is an active contributor to open-source projects and has given keynotes and spoken at numerous security and open-source related events, including Black Hat, Hack in The Box, XCon, VNSecurity, OLS, Defcon, Hackito, Ekoparty, Troopers, and many others.