Hunting Obfuscated Malware by Abstract Interpretation

Author

  • MILA DALLA PREDA
Abstract

The Problem. A malware is a program with a malicious behaviour, that is designed to replicate with no user consent and to damage software and/or data on infected machines. Malware are generally classified according to their goals and propagation methods into viruses, worms, backdoors, Trojans, etc. A malware detector is a system that attempts to verify whether a program presents a malicious behaviour or not. The design of efficient malware detectors is crucial for preventing serious damage caused by malware infection. Current malware detectors (e.g. commercial virus scanners) in general rely on static signature matching and, more recently, on dynamic analyses [9]. The dynamic approach executes the potentially infected program in a controlled environment (sandbox), thus performing a run-time verification of malicious behaviours. However, smart malware may foil a dynamic analysis by modifying their behaviour when executed in a sandbox. Static signature matching classifies a program P as infected by a malware M when an instruction sequence of P matches the characteristic instruction sequence of M. Malware writers frequently use obfuscation to prevent signature matching detection. Code obfuscation [3] consists in syntactically transforming a program while maintaining its functional behaviour. Recent results [1] show that static signature matching can be defeated using simple obfuscating techniques, including code transposition, substitution of equivalent instruction sequences, opaque predicate insertion and variable renaming. Thus, the signature matching methodology is not resilient to slight modifications of malware and needs a frequently updated database of malware signatures (one for each version of the malware). The reason why obfuscation can easily foil signature matching lies in the syntactic nature of this approach, which ignores program functionality.
Program behaviours are precisely described by formal semantics, so that facing the malware detection problem from a semantic point of view could lead to a more resilient detection system. Preliminary work [2] on semantics-aware malware detectors confirms the potential benefits of a semantic approach. Our goal is to provide a semantic characterization of malware infection to be used as a basis for designing malware detectors that are resilient to most commonly used obfuscating techniques.
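The contrast the abstract draws between syntactic signature matching and a semantics-based check can be seen on a small constructed instruction set. The following Python is an added example, not code from the paper or its authors: the three-register toy ISA, the affine abstract domain (each register abstracted to a linear expression over the registers' initial values) and the sample "signature", "original", "obfuscated" and "benign" programs are all assumptions made here. The syntactic matcher looks for the signature's exact instruction sequence; the semantic matcher computes the abstract effect of every straight-line window and compares it with the signature's effect, so substitution of an equivalent instruction (`xor eax, eax` for `mov eax, 0`) and junk insertion (`nop`) no longer hide the match.

```python
"""Syntactic vs. semantic (effect-based) matching on a toy instruction set.

Added example: the instruction set, the affine abstract domain and all sample
programs are constructed here and are not the paper's own formalism."""
from typing import Dict, List, Sequence

# Abstract value: affine expression over initial register values,
# {symbol: coefficient}; the key "1" holds the constant term.
Expr = Dict[str, int]
State = Dict[str, Expr]

REGS = ("eax", "ebx", "ecx")


def parse(line: str):
    """'add eax, ebx' -> ('add', ['eax', 'ebx']); 'nop' -> ('nop', [])."""
    op, *args = line.replace(",", " ").split()
    return op.lower(), [a.lower() for a in args]


def normalize(line: str) -> str:
    op, args = parse(line)
    return op + (" " + ",".join(args) if args else "")


def const(n: int) -> Expr:
    return {"1": n} if n else {}


def add_expr(a: Expr, b: Expr, sign: int = 1) -> Expr:
    out = dict(a)
    for sym, coeff in b.items():
        out[sym] = out.get(sym, 0) + sign * coeff
    return {sym: c for sym, c in out.items() if c != 0}


def operand(state: State, tok: str) -> Expr:
    return dict(state[tok]) if tok in state else const(int(tok, 0))


def step(state: State, line: str) -> State:
    """Abstract transfer function: apply one instruction to the affine state."""
    op, args = parse(line)
    new = {r: dict(e) for r, e in state.items()}
    if op == "nop":
        return new
    dst = args[0]
    if op == "mov":
        new[dst] = operand(state, args[1])
    elif op == "add":
        new[dst] = add_expr(state[dst], operand(state, args[1]))
    elif op == "sub":
        new[dst] = add_expr(state[dst], operand(state, args[1]), -1)
    elif op == "inc":
        new[dst] = add_expr(state[dst], const(1))
    elif op == "dec":
        new[dst] = add_expr(state[dst], const(1), -1)
    elif op == "xor" and args[1] == dst:  # xor r, r always zeroes r
        new[dst] = {}
    else:
        raise ValueError(f"unsupported instruction: {line}")
    return new


def effect(code: Sequence[str]) -> State:
    """Abstract effect of a straight-line block on every register."""
    state: State = {r: {r: 1} for r in REGS}
    for line in code:
        state = step(state, line)
    return state


def syntactic_match(program: Sequence[str], signature: Sequence[str]) -> bool:
    """Classic signature matching: the exact instruction sequence must occur."""
    p = [normalize(l) for l in program]
    s = [normalize(l) for l in signature]
    return any(p[i:i + len(s)] == s for i in range(len(p) - len(s) + 1))


def semantic_match(program: Sequence[str], signature: Sequence[str]) -> bool:
    """Some contiguous window of the program has the signature's abstract effect."""
    target = effect(signature)
    n = len(program)
    return any(effect(program[i:j]) == target
               for i in range(n) for j in range(i + 1, n + 1))


# Constructed samples: a "signature", the program it came from, a variant
# obfuscated by instruction substitution and junk insertion, and a benign one.
SIGNATURE: List[str] = ["mov eax, 0", "add eax, ebx", "sub ecx, eax"]
ORIGINAL: List[str] = ["mov ecx, 5", "mov eax, 0", "add eax, ebx",
                       "sub ecx, eax", "inc ebx"]
OBFUSCATED: List[str] = ["mov ecx, 5", "xor eax, eax", "nop", "add eax, ebx",
                         "nop", "sub ecx, eax", "inc ebx"]
BENIGN: List[str] = ["mov eax, 1", "add eax, ebx", "inc ecx"]

if __name__ == "__main__":
    for name, prog in (("original", ORIGINAL), ("obfuscated", OBFUSCATED),
                       ("benign", BENIGN)):
        print(f"{name:10} syntactic={syntactic_match(prog, SIGNATURE)!s:5} "
              f"semantic={semantic_match(prog, SIGNATURE)}")
```

The affine domain is deliberately tiny: it is exact for the arithmetic shown but cannot express `xor` with distinct operands, branches or opaque predicates, and code transposition would need control-flow reasoning rather than contiguous windows. That is the trade-off the abstract points at: full semantic equivalence is undecidable, so a practical detector picks an abstraction coarse enough to absorb the obfuscations it cares about while staying precise enough to reject unrelated code such as the benign sample.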


Similar resources

Hunting Obfuscated Malwares by Abstract Interpretation

The Problem. A malware is a program with a malicious behaviour, that is designed to replicate with no user consent and to damage software and/or data on infected machines. Malwares are generally classified according to their goals and propagation methods into viruses, worms, backdoors, Trojans, etc. A malware detector is a system that attempts to verify whether a program presents a malicious be...


Abstract Stack Graph to Detect Obfuscated Calls in Binaries

Information about calls to the operating system (or kernel libraries) made by a binary executable may be used to determine whether the binary is malicious. Being aware of this approach, malicious programmers hide this information by making such calls without using the call instruction. For instance, the ‘call addr’ instruction may be replaced by two push instructions and a return instruction, t...


Stack Shape Analysis to Detect Obfuscated calls in Binaries

Information about calls to the operating system (or kernel libraries) made by a binary executable may be used to determine whether the binary is malicious. Being aware of this approach, malicious programmers hide this information by making such calls without using the CALL instruction. For instance, the CALL ADDR instruction may be replaced by two PUSH instructions and a RETURN instruction, the ...


Analyzing Memory Accesses in Obfuscated x86 Executables

Programmers obfuscate their code to defeat manual or automated analysis. Obfuscations are often used to hide malicious behavior. In particular, malicious programs employ obfuscations of stack-based instructions, such as call and return instructions, to prevent an analyzer from determining which system functions it calls. Instead of using these instructions directly, a combination of other instr...


Analysis of disassembled executable codes by abstract interpretation

The aim of this paper is to define the abstract domain, abstract operator, abstract semantics, the environments and states of disassembled executable codes as well as a way to analyze the disassembled executable codes. Nowadays, static analysis on disassembled code is going to grow. Reverse engineering and malware analysis use this technique. Thus, we tried to perform pluralization the requirements ...



Publication date: 2007