AUTOMATED MALWARE ANALYSIS: A BEHAVIOURAL APPROACH TO AUTOMATED UNPACKING presented at Ruxcon 2015

by Karl Denton

Summary: With malware being developed at an alarming rate, the quicker we can analyse and classify it, the better. Quicker analysis and classification lets us develop defences sooner, which is why malware authors often try to slow us down by hindering analysis.
One of the techniques malware authors often use to hinder analysis of their handiwork is 'packing'. Packing an executable involves compressing, and optionally encrypting, its code and data on disk, so that the file unpacks itself in memory at runtime.
Packing makes it difficult to simply disassemble a malicious sample, and it hides the strings that might otherwise reveal clues about the sample's behaviour.
The original code must be unpacked into memory before the processor can run it. In this presentation I will introduce WinAppDbg, a Python module originally written for coding instrumentation scripts and fuzzing, and demonstrate how it can be used not only to detect an executable unpacking itself, but also to dump a copy of the unpacked memory, locate the original entry point, and attempt to locate the unpacking loop, with varying degrees of success.
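The detection step described above can be modelled without a debugger. The following is an added example, not the speaker's WinAppDbg script, and it assumes the common write-then-execute heuristic for spotting self-unpacking code: record every byte the process writes at runtime, and the first time the instruction pointer lands on a written address the sample has unpacked itself. That address becomes the candidate original entry point (OEP), the contiguous written run around it is what gets dumped, and the instruction that wrote most of that run is the guess for the unpacking loop. The trace, the addresses and the eight "payload" bytes are all constructed for the example.

```python
"""Write-then-execute unpacking detector, driven by a constructed trace.

Events are tuples:  ("write", writer_eip, addr, byte)  or  ("exec", eip).
In a real harness they would come from a debugger; here they are synthetic.
"""
from collections import Counter
from typing import Dict, List, Optional, Tuple

Event = Tuple


class UnpackDetector:
    def __init__(self) -> None:
        self.memory: Dict[int, int] = {}      # model of process memory: addr -> byte
        self.written: set = set()             # addresses written since process start
        self.writer_of: Dict[int, int] = {}   # addr -> EIP of the instruction that wrote it
        self.oep: Optional[int] = None

    def on_write(self, writer_eip: int, addr: int, value: int) -> None:
        self.memory[addr] = value & 0xFF
        self.written.add(addr)
        self.writer_of[addr] = writer_eip

    def on_execute(self, eip: int) -> bool:
        """True the first time execution reaches memory written at runtime."""
        if self.oep is None and eip in self.written:
            self.oep = eip
            return True
        return False

    def _region(self) -> Tuple[int, int]:
        """Contiguous run of written addresses that contains the OEP."""
        lo = hi = self.oep
        while lo - 1 in self.written:
            lo -= 1
        while hi + 1 in self.written:
            hi += 1
        return lo, hi

    def dump(self) -> bytes:
        if self.oep is None:
            return b""
        lo, hi = self._region()
        return bytes(self.memory[a] for a in range(lo, hi + 1))

    def unpacking_loop(self) -> Optional[int]:
        """EIP that wrote the most bytes of the region that later executed."""
        if self.oep is None:
            return None
        lo, hi = self._region()
        writers = Counter(self.writer_of[a] for a in range(lo, hi + 1))
        return writers.most_common(1)[0][0]


def analyse(events: List[Event]) -> dict:
    det = UnpackDetector()
    for ev in events:
        if ev[0] == "write":
            det.on_write(ev[1], ev[2], ev[3])
        elif ev[0] == "exec" and det.on_execute(ev[1]):
            break  # stop at the first execution of unpacked code
    return {"oep": det.oep, "dump": det.dump(), "unpacking_loop": det.unpacking_loop()}


def constructed_trace() -> Tuple[List[Event], bytes]:
    """A toy XOR stub at 0x401000 decoding 8 bytes in place at 0x402000.

    Constructed data: the payload bytes stand in for real x86 code, and the
    stub also writes a loop counter to the stack, which must NOT be mistaken
    for unpacked code because it is never executed.
    """
    payload = bytes([0x55, 0x8B, 0xEC, 0x33, 0xC0, 0x5D, 0xC3, 0x90])
    packed = bytes(b ^ 0x55 for b in payload)
    events: List[Event] = []
    for i, b in enumerate(packed):
        events.append(("exec", 0x401010))                         # xor byte [edi], 0x55
        events.append(("write", 0x401010, 0x402000 + i, b ^ 0x55))
        events.append(("exec", 0x401013))                         # update counter / loop
        events.append(("write", 0x401013, 0x0019FF00, i))         # counter on the stack
    events.append(("exec", 0x401020))                             # jmp to decoded code
    events.append(("exec", 0x402000))                             # EIP enters written memory
    return events, payload


if __name__ == "__main__":
    trace, _ = constructed_trace()
    result = analyse(trace)
    print("OEP 0x%x, loop at 0x%x, dump %s"
          % (result["oep"], result["unpacking_loop"], result["dump"].hex()))
```

In a WinAppDbg harness the write events would be supplied by its memory breakpoints and the execute events by code breakpoints or single-stepping; the detector logic stays the same. Note the heuristic only finds the first layer: a packer that unpacks in several stages will trigger on the first written region that executes, and the dump then has to be fed back through the same process.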
I'll conclude the presentation by mentioning some of the other automated analysis ideas that I've been playing with: some of which proved successful, and some of which were so slow that it may have been quicker to do the work manually.