Anoop Saldanha & Abhijit Mohanta, Juniper Threat Labs

Malware Reversers have developed patterns and custom tools over a period of time to help them speed up analysis of a malware. But manual analysis hasn’t scaled with the huge deluge of malwares everyday. The increasing complexity, new attack vectors, improved armoring has raised the cost of analysis, thereby leaving gaps in detection. In the face of this, Malware Reversal continues to remains one such area that has not seen the introduction of automation to speed up analysis.

While many Binary Instrumentation Toolkits do exist, they haven’t been developed with a focus on debugging malwares. Our research focuses on building tools that extends and adapts Binary Instrumentation to target malware analysis. We further discuss on how it can be further utilized to convert the patterns, intelligence and techniques collected by malware researchers to effectively automate debugging of a malware. We explain how Binary Instrumentation can be utilized to overcome hurdles like anti-debugging, packing, locating the payload, anti-vm and sandbox detection employed by malwares.

Presentation Outline:
1. What is Binary Instrumentation+A43
In this section we explain what Binary Instrumentation is and cover existing instrumentation toolkits available to researchers.

2. Obstacles faced By Malware Researchers
In this section we talk about the various obstacles faced by a researcher, experienced and new alike. We also talk about the cause for the pain and what’s needed off the current toolkit state to overcome them.

3. Malware Reversal Shortcut Using Binary Instrumentation
We talk about the features we contributed to binary instrumentation that facilitates to extract minute details out of the malware body that can speed up reverse engineering. This includes identifying unpacked code, anti-debugs, fake loops, payload identification.

4. Binary Instrumentation: Live In Action
We show Binary Instrumentation in action, utilizing it to to reverse a malware sample.

5. Extending Binary Instrumentation as a Detection Solutions.
From being utilized to debug malwares, in this section we delve into how it can converted into a sandbox based detection tool.

6. Closing Remarks
In this section we talk about how the system can be abused and future research to address them and plans for further extension of these toolkits.

Attendee Takeaways:
1. Introduction to Binary Instrumentation and the various toolkits currently available.
2. How Binary Instrumentation can be adapted to target malware debugging and can be further extended into building Sandbox Based Detection Solutions.