Title :
Code synchronization by morphological analysis
Author :
Bonfante, Guillaume ; Marion, J. ; Sabatier, Fabrice ; Thierry, Aurelien
Author_Institution :
LORIA, Univ. de Lorraine, Vandœuvre-lès-Nancy, France
Abstract :
Reverse-engineering malware code is a difficult task, usually full of traps set by the malware writers. Since the quality of defense software depends largely on the analysis of the malware, it becomes crucial to help software investigators with automatic tools. We describe and present a tool which synchronizes two related binary programs. Our tool finds common machine instructions between two programs and can display the correspondence instruction by instruction in IDA. Experiments were performed on several malware samples, including Stuxnet, Duqu, Sality and Waledac. We have rediscovered some of the links between Duqu and Stuxnet, and we point out OpenSSL's use within Waledac.
Keywords :
invasive software; reverse engineering; software tools; synchronisation; IDA instruction; OpenSSL; automatic tool; binary program; code synchronization; correspondence instruction; defense softwares; duqu; machine instruction; malware analysis; morphological analysis; reverse-engineering malware code; sality; stuxnet; waledac; Abstracts; Binary codes; Libraries; Malware; Software; Standards; Synchronization;
Conference_Title :
Malicious and Unwanted Software (MALWARE), 2012 7th International Conference on
Conference_Location :
Fajardo, PR
Print_ISBN :
978-1-4673-4880-5
DOI :
10.1109/MALWARE.2012.6461016