DocumentCode
2946094
Title
Inspector Gadget: Automated Extraction of Proprietary Gadgets from Malware Binaries
Author
Kolbitsch, Clemens ; Holz, Thorsten ; Kruegel, Christopher ; Kirda, Engin
Author_Institution
Secure Syst. Lab., Vienna Univ. of Technol., Vienna, Austria
fYear
2010
fDate
16-19 May 2010
Firstpage
29
Lastpage
44
Abstract
Unfortunately, malicious software is still an unsolved problem and a major threat on the Internet. An important component in the fight against malicious software is the analysis of malware samples: Only if an analyst understands the behavior of a given sample, she can design appropriate countermeasures. Manual approaches are frequently used to analyze certain key algorithms, such as downloading of encoded updates, or generating new DNS domains for command and control purposes. In this paper, we present a novel approach to automatically extract, from a given binary executable, the algorithm related to a certain activity of the sample. We isolate and extract these instructions and generate a so-called gadget, i.e., a stand-alone component that encapsulates a specific behavior. We make sure that a gadget can autonomously perform a specific task by including all relevant code and data into the gadget such that it can be executed in a self-contained fashion. Gadgets are useful entities in analyzing malicious software: In particular, they are valuable for practitioners, as understanding a certain activity that is embedded in a binary sample (e.g., the update function) is still largely a manual and complex task. Our evaluation with several real-world samples demonstrates that our approach is versatile and useful in practice.
Keywords
Algorithm design and analysis; Command and control systems; Communication system control; Data mining; Electronic mail; Embedded software; Internet; Privacy; Security; USA Councils;
fLanguage
English
Publisher
ieee
Conference_Titel
Security and Privacy (SP), 2010 IEEE Symposium on
Conference_Location
Oakland, CA, USA
ISSN
1081-6011
Print_ISBN
978-1-4244-6894-2
Electronic_ISBN
1081-6011
Type
conf
DOI
10.1109/SP.2010.10
Filename
5504785
Link To Document