Challenges in Malware Analysis

August 9, 2012

Hassen Saidi

SRI International

Program analysis is a challenging task even when source code is available. It is more challenging still when analyzing malware, where neither the source code nor debug information is present.
Malware authors often employ a myriad of evasion techniques to impede automated reverse engineering and static analysis of their binaries. This makes it difficult to uncover the malware's intent and the full spectrum of its embedded capabilities. In this presentation, we review the main challenges in analyzing binary programs and explore techniques for recovering the information needed for program understanding and reverse engineering. In particular, we describe a set of techniques for automatically undoing the effects of code obfuscators, with the objective of completely recovering the original malware logic. We will describe the obfuscation strategies employed by infamous malware instances such as Conficker C, Hydraq (the binary associated with the Google attack), and Stuxnet.


Hassen Saidi

Hassen Saidi is a Senior Computer Scientist in the Computer Science Laboratory at SRI International. He holds a Ph.D. in computer science from the University of Joseph Fourier, Grenoble, France, a Master's degree in theoretical computer science from the University of Denis Diderot, Paris 7, and a computer engineering degree from the University USTHB of Algiers, Algeria. His research interests include computer security, formal methods, and static analysis.

He is the inventor of predicate abstraction, a technique used in several software and hardware model checkers, including Microsoft SLAM/SDV. His work on computer security was recently featured in the book "Worm: The First Digital World War" by Mark Bowden.