FLOSS every day - automatically extracting obfuscated strings from malware

Presented at CarolinaCon 12 (2016), March 4, 2016, 8:30 p.m. (Unknown duration).

The FireEye Labs Obfuscated String Solver (FLOSS) is an open source tool that automatically detects, extracts, and decodes obfuscated strings in Windows Portable Executable (PE) files. Malware analysts, forensic investigators, and incident responders can use FLOSS to quickly extract sensitive strings to identify indicators of compromise (IOCs).

Malware authors encode strings in their programs to hide malicious activity and impede reverse engineering. Even simple encoding schemes defeat the strings tool and complicate static and dynamic analysis. Reverse engineers are challenged to decode the obfuscated data in order to fully understand a program. This usually involves recognizing encoded strings, re-implementing the decoding function, and manually applying the algorithm to the data. This process may take several hours for each malware variant. FLOSS reduces this to seconds without requiring the analyst to examine the deobfuscation method.

Although FLOSS uses advanced static analysis techniques such as emulation, the tool can be used by anyone. Incident responders and forensic analysts who understand how to interpret the strings found in a binary will understand FLOSS's output. FLOSS extracts higher-value strings, as obfuscated strings typically contain the most sensitive configuration resources, including malicious domains, IP addresses, suspicious file paths, and other IOCs.

Presenters:

  • William Ballenthin
    William Ballenthin is a reverse engineer on the FLARE team. He enjoys tackling malware and developing forensic analysis techniques. His favorite beer is La Chouffe.
  • Moritz Raabe
    Moritz Raabe is a reverse engineer on the FireEye Labs Advanced Reverse Engineering (FLARE) team. He currently focuses on automating and simplifying malware analysis.
