BinBLAST is an extension of Karlin and Altschul's Basic Local Alignment Search Tool (BLAST) to work with binaries. This technique has proved invaluable in aiding reverse engineering of genomes, and its variants have become mainstays of modern bioinformatics. The analog developed for security analysis of binary executables, binBLAST, is sensitive to code versions and compiler variations, and can be used to generate antivirus signatures.
Attached to this post is the code as of the DefCon presentation, provided without much documentation. If you have the DefCon CD, there is an outline in the slides of the programs and how they fit together. This includes the proof-of-concept code necessary to produce signatures of uniqueness.
While writing some PE analysis code I needed to calculate the actual physical offset in a PE file for a given RVA (relative virtual address). Looking around on the Internet, it was non-obvious. The Metasploit Framework's msfpescan was actually the most help. I've ported it to Ero Carrera's pefile module and attached the patch to this post. pefile is a Python module that I highly recommend.
Read more for the simple technique.
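The mapping the post refers to, as an added example (not the attached patch and not pefile's own implementation): walk the section table, find the section whose virtual range contains the RVA, and add the RVA's distance into that section to the section's PointerToRawData. The section table bytes below are constructed for the example, not taken from a real binary; the header-range rule assumes the headers are mapped 1:1 at the image base.

```python
import struct
from typing import List, NamedTuple, Optional

# IMAGE_SECTION_HEADER is 40 bytes; only the fields needed for the mapping are kept.
SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")

class Section(NamedTuple):
    name: str
    virtual_size: int
    virtual_address: int
    raw_size: int
    raw_pointer: int

def parse_section_table(data: bytes, count: int) -> List[Section]:
    """Unpack `count` IMAGE_SECTION_HEADER entries from a section table blob."""
    sections = []
    for i in range(count):
        f = SECTION_HEADER.unpack_from(data, i * SECTION_HEADER.size)
        name = f[0].rstrip(b"\0").decode("ascii", "replace")
        sections.append(Section(name, f[1], f[2], f[3], f[4]))
    return sections

def rva_to_offset(rva: int, sections: List[Section]) -> Optional[int]:
    """Map an RVA to a physical file offset, or None if those bytes are not in the file."""
    for s in sections:
        # In memory a section spans the larger of VirtualSize and SizeOfRawData.
        span = max(s.virtual_size, s.raw_size)
        if s.virtual_address <= rva < s.virtual_address + span:
            delta = rva - s.virtual_address
            if delta >= s.raw_size:
                return None  # zero-filled by the loader; nothing on disk to read
            return s.raw_pointer + delta
    # Assumption: headers are mapped unchanged, so an RVA below the first section is its offset.
    if sections and rva < min(s.virtual_address for s in sections):
        return rva
    return None

# Constructed two-section table for the example: .text and .data.
SAMPLE_TABLE = SECTION_HEADER.pack(b".text", 0x1234, 0x1000, 0x1400, 0x400, 0, 0, 0, 0, 0x60000020)
SAMPLE_TABLE += SECTION_HEADER.pack(b".data", 0x2000, 0x3000, 0x200, 0x1800, 0, 0, 0, 0, 0xC0000040)
SAMPLE_SECTIONS = parse_section_table(SAMPLE_TABLE, 2)

if __name__ == "__main__":
    for rva in (0x200, 0x1010, 0x3100, 0x3500, 0x9000):
        print(hex(rva), "->", rva_to_offset(rva, SAMPLE_SECTIONS))
```

The 0x3500 case is the one that trips up naive implementations: it lies inside .data's VirtualSize but past its SizeOfRawData, so it has no file offset at all.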
How do I unpack malware so I can see what's inside it? Like where it connects, etc.
Unfortunately, the utility of the UI was perhaps not worth the development effort. Fortunately, the trainings I've attended at Blackhat have given me a good idea of how to use other UIs and get access to a 'better' disassembler than objdump in IDA Pro.
Instead of the UI, I've shifted development focus to the automatic signature generation, an attempt to use the binBLAST technique to identify unique code sequences compared to some universal set of code. Initial development of this is showing great promise but is far from submission quality. I'm making changes to my DefCon talk to reflect this new progress/development.
As Chamuco has indicated, I'm working on getting my prototype code into a usable form. For those of you who did not get the chance to see my office, I had about 8 pages filled front-and-back with file offset calculations and other side-effects of a highly disjoint process.
Right now I've moved the code from a series of standalone projects into a suite unified by a CGI/python interface. This is moving toward integration with OC's systems to provide automatic coverage of malware submissions.
The major problem with the BLAST-type approach, as with the original BLAST algorithm, is in filtering the output to get the usable kernels.
The tool mentioned in the previous post will be presented at DefCon and released via sourceforge. The intent is to make the suite usable for larger analysis vs. the prototype analysis present in my thesis topic. As soon as I have the registration for the sourceforge project completed, I will post the project link here.
Special thanks to Valsmith and Chamuco for providing the source malware for my thesis as well as some reverse engineering pointers.
Welcome to the Offensive Computing open malware research project. If you're reading this you may (or may not) be interested in researching malware. There are a few different ways that you can contribute. You can upload your malware samples, download the samples, or discuss them.
Our friend lin0xx just sent us this cool new tool he made called sc_frmt.
It's basically a shellcode formatter written in Ruby, so that you can take gdb output and have it formatted shellcode-style into various languages.
Feedback goes to lin0xx [at] gmail.com
Check it out!
I suppose this is a question to everyone reading this blog. If you were to have a tool that could locate similar instruction sequences in some large database, say all of the binaries on an installation, what would you like to see it do?
Based on the work/analysis of valsmith and others, I'm going to start by seeing if Win32.Klez has anything in common with Ubuntu, SuSE, and Mandrake.*
As I don't expect that to return any results, does anyone have any good Linux malware w/ analysis?
* Yes, I do realize that I'm doing a cross-platform analysis. Unfortunately, the people funding my research will not let me assume the risk for analysis of Windows.
As I don't know exactly where to begin, I will begin in medias res. I've been spending some time now on a number of techniques to automate portions of reverse engineering for security analysis most of which have been inspired by bioinformatics-type approaches. I don't have any succinct documentation to this point in time, but that will change in the next two-to-three weeks.