Finding Xori: Malware Analysis Triage with Automated Disassembly

Presented at DEF CON 26 (2018), Aug. 10, 2018, 1 p.m. (20 minutes)

In a world of high volume malware and limited researchers we need a dramatic improvement in our ability to process and analyze new and old malware at scale. Unfortunately what is currently available to the community is incredibly cost prohibitive or does not rise to the challenge. As malware authors and distributors share code and prepackaged tool kits, the corporate sponsored research community is dominated by solutions aimed at profit as opposed to augmenting capabilities available to the broader community. With that in mind, we are introducing our library for malware disassembly called Xori as an open source project. Xori is focused on helping reverse engineers analyze binaries, optimizing for time and effort spent per sample.

Xori is an automation-ready disassembly and static analysis library that consumes shellcode or PE binaries and provides triage analysis data. This Rust library emulates the stack, register states, and reference tables to identify suspicious functionality for manual analysis. Xori extracts structured data from binaries to use in machine learning and data science pipelines.

We will go over the pain-points of conventional open source disassemblers that Xori solves, examples of identifying suspicious functionality, and some of the interesting things we've done with the library. We invite everyone in the community to use it, help contribute and make it an increasingly valuable tool for researchers alike.

Presenters:

• Rich Seymour - Senior Data Scientist at Endgame Inc
  Rich Seymour is a senior data scientist at Endgame, where he works on integrating R&D successes into the company's platform and experimenting with new techniques to make security sensible. He's currently working on improving natural language understanding in the Artemis chatbot in the Endgame platform and understanding how to catch adversary tradecraft. He holds a PhD in materials science and an MS in computer science, both from the University of Southern California, where he worked on high-performance computing simulations of nanoscale materials under stress. He has spoken at USENIX SOUPS, Shmoocon and O'Reilly Security. @rseymour
• Amanda Rousseau - Senior Malware Researcher at Endgame Inc.
  Amanda Rousseau absolutely loves malware. She works as a Senior Malware Researcher at Endgame who focuses on dynamic behavior detection both on Windows and OSX platforms. She worked as a malware researcher at FireEye before joining Endgame. She previously worked a reverse engineer and computer forensic examiner working for DoD forensic investigations and commercial incident response engagements. She received her MS in Information Systems Engineering from Johns Hopkins University. Research interests include malware evasion techniques, dynamic behavior classification, and developing runtime detections. @malwareunicorn

Links:

• https://defcon.org/html/defcon-26/dc-26-speakers.html#Rousseau
• https://infocon.org/cons/DEF CON/DEF CON 26/DEF CON 26 video and slides/DEF CON 26 - Rousseau and Seymour - Finding Xori Malware Analysis Triage with Automated Disassembly.mp4
• https://infocon.org/cons/DEF CON/DEF CON 26/DEF CON 26 video and slides/DEF CON 26 - Rousseau and Seymour - Finding Xori Malware Analysis Triage with Automated Disassembly.srt (subtitles)
• https://www.youtube.com/watch?v=-MaO-lmteeQ

Similar Presentations:

• Black Hat USA 2014 / Prevalent Characteristics in Modern Malware
• Black Hat USA 2018 / Finding Xori: Malware Analysis Triage with Automated Disassembly
• Black Hat USA 2012 / A Scientific (But Non Academic) Study of How Malware Employs Anti-Debugging, Anti-Disassembly and Anti-Virtualization Technologies