Nytro

Mimimorphism: A New Approach to Binary Code Obfuscation


Zhenyu Wu, Steven Gianvecchio, Mengjun Xie, and Haining Wang

Abstract

Binary obfuscation plays an essential role in evading malware static analysis and detection. The widely used code obfuscation techniques, such as polymorphism and metamorphism, focus on evading syntax-based detection. However, statistical testing and semantic analysis techniques have been developed to thwart their evasion attempts. More recent binary obfuscation techniques are divided in their purposes of attacking either the statistical or the semantic approach, but not both. In this paper, we introduce mimimorphism, a novel binary obfuscation technique with the potential of evading both statistical and semantic detection. Mimimorphic malware uses instruction-syntax-aware high-order mimic functions to transform its binary into mimicry executables that exhibit high similarity to benign programs in terms of statistical properties and semantic characteristics. We implement a prototype of the mimimorphic engine on the Intel x86 platform, and evaluate its capability of evading statistical anomaly detection and semantic analysis detection techniques. Our experimental results demonstrate that the mimicry executables are indistinguishable from benign programs in terms of byte frequency distribution and entropy, as well as control flow fingerprint.
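The statistical anomaly detection that the abstract says mimimorphic payloads evade (byte frequency distribution and entropy) can be sketched from the defender's side. This is an added example, not code from the paper or its authors; the code-like byte alphabet, its weights, and the thresholds are constructed assumptions, chosen only to show how a packed or encrypted payload stands out and why a payload that matches a benign byte profile would not.

```python
import math
from collections import Counter
from random import Random

def byte_histogram(data: bytes) -> list:
    """Relative byte-frequency distribution (256 bins) of a buffer."""
    counts = Counter(data)
    n = max(len(data), 1)
    return [counts.get(b, 0) / n for b in range(256)]

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 8.0 for uniform random data, lower for code or text."""
    return -sum(p * math.log2(p) for p in byte_histogram(data) if p > 0)

def hellinger_distance(p: list, q: list) -> float:
    """Distance between two byte distributions: 0 (identical) to 1 (disjoint support)."""
    return math.sqrt(sum((math.sqrt(a) - math.sqrt(b)) ** 2 for a, b in zip(p, q)) / 2)

def classify(sample: bytes, benign_profile: list,
             max_entropy: float = 7.0, max_distance: float = 0.5) -> str:
    """Flag a buffer whose entropy or byte histogram departs from the benign profile.
    Both thresholds are illustrative assumptions, not values taken from the paper."""
    if shannon_entropy(sample) > max_entropy:
        return "anomalous: high entropy (packed or encrypted payload?)"
    if hellinger_distance(byte_histogram(sample), benign_profile) > max_distance:
        return "anomalous: byte frequencies unlike benign profile"
    return "benign-like"

# Constructed stand-in for benign x86 code: a small, zero-heavy byte alphabet of
# common opcode/operand bytes. These are NOT bytes from any real program.
CODE_LIKE_BYTES = [0x00, 0x8b, 0x89, 0x55, 0x48, 0xff, 0xe8, 0xc3, 0x83, 0x45, 0x24, 0x01]
CODE_LIKE_WEIGHTS = [30, 10, 10, 6, 6, 8, 5, 4, 6, 5, 5, 5]

def make_code_like(seed: int, n: int = 4096) -> bytes:
    """Constructed sample drawn from the skewed code-like distribution."""
    return bytes(Random(seed).choices(CODE_LIKE_BYTES, CODE_LIKE_WEIGHTS, k=n))

def make_random(seed: int, n: int = 4096) -> bytes:
    """Constructed stand-in for an encrypted or compressed payload: uniform bytes."""
    rng = Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))

# Benign profile learned from one constructed code-like sample.
BENIGN_PROFILE = byte_histogram(make_code_like(seed=1))

if __name__ == "__main__":
    for name, buf in [("code-like", make_code_like(seed=2)), ("random", make_random(seed=3))]:
        print(f"{name:9s} entropy={shannon_entropy(buf):.2f}  verdict={classify(buf, BENIGN_PROFILE)}")
```

A mimimorphic payload, by construction, would score like the code-like sample on both measures, which is exactly the limitation of this kind of detector that the paper demonstrates.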

Full paper (387 KB) appeared in Proceedings of the 17th ACM Conference on Computer and Communications Security (CCS'10).

http://www.cs.wm.edu/~adamwu/Mimimorphism_CCS10/Mimimorphic.pdf

Download

Presentation slides (for PowerPoint 2007+, 1.12 MB)

http://www.cs.wm.edu/~adamwu/Mimimorphism_CCS10/ZhenyuWu_CCS2010_Mimimorphism.pptx

Experimental data

7th order 100 mimimorphic instances (bz2 tar package, 127 MB)

http://www.cs.wm.edu/~hnw/Mimimorphic/MimicOrder7.tar.bz2

8th order 100 mimimorphic instances (bz2 tar package, 169 MB)

http://www.cs.wm.edu/~hnw/Mimimorphic/MimicOrder8.tar.bz2

Note: These mimimorphic instances are NOT standalone executables. They are the mimimorphic payloads, which consist of sequences of mimicry instructions that encode a piece of randomized data. In a standalone mimimorphic executable, if we were to make one, each piece of payload will be merged with the decoder binary and put into the ".text" section of the executable.

Maintained by: Zhenyu Wu

Last modified: Mon Apr 30 18:16:22 EDT 2012

Source: Mimimorphism: A New Approach to Binary Code Obfuscation
