POSTER: Identifying Dynamic Data Structures in Malware

Professorship/Faculty: Software Technologies  
Author(s): Rupprecht, Thomas; Chen, Xi; White, David H.; Mühlberg, Jan Tobias; Bos, Herbert; Lüttgen, Gerald  
By: Rupprecht, Thomas; ...
Title of the compilation: CCS '16: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security
Corporate Body: 2016 ACM SIGSAC Conference on Computer and Communications Security, 2016, Vienna, Austria
Publisher Information: New York, NY, USA : ACM
Year of publication: 2016
Pages: 1772-1774
ISBN: 978-1-4503-4139-4
Language(s): English
DOI: 10.1145/2976749.2989041
As the complexity of malware grows, so does the necessity of employing program structuring mechanisms during development. While control flow structuring is often obfuscated, the dynamic data structures employed by the program are typically untouched. We report on work in progress that exploits this weakness to identify dynamic data structures present in malware samples for the purposes of aiding reverse engineering and constructing malware signatures, which may be employed for malware classification. Using a prototype implementation, which combines the type recovery tool Howard and the identification tool Data Structure Investigator (DSI), we analyze data structures in Carberp and AgoBot malware. Identifying their data structures illustrates a challenging problem. To tackle this, we propose a new type recovery for binaries based on machine learning, which uses Howard's types to guide the search and DSI's memory abstraction for hypothesis evaluation.
Document Type: Conferenceobject
Release Date: 5. December 2016