5 research outputs found

    Morphological Detection of Malware

    In the field of malware detection, methods based on syntactic considerations are usually efficient. However, they are highly vulnerable to obfuscation techniques. This study proposes an efficient construction of a morphological malware detector based on combined syntactic and semantic analysis, specifically on the control flow graphs (CFGs) of programs. Our construction employs tree automata techniques to provide an efficient representation of the CFG database. Next, we deal with classic program obfuscation by mutation using a generic graph rewriting engine. Finally, we carry out experiments to evaluate the false-positive ratio of the proposed methods.

    Code synchronization by morphological analysis

    Reverse-engineering malware code is a difficult task, usually full of traps laid by the malware writers. Since the quality of defensive software depends largely on the analysis of the malware, it becomes crucial to help software investigators with automatic tools. We describe and present a tool which synchronizes two related binary programs. Our tool finds common machine instructions between two programs and can display the correspondence instruction by instruction in IDA. Experiments were performed on many malware families such as Stuxnet, Duqu, Sality and Waledac. We have rediscovered some of the links between Duqu and Stuxnet, and we point out Waledac's use of OpenSSL.

    Software similarity and classification

    This thesis analyses software programs in the context of their similarity to other software programs. Applications proposed and implemented include detecting malicious software and discovering security vulnerabilities.