Abstract
As the complexity of malware grows, so does the necessity of employing program structuring mechanisms during development. While control ow structuring is often obfuscated, the dynamic data structures employed by the program are typically untouched. We report on work in progress that exploits this weakness to identify dynamic data structures present in malware samples for the purposes of aiding reverse engineering and constructing malware signatures, which may be employed for malware classification. Using a prototype implementation, which combines the type recovery tool Howard and the identification tool Data Structure Investigator (DSI), we analyze data structures in Carberp and AgoBot malware. Identifying their data structures illustrates a challenging problem. To tackle this, we propose a new type recovery for binaries based on machine learning, which uses Howard's types to guide the search and DSI's memory abstraction for hypothesis evaluation.
| Original language | English |
|---|---|
| Title of host publication | CCS 2016 - Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security |
| Publisher | Association for Computing Machinery |
| Pages | 1772-1774 |
| Number of pages | 3 |
| Volume | 24-28-October-2016 |
| ISBN (Electronic) | 9781450341394 |
| DOIs | |
| Publication status | Published - 24 Oct 2016 |
| Event | 23rd ACM Conference on Computer and Communications Security, CCS 2016 - Vienna, Austria Duration: 24 Oct 2016 → 28 Oct 2016 |
Conference
| Conference | 23rd ACM Conference on Computer and Communications Security, CCS 2016 |
|---|---|
| Country/Territory | Austria |
| City | Vienna |
| Period | 24/10/16 → 28/10/16 |
Funding
This work is supported in part by DFG grant LU 1748/4-1 and the Research Fund KU Leuven.
Keywords
- Data structure identification
- Malware
- Program signatures
- Reverse engineering