GPGPU and threat analysis presented at Virus Bulletin 2011

by Takashi Katsuki (Symantec)

Tags: Security

URL : http://www.virusbtn.com/conference/vb2011/abstracts/R-Katsuki.xml

Summary : "The CPU clock speed wars are now over, and multicore CPUs are now standard. For specialized processing, though, the most affordable and readily available devices are now Graphics Processing Units (GPUs). Devices including the Geforce from nVidia and Radeon from AMD have hundreds of cores in a single package, and following vendors' recent release of development kits under the umbrella term GPGPU (General-Purpose computing on Graphics Processing Units), the power of these resources is now ready to be harnessed.

The GPGPU approach has already been taken advantage of for some security-related fields such as password brute-forcing and hash collision attacks. In this abstract I would like to introduce the potential of GPGPU use in the reverse engineering of malware.

Finding hidden data is important during manual sample analysis and also for automation. Often malware or documents that attempt to exploit vulnerabilities contain encrypted data; this may be something as simple as a URL or an entire encapsulated executable. At this point the problem is how to decrypt the hidden data without manual analysis of the decryption routine(s). In many cases the encryption method used is a combination of bitwise and arithmetic operations ('add', 'sub', 'xor', and so on), and rotations of byte, word, and dword.

Given that the structure of both URLs and PEs is well understood, with enough computational force these kinds of obfuscation can be brute-forced. When this brute-forcing is broken down into smaller and parallelizable operations, GPGPU comes into its own."
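The structure-guided brute force the abstract describes, as an added example that is not part of the talk or of any Symantec tooling: it tries every single-byte xor/add/rotate key against an obfuscated blob and keeps only the keys whose output has PE or URL structure. The sample blobs, the key values and the two check functions are constructed for this example; the per-key trials are independent, which is the part a GPGPU version would hand to one thread each.

```python
# Added example (not from the VB2011 paper): brute-force a byte-wise
# obfuscation layer by trying every (operation, key) pair and keeping the
# candidates whose output has the expected structure (PE header or URL).
from typing import Callable, Dict, List, Tuple

def rol8(b: int, n: int) -> int:
    return ((b << n) | (b >> (8 - n))) & 0xFF

# Decode operations with their key spaces. 'sub k' is 'add (256-k)' mod 256
# and 'ror n' is 'rol (8-n)', so one add family and one rol family cover both.
OPS: Dict[str, Tuple[Callable[[int, int], int], range]] = {
    "xor": (lambda b, k: b ^ k, range(1, 256)),
    "add": (lambda b, k: (b + k) & 0xFF, range(1, 256)),
    "rol": (rol8, range(1, 8)),
}

def decode(blob: bytes, op: str, key: int) -> bytes:
    fn = OPS[op][0]
    return bytes(fn(b, key) for b in blob)

def looks_like_pe(buf: bytes) -> bool:
    # 'MZ' DOS header and a 'PE\0\0' signature at e_lfanew (dword at 0x3C).
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(buf[0x3C:0x40], "little")
    return buf[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def looks_like_url(buf: bytes) -> bool:
    # Scheme prefix plus all-printable ASCII is a cheap structural test.
    return buf.startswith((b"http://", b"https://")) and all(0x20 <= c < 0x7F for c in buf)

CHECKS = (looks_like_pe, looks_like_url)

def brute_force(blob: bytes) -> List[Tuple[str, int, str]]:
    """Return every (op, key, check_name) whose decoding passes a structure check."""
    hits = []
    for op, (_, keys) in OPS.items():
        for key in keys:  # each trial is independent: one GPU thread per key
            cand = decode(blob, op, key)
            hits.extend((op, key, chk.__name__) for chk in CHECKS if chk(cand))
    return hits

# Constructed samples: a minimal PE-shaped stub hidden with 'sub 0x2B', and a
# made-up URL hidden with 'xor 0x5A'.
PE_STUB = b"MZ" + b"\0" * (0x3C - 2) + (0x40).to_bytes(4, "little") + b"PE\0\0"
HIDDEN_PE = bytes((b - 0x2B) & 0xFF for b in PE_STUB)
HIDDEN_URL = bytes(b ^ 0x5A for b in b"http://example.invalid/payload.bin")
```

`brute_force(HIDDEN_PE)` reports only `('add', 43, 'looks_like_pe')`; the same loop over a word- or dword-keyed scheme only widens the key range, which is where the GPU's thread count pays off.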