untangling the code
play

Untangling the code An overview of techniques to reverse engineer - PowerPoint PPT Presentation

Sep 08, 2023 •180 likes •381 views

Untangling the code An overview of techniques to reverse engineer malicious software Prashant Gupta Security Architect, McAfee Inc. June 3, 2013 McAfee Confidential Internal Use Only Abstract Reverse engineering and analysis of binary code

  1. Untangling the code An overview of techniques to reverse engineer malicious software Prashant Gupta Security Architect, McAfee Inc. June 3, 2013 McAfee Confidential — Internal Use Only

  2. Abstract Reverse engineering and analysis of binary code has been seen as a black art that requires immense commitment, large degree of experience and intuition to be fruitful. This may have been true a couple of decades ago but with the recent focus on reverse code engineering by security vendors and prolific malicious actors alike this field has progressed significantly. In this talk I will present some of the techniques employed during reversing of unknown binaries when vetting them for malicious traits. The talk would also cover how program analysis can help identify possibly suspicious traits in code and how reverse engineering and program analysis techniques used for code are also relevant for identifying potentially suspicious data when analysing document formats. 2 June 3, 2013

  3. Reverse Code Engineering: What? Scanners/Fingerprinting Decoders/Decryptors Code Unpackers Environment Behaviour Analysers Interactions Code reversers … … Better Understanding 3 June 3, 2013

  4. Reverse Code Engineering: Why? • Improve understanding where source code is not available • Audit, review or forensic investigation of software systems • Identifying intellectual property licensing breach • Malware research & defence 4 June 3, 2013

  5. Malware prevalence Historically…. 54M+ 100000000 10000000 1000000 164,000 56,342 100000 8,069 10000 357 1000 100 10 1 1990 1995 2000 2005 2010 5 June 3, 2013

  6. Malware prevalence: Why? Packer Junk-Code Chaining Dynamic Anti- Functionality Emulation Extension Destroy Compression structures Anti- Encryption Disassembly Malware New attack Virtualization vectors Code 6 June 3, 2013

  7. Reversing Code: Static Analysis • Automated Signature Search – Text search – Binary signatures – Known blobs, tables and data structure search • Decoding/decrypting code and payload - Identifying and decoding encoded payloads - From XORs to Purpose Built Custom algorithms (e.g. usage pseudo-random) • Code Block identification - Compiler and Library recognition - Fingerprinting known obfuscation techniques - Dealing with compiler optimizations - Semantic code similarity identification 7 June 3, 2013

  8. Reversing Code: Static Analysis • Decompiling - Identifying boiler-plate code - Make complex code easier to understand (e.g. algorithms) - Many issues, after so many years still in it’s infancy. • Packer identification and Un-Packing - Identify if binary is a setup, built using a binder/packer/cryptor - Unpack using custom, generic or standard algorithms. • Artefact extraction and logging - Structural anomalies - Known code patterns (e.g. peculiar function chaining) - Junk-code or no-op code search 8 June 3, 2013

  9. Reversing Code: Dynamic Analysis • Virtualization/Sandboxing and Debugging - Control malware exposure and it’s ability to leave irreversible changes. - Debugging to guide execution flows (bypass exceptions) - Providing stimulus to force malware to exhibit behaviour - Active and passive analysis platforms. • Behaviour logging - Automated behaviour trace logging - Identify communication mechanism - Identify persistence mechanism • Post/Part execution memory dumps - Generate memory dumps for detailed static analysis - In cases where unpacking is not possible/feasible - In cases where in-memory data structures need analysis - Runtime unpacking 9 June 3, 2013

  10. Reversing Code: Machine Correlation • Correlation for high level behaviour inference - correlation of artefacts extracted from automated analysis • Automated Classification - Behavioural trait association - Static code relationships - Malware family 10 June 3, 2013

  11. Reversing Code: Manual Investigation • Separating the wheat from the chaff – Identifying suspicious code – Evaluating known patterns and guiding analysis process – Making decisions where automation could only provide approximations. • Optimizing program code analysis - Correlating artefacts from static and behavioural analysis - Building new algorithms - Fixing problems faced by automation (exceptions, resource constraints, etc.) - Manual unpacking/decoding • Heuristic development - Adding new feature extraction methods - New correlation policies - New subsystem development for analysis and detection improvements 11 June 3, 2013

