23 August 2023, by Mathias Fischer
Our paper, "Binary Sight-Seeing: Accelerating Reverse Engineering via Point-of-Interest-Beacons" was accepted for publication at the Annual Computer Security Applications Conference (ACSAC 2023).
The paper introduces automated identification of key points in binaries, aiding ransomware analysis and botnet monitoring without exhaustive manual reverse engineering.
We will present our results at the workshop in Austin, Texas in December 2023 and look forward to exchanging ideas with international researchers.
Reverse engineering is still a largely manual and very time-consuming process. To accelerate it, beacons in the form of known instructions or code patterns are commonly used to guide reverse engineers in dissecting a binary. However, if done manually, identifying high-quality beacons can be very laborious. This paper introduces a novel method to automatically identify so-called Points-of-Interest (POIs) in binaries. POIs are instructions that interact with data the analyst knows a priori, e.g., via sandbox analysis or expert knowledge. These POIs are then used as beacons to guide analysts to the interesting parts of the binary that interact with the specified data, e.g., the encryption routine.

Based on our proposed method, we implemented two types of prototypes. First, a prototype whose output can be loaded via custom plugins into IDA and Ghidra, i.e., two of the most popular reverse-engineering tools. We show the applicability of our method via this prototype by summarizing the insights of the analysis of the Locky and WannaCry ransomware as one of the potential application domains, i.e., malware reverse engineering. Second, we also introduce a prototype that monitors P2P botnets in a fully automated manner by directly instrumenting the botnet malware without requiring manual reverse engineering. We demonstrate the effectiveness of this prototype by applying it to the ZeroAccess, Sality, Nugache, and Kelihos botnets and summarize our findings in the paper.

Using our approach, we effortlessly found the encryption function in both analyzed ransomware families. For P2P botnets, our monitoring prototype could enumerate the bots in all analyzed botnets, relying only on our POIs.
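As an added illustration of the POI idea (not the paper's method or code), the script below assumes a hypothetical tracer that records the bytes each instruction reads or writes; it flags instructions whose accessed bytes match analyst-specified data and pairs plaintext readers with nearby ciphertext writers to point at a candidate encryption routine. All trace data, addresses and the known plaintext/ciphertext are constructed.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Access:
    """One memory access recorded by a (hypothetical) tracer."""
    addr: int       # address of the instruction that performed the access
    mnemonic: str
    kind: str       # "R" for read, "W" for write, "-" for no memory access
    data: bytes     # the bytes read or written


# Analyst-supplied data known a priori, e.g. from a sandbox run: a plaintext
# chunk the sample read and the ciphertext it later emitted (constructed).
KNOWN_PLAINTEXT = b"SECRET DOCUMENT CONTENTS"
KNOWN_CIPHERTEXT = bytes(b ^ 0x5A for b in KNOWN_PLAINTEXT)

# Constructed access trace in a hypothetical format, not output of a real tool.
TRACE = [
    Access(0x401000, "mov rax,[rsi]", "R", KNOWN_PLAINTEXT[0:8]),
    Access(0x401004, "xor rax,rcx", "-", b""),
    Access(0x401008, "mov [rdi],rax", "W", KNOWN_CIPHERTEXT[0:8]),
    Access(0x401000, "mov rax,[rsi]", "R", KNOWN_PLAINTEXT[8:16]),
    Access(0x401008, "mov [rdi],rax", "W", KNOWN_CIPHERTEXT[8:16]),
    Access(0x401000, "mov rax,[rsi]", "R", KNOWN_PLAINTEXT[16:24]),
    Access(0x401008, "mov [rdi],rax", "W", KNOWN_CIPHERTEXT[16:24]),
    Access(0x402100, "mov ecx,[rbp-8]", "R", b"\x00\x00\x00\x01"),  # loop counter
    Access(0x402200, "mov [rsp+8],rax", "W", b"SECRET D"),  # stale copy, not crypto
]


def find_pois(trace, known, min_len=4):
    """Return {instruction address: hit count} for instructions whose accessed
    bytes are a substring of any analyst-specified value. Accesses shorter than
    min_len are ignored so tiny counters do not match by chance."""
    hits = Counter()
    for acc in trace:
        if len(acc.data) >= min_len and any(acc.data in k for k in known):
            hits[acc.addr] += 1
    return dict(hits)


def candidate_crypto_sites(trace, plaintext, ciphertext, span=0x40):
    """Pair POIs that read known plaintext with POIs that write the matching
    ciphertext within `span` bytes of code, i.e. likely the same routine."""
    reads = find_pois([a for a in trace if a.kind == "R"], [plaintext])
    writes = find_pois([a for a in trace if a.kind == "W"], [ciphertext])
    return sorted((r, w) for r in reads for w in writes if abs(r - w) <= span)
```

The stale copy at 0x402200 still shows up as a POI, which is the point of a beacon: it narrows where the analyst looks, and the read/write pairing then singles out the transformation site.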