• DocumentCode
    2946094
  • Title

    Inspector Gadget: Automated Extraction of Proprietary Gadgets from Malware Binaries

  • Author

    Kolbitsch, Clemens ; Holz, Thorsten ; Kruegel, Christopher ; Kirda, Engin

  • Author_Institution
    Secure Syst. Lab., Vienna Univ. of Technol., Vienna, Austria
  • fYear
    2010
  • fDate
    16-19 May 2010
  • Firstpage
    29
  • Lastpage
    44
  • Abstract
    Unfortunately, malicious software is still an unsolved problem and a major threat on the Internet. An important component in the fight against malicious software is the analysis of malware samples: Only if an analyst understands the behavior of a given sample, she can design appropriate countermeasures. Manual approaches are frequently used to analyze certain key algorithms, such as downloading of encoded updates, or generating new DNS domains for command and control purposes. In this paper, we present a novel approach to automatically extract, from a given binary executable, the algorithm related to a certain activity of the sample. We isolate and extract these instructions and generate a so-called gadget, i.e., a stand-alone component that encapsulates a specific behavior. We make sure that a gadget can autonomously perform a specific task by including all relevant code and data into the gadget such that it can be executed in a self-contained fashion. Gadgets are useful entities in analyzing malicious software: In particular, they are valuable for practitioners, as understanding a certain activity that is embedded in a binary sample (e.g., the update function) is still largely a manual and complex task. Our evaluation with several real-world samples demonstrates that our approach is versatile and useful in practice.
  • Keywords
    Algorithm design and analysis; Command and control systems; Communication system control; Data mining; Electronic mail; Embedded software; Internet; Privacy; Security; USA Councils;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Security and Privacy (SP), 2010 IEEE Symposium on
  • Conference_Location
    Oakland, CA, USA
  • ISSN
    1081-6011
  • Print_ISBN
    978-1-4244-6894-2
  • Electronic_ISBN
    1081-6011
  • Type

    conf

  • DOI
    10.1109/SP.2010.10
  • Filename
    5504785