  12. Reverse Engineering documents Binary Code Binary Documents Analysis Not human readable Yes Yes RE tools and environment Multitude of Many execution Documents are Heuristic analysis environments environments including generally platform systems can be shared VMs agnostic. when analysing artefact correlation. Can exploit Yes, but not always Yes, generally in Dynamic analysis vulnerabilities needed. document editor/reader techniques can be used but sometimes in OS Internal formats can be Yes Yes Detecting encoded obfuscated payloads. Identifying presence of obfuscation. Executable Code Yes No Signature searches and payload analysis techniques. 12 June 3, 2013

  13. 13 100 An example technique… 10 20 30 40 50 60 70 80 90 0 100 38400 76700 115000 153300 191600 229900 268200 306500 344800 explorer.exe 383100 421400 459700 498000 536300 574600 612900 651200 689500 727800 766100 804400 842700 881000 919300 957600 June 3, 2013 995900 100 10 20 30 40 50 60 70 80 90 0 100 14500 28900 43300 57700 upx compressed explorer.exe 72100 86500 100900 115300 129700 144100 158500 172900 187300 201700 216100 230500 244900 259300 273700 288100 302500 316900 331300 345700 360100 374500

  14. 100 10 20 30 40 50 60 70 80 90 0 14 An example technique… 100 157900 315700 473500 631300 document with hidden executable 789100 946900 1104700 1262500 1420300 1578100 1735900 1893700 2051500 2209300 2367100 2524900 2682700 2840500 2998300 3156100 3313900 3471700 3629500 3787300 3945100 4102900 June 3, 2013 4260700 4418500 4576300 100 4734100 10 20 30 40 50 60 70 80 90 0 100 157900 315700 473500 631300 789100 946900 1104700 1262500 1420300 1578100 1735900 1893700 document 2051500 2209300 2367100 2524900 2682700 2840500 2998300 3156100 3313900 3471700 3629500 3787300 3945100 4102900 4260700 4418500 4576300 4734100

  15. Open source toolsets SysAnalyzer - Automated malcode analysis system (not a sandbox!) Malcode Analyst Pack - suite of tools useful for malcode analysts VirtualBox - x86 and AMD64/Intel64 virtualization product BeaEngine - disassembler library x86 x86-64 (IA32 and Intel64) Libemu - x86 shellcode emulation 15 June 3, 2013

  16. Databases/Tools RE-Google IDA plugin Queries Google Code for information about the functions contained in a disassembled binary ClamAV Open source (GPL) antivirus engine Malware lookup services VirusTotal, The Malware Hash Registry ThreatExpert, McAfee SiteAdvisor Utilities and Assessment Tools McAfee Free Tools, Collaborative RCE Tool Library 16 June 3, 2013

  17. Extensible analysis frameworks Cuckoo Sandbox - Modular malware analysis system Zero Wine Malware Analysis Tool - Research project to dynamically analyse the behaviour of malware Malheur - Automatic analysis of malware behaviour Radare - Open source tools to disasm, debug, analyse, manipulate binary files 17 June 3, 2013

  18. Prashant Gupta Security Architect, McAfee Inc. @PrashantGupta

  19. References IMPORTANT: These are 3 rd party websites so please review what you download for malware/suspicious content before use. 1. Cuckoo Sandbox: http://www.cuckoosandbox.org/ 2. Zero Wine Malware Analysis Tool: http://zerowine.sourceforge.net/ 3. Malheur: http://www.mlsec.org/malheur/ 4. Radare: http://www.radare.org/ 5. Interactive Disassembler Pro: http://www.hex-rays.com/ 6. REGoogle: http://regoogle.carnivore.it/ 7. ClamAV: http://www.clamav.net/ 8. SysAnalyzer: https://github.com/dzzie/SysAnalyzer 9. Example technique from - Detecting exploits in electronic objects, Alexander Shipp: http://www.google.com/patents/US20080134333 19 June 3, 2013

