RAMBO: Run-Time Packer Analysis with Multiple Branch Observation

Run-time packing is a technique employed by malware authors to conceal malicious code, e.g., by encrypting it, and to recover it only at run-time. In particular, some run-time packers decrypt individual regions of code on demand and re-encrypt them as soon as they are no longer executing, so that at no point in the execution is the whole program unpacked in memory. This technique is known as shifting decode frames, and it greatly complicates malware analysis. The first solution that comes to mind for analyzing such samples is to apply multi-path exploration in order to trigger the unpacking of all code regions. Unfortunately, multi-path exploration is known to have several limitations, such as its limited scalability (path explosion) when analyzing real-world binaries. In this paper, we propose a set of domain-specific optimizations and heuristics that guide multi-path exploration and improve its efficiency and reliability for unpacking binaries protected with shifting decode frames.
