Gorille sniffs code similarities, the case study of qwerty versus regin

In the last decade, our group has developed a tool called Gorille which implements morphological analysis, roughly speaking control graph comparison of malware. Our first intention was to use it for malware detection, and this works quite well as already presented. However, morphological analysis outputs a more refine output than 'yes' or 'no'. In the current contribution, we show that it can be used in several ways for retro-engineering. First, we describe a rapid triggering process that enlighten code similarities. Second, we present a function identification mechanism which aim is to reveal some key code in a malware. Finally, we supply a procedure which separate different families of code given some samples. All these tasks are done (almost) automatically seen from a retro-engineering perspective.

[1]  Arun Lakhotia,et al.  FuncTracker: Discovering Shared Code to Aid Malware Forensics , 2013, LEET.

[2]  Lingyu Wang,et al.  SIGMA: A Semantic Integrated Graph Matching Approach for identifying reused functions in binary code , 2015, Digit. Investig..

[3]  Roberto Giacobazzi,et al.  Unveiling metamorphism by abstract interpretation of code properties , 2015, Theor. Comput. Sci..

[4]  Guillaume Bonfante,et al.  Architecture of a morphological malware detector , 2009, Journal in Computer Virology.

[5]  Guillaume Bonfante,et al.  Analysis and diversion of Duqu's driver , 2013, 2013 8th International Conference on Malicious and Unwanted Software: "The Americas" (MALWARE).