Program analysis is a challenging task even when source code is available. It is more challenging still when analyzing malware, where neither the source code nor debug information is present.
Malware authors often employ a myriad of evasion techniques to impede automated reverse engineering and static analysis of their binaries. This makes it difficult to uncover the malware's intent and the full spectrum of its embedded capabilities. In this presentation, we review the main challenges of analyzing binary programs and explore techniques for recovering the information that enables program understanding and reverse engineering. In particular, we describe a set of techniques for automatically unrolling the effects of code obfuscators, with the objective of completely recovering the original malware logic. We will describe obfuscation strategies employed by infamous malware instances such as Conficker C, Hydraq (the binary associated with the Google attack), and Stuxnet.