Publication Details

Psyb0t Malware: A Step-by-Step Decompilation Case Study

ĎURFINA Lukáš, KŘOUSTEK Jakub and ZEMEK Petr. Psyb0t Malware: A Step-By-Step Decompilation Case Study. In: 20th Working Conference on Reverse Engineering (WCRE). Koblenz: IEEE Computer Society, 2013, pp. 449-456. ISBN 978-1-4799-2930-6. Available from: http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=6671321
Czech title
Psyb0t: příkladová studie analýzy škodlivého kódu pomocí zpětného překladu
Type
conference paper
Language
english
Authors
Ďurfina Lukáš, Ing. (DIFS FIT BUT)
Křoustek Jakub, Ing. (DIFS FIT BUT)
Zemek Petr, Ing. (DIFS FIT BUT)
URL
Keywords

reverse engineering, decompilation, retargetable decompiler, Lissom, malware, psyb0t, experience

Abstract

Decompilation (i.e. reverse compilation) represents one of the most toughest and challenging tasks in reverse engineering. Even more difficult task is the decompilation of malware because it typically does not follow standard application binary interface conventions, has stripped symbols, is obfuscated, and can contain polymorphic code. Moreover, in the recent years, there is a rapid expansion of various smart devices, running different types of operating systems on many types of processors, and malware targeting these platforms. These facts, combined with the boundedness of standard decompilation tools to a particular platform, imply that a considerable amount of effort is needed when decompiling malware for such a diversity of platforms.

This is an experience paper reporting the decompilation of a real-world malware. We give a step-by-step case study of decompiling a MIPS worm called psyb0t by using a retargetable decompiler that is being developed within the Lissom project. First, we describe the decompiler in detail. Then, we present the case study. After that, we analyse the results obtained during the decompilation and present our personal experience. The paper is concluded by discussing future research possibilities.

Published
2013
Pages
449-456
Proceedings
20th Working Conference on Reverse Engineering (WCRE)
Conference
20th Working Conference on Reverse Engineering, Koblenz, DE
ISBN
978-1-4799-2930-6
Publisher
IEEE Computer Society
Place
Koblenz, DE
DOI
UT WoS
000332514300048
BibTeX
@INPROCEEDINGS{FITPUB10341,
   author = "Luk\'{a}\v{s} \v{D}urfina and Jakub K\v{r}oustek and Petr Zemek",
   title = "Psyb0t Malware: A Step-by-Step Decompilation Case Study",
   pages = "449--456",
   booktitle = "20th Working Conference on Reverse Engineering (WCRE)",
   year = 2013,
   location = "Koblenz, DE",
   publisher = "IEEE Computer Society",
   ISBN = "978-1-4799-2930-6",
   doi = "10.1109/WCRE.2013.6671321",
   language = "english",
   url = "https://www.fit.vut.cz/research/publication/10341"
}
Back to top