Code synchronization by morphological analysis

Guillaume Bonfante (1), Jean-Yves Marion (1, corresponding author), Fabrice Sabatier (1), Aurélien Thierry (1)
(1) CARTE - Theoretical adverse computations, and safety; Inria Nancy - Grand Est, LORIA - FM - Department of Formal Methods
Abstract: Reverse-engineering malware code is a difficult task, usually full of traps laid by the malware writers. Since the quality of defense software depends largely on the analysis of the malware, it becomes crucial to help software investigators with automatic tools. We describe and present a tool which synchronizes two related binary programs. Our tool finds machine instructions common to both programs and can display the correspondence, instruction by instruction, in IDA. Experiments were performed on many malware samples, such as stuxnet, duqu, sality and waledac. We have rediscovered some of the links between duqu and stuxnet, and we point out OpenSSL's use within waledac.
Document type: Journal articles

Cited literature: 8 references

https://hal.inria.fr/hal-00764286
Contributor: Aurélien Thierry
Submitted on: Wednesday, December 12, 2012 - 4:34:15 PM
Last modification on: Tuesday, December 18, 2018 - 4:48:02 PM
Long-term archiving on: Sunday, December 18, 2016 - 12:23:09 AM

Files: malware2012.pdf (files produced by the author(s))

Identifiers: HAL Id hal-00764286, version 1

Citation: Guillaume Bonfante, Jean-Yves Marion, Fabrice Sabatier, Aurélien Thierry. Code synchronization by morphological analysis. 7th International Conference on Malicious and Unwanted Software (Malware 2012), IEEE Xplore, 2012. ⟨hal-00764286⟩

Metrics: 507 record views, 704 file downloads