Enhancing malware analysis through automated functionality extraction

ABSTRACT

To understand the mode of operation of malware and to fix vulnerabilities or implement protection mechanisms, it is necessary to analyze the malware. Static analysis, which does not execute the program, is one of the approaches used here. This thesis deals with automatic static analysis of malware based on the LLVM intermediate representation (IR). The focus is on identifying stub functions, identifying arithmetic- and logic-heavy functions, and analyzing calls to known functions. Furthermore, the detection of known and obfuscated functions using the program dependence graph (PDG) is analyzed. The developed program analyzes functions with regard to their functionality as well as their similarity to known functions in order to support analysts. The evaluation shows that the analysis can be helpful, yet its quality is degraded by obfuscation of function calls. Additionally, it is shown that obfuscated functions in many cases still share similarity with the PDG of the original, unobfuscated functions.
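As an added illustration of the kind of heuristics the abstract names (not the thesis's own tool or code), the following Python sketch scans textual LLVM IR and tags each defined function as a stub, as arithmetic/logic-heavy, or as a caller of known functions; the IR sample, the thresholds and the list of "known" functions are constructed assumptions.

```python
import re

# Constructed sample of textual LLVM IR (not from the thesis): a thin stub that
# forwards to strcpy, an arithmetic/logic-heavy mixing routine, and a function
# whose behaviour is visible only through its calls to known functions.
SAMPLE_IR = """
define i32 @stub_copy(i8* %d, i8* %s) {
entry:
  %r = call i8* @strcpy(i8* %d, i8* %s)
  ret i32 0
}
define i32 @mix(i32 %a, i32 %b) {
entry:
  %x = xor i32 %a, %b
  %y = shl i32 %x, 5
  %z = add i32 %y, %a
  %w = mul i32 %z, 2654435761
  ret i32 %w
}
define void @send_all(i8* %buf) {
entry:
  %fd = call i32 @socket(i32 2, i32 1, i32 0)
  %n = call i32 @send(i32 %fd, i8* %buf, i32 16, i32 0)
  ret void
}
"""

ARITH_LOGIC = {"add", "sub", "mul", "udiv", "sdiv", "urem", "srem",
               "and", "or", "xor", "shl", "lshr", "ashr"}
DEFINE_RE = re.compile(r"^define .*?@([\w.]+)\(.*?\{$(.*?)^\}", re.M | re.S)
CALL_RE = re.compile(r"\bcall\b[^@\n]*@([\w.]+)")

def analyze_ir(ir_text, known=frozenset({"strcpy", "socket", "send"}),
               stub_max=2, heavy_ratio=0.5):
    """Tag each defined function as stub, arith_logic_heavy and/or calls_known_api."""
    report = {}
    for name, body in DEFINE_RE.findall(ir_text):
        # Instructions are the indented lines; opcode is the first token after "%x =".
        insts = [ln.strip() for ln in body.splitlines() if ln.startswith("  ")]
        opcodes = [(ln.split("=", 1)[1] if "=" in ln else ln).split()[0] for ln in insts]
        arith = sum(op in ARITH_LOGIC for op in opcodes)
        callees, tags = CALL_RE.findall(body), []
        if len(insts) <= stub_max and callees: tags.append("stub")  # tiny forwarding body
        if insts and arith / len(insts) >= heavy_ratio: tags.append("arith_logic_heavy")
        hits = [c for c in callees if c in known]
        if hits: tags.append("calls_known_api")
        report[name] = {"insts": len(insts), "arith_ratio": round(arith / max(len(insts), 1), 2),
                        "callees": callees, "known": hits, "tags": tags}
    return report
```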

Download: pdf
