Result Details

Psyb0t Malware: A Step-by-Step Decompilation Case Study

ĎURFINA, L.; KŘOUSTEK, J.; ZEMEK, P. Psyb0t Malware: A Step-by-Step Decompilation Case Study. In 20th Working Conference on Reverse Engineering (WCRE). Koblenz: IEEE Computer Society, 2013. p. 449-456. ISBN: 978-1-4799-2930-6.
Type
conference paper
Language
English
Authors
Ďurfina Lukáš, Ing., Ph.D., DIFS (FIT)
Křoustek Jakub, Ing., Ph.D., DIFS (FIT)
Zemek Petr, Ing., Ph.D., DIFS (FIT)
Abstract

Decompilation (i.e. reverse compilation) represents one of the most toughest and challenging tasks in reverse engineering. Even more difficult task is the decompilation of malware because it typically does not follow standard application binary interface conventions, has stripped symbols, is obfuscated, and can contain polymorphic code. Moreover, in the recent years, there is a rapid expansion of various smart devices, running different types of operating systems on many types of processors, and malware targeting these platforms. These facts, combined with the boundedness of standard decompilation tools to a particular platform, imply that a considerable amount of effort is needed when decompiling malware for such a diversity of platforms.

This is an experience paper reporting the decompilation of a real-world malware. We give a step-by-step case study of decompiling a MIPS worm called psyb0t by using a retargetable decompiler that is being developed within the Lissom project. First, we describe the decompiler in detail. Then, we present the case study. After that, we analyse the results obtained during the decompilation and present our personal experience. The paper is concluded by discussing future research possibilities.

Keywords

reverse engineering, decompilation, retargetable decompiler, Lissom, malware, psyb0t, experience

URL
Published
2013
Pages
449–456
Proceedings
20th Working Conference on Reverse Engineering (WCRE)
Conference
20th Working Conference on Reverse Engineering
ISBN
978-1-4799-2930-6
Publisher
IEEE Computer Society
Place
Koblenz
DOI
10.1109/WCRE.2013.6671321
UT WoS
000332514300048
BibTeX 
@inproceedings{BUT103401,
  author="Lukáš {Ďurfina} and Jakub {Křoustek} and Petr {Zemek}",
  title="Psyb0t Malware: A Step-by-Step Decompilation Case Study",
  booktitle="20th Working Conference on Reverse Engineering (WCRE)",
  year="2013",
  pages="449--456",
  publisher="IEEE Computer Society",
  address="Koblenz",
  doi="10.1109/WCRE.2013.6671321",
  isbn="978-1-4799-2930-6",
  url="http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=6671321"
}
Projects
Advanced recognition and presentation of multimedia data, BUT, Vnitřní projekty VUT, FIT-S-11-2, start: 2011-01-01, end: 2013-12-31, completed
Centrum excelence IT4Innovations, MŠMT, Operační program Výzkum a vývoj pro inovace, ED1.1.00/02.0070, start: 2011-01-01, end: 2015-12-31, completed
System for Support of Platform Independent Malware Analysis in Executable Files, TAČR, Program aplikovaného výzkumu a experimentálního vývoje ALFA, TA01010667, start: 2011-01-01, end: 2013-12-31, completed
Validace spustitelného kódu pro systémy průmyslové automatizace pomocí zpětného překladu, BUT, Vnitřní projekty VUT, FEKT/FIT-J-13-2000, start: 2013-01-01, end: 2013-12-31, completed
Research groups
Hardware-Software Codesign research group (RG LISSOM)
Departments
Department of Information Systems (DIFS)
Back to top