BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//Talks.cam//talks.cam.ac.uk//
X-WR-CALNAME:Talks.cam
BEGIN:VEVENT
SUMMARY:Reverse Engineering Malware - Hassen Saidi\, SRI International
DTSTART:20101209T141500Z
DTEND:20101209T151500Z
UID:TALK27970@talks.cam.ac.uk
CONTACT:Wei Ming Khoo
DESCRIPTION:Program analysis is a challenging task when source code is ava
 ilable. It is even more challenging when neither the source code nor debug
  information is present. The analysis task is rendered even more challengi
 ng when the code has been obfuscated to prevent the analysis from being ca
 rried out. Malware authors often employ a myriad of these evasion techniqu
 es to impede automated reverse engineering and static analysis efforts of 
 their binaries. The most popular technologies include "code obfuscators" t
 hat serve to rewrite the original binary code to an equivalent form that p
 rovides identical functionality while defeating signature-based detection 
 systems. These systems significantly complicate static analysis\, making i
 t challenging to uncover the malware intent and the full spectrum of embed
 ded capabilities. While code obfuscation techniques are commonly integrate
 d into contemporary commodity packers\, from the perspective of a reverse 
 engineer\, deobfuscation is often a necessary step that must be conducted 
 independently after unpacking the malware binary. In this presentation\, w
 e review the main challenges when analyzing binary programs and explore te
 chniques for recovery of information that allows program understanding and
  reverse-engineering. In particular\, we describe a set of techniques for 
 automatically unrolling the impact of code obfuscators with the objective 
 of completely recovering the original malware logic. We have implemented a
 set of generic deobfuscation rules as a plug-in for the popular IDA Pro d
 isassembler. We use sophisticated obfuscation strategies employed by two i
 nfamous malware instances from 2009\, Conficker C and Hydraq (the binary a
 ssociated with the Aurora attack) as case studies. In both instances our d
 eobfuscator enabled a complete decompilation of the underlying code logic.
  This work was instrumental in the comprehensive reverse engineering of th
 e heavily obfuscated P2P protocol embedded in the Conficker worm. 
LOCATION:Lecture Theatre 2\, Computer Laboratory\, William Gates Building
END:VEVENT
END:VCALENDAR
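
The abstract describes a rule-driven deobfuscator that rewrites obfuscator-generated instruction sequences back into their plain equivalents. The block below is an added illustration of that idea and is not the SRI plug-in or any code from the talk: it applies a handful of textbook peephole rules (push/ret to jmp, always-true opaque predicates, junk push/pop pairs, jumps to the fall-through address, unreachable bytes after a control transfer) to a fixed point over a simplified listing. The listing format (tuples of mnemonic and operands, labels as ("label", name)) and the obfuscated sample are constructed for this example; a real plug-in works on the disassembler's own instruction objects and must also cope with jumps into the middle of instructions, which this representation cannot express.

```python
"""Toy peephole deobfuscator over a linear instruction listing (added example).

Listing entries are tuples: ("mnemonic", operand, ...) or ("label", name).
Branch targets are label names; the sample listing below is constructed.
"""
from typing import Callable, List, Optional, Tuple

Insn = Tuple[str, ...]
# A rule looks at listing[i] (and following entries) and returns either
# (replacement_insns, number_of_insns_consumed) or None when it does not match.
Rule = Callable[[List[Insn], int], Optional[Tuple[List[Insn], int]]]

RULES: List[Rule] = []


def rule(fn: Rule) -> Rule:
    """Register fn as a rewrite rule."""
    RULES.append(fn)
    return fn


def at(listing: List[Insn], i: int) -> Optional[Insn]:
    return listing[i] if 0 <= i < len(listing) else None


@rule
def push_imm_ret(listing, i):
    """push imm ; ret  ->  jmp imm   (return-address redirection)."""
    a, b = at(listing, i), at(listing, i + 1)
    if a and b and a[0] == "push" and len(a) == 2 and a[1].startswith("0x") and b == ("ret",):
        return [("jmp", a[1])], 2
    return None


@rule
def xor_self_jz(listing, i):
    """xor r, r ; jz L  ->  xor r, r ; jmp L   (ZF is always set: opaque predicate).
    The xor is kept because clearing r is a real side effect."""
    a, b = at(listing, i), at(listing, i + 1)
    if a and b and a[0] == "xor" and len(a) == 3 and a[1] == a[2] and b[0] == "jz":
        return [a, ("jmp", b[1])], 2
    return None


@rule
def push_pop_same(listing, i):
    """push r ; pop r  ->  (nothing)   (junk pair with no net effect)."""
    a, b = at(listing, i), at(listing, i + 1)
    if a and b and a[0] == "push" and b[0] == "pop" and a[1:] == b[1:]:
        return [], 2
    return None


@rule
def drop_nop(listing, i):
    """nop  ->  (nothing)."""
    return ([], 1) if at(listing, i) == ("nop",) else None


@rule
def jmp_to_next(listing, i):
    """jmp L ; L:  ->  L:   (jump to the fall-through address)."""
    a, b = at(listing, i), at(listing, i + 1)
    if a and b and a[0] == "jmp" and b[0] == "label" and a[1] == b[1]:
        return [b], 2
    return None


@rule
def dead_after_transfer(listing, i):
    """jmp/ret ; <instructions with no label>  ->  jmp/ret   (unreachable bytes).
    Safe here only because every branch target in this listing is a label."""
    a = at(listing, i)
    if a and a[0] in ("jmp", "ret"):
        j = i + 1
        while j < len(listing) and listing[j][0] != "label":
            j += 1
        if j > i + 1:
            return [a], j - i
    return None


def deobfuscate(listing: List[Insn], trace: Optional[List[str]] = None) -> List[Insn]:
    """Apply RULES until none matches; every match shrinks the listing or turns a jz
    into a jmp, so the loop terminates. trace, if given, records the rules fired."""
    listing = list(listing)
    changed = True
    while changed:
        changed = False
        for i in range(len(listing)):
            for r in RULES:
                m = r(listing, i)
                if m is not None:
                    new, n = m
                    listing[i:i + n] = new
                    if trace is not None:
                        trace.append(r.__name__)
                    changed = True
                    break
            if changed:
                break  # rescan from the top so newly adjacent patterns are seen
    return listing


def format_listing(listing: List[Insn]) -> str:
    out = []
    for ins in listing:
        if ins[0] == "label":
            out.append(f"{ins[1]}:")
        else:
            out.append("    " + ins[0] + (" " + ", ".join(ins[1:]) if len(ins) > 1 else ""))
    return "\n".join(out)


# Constructed obfuscated sample (not taken from any real binary).
OBFUSCATED: List[Insn] = [
    ("label", "L0"),
    ("push", "ebx"), ("pop", "ebx"),                      # junk pair
    ("xor", "eax", "eax"), ("jz", "L1"),                  # opaque predicate, always taken
    ("mov", "ecx", "0xdeadbeef"), ("call", "0x401234"),   # never executed
    ("label", "L1"),
    ("nop",),
    ("push", "0x402000"), ("ret",),                       # really: jmp 0x402000
    ("add", "eax", "1"),                                  # unreachable
    ("label", "L2"),
    ("jmp", "L3"),                                        # jump to fall-through
    ("label", "L3"),
    ("mov", "eax", "1"), ("ret",),
]

if __name__ == "__main__":
    fired: List[str] = []
    print(format_listing(deobfuscate(OBFUSCATED, fired)))
    print("rules fired:", fired)
```

Running it reduces the 17-entry sample to the recovered logic (xor eax, eax; jmp 0x402000; and the L3 block), which is the shape of output a decompiler can then consume. Note the rule order is irrelevant because the rewrites are confluent on this pattern set; with richer rules (register renaming, stack-pointer tracking) that is no longer guaranteed and the rule set needs a proper normal form.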