  20. References IMPORTANT: These are 3 rd party websites so please review what you download for malware/suspicious content before use. 10. Malcode Analyst Pack: https://github.com/dzzie/MAP 11. VirusTotal: http://www.virustotal.com/ 12. The Malware Hash Registry: http://www.team-cymru.org/Services/MHR/ 13. ThreatExpert: http://www.threatexpert.com 14. McAfee SiteAdvisor: http://www.siteadvisor.com/ 15. McAfee Free Tools: http://www.mcafee.com/us/downloads/free-tools/ 16. Collaborative RCE Tool Library: http://www.woodmann.com/collaborative/tools/index.php/Category:RCE_To ols 17. McAfee Threats Report Q4 2012: http://www.mcafee.com/uk/resources/reports/rp-quarterly-threat-q4- 2012.pdf 20 June 3, 2013

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Untangling Composite Commits Untangling Composite Commits Using Program Slicing Using Program

Untangling Composite Commits Untangling Composite Commits Using Program Slicing Using Program

Untangling Composite Commits Untangling Composite Commits Using Program Slicing Using Program Slicing Ward Muylaert and Coen De Roover @wardmuylaert and @oniroi Sofuware Languages Lab SCAM 2018 Vrije Universiteit Brussel Madrid, Spain

388 views • 27 slides
Untangling and Restructuring CTDB Martin Schwenke < martin@meltin.net > Samba Team IBM

Untangling and Restructuring CTDB Martin Schwenke < martin@meltin.net > Samba Team IBM

Untangling and Restructuring CTDB Martin Schwenke < martin@meltin.net > Samba Team IBM (Australia Development Laboratory, Linux Technology Center) Martin Schwenke Untangling and Restructuring CTDB What are we talking about? Martin

1.71k views • 113 slides
Whose Fault is This? Untangling Domain Concepts in an Ontology of Resilient Computing Bene

Whose Fault is This? Untangling Domain Concepts in an Ontology of Resilient Computing Bene

Introduction Motivation Characterizing Role and Reusability Summary Whose Fault is This? Untangling Domain Concepts in an Ontology of Resilient Computing Bene Rodriguez-Castro Hugh Glaser Dependable Systems and Software Engineering

273 views • 25 slides
Midwinter Meeting February 29, 2020 Untangling Medication Administration in Patients with

Midwinter Meeting February 29, 2020 Untangling Medication Administration in Patients with

Midwinter Meeting February 29, 2020 Untangling Medication Administration in Patients with Feeding Tubes Lilian F. Ooi, PharmD, BCPS, BCCCP Advanced Clinical Pharmacist Intermountain McKay-Dee Hospital Disclosure I have no conflicts of

849 views • 16 slides
Whose Fault is This? Untangling Domain Concepts in Ontology Design Patterns Bene

Whose Fault is This? Untangling Domain Concepts in Ontology Design Patterns Bene

Introduction Motivation Characterizing Role and Reusability Summary Whose Fault is This? Untangling Domain Concepts in Ontology Design Patterns Bene Rodriguez-Castro Hugh Glaser Dependable Systems and Software Engineering Group

437 views • 25 slides
Untangling Knots in Lattices and Proteins A Computational Study By Rhonald Lua Adviser:

Untangling Knots in Lattices and Proteins A Computational Study By Rhonald Lua Adviser:

Untangling Knots in Lattices and Proteins A Computational Study By Rhonald Lua Adviser: Alexander Yu. Grosberg University of Minnesota Human Hemoglobin (oxygen transport protein) (Structure by G. FERMI and M.F. PERUTZ) Globular proteins

822 views • 58 slides
School-Level Teacher Qualifications and School Environments: Untangling Their Interrelationship

School-Level Teacher Qualifications and School Environments: Untangling Their Interrelationship

1 School-Level Teacher Qualifications and School Environments: Untangling Their Interrelationship for School Improvement. This study was funded with a grant from the Spencer Foundation. The views expressed are solely those of the authors.

