Frankenstein: Stitching malware from benign binaries

6th USENIX Workshop on Offensive Technologies, WOOT 2012

Volumn , Issue , 2012, Pages

  Mohan, Vishwath ^a   Hamlen, Kevin W ^a  

^a UNIVERSITY OF TEXAS AT DALLAS   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

COMPUTER SYSTEM FIREWALLS; ENGINES;

BINARY FEATURES; BYTE-SEQUENCES; CURRENT GENERATION; FEATURE-BASED; MALWARE PROPAGATION; METAMORPHIC MALWARE; RETURN-ORIENTED PROGRAMMING; STATE OF THE ART;

MALWARE;

EID: 85084161758     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: None     Document Type: Conference Paper

References (23)

1. J. Caballero, C. Grier, C. Kreibich, and V. Paxson, “Measuring pay-per-install: The commoditization of malware distribution,” in Proc. USENIX Security Sym., 2011.
2. H.-A. Kim and B. Karp, “Autograph: Toward automated, distributed worm signature detection,” in Proc. Conf. on USENIX Security Sym., vol. 13, 2004, pp. 271–286.
3. C. Kreibich and J. Crowcroft, “Honeycomb: Creating intrusion detection signatures using honeypots,” ACM SIGCOMM Computer Communication Review, vol. 34, no. 1, pp. 51–56, 2004.
4. Z. Li, M. Sanghi, Y. Chen, M.-Y. Kao, and B. Chavez, “Hamsa: Fast signature generation for zero-day polymorphic worms with provable attack resilience,” in Proc. IEEE Sym. on Security & Privacy (S&P), 2006, pp. 32–47.
5. J. Newsome, B. Karp, and D. Song, “Polygraph: Automatically generating signatures for polymorphic worms,” in Proc. IEEE Sym. on Security & Privacy (S&P), 2005, pp. 226–241.
6. S. Singh, C. Estan, G. Varghese, and S. Savage, “Automated worm fingerprinting,” in Proc. Conf. on Sym. on Opearting Systems Design & Implementation (OSDI), vol. 6, 2004, pp. 45–60.
7. K. Wang, J. J. Parekh, and S. J. Stolfo, “Anagram: A content anomaly detector resistant to mimicry attack,” in Proc. Int. Conf. on Recent Advances in Intrusion Detection (RAID), 2006, pp. 226–248.
8. K. Wang and S. J. Stolfo, “Anomalous payload-based network intrusion detection,” in Proc. Int. Conf. on Recent Advances in Intrusion Detection (RAID), 2004, pp. 203–222.
9. R. Lyda and J. Hamrock, “Using entropy analysis to find encrypted and packed malware,” IEEE Security & Privacy, vol. 5, no. 2, pp. 40–45, 2007.
10. P. Fogla, M. Sharif, R. Perdisci, O. Kolesnikov, and W. Lee, “Polymorphic blending attacks,” in Proc. Conf. on USENIX Security Symposium, vol. 15, 2006.
11. C. Kruegel, E. Kirda, D. Mutz, W. Robertson, and G. Vigna, “Polymorphic worm detection using structural information of executables,” in Proc. Int. Conf. on Recent Advances in Intrusion Detection (RAID), 2005, pp. 207–226.
12. H. Shacham, “The geometry of innocent flesh on the bone: Return-into-libc without function calls (on the x86),” in Proc. ACM Conf. on Computer and Communications Security (CCS), 2007, pp. 552–561.
13. R. Roemer, E. Buchanan, H. Shacham, and S. Savage, “Return-oriented programming: Systems, languages, and applications,” ACM Trans. on Information and System Security (TISSEC), vol. 15, no. 1, 2012.
14. E. J. Schwartz, T. Avgerinos, and D. Brumley, “Q: Exploit hardening made easy,” in Proc. USENIX Security Sym., 2011.
15. Z. Wu, S. Gianvecchio, M. Xie, and H. Wang, “Mimimorphism: A new approach to binary code obfuscation,” in Proc. ACM Conf. on Computer and Communications Security (CSS), 2010, pp. 536–546.
16. P. O’Kane, S. Sezer, and K. McLaughlin, “Obfuscation: The hidden malware,” IEEE Security & Privacy, vol. 9, no. 5, pp. 41–47, 2011.
17. A. Kanade, A. Sanyal, and U. Khedker, “A PVS based framework for validating compiler optimizations,” in Proc. IEEE Int. Conf. on Software Engineering and Formal Methods (SEFM), 2006, pp. 108–117.
18. G. C. Necula, “Translation validation for an optimizing compiler,” in Proc. ACM SIGPLAN Conf. on Programming Language Design and Implementation (PLDI), 2000, pp. 83–94.
19. J.-B. Tristan, P. Govereau, and G. Morrisett, “Evaluating value-graph translation validation for LLVM,” in Proc. ACM SIGPLAN Conf. on Programming Language Design and Implementation (PLDI), 2011, pp. 295–305.
20. R. Tate, M. Stepp, Z. Tatlock, and S. Lerner, “Equality saturation: A new approach to optimization,” in Proc. ACM SIGPLAN-SIGACT Sym. on Principles of Programming Languages (POPL), 2009, pp. 264–276.
21. G. C. Necula and P. Lee, “The design and implementation of a certifying compiler,” in Proc. ACM SIGPLAN Conf. on Programming Language Design and Implementation (PLDI), 1998, pp. 333–344.
22. Y. Chen, L. Ge, B. Hua, Z. Li, and C. Liu, “Design of a certifying compiler supporting proof of program safety,” in Proc. Joint IEEE/IFIP Sym. on Theoretical Aspects of Software Engineering (TASE), 2007, pp. 127–138.
23. S. Bansal and A. Aiken, “Binary translation using peephole superoptimizers,” in Proc. USENIX Conf. on Operating Systems Design and Implementation (OSDI), 2008, pp. 177–192.