Eureka: a Framework for Enabling Static Malware Analysis

Citation

Sharif, M., Yegneswaran, V., Saidi, H., Porras, P., Lee, W. (2008). Eureka: A Framework for Enabling Static Malware Analysis. In: Jajodia, S., Lopez, J. (eds) Computer Security – ESORICS 2008. ESORICS 2008. Lecture Notes in Computer Science, vol 5283. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-88313-5_31

Abstract

We introduce Eureka, a framework for enabling static analysis on Internet malware binaries. Eureka incorporates a novel binary unpacking strategy based on statistical bigram analysis and coarse-grained execution tracing. The Eureka framework uniquely distinguishes itself from prior work by providing effective evaluation metrics and techniques to assess the quality of the produced unpacked code. Eureka provides several Windows API resolution techniques that identify system calls in the unpacked code by overcoming various existing control flow obfuscations. Eureka’s unpacking and API resolution capabilities facilitate the structural analysis of the underlying malware logic by means of micro-ontology generation that labels groupings of identified API calls based on their functionality. They enable a visual means for understanding malware code through the automated construction of annotated control flow and call graphs. Our evaluation on multiple datasets reveals that Eureka can simplify analysis on a large fraction of contemporary Internet malware by successfully unpacking and deobfuscating API references.
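As an added illustration of the unpacking idea the abstract names (this is not the paper's code; the bigram set, the threshold and the sample memory snapshots are constructed assumptions), the Python sketch below scores each memory snapshot of a running sample by how often byte bigrams typical of compiled x86 code occur, and picks the first snapshot whose score crosses the threshold as the candidate unpacked image:

```python
import hashlib
from collections import Counter

# Constructed, illustrative bigrams that are frequent in compiled x86 code
# (opcode + ModRM pairs). Assumption: this is not the paper's bigram model.
CODE_BIGRAMS = {
    b"\x55\x8b",  # push ebp; mov ...      (prologue start)
    b"\x8b\xec",  # mov ebp, esp
    b"\x8b\x45",  # mov eax, [ebp+disp8]
    b"\xff\x15",  # call dword ptr [addr]  (typical API call site)
    b"\x33\xc0",  # xor eax, eax
    b"\x5d\xc3",  # pop ebp; ret           (epilogue)
    b"\x83\xc4",  # add esp, imm8          (stack cleanup)
}

def bigram_counts(buf: bytes) -> Counter:
    """Count every overlapping 2-byte sequence in the buffer."""
    return Counter(buf[i:i + 2] for i in range(len(buf) - 1))

def code_bigram_ratio(buf: bytes) -> float:
    """Fraction of bigram positions that match a code-typical bigram."""
    if len(buf) < 2:
        return 0.0
    counts = bigram_counts(buf)
    return sum(counts[b] for b in CODE_BIGRAMS) / (len(buf) - 1)

def first_unpacked_snapshot(snapshots, threshold=0.02):
    """Index of the first coarse-grained execution snapshot whose score
    crosses the threshold, or None if the sample never looks unpacked."""
    for i, snap in enumerate(snapshots):
        if code_bigram_ratio(snap) >= threshold:
            return i
    return None

# Constructed samples: a packed-looking region (pseudo-random bytes from a
# hash chain) and a region made of repeated x86 function prologue/epilogue.
def _pseudo_random(n: int) -> bytes:
    out, block = b"", b"seed"
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]

PACKED_SAMPLE = _pseudo_random(256)
CODE_SAMPLE = (b"\x55\x8b\xec\x83\xec\x08\x8b\x45\x08"
               b"\xff\x15\x00\x10\x40\x00\x33\xc0\x5d\xc3") * 8
```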

Keywords

  • System Call
  • Virtual Address
  • Call Site
  • Obfuscation Technique
  • Malicious Executable
