[Overview] [Publications] [Back to BitBlaze]


The ability to automatically dissect a malicious binary and extract information from it is an important cornerstone for system forensic analysis and system defense. Malicious binaries, also called malware, include denial of service attack tools, spamming systems, worms, and botnets. New malware samples are uncovered daily through widely deployed honeypots/honeyfarms, forensic analysis of compromised systems, and through underground channels. As a result of the break-neck speed of malware development and recovery, automated analysis of malicious programs has become necessary in order to create effective defenses. Malware analysis is needed to create signatures for subsequent malware detection, detecting scams, and in general "knowing thy enemy".

Automatic dissection of malicious binaries, however, is a challenging task. There is no source code available, and to make things worse, the binary could be packed or obfuscated to evade purely static binary analysis. There may be different behavior embedded in the malicious binary which will only be activated under certain conditions such as receiving a command from the network. Regardless of the type of malware, there are common high-level questions we would like to answer, such as:

We propose a system, called BitScope, to perform automatic malware dissection. BitScope takes as input a malicious binary, and outputs information about execution paths. This information is then be used by supplemental analysis designed to answer specific questions, such as what behavior the malware exhibits, what inputs activate interesting behavior, and dependency between inputs and outputs. BitScope dissection is not performed by executing the malware with different concrete input values. Instead, BitScope abstracts away specific concrete inputs by executing the program on symbolic inputs which simultaneously capture a multitude of different inputs to the program. Executing with symbolic inputs allows us to reason about code paths without constraining the analysis to a particular input value.


Automatically Identifying Trigger-based Behavior in Malware
David Brumley, Cody Hartwig, Zhenkai Liang James Newsome, Dawn Song, and Heng Yin. Book chapter in "Botnet Analysis", Editors W. Lee, et. al., 2007.

BitScope: Automatically Dissecting Malicious Binaries
David Brumley, Cody Hartwig, Min Gyung Kang, Zhenkai Liang James Newsome, Pongsin Poosankam, Dawn Song, and Heng Yin. Technical Report CMU-CS-07-133, School of Computer Science, Carnegie Mellon University, March 18, 2007

Back to BitBlaze