Psyb0t Malware: A Step-By-Step Decompilation Case Study
Identifikátory výsledku
Kód výsledku v IS VaVaI
<a href="https://www.isvavai.cz/riv?ss=detail&h=RIV%2F00216305%3A26230%2F13%3APU106271" target="_blank" >RIV/00216305:26230/13:PU106271 - isvavai.cz</a>
Výsledek na webu
<a href="http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=6671321" target="_blank" >http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=6671321</a>
DOI - Digital Object Identifier
<a href="http://dx.doi.org/10.1109/WCRE.2013.6671321" target="_blank" >10.1109/WCRE.2013.6671321</a>
Alternativní jazyky
Jazyk výsledku
angličtina
Název v původním jazyce
Psyb0t Malware: A Step-By-Step Decompilation Case Study
Popis výsledku v původním jazyce
Decompilation (i.e. reverse compilation) represents one of the most toughest and challenging tasks in reverse engineering. Even more difficult task is the decompilation of malware because it typically does not follow standard application binary interface conventions, has stripped symbols, is obfuscated, and can contain polymorphic code. Moreover, in the recent years, there is a rapid expansion of various smart devices, running different types of operating systems on many types of processors, and malware targeting these platforms. These facts, combined with the boundedness of standard decompilation tools to a particular platform, imply that a considerable amount of effort is needed when decompiling malware for such a diversity of platforms. This is an experience paper reporting the decompilation of a real-world malware. We give a step-by-step case study of decompiling a MIPS worm called psyb0t by using a retargetable decompiler that is being developed within the Lissom project. First, we describe the decompiler in detail. Then, we present the case study. After that, we analyse the results obtained during the decompilation and present our personal experience. The paper is concluded by discussing future research possibilities.
Název v anglickém jazyce
Psyb0t Malware: A Step-By-Step Decompilation Case Study
Popis výsledku anglicky
Decompilation (i.e. reverse compilation) represents one of the most toughest and challenging tasks in reverse engineering. Even more difficult task is the decompilation of malware because it typically does not follow standard application binary interface conventions, has stripped symbols, is obfuscated, and can contain polymorphic code. Moreover, in the recent years, there is a rapid expansion of various smart devices, running different types of operating systems on many types of processors, and malware targeting these platforms. These facts, combined with the boundedness of standard decompilation tools to a particular platform, imply that a considerable amount of effort is needed when decompiling malware for such a diversity of platforms. This is an experience paper reporting the decompilation of a real-world malware. We give a step-by-step case study of decompiling a MIPS worm called psyb0t by using a retargetable decompiler that is being developed within the Lissom project. First, we describe the decompiler in detail. Then, we present the case study. After that, we analyse the results obtained during the decompilation and present our personal experience. The paper is concluded by discussing future research possibilities.
Klasifikace
Druh
D - Stať ve sborníku
CEP obor
—
OECD FORD obor
10201 - Computer sciences, information science, bioinformathics (hardware development to be 2.2, social aspect to be 5.8)
Návaznosti výsledku
Projekt
Výsledek vznikl pri realizaci vícero projektů. Více informací v záložce Projekty.
Návaznosti
P - Projekt vyzkumu a vyvoje financovany z verejnych zdroju (s odkazem do CEP)<br>S - Specificky vyzkum na vysokych skolach
Ostatní
Rok uplatnění
2013
Kód důvěrnosti údajů
S - Úplné a pravdivé údaje o projektu nepodléhají ochraně podle zvláštních právních předpisů
Údaje specifické pro druh výsledku
Název statě ve sborníku
20th Working Conference on Reverse Engineering (WCRE)
ISBN
978-1-4799-2930-6
ISSN
—
e-ISSN
—
Počet stran výsledku
8
Strana od-do
449-456
Název nakladatele
IEEE Computer Society
Místo vydání
Koblenz
Místo konání akce
Koblenz
Datum konání akce
14. 10. 2013
Typ akce podle státní příslušnosti
WRD - Celosvětová akce
Kód UT WoS článku
000332514300048