318 views • 17 slides
Untangling a planar graph A. Spillner 1 A. Wolff 2 1 School of Computing Sciences University of

Untangling a planar graph A. Spillner 1 A. Wolff 2 1 School of Computing Sciences University of

Untangling a planar graph A. Spillner 1 A. Wolff 2 1 School of Computing Sciences University of East Anglia 2 Faculteit Wiskunde en Informatica Technische Universiteit Eindhoven Current Trends in Theory and Practice of Computer Science, 2008

560 views • 22 slides
Untangling the marketing supply chain ADD YOUR BRAND HERE AGILITY SPEED VISIBILITY LOSS

Untangling the marketing supply chain ADD YOUR BRAND HERE AGILITY SPEED VISIBILITY LOSS

Andrew Wood, Head of Strategy & Proposition COMMUNISIS Untangling the marketing supply chain ADD YOUR BRAND HERE AGILITY SPEED VISIBILITY LOSS & WASTAGE INEFFICIENCIES COMPLEXITY Manufacturer HO Co- Packers Ac/Cat Teams

506 views • 12 slides
Statistical significance for untangling complex genotype- phenotype connections Jun Sese

Statistical significance for untangling complex genotype- phenotype connections Jun Sese

Statistical significance for untangling complex genotype- phenotype connections Jun Sese sese.jun@aist.go.jp AIST http://seselab.org/ Higher-order analyses of genome-wide data are incompatible with p-values Combinatorial e ff ects

660 views • 29 slides
Untangling Header Bidding Lore Some myths, some truths, and some hope Waqar Aqeel , Debopam

Untangling Header Bidding Lore Some myths, some truths, and some hope Waqar Aqeel , Debopam

Untangling Header Bidding Lore Some myths, some truths, and some hope Waqar Aqeel , Debopam Bhattacherjee, Balakrishnan Chandrasekaran, Philip Brighten Godfrey, Gregory Laughlin, Bruce M. Maggs, and Ankit Singla 1 How (traditional) Real-Time

442 views • 15 slides
VICORE PHARMA AB Untangling the Dualistic Components of the RAS in PF the Yin and Yang Dr Rohit

VICORE PHARMA AB Untangling the Dualistic Components of the RAS in PF the Yin and Yang Dr Rohit

VICORE PHARMA AB Untangling the Dualistic Components of the RAS in PF the Yin and Yang Dr Rohit Batta Chief Medical Officer Vicore Pharma Vicore at a glance FOCUS Patients with fibrotic lung disease GUIDING Unmet medical needs

1.03k views • 18 slides
Untangling and Unwinding Curves Dagstuhl Workshop on Computational Geometry April 27, 2017 Jeff

Untangling and Unwinding Curves Dagstuhl Workshop on Computational Geometry April 27, 2017 Jeff

Untangling and Unwinding Curves Dagstuhl Workshop on Computational Geometry April 27, 2017 Jeff Erickson University of Illinois at Urbana-Champaign Joint work with Hsien-Chih Chang Portions appeared at SOCG 2016 http://a.carapetis.com/csf/

502 views • 39 slides
Untangling Result List Refinement and Ranking quality: A Framework for Evaluation and

Untangling Result List Refinement and Ranking quality: A Framework for Evaluation and

Untangling Result List Refinement and Ranking quality: A Framework for Evaluation and Prediction Jiyin He, Marc Bron, Arjen de Vries, Leif Azzopardi, and Maarten de Rijke Batch Evaluation Cost effective evaluation: prediction of search

519 views • 30 slides
80% of Code Red 2 Code Red 2 re-re- Code Red 1 and Code Red 2 Code Red 2 re- cleaned up

80% of Code Red 2 Code Red 2 re-re- Code Red 1 and Code Red 2 Code Red 2 re- cleaned up

Slammer s Bandwidth-Limited Growth 80% of Code Red 2 Code Red 2 re-re- Code Red 1 and Code Red 2 Code Red 2 re- cleaned up due to released Jan 2004 Nimda endemic dies off released with Oct. onset of Blaster (and 2005; not since

450 views • 34 slides
Untangling Chinas Quest for Oil through State-backed Financial Deals Dr. Peter C. Evans

