Static shellcode analysis and classification presented at Virus Bulletin 2011

by Aleksander Czarnowski (Avet information and network security)

Tags: Security


Summary: "Historically, the term 'shellcode' referred to short shell-executing binary code in order to exploit some kind of overflow
vulnerability. With advances in intrusion prevention safeguards and the increasing complexity of operating systems and
applications, the requirements and form of shellcode have changed. Today, shellcode can be used in conjunction with other
classes of vulnerabilities besides simple stack or buffer overflows. Shellcodes can be encoded in many different ways in
order to bypass filters (like the one in ASP.NET) and evade intrusion prevention systems. They range from small assembly
language programs that are almost a couple of bytes in size to multipart, multistage code including JavaScript or other
bytecode/script components.

Such a variety of shellcode forms and the attackers' ability to automatically make different ones creates the need for
automatic analysis and classification in order to provide proper detection and protection. The aim of this paper is to
describe an automatic, generic method based on static analysis of shellcodes for different CPU architectures and operating
systems. The proposed approach, based on the meta-processor idea, will be demonstrated with the help of Python-based
proof-of-concept code."
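The abstract describes static, architecture-independent classification of shellcode but does not reproduce the paper's meta-processor design. The following Python sketch is an added example, not the paper's proof-of-concept code: it assumes a much simpler model in which each feature is a byte pattern tagged with the CPU it belongs to (`x86`, `x86_64`, `arm` are labels chosen here), so one scanner can score a blob against several architectures, flag a self-decoding stub, and report byte entropy as a hint that the payload is encoded. The sample inputs are constructed fragments (NOP sled, GetPC sequence, a byte-XOR decoder loop, an ARM `svc #0`), not functioning payloads.

```python
"""Static, architecture-tagged shellcode feature scanner (illustrative example)."""
from __future__ import annotations

import math
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# A pattern is a sequence of byte values; None is a one-byte wildcard.
Pattern = tuple[Optional[int], ...]
N = None  # wildcard shorthand


@dataclass(frozen=True)
class Feature:
    name: str
    arch: str            # CPU for which this encoding is meaningful
    pattern: Pattern
    weight: int
    decoder: bool = False  # True if the construct belongs to a self-decoding stub


def pat(*items: Optional[int]) -> Pattern:
    return tuple(items)


# Feature table constructed for this example (not a complete signature set).
# Each entry is a well-known instruction encoding documented in IDS rule sets.
FEATURES: list[Feature] = [
    Feature("nop_sled", "x86", pat(*([0x90] * 8)), 1),
    Feature("getpc_call_next", "x86", pat(0xE8, 0, 0, 0, 0), 3),        # call $+5
    Feature("getpc_fnstenv", "x86", pat(0xD9, 0x74, 0x24, 0xF4), 3),     # fnstenv [esp-0xc]
    # xor byte [esi], imm8 ; inc esi ; loop rel8 : classic byte-XOR decoder loop
    Feature("xor_decoder_loop", "x86", pat(0x80, 0x36, N, 0x46, 0xE2, N), 4, decoder=True),
    Feature("int80_syscall", "x86", pat(0xCD, 0x80), 2),                  # int 0x80
    Feature("syscall_insn", "x86_64", pat(0x0F, 0x05), 2),                # syscall
    Feature("svc_0", "arm", pat(0x00, 0x00, 0x00, 0xEF), 2),              # svc #0, little-endian
]


def match_at(data: bytes, off: int, pattern: Pattern) -> bool:
    """True if `pattern` (with wildcards) matches `data` at byte offset `off`."""
    if off + len(pattern) > len(data):
        return False
    return all(p is None or data[off + i] == p for i, p in enumerate(pattern))


def scan(data: bytes) -> list[tuple[Feature, int]]:
    """Return every (feature, offset) hit, trying each feature at every offset."""
    hits: list[tuple[Feature, int]] = []
    for f in FEATURES:
        for off in range(len(data) - len(f.pattern) + 1):
            if match_at(data, off, f.pattern):
                hits.append((f, off))
    return hits


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; high values on the tail of a blob suggest an encoded payload."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(data: bytes) -> dict:
    """Pick the architecture with the highest feature score and label the sample."""
    hit_features = {f for f, _ in scan(data)}      # count each feature once
    score_by_arch: dict[str, int] = {}
    for f in hit_features:
        score_by_arch[f.arch] = score_by_arch.get(f.arch, 0) + f.weight
    if not score_by_arch:
        arch, label = "unknown", "no-known-constructs"
    else:
        arch = max(score_by_arch, key=score_by_arch.__getitem__)
        has_decoder = any(f.decoder and f.arch == arch for f in hit_features)
        label = "self-decoding" if has_decoder else "plain"
    return {
        "arch": arch,
        "label": label,
        "entropy": round(shannon_entropy(data), 2),
        "features": sorted(f.name for f in hit_features),
    }


# Constructed sample fragments for demonstration; none of these is a working payload.
SAMPLES = {
    "plain_x86": b"\x90" * 12 + b"\x31\xc0\xcd\x80",                         # sled + int 0x80
    "encoded_x86": b"\xe8\x00\x00\x00\x00\x5e\x80\x36\x5a\x46\xe2\xfa"       # GetPC + XOR loop
                   + bytes(range(0x10, 0x40)),                                # opaque tail
    "arm_stub": b"\x01\x00\xa0\xe3\x00\x00\x00\xef",                         # mov r0,#1 ; svc #0
    "text": b"hello, this is plain text with no code",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, classify(blob))
```

Scoring each feature once per architecture (rather than once per offset) keeps a long NOP sled from outvoting a single decisive construct such as a decoder loop; a real implementation would replace the byte patterns with a per-architecture disassembler behind the same `Feature`/`classify` interface, which is the abstraction the meta-processor idea in the abstract points at.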