Binary Difference Analysis via Phase Cancellation

Presented at ShmooCon I (2005), Feb. 6, 2005, 9 a.m. (60 minutes)

Binary difference analysis is becoming more popular due to the rising number of patches released by Microsoft and the increase in long-running, multi-variant malware. An interesting approach was taken by Halvar Flake, who used graph analysis to determine differences between binaries; however, this method has some drawbacks, one of which is the post-analysis data representation.

Apart from the math-intensive graph isomorphism technique, the other obvious approach is to use fingerprinting to identify key characteristics of code and find non-matching sequences. However, this method is also somewhat limited.

We propose a new analysis system using a methodology borrowed from the audio/RF world: phase cancellation. By applying these techniques, it is possible to overcome some of the drawbacks of both prior methodologies and present a clear picture of what has changed between two binaries. We present two new tools: OllyPerl, a plugin that allows scripting of the OllyDbg debugger in Perl, and WaveDiff, a Perl script that implements the phase-cancellation difference analysis described in the paper. Full source will be provided for both tools.
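To make the audio analogy concrete, the following added example (written for this page in Python; it is not the WaveDiff script or OllyPerl from the talk, and nothing about their internals is assumed) treats each byte of two constructed "binaries" as one audio sample, aligns the two signals by cross-correlation, then adds the original to the phase-inverted (negated) patched copy. Wherever the two agree the samples cancel to exactly zero, so whatever survives is the change. The sample data, the `wave_diff` function and its helpers are all constructed here for illustration.

```python
import hashlib


def _constructed_sample(n: int, seed: bytes = b"constructed sample") -> bytes:
    """Deterministic pseudo-random bytes standing in for a code section.
    (Constructed test data, not a real binary.)"""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


# Constructed pair: the "patched" copy gains a 4-byte stub at the front
# (shifting everything behind it) and has three bytes altered at offsets
# 40..42 of the original.
ORIGINAL = _constructed_sample(96)
PATCHED = (
    b"\x90\x90\x90\x90"
    + ORIGINAL[:40]
    + bytes(b ^ 0xFF for b in ORIGINAL[40:43])
    + ORIGINAL[43:]
)


def to_signal(data: bytes) -> list[int]:
    """Treat each byte as one sample, centred on zero the way audio is."""
    return [b - 128 for b in data]


def best_lag(a: list[int], b: list[int], max_lag: int) -> int:
    """Shift of b relative to a that maximises the mean cross-correlation.

    This is the alignment step: before two signals can cancel they must be
    lined up, and a patch that inserts bytes moves everything behind it.
    """
    best_lag_found, best_score = 0, None
    min_overlap = min(len(a), len(b)) // 2
    for lag in range(-max_lag, max_lag + 1):
        lo = max(0, -lag)               # first index of a with a partner in b
        hi = min(len(a), len(b) - lag)  # one past the last such index
        overlap = hi - lo
        if overlap < min_overlap:
            continue
        score = sum(a[i] * b[i + lag] for i in range(lo, hi)) / overlap
        if best_score is None or score > best_score:
            best_lag_found, best_score = lag, score
    return best_lag_found


def cancel(a: list[int], b: list[int], lag: int) -> list[tuple[int, int]]:
    """Sum a with the phase-inverted (negated), shifted b.

    Wherever the two binaries agree the samples cancel to exactly 0; anything
    left over is the difference. Offsets are reported in a's coordinates.
    """
    lo = max(0, -lag)
    hi = min(len(a), len(b) - lag)
    return [(i, a[i] + -b[i + lag]) for i in range(lo, hi)]


def changed_regions(residual, gap: int = 2) -> list[tuple[int, int]]:
    """Coalesce non-zero residual samples into [start, end) byte ranges,
    merging neighbours closer than `gap` so one edit shows as one region."""
    spans = []
    for offset, value in residual:
        if value == 0:
            continue
        if spans and offset - spans[-1][1] <= gap:
            spans[-1][1] = offset + 1
        else:
            spans.append([offset, offset + 1])
    return [tuple(s) for s in spans]


def wave_diff(original: bytes, patched: bytes, max_lag: int = 16):
    """Return (lag, changed regions) for two byte strings."""
    a, b = to_signal(original), to_signal(patched)
    lag = best_lag(a, b, max_lag)
    return lag, changed_regions(cancel(a, b, lag))


if __name__ == "__main__":
    lag, regions = wave_diff(ORIGINAL, PATCHED)
    print(f"patched copy is shifted by {lag} bytes; changed ranges: {regions}")
```

On the constructed pair this reports a lag of 4 and a single changed range at offsets 40..42. The example uses one global alignment, which is enough when a patch only prepends or replaces bytes in place; a real patch that inserts or deletes bytes in the middle of a function shifts only the tail, so a practical tool has to re-run the alignment per window or per function rather than once per file.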


Presenters:

  • Mike Wisener - LURHQ
    Mike Wisener, GCIA - Senior Security Analyst with LURHQ, has been working in the Information Security field for three years and has handled millions of intrusion events for LURHQ clients while monitoring their corporate networks from the Secure Operations Center. Mike received his Bachelor's degree in Computer Science from Coastal Carolina University, where he served as the BOFH for the CS student server, sometimes also known on campus as "the jerk who says I can't use telnet anymore".
  • Joe Stewart - LURHQ
    Joe Stewart, GCIH - Senior Security Researcher with LURHQ, a leading Managed Security Services Provider. In this role he researches unusual Internet activity to discover emerging threats, new attack techniques and the latest malicious code. He is a SANS Global Information Assurance Certified Incident Handler (GCIH) and has been in the information security field for four years. He is a frequent commentator on security issues for leading media organizations such as The New York Times, MSNBC, Washington Post, Bloomberg and others. Additionally, Joe has published numerous security research papers on Sobig, Migmaf, Sinit, Phatbot and other cyber-threats and attack techniques.