Untangling Chinas Quest for Oil through State-backed Financial Deals Dr. Peter C. Evans

Untangling Chinas Quest for Oil through State-backed Financial Deals Dr. Peter C. Evans Sponsored by Asia Strategy Toranomon, Tokyo March 29, 2006 Peter Evans, MIT Laboratory for Energy and Environment Overview Oil Market Conditions

342 views • 19 slides
Can You Trust Your Encrypted Cloud? An Assessment of SpiderOakONEs Security Anders Dalskov

Can You Trust Your Encrypted Cloud? An Assessment of SpiderOakONEs Security Anders Dalskov

Can You Trust Your Encrypted Cloud? An Assessment of SpiderOakONEs Security Anders Dalskov Claudio Orlandi Aarhus University RWC 2018 Agenda I A Threat Model for Encrypted Cloud Storage (ECS). I A high-level look into a modern ECS service

770 views • 47 slides
HoneySpider Network Fighting client side threats Piotr Kijewski (NASK/CERT Polska) Carol Overes

HoneySpider Network Fighting client side threats Piotr Kijewski (NASK/CERT Polska) Carol Overes

HoneySpider Network Fighting client side threats Piotr Kijewski (NASK/CERT Polska) Carol Overes (GOVCERT.NL) Rogier Spoor (SURFnet) 20th Annual FIRST Conference on Computer Security Incident Handling, June 22-27, Vancouver Goals

501 views • 36 slides
CSE543 - Computer and Network Security Module: Web Security Professor Trent Jaeger Fall 2010 1

CSE543 - Computer and Network Security Module: Web Security Professor Trent Jaeger Fall 2010 1

978 views • 41 slides
Web Security! Big Picture: Browser and Network request website Browser reply OS Network

Web Security! Big Picture: Browser and Network request website Browser reply OS Network

CSE 484 / CSE M 584: Computer Security and Privacy CSRF and XSS attacks Fall 2016 Ada (Adam) Lerner lerner@cs.washington.edu Thanks to Franzi Roesner, Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, John Manferdelli, John Mitchell,

1.29k views • 59 slides
Virus dans une carte mythe ou (proche) ralit ? Dcembre 2013 Sminaire Confiance

Virus dans une carte mythe ou (proche) ralit ? Dcembre 2013 Sminaire Confiance

Virus dans une carte mythe ou (proche) ralit ? Dcembre 2013 Sminaire Confiance Numrique Jean-Louis Lanet Jean-louis.lanet@unilim.fr Agenda Class of attacks Java Based Smart Card Hide this code and execute it.

708 views • 60 slides
Computer Security 3e Dieter Gollmann Security.di.unimi.it/sicurezza1516/ Chapter 10: 1 Chapter

Computer Security 3e Dieter Gollmann Security.di.unimi.it/sicurezza1516/ Chapter 10: 1 Chapter

Computer Security 3e Dieter Gollmann Security.di.unimi.it/sicurezza1516/ Chapter 10: 1 Chapter 10: Software Security Chapter 10: 2 Secure Software Software is secure if it can handle intentionally malformed input; the attacker picks (the

708 views • 33 slides
Data Structures and Object-Oriented Design II Spring 2014 Carola Wenk Stacks Are the

Data Structures and Object-Oriented Design II Spring 2014 Carola Wenk Stacks Are the

Data Structures and Object-Oriented Design II Spring 2014 Carola Wenk Stacks Are the methods in this class guaranteed to work? What kind of specifications can we guarantee to ensure the correctness of push and pop ? public int pop() {

507 views • 14 slides
Presentations Power Grid TCIP: Trustworthy Cyber Infrastructure for Power Overview Presented

Presentations Power Grid TCIP: Trustworthy Cyber Infrastructure for Power Overview Presented

Trustworthy Cyber Infrastructure for the Presentations Power Grid TCIP: Trustworthy Cyber Infrastructure for Power Overview Presented by: William H. Sanders TCIP Year 1 Review, December 11, 2006 University of Illinois Dartmouth College

299 views • 11 slides

More recommend