Contributions in conference proceedings:

C. Kolbitsch, T. Holz, C. Krügel, E. Kirda:
"Automated Extraction of Proprietary Gadgets from Malware Binaries";
in: "Proceedings of the 2010 IEEE Symposium on Security and Privacy", published by: IEEE; IEEE Computer Society, Oakland, 2010, ISBN: 978-0-7695-4035-1, pp. 29 - 44.



Abstract (English):
Unfortunately, malicious software is still an unsolved problem and a major threat on the Internet. An important component in the fight against malicious software is the analysis of malware samples: only if an analyst understands the behavior of a given sample can she design appropriate countermeasures. Manual approaches are frequently used to analyze certain key algorithms, such as downloading of encoded updates, or generating new DNS domains for command and control purposes.

In this paper, we present a novel approach to automatically extract, from a given binary executable, the algorithm related to a certain activity of the sample. We isolate and extract these instructions and generate a so-called gadget, i.e., a stand-alone component that encapsulates a specific behavior. We make sure that a gadget can autonomously perform a specific task by including all relevant code and data into the gadget such that it can be executed in a self-contained fashion.

Gadgets are useful entities in analyzing malicious software: in particular, they are valuable for practitioners, as understanding a certain activity that is embedded in a binary sample (e.g., the update function) is still largely a manual and complex task. Our evaluation with several real-world samples demonstrates that our approach is versatile and useful in practice.


"Official" electronic version of the publication (according to its Digital Object Identifier - DOI):
http://dx.doi.org/10.1109/SP.2010.21

Electronic version of the publication:
http://publik.tuwien.ac.at/files/PubDat_190241.pdf



Associated projects:
Project lead Paolo Milani Comparetti:
Worldwide Observatory of Malicious Behaviors and Attack Threats


Generated from the publication database of the Technische Universität Wien.