The University of Arizona

lynx: Analysis and Reverse Engineering of Malware Code

The lynx project aims to develop techniques and tools to automate the process of analysis and simplification of malware code.

Malware code is usually heavily obfuscated via a variety of techniques that make it difficult to figure out the internal logic of the code. For example, malware programs are very often self-modifying — the code is initially in a compressed or encrypted form, and is "unpacked" to its original executable form at runtime; in some cases, a program may undergo dozens or hundreds of layers of such runtime unpacking. In other cases, the malware logic may be embedded in the byte-code program of a custom-generated interpreter; in this case, examining the program code reveals only the structure of the interpreter, not that of the actual malware. The code may also be strewn with useless instructions that make it difficult to understand what the program is doing.

Existing tools for malware analysis provide little support for automatically removing such obfuscations, so removing them requires a great deal of time-consuming manual intervention. The goal of this project is to develop tools and techniques that automatically analyze malware code and make such code easier to understand.

Publications

  1. Automatic Simplification of Obfuscated JavaScript Code (Extended Abstract), with Gen Lu and Kevin Coogan.
    Proc. ICISTM-12 Workshop on Program Protection and Reverse Engineering (PPREW). March 2012. To appear.
    Abstract
    Paper: PDF

  2. Deobfuscating Virtualization-Obfuscated Software: A Semantics-Based Approach. Kevin Coogan, Gen Lu, and Saumya Debray.
    Proc. ACM Conference on Computer and Communications Security (CCS) Oct. 2011, pages 275-284.
    Abstract
    Paper: PDF

  3. Equational Reasoning on x86 Assembly Code. Kevin Coogan and Saumya Debray.
    Proc. Eleventh IEEE International Working Conference on Source Code Analysis and Manipulation (SCAM), Sept. 2011.
    Abstract
    Paper: PDF

  4. Reverse Engineering Self-Modifying Code: Unpacker Extraction. Jay Patel and Saumya Debray.
    Proc. 17th IEEE Working Conference on Reverse Engineering (WCRE), October 2010, pages 131-140.
    Abstract
    Paper: Postscript   |   PDF

  5. Modelling Metamorphism by Abstract Interpretation. Mila Dalla Preda, Roberto Giacobazzi, Saumya Debray, Kevin Coogan, and Gregg Townsend.
    Proc. 17th International Static Analysis Symposium (SAS), Sept. 2010, pages 218-235.
    Abstract
    Paper: Postscript   |   PDF

  6. Automatic Static Unpacking of Malware Binaries. Kevin Coogan, Saumya Debray, Tasneem Kaochar, and Gregg Townsend.
    Proc. 16th IEEE Working Conference on Reverse Engineering (WCRE), October 2009, pages 167-176.
    Abstract
    Paper: Postscript   |   PDF

  7. Static Detection of Disassembly Errors. Nithya Krishnamoorthy, Saumya Debray, and Keith Fligg.
    Proc. 16th IEEE Working Conference on Reverse Engineering (WCRE), October 2009, pages 259-268.
    Abstract
    Paper: Postscript   |   PDF

  8. On the Semantics of Self-Unpacking Malware Code. Saumya Debray, Kevin Coogan, and Gregg Townsend.
    Draft, July 2008.
    Abstract
    Paper: Postscript   |   PDF