Impeding Malware Analysis Using Conditional Code Obfuscation

Abstract

Malware programs that incorporate trigger-based behavior initiate malicious activities based on conditions satisfied only by specific inputs. State-of-the-art malware analyzers discover code guarded by triggers via multiple path exploration, symbolic execution, or forced conditional execution, all without knowing the trigger inputs. We present a malware obfuscation technique that automatically conceals specific trigger-based behavior from these malware analyzers. Our technique automatically transforms a program by encrypting code that is conditionally dependent on an input value with a key derived from the input and then removing the key from the program. We have implemented a compiler-level tool that takes a malware source program and automatically generates an obfuscated binary. Experiments on various existing malware samples show that our tool can hide a significant portion of trigger-based code. We provide insight into the strengths, weaknesses, and possible ways to strengthen current analysis approaches in order to defeat this malware obfuscation technique.
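The transformation the abstract describes, reduced to a toy in Python (an added illustration, not the authors' compiler tool): the guard `x == TRIGGER` becomes `hash(x) == H`, the guarded block is stored encrypted under a key derived from `x`, and the trigger value itself is removed. The XOR keystream cipher, the `key|`/`check|` domain-separation prefixes and the 16-bit sample trigger are assumptions made for this example; `recover_by_search` shows the analyst-side check a practitioner would try first, exhaustive search when the compared value comes from a small domain, which the one-way hash does not prevent.

```python
import hashlib
from typing import Iterable, Optional, Tuple

def derive_key(trigger_input: bytes) -> bytes:
    # Key is a one-way function of the input; the plaintext trigger value
    # is never stored in the program. Prefix is an assumption of this toy.
    return hashlib.sha256(b"key|" + trigger_input).digest()

def check_value(trigger_input: bytes) -> bytes:
    # Separate hash kept in the program so the right input can be recognised
    # without revealing it: the guard becomes "hash(x) == H", which symbolic
    # execution cannot invert to find x.
    return hashlib.sha256(b"check|" + trigger_input).digest()

def xor_stream(data: bytes, key: bytes) -> bytes:
    # Toy XOR cipher with a SHA-256 derived keystream; stands in for the
    # block cipher a real transformation would use.
    out = bytearray()
    for i, b in enumerate(data):
        out.append(b ^ hashlib.sha256(key + i.to_bytes(4, "big")).digest()[0])
    return bytes(out)

def obfuscate(trigger_input: bytes, guarded_code: bytes) -> Tuple[bytes, bytes]:
    # What remains in the transformed binary: (check hash, encrypted block).
    return check_value(trigger_input), xor_stream(guarded_code, derive_key(trigger_input))

def run_guarded(check: bytes, blob: bytes, candidate: bytes) -> Optional[bytes]:
    # Transformed guard: decrypt only when the one-way check matches;
    # on any other input the guarded code stays ciphertext.
    if check_value(candidate) != check:
        return None
    return xor_stream(blob, derive_key(candidate))

def recover_by_search(check: bytes, blob: bytes,
                      domain: Iterable[bytes]) -> Optional[Tuple[bytes, bytes]]:
    # Analyst-side counter: if the compared value has a small domain (a port,
    # a byte, a short opcode), enumerating it recovers trigger and hidden code.
    for candidate in domain:
        code = run_guarded(check, blob, candidate)
        if code is not None:
            return candidate, code
    return None

# Constructed sample: a handler guarded by a 16-bit magic value.
SAMPLE_TRIGGER = (0xBEEF).to_bytes(2, "big")
SAMPLE_CODE = b"handle_hidden_command()"
CHECK, BLOB = obfuscate(SAMPLE_TRIGGER, SAMPLE_CODE)

if __name__ == "__main__":
    print(run_guarded(CHECK, BLOB, b"\x00\x00"))  # None: wrong input, nothing decrypts
    print(recover_by_search(CHECK, BLOB, (i.to_bytes(2, "big") for i in range(65536))))
```

A trigger drawn from a large domain (a long string, a 128-bit value) defeats the same search, which is why the input's entropy, not the cipher, decides whether an analyzer can recover the hidden code.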

Read more and download this paper: http://iseclab.org


5 Comments

  1. Hello there, just turned into aware of your blog thru Google, and found that it is truly informative. I’m gonna watch out for brussels. I will be grateful if you happen to continue this in future. Many other folks will likely be benefited out of your writing. Cheers! recession

  2. Greetings! 🙂

  3. I’ll right away seize your rss feed as I can not find your email subscription link or e-newsletter service. Do you’ve any? Kindly allow me understand in order that I could subscribe. Thanks.

  4. I conceive this web site has some rattling great information for everyone : D.

  5. I love your website! Did you create this yourself or did you outsource it? I'm looking for a blog design that's similar, so that's the only reason I'm asking. Either way keep up the nice work; I was impressed with your content really.

