Boris Lau, Sophos
Modern malware analysis is shifting towards dynamic behavioural analysis to assist static analysis in combating the increasing volume and complexity of samples. However, the information produced by these two stages is not closely integrated, as illustrated by the division between debugger and disassembler in many professional reverse-engineering environments. Consequently, collating and comparing low-level information across multiple samples, which is important for grouping and generic detection, is often difficult.
This paper will discuss a hybrid, platform-independent framework, DSD Tracer. DSD Tracer collects low-level Dynamic analysis information (the first D in DSD), such as a full assembly trace of one or more samples, which is then fed into various Static analysers (the S in DSD) that automate the processing of the large volume of information generated by the D step. To explore the full behaviour of a sample, one can re-execute the program under modified test states or environments and repeat the above cycle (hence the recursive acronym DSD).
A demonstration of DSD Tracer will be implemented using instrumentation of virtual machines. The algorithms used to analyse its output will be illustrated with graphical interfaces, such as the ability to play a dynamic assembly trace backwards and forwards across multiple samples, to show their advantage over traditional analysis tools for consolidating information derived from dynamic and static analysis.
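As an added illustration of the S step and of the cross-sample trace comparison described above (example code written for this page, not DSD Tracer's own code or algorithms), the block below takes constructed instruction traces in an assumed one-instruction-per-line "address mnemonic operands" format, cuts them into executed basic blocks, mines mnemonic n-grams shared by two samples as candidate generic-detection features, finds where two runs of the same sample diverge after its environment was modified (the re-execution step of the cycle), and replays several traces in lock-step, forwards and backwards. The traces, addresses and the IsDebuggerPresent-like stub are all made up for the example.

```python
"""Toy 'S'-step analysers for a DSD cycle: parse a dynamic assembly trace, cut it
into executed blocks, mine n-grams shared across samples, diff two runs, replay."""
import re
from collections import namedtuple

Instr = namedtuple("Instr", "addr mnemonic operands")
_LINE = re.compile(r"^\s*(?:0x)?([0-9a-fA-F]+)\s+(\S+)\s*(.*?)\s*$")
_BRANCH = re.compile(r"^(j[a-z]+|call|retn?|loop[a-z]*)$")

def parse_trace(text):
    """Parse 'addr mnemonic operands' lines, one executed instruction per line."""
    out = []
    for line in filter(str.strip, text.splitlines()):
        m = _LINE.match(line)
        if not m:
            raise ValueError("unparseable trace line: %r" % line)
        out.append(Instr(int(m.group(1), 16), m.group(2).lower(), m.group(3)))
    return out

def split_blocks(instrs):
    """Cut an executed trace into dynamic basic blocks; a block ends at any branch."""
    blocks, cur = [], []
    for ins in instrs:
        cur.append(ins)
        if _BRANCH.match(ins.mnemonic):
            blocks.append(cur)
            cur = []
    return blocks + ([cur] if cur else [])

def shared_ngrams(traces, n=4):
    """Mnemonic n-grams executed by every trace: candidate generic-detection features."""
    grams = []
    for t in traces:
        mn = [i.mnemonic for i in t]
        grams.append({tuple(mn[k:k + n]) for k in range(len(mn) - n + 1)})
    return set.intersection(*grams) if grams else set()

def first_divergence(a, b, key=lambda i: i.addr):
    """Index of the first instruction where two runs differ under `key` (default:
    address, i.e. control-flow divergence); None if the traces are identical."""
    for k, (x, y) in enumerate(zip(a, b)):
        if key(x) != key(y):
            return k
    return None if len(a) == len(b) else min(len(a), len(b))

class TracePlayer:
    """Forward/backward playback over several traces at one shared instruction index."""
    def __init__(self, traces):
        self.traces, self.pos = traces, 0
        self.last = max(len(t) for t in traces) - 1
    def current(self):
        return [t[self.pos] if self.pos < len(t) else None for t in self.traces]
    def forward(self, n=1):
        self.pos = min(self.pos + n, self.last)
        return self.current()
    def back(self, n=1):
        self.pos = max(self.pos - n, 0)
        return self.current()

# Constructed traces, not real samples: A calls an IsDebuggerPresent-like stub and
# then runs a short XOR decoder loop; B is a different packer with the same loop.
SAMPLE_A = """
00401000 push ebp
00401001 mov ebp, esp
00401003 call 0x402000
00402000 mov eax, 0
00402005 ret
00401008 test eax, eax
0040100a jne 0x401030
0040100c xor ecx, ecx
0040100e mov esi, 0x403000
00401013 lodsb
00401014 xor al, 0x5a
00401016 stosb
00401017 inc ecx
00401018 cmp ecx, 1
0040101b jne 0x401013
0040101d jmp 0x403000
"""
# The same sample re-executed with the environment modified so the stub reports a
# debugger: identical prefix up to the jne, then the anti-debug path is taken.
SAMPLE_A_DBG = "\n".join(SAMPLE_A.strip().splitlines()[:7]).replace(
    "mov eax, 0", "mov eax, 1") + "\n00401030 push 0\n00401032 call dword ptr [0x405000]\n"
SAMPLE_B = """
00501000 pushad
00501001 mov esi, 0x503000
00501006 mov edi, esi
00501008 xor ecx, ecx
0050100a lodsb
0050100b xor al, 0x77
0050100d stosb
0050100e inc ecx
0050100f cmp ecx, 1
00501012 jne 0x50100a
00501014 popad
00501015 jmp 0x503000
"""
A, A_DBG, B = parse_trace(SAMPLE_A), parse_trace(SAMPLE_A_DBG), parse_trace(SAMPLE_B)
```

With the two constructed samples, `shared_ngrams([A, B])` returns only the n-grams of the common decoder loop, while `first_divergence(A, A_DBG)` pinpoints the instruction after the anti-debug check as the point where the modified environment changed control flow; comparing by full instruction (`key=lambda i: i`) instead reports the stub's differing return value three instructions earlier, which is the kind of distinction a real analyser has to make explicit.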