Presented at
DEF CON 14 (2006),
Aug. 5, 2006, 4 p.m.
(50 minutes).
The amount of new malware being developed has increased at a staggering rate over the last couple of years. At the same time, executable packing technology has grown to provide malware authors with a myriad of choices in how they pack their malware to evade detection and analysis. This presents a growing problem to analysts who lack the time to learn how each packer works and can be unpacked, but still need to be able to quickly handle anything that comes their way.
There are three conventional approaches to automatic unpacking, including unpacking by emulation (very difficult to write 100% compatible to the platform and therefore tools that are closely held by their authors), unpacking by memory dump (not reliable and, will also corrupt variables with their post-initialization values), and finally, writing a specific unpacking engine for each packer based on reverse-engineering the packer code (also a huge undertaking to have enough coverage, also a cat-and-mouse game).
In this presentation I will demonstrate a semi-automatic approach to unpacking malware that bridges the gap between highly-skilled manual unpacking and speedy but costly automatic unpacking. By leveraging certain aspects of the i386 architecture we can unpack code from a great deal of packers to the OEP without emulation or specific knowledge of the packing algorithm.
Presenters:
-
Joe Stewart
- Senior Security Researcher
Joe Stewart, GCIH - Senior Security Researcher with LURHQ, a leading Managed Security Services Provider. In this role he researches unusual Internet activity to discover emerging threats, new attack techniques and the latest malicious code. He is a SANS Global Information Assurance Certified Incident Handler (GCIH) and has been in the information security field for six years. He is a frequent commentator on security issues for leading media organizations such as The New York Times, MSNBC, Washington Post, Bloomberg and others. Additionally, Joe has published numerous security research papers on Sobig, Migmaf, Sinit, Phatbot, BlackWorm, Cryzip and other cyber-threats and attack techniques. Joe is the author of software projects Fess, Mumsie, and Truman as well as numerous OllyDbg plugins including OllyPerl.
Links:
Similar Presentations: