Sciweavers

Share
SP
2009
IEEE

Automatic Reverse Engineering of Malware Emulators

12 years 6 days ago
Automatic Reverse Engineering of Malware Emulators
Malware authors have recently begun using emulation technology to obfuscate their code. They convert native malware binaries into bytecode programs written in a randomly generated instruction set and paired with a native binary emulator that interprets the bytecode. No existing malware analysis can reliably reverse this obfuscation technique. In this paper, we present the first work in automatic reverse engineering of malware emulators. Our algorithms are based on dynamic analysis. We execute the emulated malware in a protected environment and record the entire x86 instruction trace generated by the emulator. We then use dynamic data-flow and taint analysis over the trace to identify data buffers containing the bytecode program and extract the syntactic and semantic information about the bytecode instruction set. With these analysis outputs, we are able to generate data structures, such as control-flow graphs, that provide the foundation for subsequent malware analysis. We implemen...
Monirul I. Sharif, Andrea Lanzi, Jonathon T. Giffi
Added 21 May 2010
Updated 21 May 2010
Type Conference
Year 2009
Where SP
Authors Monirul I. Sharif, Andrea Lanzi, Jonathon T. Giffin, Wenke Lee
Comments (0)
books