Extending Binary Instrumentation To Automate Malware Reversing

Anoop Saldanha & Abhijit Mohanta, Juniper Threat Labs

Malware reversers have developed patterns and custom tools over time to help them speed up the analysis of malware. But manual analysis hasn't scaled with the huge deluge of malware arriving every day. The increasing complexity, new attack vectors and improved armoring have raised the cost of analysis, thereby leaving gaps in detection. In the face of this, Malware Reversal remains one area that has not seen the introduction of automation to speed up analysis.

While many Binary Instrumentation toolkits exist, they haven't been developed with a focus on debugging malware. Our research focuses on building tools that extend and adapt Binary Instrumentation to target malware analysis. We further discuss how it can be used to convert the patterns, intelligence and techniques collected by malware researchers into effective automation of malware debugging. We explain how Binary Instrumentation can be used to overcome hurdles such as anti-debugging, packing, locating the payload, anti-VM and sandbox detection employed by malware.

Presentation Outline:
1. What is Binary Instrumentation
In this section we explain what Binary Instrumentation is and cover existing instrumentation toolkits available to researchers.

2. Obstacles Faced By Malware Researchers
In this section we talk about the various obstacles faced by researchers, experienced and new alike. We also talk about the causes of the pain and what is needed from the current toolkits to overcome them.

3. Malware Reversal Shortcut Using Binary Instrumentation
We talk about the features we contributed to binary instrumentation that help extract minute details from the malware body and speed up reverse engineering. These include identifying unpacked code, anti-debugs and fake loops, and identifying the payload.

4. Binary Instrumentation: Live In Action
We show Binary Instrumentation in action, using it to reverse a malware sample.

5. Extending Binary Instrumentation as a Detection Solution
Having used it to debug malware, in this section we delve into how it can be converted into a sandbox-based detection tool.

6. Closing Remarks
In this section we talk about how the system can be abused, future research to address this, and plans for further extension of these toolkits.

Attendee Takeaways:
1. Introduction to Binary Instrumentation and the various toolkits currently available.
2. How Binary Instrumentation can be adapted to target malware debugging and can be further extended into building Sandbox Based Detection Solutions.

Anoop Saldanha

Anoop Saldanha was one of the core developers of Suricata (OISF), the next-generation Intrusion Detection and Prevention System (IDS/IPS), developed under the funding of the US Department of Homeland Security (DHS) and the US Navy's Space and Naval Warfare Command (SPAWAR). Currently a security engineer with Juniper Threat Labs and Engineering, he comes with varied industry experience, previously with RSA Security, Cyphort Cybersecurity and the Open Information Security Foundation (OISF), and as a consultant for various security startups and academia. His areas of interest include IDS/IPS, Sandboxes, Endpoint Systems, Malware Analysis and developing Scalable Detection Engines.

Abhijit Mohanta

Abhijit Mohanta, author of the book Preventing Ransomware: Understand, Prevent, and Remediate Ransomware Attacks, is a malware researcher at Juniper Threat Labs. He is part of the panel of Malware Researchers with the Data Security Council of India (DSCI) that tracks recent and upcoming security trends. He has previously worked as a malware researcher developing modules for Antivirus and Sandboxes at Symantec, McAfee and Cyphort Cybersecurity. He specializes in reverse engineering, malware analysis, Windows internals, vulnerabilities and exploits.
