Psyb0t Malware: A Step-By-Step Decompilation Case Study

Kód výsledku v IS VaVaI

<a href="https://www.isvavai.cz/riv?ss=detail&h=RIV%2F00216305%3A26230%2F13%3APU106271" target="_blank" >RIV/00216305:26230/13:PU106271 - isvavai.cz</a>

Výsledek na webu

<a href="http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=6671321" target="_blank" >http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=6671321</a>

DOI - Digital Object Identifier

<a href="http://dx.doi.org/10.1109/WCRE.2013.6671321" target="_blank" >10.1109/WCRE.2013.6671321</a>

Jazyk výsledku

angličtina

Název v původním jazyce

Psyb0t Malware: A Step-By-Step Decompilation Case Study

Popis výsledku v původním jazyce

Decompilation (i.e. reverse compilation) represents one of the most toughest and challenging tasks in reverse engineering. Even more difficult task is the decompilation of malware because it typically does not follow standard application binary interface conventions, has stripped symbols, is obfuscated, and can contain polymorphic code. Moreover, in the recent years, there is a rapid expansion of various smart devices, running different types of operating systems on many types of processors, and malware targeting these platforms. These facts, combined with the boundedness of standard decompilation tools to a particular platform, imply that a considerable amount of effort is needed when decompiling malware for such a diversity of platforms. This is an experience paper reporting the decompilation of a real-world malware. We give a step-by-step case study of decompiling a MIPS worm called psyb0t by using a retargetable decompiler that is being developed within the Lissom project. First, we describe the decompiler in detail. Then, we present the case study. After that, we analyse the results obtained during the decompilation and present our personal experience. The paper is concluded by discussing future research possibilities.

Název v anglickém jazyce

Psyb0t Malware: A Step-By-Step Decompilation Case Study

Popis výsledku anglicky

Decompilation (i.e. reverse compilation) represents one of the most toughest and challenging tasks in reverse engineering. Even more difficult task is the decompilation of malware because it typically does not follow standard application binary interface conventions, has stripped symbols, is obfuscated, and can contain polymorphic code. Moreover, in the recent years, there is a rapid expansion of various smart devices, running different types of operating systems on many types of processors, and malware targeting these platforms. These facts, combined with the boundedness of standard decompilation tools to a particular platform, imply that a considerable amount of effort is needed when decompiling malware for such a diversity of platforms. This is an experience paper reporting the decompilation of a real-world malware. We give a step-by-step case study of decompiling a MIPS worm called psyb0t by using a retargetable decompiler that is being developed within the Lissom project. First, we describe the decompiler in detail. Then, we present the case study. After that, we analyse the results obtained during the decompilation and present our personal experience. The paper is concluded by discussing future research possibilities.

Druh

D - Stať ve sborníku

CEP obor

—

OECD FORD obor

10201 - Computer sciences, information science, bioinformathics (hardware development to be 2.2, social aspect to be 5.8)

Projekt

Výsledek vznikl pri realizaci vícero projektů. Více informací v záložce Projekty.

Návaznosti

P - Projekt vyzkumu a vyvoje financovany z verejnych zdroju (s odkazem do CEP)<br>S - Specificky vyzkum na vysokych skolach

Rok uplatnění

2013

Kód důvěrnosti údajů

S - Úplné a pravdivé údaje o projektu nepodléhají ochraně podle zvláštních právních předpisů

Název statě ve sborníku

20th Working Conference on Reverse Engineering (WCRE)

ISBN

978-1-4799-2930-6

ISSN

—

e-ISSN

—

Počet stran výsledku

8

Strana od-do

449-456

Název nakladatele

IEEE Computer Society

Místo vydání

Koblenz

Místo konání akce

Koblenz

Datum konání akce

14. 10. 2013

Typ akce podle státní příslušnosti

WRD - Celosvětová akce

Kód UT WoS článku

000332514300048