PsybOt malware: A step-by-step decompilation case study

Lukás Durfina, J. Kroustek, Petr Zemek
DOI: 10.1109/WCRE.2013.6671321 (https://doi.org/10.1109/WCRE.2013.6671321)
Venue: 2013 20th Working Conference on Reverse Engineering (WCRE)
Published: 2013-11-21
Citations: 27

Abstract

Decompilation (i.e. reverse compilation) is one of the toughest and most challenging tasks in reverse engineering. Decompiling malware is harder still, because malware typically does not follow standard application binary interface (ABI) conventions, has its symbols stripped, is obfuscated, and may contain polymorphic code. Moreover, recent years have seen a rapid expansion of smart devices running different operating systems on many types of processors, together with malware that targets these platforms. These facts, combined with the fact that standard decompilation tools are bound to a particular platform, mean that a considerable amount of effort is needed to decompile malware across such a diversity of platforms. This is an experience paper reporting the decompilation of real-world malware. We give a step-by-step case study of decompiling a MIPS worm called psyb0t using a retargetable decompiler that is being developed within the Lissom project. First, we describe the decompiler in detail. Then, we present the case study. After that, we analyse the results obtained during the decompilation and present our personal experience. The paper concludes by discussing future research possibilities.
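Two of the obstacles the abstract names, an unfamiliar target architecture and stripped symbols, are things an analyst establishes before choosing and configuring a decompiler. The script below is an added illustration of that triage step and is not code from the paper or from the Lissom decompiler. It assumes the sample is an ELF32 image (the abstract does not state the file format; Linux router malware such as a MIPS worm normally is), reads the ELF header and section headers to report the machine type and byte order, and treats a binary with no SHT_SYMTAB section, or with its section header table removed or truncated, as stripped. The images it inspects are constructed in-script, not real samples.

```python
import struct

# ELF constants (from the ELF specification; only the ones used here)
EM_386, EM_MIPS, EM_ARM = 3, 8, 40
SHT_NULL, SHT_SYMTAB, SHT_STRTAB = 0, 2, 3
MACHINE_NAMES = {EM_386: "x86", EM_MIPS: "MIPS", EM_ARM: "ARM"}
EHDR_FMT = "HHIIIIIHHHHHH"   # ELF32 header after the 16-byte e_ident
SHDR_FMT = "10I"             # ELF32 section header (40 bytes)


def build_elf32(machine, big_endian, stripped):
    """Assemble a minimal ELF32 image (constructed test data, not a real sample).

    The image holds only a header, a section-name string table and, unless
    `stripped` is set, an empty .symtab section. That is enough to exercise
    the triage logic below.
    """
    e = ">" if big_endian else "<"
    shstrtab = b"\0.shstrtab\0.symtab\0"          # name offsets: 1 and 11
    shstr_off = 52                                 # right after the header
    sh_off = (shstr_off + len(shstrtab) + 3) & ~3  # 4-byte aligned
    sections = [(0, SHT_NULL, 0, 0), (1, SHT_STRTAB, shstr_off, len(shstrtab))]
    if not stripped:
        sections.append((11, SHT_SYMTAB, sh_off, 0))
    ident = b"\x7fELF" + bytes([1, 2 if big_endian else 1, 1, 0]) + b"\0" * 8
    hdr = ident + struct.pack(e + EHDR_FMT, 2, machine, 1, 0, 0, sh_off, 0,
                              52, 32, 0, 40, len(sections), 1)
    body = hdr + shstrtab
    body += b"\0" * (sh_off - len(body))
    for name, typ, off, size in sections:
        body += struct.pack(e + SHDR_FMT, name, typ, 0, 0, off, size, 0, 0, 1, 0)
    return body


def triage_elf(data):
    """Report machine, byte order and whether symbols are available.

    A missing or truncated section header table (as produced by tools that
    strip section headers entirely) is treated as 'stripped' as well.
    """
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    if data[4] != 1:
        raise ValueError("only ELF32 is handled here")
    big_endian = data[5] == 2
    e = ">" if big_endian else "<"
    fields = struct.unpack_from(e + EHDR_FMT, data, 16)
    e_machine, e_shoff = fields[1], fields[5]
    e_shentsize, e_shnum = fields[10], fields[11]
    table_end = e_shoff + e_shnum * e_shentsize
    headers_ok = e_shoff != 0 and e_shnum != 0 and e_shentsize >= 40 \
        and table_end <= len(data)
    has_symtab = False
    if headers_ok:
        for i in range(e_shnum):
            sh = struct.unpack_from(e + SHDR_FMT, data, e_shoff + i * e_shentsize)
            if sh[1] == SHT_SYMTAB:
                has_symtab = True
    return {
        "machine": MACHINE_NAMES.get(e_machine, "unknown(%d)" % e_machine),
        "big_endian": big_endian,
        "section_headers": headers_ok,
        "stripped": not has_symtab,
    }


if __name__ == "__main__":
    for label, image in [
        ("big-endian MIPS, stripped", build_elf32(EM_MIPS, True, True)),
        ("big-endian MIPS, with .symtab", build_elf32(EM_MIPS, True, False)),
        ("little-endian x86, truncated", build_elf32(EM_386, False, False)[:60]),
    ]:
        print(label, "->", triage_elf(image))
```

Running it prints one line per constructed image; the interesting case is the truncated one, where the header still advertises a section table that the file no longer contains, which is how a quick `readelf`-style check can be fooled into reporting nothing at all. Once the architecture and endianness are known, the decompiler is pointed at the right target, and a `stripped` result is the cue that function boundaries and names will have to be recovered rather than read.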