Inspector gadget: Automated extraction of proprietary gadgets from malware binaries

Proceedings - IEEE Symposium on Security and Privacy

Volumn , Issue , 2010, Pages 29-44

  Kolbitsch, Clemens ^a   Holz, Thorsten ^a   Kruegel, Christopher ^b   Kirda, Engin ^c  

^a VIENNA UNIVERSITY OF TECHNOLOGY   (Austria)

^b UNIVERSITY OF CALIFORNIA   (United States)

^c EURECOM   (France)

Author keywords

[No Author keywords available]

Indexed keywords

AUTOMATED EXTRACTION; CAN DESIGN; COMMAND AND CONTROL; COMPLEX TASK; MALICIOUS SOFTWARE; MALWARES; REAL-WORLD; SPECIFIC TASKS; STAND -ALONE; UNSOLVED PROBLEMS;

COMPUTER CRIME; EMBEDDED SOFTWARE;

EXTRACTION;

EID: 77955195701     PISSN: 10816011     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/SP.2010.10     Document Type: Conference Paper

References (44)

1. C. Linn and S. Debray, "Obfuscation of Executable Code to Improve Resistance to Static Disassembly," in Conference on Computer and Communications Security (CCS), 2003.
2. I. Popov, S. Debray, and G. Andrews, "Binary Obfuscation Using Signals," in USENIX Security Symposium, 2007.
3. A. Moser, C. Kruegel, and E. Kirda, "Limits of Static Analysis for Malware Detection ," in 23rd Annual Computer Security Applications Conference (ACSAC), 2007.
4. M. I. Sharif, A. Lanzi, J. T. Giffin, and W. Lee, "Impeding Malware Analysis Using Conditional Code Obfuscation," in Network and Distributed System Security Symposium (NDSS), 2008.
5. L. Cavallaro, P. Saxena, and R. Sekar, "On the Limits of Information Flow Techniques for Malware Analysis and Containment," in 5th Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA), 2008.
6. B. Stone-Gross, M. Cova, L. Cavallaro, B. Gilbert, M. Szydlowski, R. Kemmerer, C. Kruegel, and G. Vigna, "Your Botnet is My Botnet: Analysis of a Botnet Takeover," in Conference on Computer and Communication Security (CCS), 2009.
7. F. Leder and T. Werner, "Containing Conficker: Conficker Domain Name Generation," http://net.cs.uni-bonn.de/wg/cs/applications/containing- conficker, 2009.
8. M. Ligh and G. Sinclair, "Malware RCE: Debuggers and Decryptor Development," Defcon 16, 2008.
9. H. Agrawal and J. R. Horgan, "Dynamic Program Slicing," in Conference on Programming Language Design and Implementation (PLDI), 1990.
10. J. Caballero, N. M. Johnson, S. McCamant, and D. Song, "Binary Code Extraction and Interface Identification for Security Applications," in Network and Distributed Systems Symposium (NDSS), February 2010.
11. U. Bayer, "Anubis: Analyzing Unknown Binaries," http://anubis.iseclab.org, 2009.
12. J. Newsome and D. X. Song, "Dynamic Taint Analysis for Automatic Detection, Analysis, and SignatureGeneration of Exploits on Commodity Software," in Network and Distributed System Security Symposium (NDSS), 2005.
13. X. Zhang, R. Gupta, and Y. Zhang, "Precise Dynamic Slicing Algorithms," in International Conference on Software Engineering (ICSE), 2003.
14. F. Bellard, "Qemu: A Fast and Portable Dynamic Translator," in Usenix Annual Technical Conference, Freenix Track, 2005.
15. U. Bayer, C. Kruegel, and E. Kirda, "TTAnalyze: A Tool for Analyzing Malware," in Annual Conference of the European Institute for Computer Antivirus Research (EICAR), 2006.
16. U. Bayer, P. Milani Comparetti, C. Hlauschek, C. Kruegel, and E. Kirda, "Scalable, Behavior-Based Malware Clustering," in Network and Distributed System Security Symposium (NDSS), 2009.
17. C. Kolbitsch, P. Milani Comparetti, C. Kruegel, E. Kirda, X. Zhou, and X. Wang, "Effective and Efficient Malware Detection at the End Host," in 18th Usenix Security Symposium, 2009.
18. Z. Wang, X. Jiang, W. Cui, X. Wang, and M. Grace, "ReFormat: Automatic Reverse Engineering of Encrypted Messages," in 14th European Symposium on Research in Computer Security (ESORICS), 2009.
19. R. Wahbe, S. Lucco, T. E. Anderson, and S. L. Graham, "Efficient Software-based Fault Isolation," in 14th ACM Symposium on Operating Systems Principles (SOSP), 1993.
20. S. McCamant and G. Morrisett, "Evaluating SFI for a CISC architecture," in 15th USENIX Security Symposium, 2006.
21. W. Sun, Z. Liang, V. Venkatakrishnan, and R. Sekar, "Oneway Isolation: An Effective Approach for Realizing Safe Execution Environments," in Network and Distributed Systems Symposium (NDSS), 2005.
