Reverse Engineering Malware
Computer Laboratory Security Seminar, University of Cambridge
If you have a question about this talk, please contact Wei Ming Khoo.

Program analysis is a challenging task when source code is available. It is even more challenging when neither the source code nor debug information is present, and more challenging still when the code has been obfuscated to prevent the analysis from being carried out. Malware authors often employ a myriad of these evasion techniques to impede automated reverse engineering and static analysis of their binaries. The most popular technologies include "code obfuscators", which rewrite the original binary code into an equivalent form that provides identical functionality while defeating signature-based detection systems. These systems significantly complicate static analysis, making it hard to uncover the malware's intent and the full spectrum of its embedded capabilities. While code obfuscation techniques are commonly integrated into contemporary commodity packers, from the perspective of a reverse engineer deobfuscation is often a necessary step that must be conducted separately after unpacking the malware binary.

In this presentation, we review the main challenges of analyzing binary programs and explore techniques for recovering information that allows program understanding and reverse engineering. In particular, we describe a set of techniques for automatically unrolling the impact of code obfuscators, with the objective of completely recovering the original malware logic. We have implemented a set of generic deobfuscation rules as a plug-in for the popular IDA Pro disassembler. As case studies we use the sophisticated obfuscation strategies employed by two infamous malware instances from 2009, Conficker C and Hydraq (the binary associated with the Aurora attack). In both instances our deobfuscator enabled a complete decompilation of the underlying code logic.
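To make concrete what a "generic deobfuscation rule" is, the following is an added illustration, not the speakers' IDA Pro plug-in and not the actual obfuscation used by Conficker C or Hydraq. It is a toy peephole rewriter over a symbolic instruction listing: each rule matches a short window of instructions that an obfuscator typically emits (a `push imm; ret` used as an indirect jump, a `push r; pop r` junk pair, a constant split across `mov`/`add`, a `jmp` to the very next instruction) and replaces it with the simpler equivalent. The rules run to a fixed point, because undoing one idiom frequently exposes another. The instruction set, the rule list and the sample listing are all constructed for this example.

```python
"""Toy rule-based deobfuscator: constructed example, not the talk's IDA Pro plug-in."""
from typing import Callable, List, Optional, Tuple

# An instruction is a mnemonic followed by operand strings, e.g. ("push", "0x401000").
# ("label", "L1") marks a code location so control-flow rules can see jump targets.
Insn = Tuple[str, ...]

# A rule inspects the window starting at index i and returns
# (instructions_consumed, replacement_list) on a match, or None otherwise.
Rule = Callable[[List[Insn], int], Optional[Tuple[int, List[Insn]]]]


def is_imm(op: str) -> bool:
    """True for an immediate operand such as 0x401000 or 17 (hypothetical syntax)."""
    return op.startswith("0x") or op.lstrip("-").isdigit()


def rule_push_ret(code: List[Insn], i: int):
    # "push imm; ret" transfers control to imm through the stack; it is a disguised jmp.
    if (i + 1 < len(code) and code[i][0] == "push" and len(code[i]) == 2
            and is_imm(code[i][1]) and code[i + 1] == ("ret",)):
        return 2, [("jmp", code[i][1])]
    return None


def rule_push_pop_same(code: List[Insn], i: int):
    # "push r; pop r" leaves every register and the stack unchanged: junk, delete it.
    if (i + 1 < len(code) and code[i][0] == "push" and code[i + 1][0] == "pop"
            and len(code[i]) == 2 and len(code[i + 1]) == 2
            and code[i][1] == code[i + 1][1] and not is_imm(code[i][1])):
        return 2, []
    return None


def rule_fold_mov_add(code: List[Insn], i: int):
    # "mov r, a; add r, b" builds one constant in two steps; fold it to "mov r, a+b".
    if i + 1 < len(code):
        a, b = code[i], code[i + 1]
        if (a[0] == "mov" and b[0] == "add" and len(a) == 3 and len(b) == 3
                and a[1] == b[1] and is_imm(a[2]) and is_imm(b[2])):
            folded = (int(a[2], 0) + int(b[2], 0)) & 0xFFFFFFFF  # 32-bit wrap-around
            return 2, [("mov", a[1], hex(folded))]
    return None


def rule_jmp_next(code: List[Insn], i: int):
    # "jmp L" immediately followed by label L is a fall-through; drop the jump, keep the label.
    if (i + 1 < len(code) and code[i][0] == "jmp"
            and code[i + 1] == ("label", code[i][1])):
        return 1, []
    return None


RULES: List[Rule] = [rule_push_ret, rule_push_pop_same, rule_fold_mov_add, rule_jmp_next]


def deobfuscate(code: List[Insn], rules: List[Rule] = RULES, max_passes: int = 32) -> List[Insn]:
    """Apply the rules left to right, repeating whole passes until nothing changes."""
    for _ in range(max_passes):
        out: List[Insn] = []
        i, changed = 0, False
        while i < len(code):
            for rule in rules:
                hit = rule(code, i)
                if hit is not None:
                    consumed, replacement = hit
                    out.extend(replacement)
                    i += consumed
                    changed = True
                    break
            else:
                out.append(code[i])
                i += 1
        code = out
        if not changed:
            break
    return code


# Constructed obfuscated listing: a redundant jump, a push/pop pair, a split constant
# and a push/ret jump. None of this is taken from a real sample.
OBFUSCATED: List[Insn] = [
    ("jmp", "L1"),
    ("label", "L1"),
    ("push", "ebx"),
    ("pop", "ebx"),
    ("mov", "eax", "0x1000"),
    ("add", "eax", "0x234"),
    ("push", "0x401000"),
    ("ret",),
]

if __name__ == "__main__":
    for insn in deobfuscate(OBFUSCATED):
        print(" ".join(insn))
```

Running the block reduces the eight-instruction listing to three: the label, `mov eax 0x1234` and `jmp 0x401000`. A real deobfuscator of the kind described in the talk works on the disassembler's instruction objects rather than tuples and needs many more idioms, but the structure is the same: a library of local equivalence rules applied until the listing stops changing, after which the decompiler sees ordinary code.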
This work was instrumental in the comprehensive reverse engineering of the heavily obfuscated P2P protocol embedded in the Conficker worm.

This talk is part of the Computer Laboratory Security Seminar series.