"Inspector Gadget: Automated Extraction of Proprietary Gadgets from Malware Binaries"

When analyzing malware samples, a human analyst is typically interested in understanding/recovering a specific algorithms of the given sample. In the case of Conficker, for example, she might be interested in extracting the domain generation algorithm such that she can understand what domains are currently and in the future used by the malware. Or for spam bots, she might be interested in how the malware downloads spam templates, decodes them, and then generates the actual spam messages. Or for bots, she might be interested in understanding how binary updates are downloaded, decoded, and then executed.

In each case, the binary itself encodes the algorithm, but it is cumbersome and hard work to understand all of this. Thus it would be useful to have a tool that enables a malware analyst to automatically extract from a given binary sample the relevant algorithm related to a specific task. In a paper that will be presented at the 31st IEEE Symposium on Security & Privacy we introduce Inspector Gadget, a tool that implements exactly this. A gadget encapsulates all code related to a specific task and can be executed in a stand-alone fashion. A gadget player can take a gadget and replay it, for example to determine which domains are currently used by Conficker, or download and decode an update for a bot binary. Furthermore, we introduce an approach to revert gadget based on a enhanced brute-force algorithm: this is useful to understand the effects of malware in detail and we can (in certain cases) also revert obfuscation algorithms, i.e., to understand what data has been exfiltrated by a given sample. The full paper has all the details and describes Inspector Gadget in more depth. And if you are interested in the topic, you should also read the paper by Caballero et al. on BCR (paper title is "Binary Code Extraction and Interface Identification for Security Applications").

Unfortunately, malicious software is still an unsolved problem and a major threat on the Internet. An important component in the fight against malicious software is the analysis of malware samples: Only if an analyst understands the behavior of a given sample, she can design appropriate countermeasures. Manual approaches are frequently used to analyze certain key algorithms, such as downloading of encoded updates, or generating new DNS domains for command and control purposes.
In this paper, we present a novel approach to automatically extract, from a given binary executable, the algorithm related to a certain activity of the sample. We isolate and extract these instructions and generate a so-called gadget, i.e., a stand-alone component that encapsulates a specific behavior. We make sure that a gadget can autonomously perform a specific task by including all relevant code and data into the gadget such that it can be executed in a self-contained fashion.
Gadgets are useful entities in analyzing malicious software: In particular, they are valuable for practitioners, as understanding a certain activity that is embedded in a binary sample (e.g., the update function) is still largely a manual and complex task. Our evaluation with several real-world samples demonstrates that our approach is versatile and useful in practice.

The full paper is available at http://www.iseclab.org/papers/ieee_sp10_inspector_gadget.pdf and will be presented in May at the 31st IEEE Symposium on Security & Privacy. The paper was joint work with Clemens Kolbitsch, Christopher Kruegel, and Engin Kirda - all members of the International Secure Systems Lab.


    No Trackbacks


Display comments as (Linear | Threaded)

  1. voip for small business says:

    My business is constantly bombarded by attacks on our network. We even have our phone lines attacked by telemarketers and we need help. It takes hours of a work week to handle the security of our network that results in loss of profit for our small family run business. Is this available to download on your blog?

  2. business phone solutions says:

    I also run a small voip company and have been having trouble dealing with telemarketers because we have so many incoming phone lines.

  3. Cheap Britney Spears Tickets says:

    You have done really nice job. There are many people searching about that now they will find enough sources by your tips.

  4. Jersey Savings says:

    I would like to thank you for the efforts you have made in writing this article. I am hoping the same best work.

  5. arthritis advice says:

    absolutely marvelous. I wonder when will the next Lotus Award be held, wishing to attend one myself if possible.

  6. Pex says:

    wonderful article.

  7. Pex says:

    good post.

  8. seo chicago says:

    What kind of viruses can be attached to e-mails? I have had some suspicious e-mails that I haven't opened because I'm worried about getting a computer virus. How can I tell if I'm at risk?

  9. Denver Homes says:

    The best rule of thumb is, if you don't know who it's from or what it relates to, delete it. If it's legit, they'll find a way to get in touch

  10. survival seed bank says:

    How much better is this gadget at extracting malware binaries? I have spent so much money trying to protect our companies servers, I could clear out an entire bank full of money. Is this the best product on the market at protecting servers from this type of attack?

  11. kratom says:

    I've never heard of an automated extraction method for malware binaries. How much does this program cost to add you your existing security software?

Add Comment

E-Mail addresses will not be displayed and will only be used for E-Mail notifications

To prevent automated Bots from commentspamming, please enter the string you see in the image below in the appropriate input box. Your comment will only be submitted if the strings match. Please ensure that your browser supports and accepts cookies, or your comment cannot be verified correctly.