Wednesday 30 September 16:30 - 17:00, Green roomFanny Lalonde Lévesque (École Polytechnique de Montréal)
Erwann Traourouder (École Polytechnique de Montréal)
François Menet (École Polytechnique de Montréal)
Jean-Yves Marion (Université de Lorraine)
Jose M. Fernandez (École Polytechnique de Montréal)
Joan Calvet (ESET) download slides (PDF)Obfuscation techniques have become increasingly prevalent in malware programs, employed as tools to thwart reverse engineering efforts or to evade signature-based detection by security products. Among the most popular methods, the use of packers - which are programs that transform an executable file's appearance without affecting its semantic execution - is now widely adopted by malware authors. However, despite the rise in the number of malicious programs distributed with packers, we still lack a global picture of their current use. What kind of packers protect malware nowadays? Is there a common model? Previous attempts, based on static database-signature tools, failed to build an accurate picture of the use of packers by malware, their main limitation being that static analysis says nothing about the actual behaviour of the packers and, due to its static nature, misses run-time features.In this paper, we present WaveAtlas, a novel framework designed to map the code used by packers. Using a dynamic analysis approach, it reconstructs in a nutshell the structure of the code modification tree where the root is the packed code and packer, and the nodes represent snippets of code extracted in successive 'waves'. We report on a large-scale experiment conducted on a representative sample of thousands of pieces of self-modifying malicious code. Our results allowed us to successfully identify common features of malware packers, ranging from their self-modification code usage to exotic choices of machine instructions. In particular, we were able to confirm some commonly held beliefs regarding the use of packers by malware writers. For example, a malicious payload (e.g. code including network callbacks) is typically present in the last or penultimate wave. Furthermore, the number of waves is relatively small and the structure of the trees relatively simple, indicating that malware authors are probably using simpler tools and parameters as a compromise between stealth and efficiency.Click here for more details about the conference.