Automatic Reverse Engineering of Malware Emulators

2009 30th IEEE Symposium on Security and Privacy Pub Date : 2009-05-17 DOI:10.1109/SP.2009.27

Monirul I. Sharif, A. Lanzi, Jonathon T. Giffin, Wenke Lee

{"title":"Automatic Reverse Engineering of Malware Emulators","authors":"Monirul I. Sharif, A. Lanzi, Jonathon T. Giffin, Wenke Lee","doi":"10.1109/SP.2009.27","DOIUrl":null,"url":null,"abstract":"Malware authors have recently begun using emulation technology to obfuscate their code. They convert native malware binaries into bytecode programs written in a randomly generated instruction set and paired with a native binary emulator that interprets the bytecode. No existing malware analysis can reliably reverse this obfuscation technique. In this paper, we present the first work in automatic reverse engineering of malware emulators. Our algorithms are based on dynamic analysis. We execute the emulated malware in a protected environment and record the entire x86 instruction trace generated by the emulator. We then use dynamic data-flow and taint analysis over the trace to identify data buffers containing the bytecode program and extract the syntactic and semantic information about the bytecode instruction set. With these analysis outputs, we are able to generate data structures, such as control-flow graphs, that provide the foundation for subsequent malware analysis. We implemented a proof-of-concept system called Rotalume and evaluated it using both legitimate programs and malware emulated by VMProtect and Code Virtualizer. The results show that Rotalume accurately reveals the syntax and semantics of emulated instruction sets and reconstructs execution paths of original programs from their bytecode representations.","PeriodicalId":161757,"journal":{"name":"2009 30th IEEE Symposium on Security and Privacy","volume":"8 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2009-05-17","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"210","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2009 30th IEEE Symposium on Security and Privacy","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/SP.2009.27","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 210

Abstract

Malware authors have recently begun using emulation technology to obfuscate their code. They convert native malware binaries into bytecode programs written in a randomly generated instruction set and paired with a native binary emulator that interprets the bytecode. No existing malware analysis can reliably reverse this obfuscation technique. In this paper, we present the first work in automatic reverse engineering of malware emulators. Our algorithms are based on dynamic analysis. We execute the emulated malware in a protected environment and record the entire x86 instruction trace generated by the emulator. We then use dynamic data-flow and taint analysis over the trace to identify data buffers containing the bytecode program and extract the syntactic and semantic information about the bytecode instruction set. With these analysis outputs, we are able to generate data structures, such as control-flow graphs, that provide the foundation for subsequent malware analysis. We implemented a proof-of-concept system called Rotalume and evaluated it using both legitimate programs and malware emulated by VMProtect and Code Virtualizer. The results show that Rotalume accurately reveals the syntax and semantics of emulated instruction sets and reconstructs execution paths of original programs from their bytecode representations.

查看原文本刊更多论文

恶意软件仿真器的自动逆向工程

恶意软件作者最近开始使用仿真技术来混淆他们的代码。它们将本地恶意软件二进制文件转换成用随机生成的指令集编写的字节码程序，并与解释字节码的本地二进制仿真器配对。没有现有的恶意软件分析可以可靠地逆转这种混淆技术。在本文中，我们提出了恶意软件仿真器自动逆向工程的第一个工作。我们的算法是基于动态分析的。我们在受保护的环境中执行仿真的恶意软件，并记录仿真器生成的整个x86指令跟踪。然后，我们在跟踪中使用动态数据流和污点分析来识别包含字节码程序的数据缓冲区，并提取有关字节码指令集的语法和语义信息。有了这些分析输出，我们就能够生成数据结构，比如控制流图，为后续的恶意软件分析提供基础。我们实现了一个名为Rotalume的概念验证系统，并使用VMProtect和Code Virtualizer模拟的合法程序和恶意软件对其进行了评估。结果表明，Rotalume能够准确地揭示仿真指令集的语法和语义，并根据原始程序的字节码表示重构原始程序的执行路径。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

2009 30th IEEE Symposium on Security and Privacy

自引率

0.00%

发文量