Visualizing compiled executables for malware analysis

Quist, Daniel; Liebrock, Lorie M.

doi:10.1109/vizsec.2009.5375539

Cited by 59 publications

(33 citation statements)

References 8 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Vera [17] allows to represent graphically the execution trace of a binary at the basic block level. Unfortunately, it is not clear if this granularity is useful in presence of very complex packers that involve multiple unpacking layers and the interaction between several processes.…”

Section: Packer Visualizationmentioning

confidence: 99%

SoK: Deep Packer Inspection: A Longitudinal Study of the Complexity of Run-Time Packers

Ugarte-Pedrero

Balzarotti

Santos

et al. 2015

2015 IEEE Symposium on Security and Privacy

102

View full text Add to dashboard Cite

Abstract-Run-time packers are often used by malware-writers to obfuscate their code and hinder static analysis. The packer problem has been widely studied, and several solutions have been proposed in order to generically unpack protected binaries. Nevertheless, these solutions commonly rely on a number of assumptions that may not necessarily reflect the reality of the packers used in the wild. Moreover, previous solutions fail to provide useful information about the structure of the packer or its complexity. In this paper, we describe a framework for packer analysis and we propose a taxonomy to measure the runtime complexity of packers.We evaluated our dynamic analysis system on two datasets, composed of both off-the-shelf packers and custom packed binaries. Based on the results of our experiments, we present several statistics about the packers complexity and their evolution over time.

show abstract

Section: Packer Visualizationmentioning

confidence: 99%

SoK: Deep Packer Inspection: A Longitudinal Study of the Complexity of Run-Time Packers

Ugarte-Pedrero

Balzarotti

Santos

et al. 2015

2015 IEEE Symposium on Security and Privacy

102

View full text Add to dashboard Cite

show abstract

“…Existing approaches [8], [9], [11], [30], [55]- [57] use graph-based representation to capture malicious programs. The authors in [55], [56] have presented a visualization approach to cluster the samples showing malign behavior. Another clustering approach proposed by Jacob et al [9] which specifically identifies botinitiated Command & Control (C&C) communication.…”

Section: Graph-based Approachesmentioning

confidence: 99%

Employing Program Semantics for Malware Detection

Naval

Laxmi

Rajarajan

et al. 2015

IEEE Trans.Inform.Forensic Secur.

View full text Add to dashboard Cite

This is the accepted version of the paper.This version of the publication may differ from the final published version. Abstract-In recent years, malware has emerged as a critical security threat. Additionally, malware authors continue to embed numerous anti-detection features to evade existing malware detection approaches. Against this advanced class of malicious programs, dynamic behavior-based malware detection approaches outperform the traditional signature-based approaches by neutralizing the effects of obfuscation and morphing techniques. The majority of dynamic behavior detectors rely on system-calls to model the infection and propagation dynamics of malware. However, these approaches do not account an important antidetection feature of modern malware, i.e., system-call injection attack. This attack allows the malicious binaries to inject irrelevant and independent system-calls during the program execution thus modifying the execution sequences defeating the existing system-call based detection. To address this problem, we propose an evasion-proof solution that is not vulnerable to system-call injection attacks. Our proposed approach precisely characterizes the program semantics using Asymptotic Equipartition Property (AEP) mainly applied in information theoretic domain. The AEP allows us to extract the information-rich call sequences that are further quantified to detect the malicious binaries. Furthermore, the proposed detection model is less vulnerable to call-injection attacks as the discriminating components are not directly visible to malware authors. This particular characteristic of proposed approach hampers a malware author's aim of defeating our approach. We run a thorough set of experiments to evaluate our solution and compare it with existing systemcall based malware detection techniques. The results demonstrate that the proposed solution is effective in identifying real malware instances. Permanent repository link

show abstract

“…Recovering crypto code from traces is an example of the case mentioned above, i.e., of recovering a priori known constructs from code. Finally, VERA is an interesting piece of work on trace visualization [QL09,QLN09]. The goal of VERA is to visualize malware behavior, allowing the reverse engineer to identify malware features without resorting to code analysis.…”

Section: Advancing Trace Analysismentioning

confidence: 99%

Efficient and Stealthy Instruction Tracing and Its Applications in Automated Malware Analysis: Open Problems and Challenges

Bangerter

Bühlmann

Kirda

2012

Open Problems in Network Security

View full text Add to dashboard Cite

Abstract.Malware is substantial security threat today and most likely in the foreseeable future. The analysis of malware is a key activity in the fight against the threat. Since manual analysis is time consuming and given the extent of the malware threat, malware analysis needs to be automated. Malware analysis sandboxes offer such automation and play already an important role in practice. Yet, they only uncover certain aspects of malware behavior, and still require manual analysis in many cases. This is not a viable way to go, and thus the automation and quality of automated analysis needs to be pushed further. A promising technique towards this goal is instruction tracing combined with analyzes algorithms that uncover malware behavior from an instruction trace.In this position paper, we shall argue that instruction tracing is still in its infancy and point out challenges and open problems of instruction tracing in general. In particular, we shall describe Helios, which is our new instruction tracer that offers a better balance of tracing speed and transparency than existing techniques.

show abstract

Visualizing compiled executables for malware analysis

Cited by 59 publications

References 8 publications

SoK: Deep Packer Inspection: A Longitudinal Study of the Complexity of Run-Time Packers

SoK: Deep Packer Inspection: A Longitudinal Study of the Complexity of Run-Time Packers

Employing Program Semantics for Malware Detection

Efficient and Stealthy Instruction Tracing and Its Applications in Automated Malware Analysis: Open Problems and Challenges

Contact Info

Product

Resources

About