Tricky sample? Hack it easy! Applying dynamic binary instrumentation to lightweight malware behaviour analysis

Thursday 4 October 09:00 - 09:30, Red room

Maksim Shudrak (Salesforce)



Dynamic binary instrumentation (DBI) is a technique for analysing the behaviour of a binary application at runtime by injecting instrumentation code into it. This instrumentation code is designed to be transparent to the instrumented application: it executes as part of the normal execution flow without significant runtime overhead. Moreover, there are no limitations on the instrumentation code; a user can implement even complex logic to observe the execution flow, memory layout, etc. Certainly, such a flexible and powerful technique can and should be used for malware analysis. However, while there are several open-source tools (PoCs) implemented on top of DBI frameworks, their application to malware analysis is very limited.

In the talk the author will discuss the pros and cons of instrumenting malicious code, and his practical experience of using DBI to investigate sophisticated banking trojans such as Gootkit and EmbusteBot, as well as dozens of other malicious samples.

Moreover, the author will release a new tool for transparent and lightweight dynamic malware analysis and will demonstrate, using examples, how this tool helps researchers easily reveal important behavioural details of sophisticated malicious samples. EmbusteBot (a new banking trojan from Brazil found and reported by the author in 2017) was investigated using only this tool, without even starting a debugger or disassembler.


Maksim Shudrak

Maksim Shudrak, PhD, is a senior offensive security researcher at Salesforce. His research interests include developing advanced solutions for analysing and detecting highly evasive malware, reverse engineering and vulnerability hunting. Maksim is one of the main contributors to the DynamoRIO DBI framework.

@MShudrak