22. B. Yee, D. Sehr, G. Dardyk, J. B. Chen, R. Muth, T. Ormandy, S. Okasaka, N. Narula, and N. Fullagar, "Native Client: A Sandbox for Portable, Untrusted x86 Native Code," in IEEE Symposium on Security and Privacy, 2009.
23. T. Holz, C. Gorecki, K. Rieck, and F. C. Freiling, "Measuring and Detecting Fast-Flux Service Networks," in Proceedings of the 15th Annual Network & Distributed System Security Symposium (NDSS), 2008.
24. N. Freed and N. Borenstein, "Multipurpose Internet Mail Extensions (MIME) Part One: Format of Internet Message Bodies," http://tools.ietf.org/ html/rfc2045#section-6.8, 1996.
25. P. Porras, H. Saïdi, and V. Yegneswaran, "A Foray into Conficker's Logic and Rendezvous Points," in USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET), 2009.
26. A. Decker, D. Sancho, L. Kharouni, M. Goncharov, and R. McArdle, "Pushdo/Cutwail Botnet: A study of the Pushdo/Cutwail Botnet," TrendMicro Labs, 2009.
27. A. Sotirov, "Tiny PE: Creating the smallest possible PE executable," http://www.phreedom.org/solar/code/tinype/, 2006.
28. C. Kreibich, C. Kanich, K. Levchenko, B. Enright, G. M. Voelker, V. Paxson, and S. Savage, "On the Spam Campaign Trail," in 1st Usenix Workshop on Large-Scale Exploits and Emergent Threats (LEET), 2008.
29. Y. Xie, F. Yu, K. Achan, R. Panigrahy, G. Hulten, and I. Osipkov, "Spamming Botnets: Signatures and Characteristics," SIGCOMM Comput. Commun. Rev., vol. 38, no. 4, 2008.
30. J. P. John, A. Moshchuk, S. D. Gribble, and A. Krishnamurthy, "Studying Spamming Botnets Using Botlab," in 6th USENIX Symposium on Networked Systems Design and Implementation (NSDI), 2009.
31. T. Holz, M. Engelberth, and F. Freiling, "Learning More About the Underground Economy: A Case-Study of Keyloggers and Dropzones," in European Symposium on Research in Computer Security (ESORICS), 2009.
32. Finjan Malicious Code Research, "Malware Analysis Trojan Banker URLZone/Bebloh," http://www.finjan.com/ MCRCblog.aspx?EntryId=2345, 2009.
33. H. Yin, D. Song, M. Egele, C. Kruegel, and E. Kirda, "Panorama: Capturing System-wide Information Flow for Malware Detection and Analysis," in ACM Conference on Computer and Communication Security (CCS), 2007.
34. M. Egele, C. Kruegel, E. Kirda, H. Yin, and D. Song, "Dynamic Spyware Analysis," in Usenix Annual Technical Conference, 2007.
35. E. Kirda, C. Kruegel, G. Banks, G. Vigna, and R. Kemmerer, "Behavior-based Spyware Detection," in 15th Usenix Security Symposium, 2006.
36. A. Lanzi, M. I. Sharif, and W. Lee, "K-Tracer: A System for Extracting Kernel Malware Behavior," in Network and Distributed System Security Symposium (NDSS), 2009.
37. M. Weiser, "Program Slicing," in International Conference on Software Engineering (ICSE), 1981.
38. Z. Lin, X. Zhang, and D. Xu, "Reuse-Oriented Camouflaging Trojan: Vulnerability Detection and Attack Construction," in IEEE/IFIP International Conference on Dependable Systems and Networks (DSN-DCCS 2010), June 2010.
39. H. Shacham, "The Geometry of Innocent Flesh on the Bone: Return-into-libc Without Function Calls (on the x86)" in ACM Conference on Computer and Communications Security (CCS), 2007.
40. R. Hund, T. Holz, and F. Freiling, "Return-Oriented Rootkits: Bypassing Kernel Code Integrity Protection Mechanisms," in 18th USENIX Security Symposium, 2009.
41. J. Newsome, D. Brumley, J. Franklin, and D. Song, "Replayer: Automatic Protocol Replay by Binary Analysis," in 13th ACM Conference on Computer and Communications Security (CCS), 2006.
42. J. Caballero, P. Poosankam, C. Kreibich, and D. Song, "Dispatcher: Enabling Active Botnet Infiltration using Automatic Protocol Reverse-Engineering," in ACM Conference on Computer and Communication Security (CCS), 2009.
43. D. Song, D. Brumley, H. Yin, J. Caballero, I. Jager, M. G. Kang, Z. Liang, J. Newsome, P. Poosankam, and P. Saxena, "BitBlaze: A New Approach to Computer Security via Binary Analysis," in 4th International Conference on Information Systems Security (ICISS), 2008.
44. A. Moser, C. Kruegel, and E. Kirda, "Exploring Multiple Execution Paths for Malware Analysis," in IEEE Symposium on Security and Privacy, 2007.