Advanced Malware Analysis
Topic proposed by
Thesis supervisor:
Research unit: UMR 7102, EURECOM research laboratory
Field: Information and communication sciences and technologies
Research Overview

The first objective of this thesis is to advance the state of the art in binary and malware analysis. For example, recent efforts have been made to better understand packed samples, to better analyze their behavior [3,8], and to reverse-engineer new forms of advanced rootkits. However, these works have only scratched the surface of the techniques we need to analyze complex malware samples, both in a fully automated fashion and as tools to support manual reverse engineering.

A second objective of this thesis is the investigation of new forms of malware, starting from malware running on other operating systems or platforms. Only recently have researchers started looking at more "exotic" forms of malware, but there is still a lot to explore in this area. For example, as a starting point we plan to develop an open source infrastructure to analyze Linux-based malware samples. Internet routers and IoT devices are rapidly becoming prime targets for malicious code, ranging from simple botnets to more sophisticated targeted attacks. Unfortunately, the security industry is still largely unprepared for this threat. Most of the tools and knowledge about the behavior and characteristics of malware derive from a decade of research on Windows binaries. However, Linux samples have their own unique set of characteristics, including the widespread use of static linking, the broad set of CPU architectures, their own packing ecosystem, and completely different techniques to achieve persistence and process infection. This task includes the development of dedicated tools, as well as their application to tens of thousands of Linux malware samples, with the goal of extracting and measuring the prevalence of different techniques and the characteristics of this rapidly increasing form of malware.
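As an added example (not tooling from the thesis or from EURECOM), the following Python script shows the header-level triage such an infrastructure would run over a corpus: it reads the ELF header and program headers of each sample to record CPU architecture, bitness, endianness and whether the binary is statically linked, then tallies their prevalence. The inputs are synthetic ELF images constructed inline, and the static-linking heuristic (no PT_INTERP and no PT_DYNAMIC segment) is an assumption of this example.

```python
import struct
from collections import Counter
# e_machine values from the ELF specification for CPUs common on routers and IoT devices
MACHINES = {0x03: "x86", 0x08: "MIPS", 0x14: "PowerPC", 0x28: "ARM", 0x3E: "x86-64", 0xB7: "AArch64"}
PT_LOAD, PT_DYNAMIC, PT_INTERP = 1, 2, 3

def triage_elf(data: bytes) -> dict:
    """Classify one ELF image by architecture, bitness, endianness and linking style."""
    if data[:4] != b"\x7fELF": raise ValueError("not an ELF file")
    is64 = data[4] == 2                    # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    end = "<" if data[5] == 1 else ">"     # EI_DATA: 1 = little-endian, 2 = big-endian
    e_machine, = struct.unpack_from(end + "H", data, 18)
    if is64:
        e_phoff, = struct.unpack_from(end + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
    else:
        e_phoff, = struct.unpack_from(end + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
    ptypes = {struct.unpack_from(end + "I", data, e_phoff + i * e_phentsize)[0] for i in range(e_phnum)}
    # Heuristic: a statically linked executable requests no interpreter and has no dynamic segment.
    static = PT_INTERP not in ptypes and PT_DYNAMIC not in ptypes
    return {"arch": MACHINES.get(e_machine, f"unknown(0x{e_machine:x})"), "bits": 64 if is64 else 32,
            "endian": "LE" if end == "<" else "BE", "linking": "static" if static else "dynamic"}

def make_elf(bits: int, end: str, e_machine: int, ptypes: list) -> bytes:
    """Build a synthetic ELF header plus program headers (constructed input, not a real sample)."""
    ident = b"\x7fELF" + bytes([2 if bits == 64 else 1, 1 if end == "<" else 2, 1]) + b"\0" * 9
    if bits == 64:  # Elf64_Ehdr is 64 bytes, Elf64_Phdr is 56 bytes
        hdr = struct.pack(end + "HHIQQQIHHHHHH", 2, e_machine, 1, 0, 64, 0, 0, 64, 56, len(ptypes), 0, 0, 0)
        phdrs = b"".join(struct.pack(end + "IIQQQQQQ", t, 0, 0, 0, 0, 0, 0, 0) for t in ptypes)
    else:           # Elf32_Ehdr is 52 bytes, Elf32_Phdr is 32 bytes
        hdr = struct.pack(end + "HHIIIIIHHHHHH", 2, e_machine, 1, 0, 52, 0, 0, 52, 32, len(ptypes), 0, 0, 0)
        phdrs = b"".join(struct.pack(end + "IIIIIIII", t, 0, 0, 0, 0, 0, 0, 0) for t in ptypes)
    return ident + hdr + phdrs

def prevalence(samples) -> tuple:
    """Tally architecture/endianness and linking style over a corpus (the measurement step)."""
    archs, linking = Counter(), Counter()
    for data in samples:
        info = triage_elf(data)
        archs[f"{info['arch']}/{info['endian']}"] += 1
        linking[info["linking"]] += 1
    return archs, linking

# Constructed mini-corpus standing in for a real collection of Linux samples
SAMPLES = [
    make_elf(32, ">", 0x08, [PT_LOAD, PT_LOAD]),                # MIPS big-endian, static
    make_elf(32, "<", 0x28, [PT_INTERP, PT_LOAD, PT_DYNAMIC]),  # ARM little-endian, dynamic
    make_elf(64, "<", 0x3E, [PT_LOAD]),                         # x86-64, static
    make_elf(32, "<", 0x08, [PT_LOAD]),                         # MIPS little-endian, static
]
```

Calling `prevalence(SAMPLES)` on the constructed corpus yields three static and one dynamic sample, split across MIPS/BE, MIPS/LE, ARM/LE and x86-64/LE; on a real corpus the same two counters give the prevalence figures the proposal sets out to measure.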
As a result, this part of the project would not only produce a usable platform, but also a precious knowledge base about the behavior and key indicators of Linux malware, which could be extremely useful to malware analysts, to improve the detection of these samples, and to guide incident response on infected devices. Finally, part of the research in this area will also focus on the problem of cyber-attribution [1, 2], proposing new techniques to identify reused components and to detect malware samples likely developed by the same group. As pointed out by Graziano et al., the current malware collection infrastructure is very efficient, but the vertiginous number of samples analyzed every day in dynamic analysis sandboxes makes it impossible to tell the interesting malware apart from the surrounding noise of less relevant samples.
References

[1] S. Alrabaee, N. Saleem, S. Preda, L. Wang, and M. Debbabi. OBA2: An onion approach to binary code authorship attribution. Digital Investigation, 11:S94–S103, 2014.
[2] S. Alrabaee, P. Shirani, M. Debbabi, and L. Wang. On the feasibility of malware authorship attribution. In International Symposium on Foundations and Practice of Security, pages 256–272. Springer, 2016.
[3] G. Bonfante, J. Fernandez, J.-Y. Marion, B. Rouxel, F. Sabatier, and A. Thierry. CoDisasm: Medium Scale Concatic Disassembly of Self-Modifying Binaries with Overlapping Instructions. In 22nd ACM Conference on Computer and Communications Security, Denver, United States, Oct. 2015.
[4] M. F. Botacin, P. L. de Geus, and A. R. A. Grégio. The other guys: automated analysis of marginalized malware. Journal of Computer Virology and Hacking Techniques, pages 1–12, 2017.
[5] M. Graziano, D. Balzarotti, and A. Zidouemba. ROPMEMU: A Framework for the Analysis of Complex Code-Reuse Attacks. In Proceedings of the ACM Symposium on Information, Computer and Communications Security (ASIACCS), ASIACCS '16, June 2016.
[6] M. Graziano, D. Canali, L. Bilge, A. Lanzi, and D. Balzarotti. Needles in a Haystack: Mining Information from Public Dynamic Analysis Sandboxes for Malware Intelligence. In Proceedings of the 24th USENIX Security Symposium (USENIX Security), August 2015.
[7] X. Ugarte-Pedrero, D. Balzarotti, I. Santos, and P. G. Bringas. [SoK] Deep Packer Inspection: A Longitudinal Study of the Complexity of Run-Time Packers. In Proceedings of the IEEE Symposium on Security and Privacy. IEEE Computer Society, May 2015.
[8] X. Ugarte-Pedrero, D. Balzarotti, I. Santos, and P. G. Bringas. RAMBO: Run-time packer Analysis with Multiple Branch Observation. July 2016.