Automatic Reverse Engineering of Malware Emulators

Sharif, Muhammad; Lanzi, Andrea; Giffin, Jonathon; Lee, Wenke

doi:10.1109/sp.2009.27

“…PVMs can greatly increase the search space for the attacker, provide misleading run-time information and continuously relocate critical code, making dynamic analysis exceedingly difficult to accomplish. There has been research which aims to reverse engineer PVM-protected applications, by identifying code belonging to the VM in the execution trace [15,44]. However, such methodologies usually involve performing complex analysis on the trace information and are targeted towards applications which are typically small in size (i.e., a few hundred instructions e.g., malware).…”

Section: Implications Of the Attackmentioning

confidence: 99%

Replacement attacks against VM-protected applications

Ghosh

¹

,

Hiser

²

,

Davidson

³

2012

Proceedings of the 8th ACM SIGPLAN/SIGOPS Conference on Virtual Execution Environments

View full text Add to dashboard Cite

Process-level virtualization is increasingly being used to enhance the security of software applications from reverse engineering and unauthorized modification (called software protection). Processlevel virtual machines (PVMs) can safeguard the application code at run time and hamper the adversary's ability to launch dynamic attacks on the application. This dynamic protection, combined with its flexibility, ease in handling legacy systems and low performance overhead, has made process-level virtualization a popular approach for providing software protection. While there has been much research on using process-level virtualization to provide such protection, there has been less research on attacks against PVM-protected software. In this paper, we describe an attack on applications protected using process-level virtualization, called a replacement attack. In a replacement attack, the adversary replaces the protecting PVM with an attack VM thereby rendering the application vulnerable to analysis and modification. We present a general description of the replacement attack methodology and two attack implementations against a protected application using freely available tools. The generality and simplicity of replacement attacks demonstrates that there is a strong need to develop techniques that meld applications more tightly to the protecting PVM to prevent such attacks.

show abstract

“…However, their scheme does not produce encouraging results when applied to complex applications. Sharif et al have also devised techniques to automatically reverse engineer malware that is obfuscated by such PVMs [44]. Although their goals are somewhat similar to this work, there are marked differences.…”

Section: Related Workmentioning

confidence: 99%

Replacement attacks against VM-protected applications

Ghosh

¹

,

Hiser

²

,

Davidson

³

2012

View full text Add to dashboard Cite

Process-level virtualization is increasingly being used to enhance the security of software applications from reverse engineering and unauthorized modification (called software protection). Processlevel virtual machines (PVMs) can safeguard the application code at run time and hamper the adversary's ability to launch dynamic attacks on the application. This dynamic protection, combined with its flexibility, ease in handling legacy systems and low performance overhead, has made process-level virtualization a popular approach for providing software protection. While there has been much research on using process-level virtualization to provide such protection, there has been less research on attacks against PVM-protected software. In this paper, we describe an attack on applications protected using process-level virtualization, called a replacement attack. In a replacement attack, the adversary replaces the protecting PVM with an attack VM thereby rendering the application vulnerable to analysis and modification. We present a general description of the replacement attack methodology and two attack implementations against a protected application using freely available tools. The generality and simplicity of replacement attacks demonstrates that there is a strong need to develop techniques that meld applications more tightly to the protecting PVM to prevent such attacks.

show abstract

“…These methods proceed by monitoring the usage of memory and identifying unpacked code created at runtime. A similar approach is devised by Sharif et al [22], which defeats emulation-based packers using dynamic taint analysis. These unpackers enable a generic deobfuscation of malicious code, yet they operate at runtime and, similar to the analysis of documents in a sandbox, suffer from a runtime overhead.…”

Section: Related Workmentioning

confidence: 99%

Deobfuscating Embedded Malware Using Probable-Plaintext Attacks

Wressnegger

¹

,

Boldewin²,

Rieck

³

2013

Research in Attacks, Intrusions, and Defenses

View full text Add to dashboard Cite

Abstract. Malware embedded in documents is regularly used as part of targeted attacks. To hinder a detection by anti-virus scanners, the embedded code is usually obfuscated, often with simple Vigenère ciphers based on XOR, ADD and additional ROL instructions. While for short keys these ciphers can be easily cracked, breaking obfuscations with longer keys requires manually reverse engineering the code or dynamically analyzing the documents in a sandbox. In this paper, we present Kandi, a method capable of efficiently decrypting embedded malware obfuscated using Vigenère ciphers. To this end, our method performs a probable-plaintext attack from classic cryptography using strings likely contained in malware binaries, such as header signatures, library names and code fragments. We demonstrate the efficacy of this approach in different experiments. In a controlled setting, Kandi breaks obfuscations using XOR, ADD and ROL instructions with keys up to 13 bytes in less than a second per file. On a collection of real-world malware in Word, Powerpoint and RTF files, Kandi is able to expose obfuscated malware from every fourth document without involved parsing.

show abstract

Automatic Reverse Engineering of Malware Emulators

Cited by 146 publications

References 18 publications

Replacement attacks against VM-protected applications

Replacement attacks against VM-protected applications

Replacement attacks against VM-protected applications

Deobfuscating Embedded Malware Using Probable-Plaintext Attacks

Contact Info

Product

Resources

About