Malware Sight-Seeing: Accelerating Reverse-Engineering via Point-of-Interest-Beacons
August See, Maximilian Gehring, Max Mühlhäuser, Mathias Fischer, Shankar Karuppayah

TL;DR
This paper introduces a novel automated method to identify Points-of-Interest in malware, aiding reverse engineering by guiding analysts to relevant code sections and enabling effective botnet peer extraction.
Contribution
The paper presents a new technique for automatically finding POIs in executed programs and a confidence score metric to estimate their relevance, improving malware analysis efficiency.
Findings
Successfully identified POIs in four botnets
High accuracy in peer extraction for botnets
Enhanced malware analysis guidance
Abstract
New types of malware are emerging at concerning rates. However, analyzing malware via reverse engineering is still a time-consuming and mostly manual task. For this reason, it is necessary to develop techniques that automate parts of the reverse engineering process and that can evade the built-in countermeasures of modern malware. The main contribution of this paper is a novel method to automatically find so-called Points-of-Interest (POIs) in executed programs. POIs are instructions that interact with data that is known to an analyst. They can be used as beacons in the analysis of malware and can help to guide the analyst to the interesting parts of the malware. Furthermore, we propose a metric for POIs, the so-called confidence score, that estimates how exclusively a POI will process data relevant to the malware. With the goal of automatically extracting peers in P2P botnet malware, we…
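To make the POI idea concrete, the following is an added illustration, not code from the paper or its authors. It scans a constructed execution trace (instruction address plus the bytes that instruction read or wrote) for accesses that touch data the analyst already knows (one peer's IP and port), ranks the matching instructions by a simplified confidence score, and then uses the highest-ranked instruction as a beacon to read off the other peers it processes. The trace, the known-data encodings, and the definition of confidence used here (share of an instruction's accesses that hit known data) are assumptions for this example; the paper's own scoring and instrumentation are not reproduced.

```python
import struct
from collections import defaultdict

# Known data supplied by the analyst (assumption: one seed peer of a P2P botnet).
KNOWN_PEER_IP = "10.0.0.5"
KNOWN_PEER_PORT = 8080


def known_data_patterns(ip, port):
    """Byte encodings the malware is expected to handle. Assumption: IPv4 in
    network byte order, the ASCII dotted-quad, and a big-endian 16-bit port."""
    return {
        "ip_bytes": bytes(int(o) for o in ip.split(".")),
        "ip_ascii": ip.encode(),
        "port_be": struct.pack(">H", port),
    }


# Constructed trace for this example: (instruction address, bytes accessed).
# Not recorded from real malware.
TRACE = [
    (0x401000, b"\x0a\x00\x00\x05"),   # peer-list parser reading the seed peer
    (0x401000, b"\xc0\xa8\x01\x02"),   # same instruction, a peer we do not know yet
    (0x401000, b"\x0a\x00\x00\x05"),
    (0x401020, b"\x1f\x90"),           # port handling, 8080 in network order
    (0x401020, b"\x00\x50"),
    (0x401050, b"10.0.0.5"),           # string formatting, mixes IP with other text
    (0x401050, b"Hello"),
    (0x401050, b"World"),
    (0x401050, b"10.0.0.5:8080"),
    (0x402000, b"\x00\x00\x00\x00"),   # generic copy routine that once sees the IP
    (0x402000, b"\x0a\x00\x00\x05\x00\x00\x00\x00"),
    (0x402000, b"\xff\xff"),
]


def find_pois(trace, patterns):
    """Return instructions that touched known data, ranked by confidence.

    confidence = (accesses at pc that contain known data) / (all accesses at pc).
    A low score flags a generic routine (memcpy, memset) that merely passes the
    data through; a high score flags an instruction dedicated to that data."""
    hits = defaultdict(int)
    total = defaultdict(int)
    matched = defaultdict(set)
    for pc, data in trace:
        total[pc] += 1
        names = {name for name, pat in patterns.items() if pat in data}
        if names:
            hits[pc] += 1
            matched[pc] |= names
    pois = [
        {
            "pc": pc,
            "confidence": hits[pc] / total[pc],
            "hits": hits[pc],
            "total": total[pc],
            "matched": sorted(matched[pc]),
        }
        for pc in hits
    ]
    # Highest confidence first; address breaks ties so the order is stable.
    pois.sort(key=lambda p: (-p["confidence"], p["pc"]))
    return pois


def extract_peers(trace, poi_pc):
    """Use a POI as a beacon: every 4-byte access at that instruction is decoded
    as an IPv4 address, which yields the peers the analyst did not know."""
    peers = set()
    for pc, data in trace:
        if pc == poi_pc and len(data) == 4:
            peers.add(".".join(str(b) for b in data))
    return sorted(peers)


def main():
    patterns = known_data_patterns(KNOWN_PEER_IP, KNOWN_PEER_PORT)
    pois = find_pois(TRACE, patterns)
    for p in pois:
        print(f"{p['pc']:#x} confidence={p['confidence']:.2f} "
              f"({p['hits']}/{p['total']}) matched={p['matched']}")
    best = pois[0]
    print("peers via beacon", hex(best["pc"]), extract_peers(TRACE, best["pc"]))


if __name__ == "__main__":
    main()
```

Scanning for raw substrings is enough for this toy trace; a real implementation would also have to cope with the data being transformed before it is touched (decoded, decrypted, re-encoded), which is exactly where a beacon with a low confidence score starts to mislead and why the score matters in practice.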
Taxonomy
Topics: Advanced Malware Detection Techniques · Software Testing and Debugging Techniques · Security and Verification in Computing
