A New Trend for the Blue Team - Using a Practical Symbolic Engine to Detect Evasive Forms of Malware/Ransomware
Blue Teams and anyone on the defensive side face several challenges when reverse engineering suspected malware or ransomware binaries, especially samples that use obfuscation techniques such as variants, embedded exploits and complex ransomware. The first is deciding whether the sample is even worth the effort (what makes it unique, challenging or new); the second is choosing static analysis, dynamic analysis, or both. With static analysis you give up the ability to detect obfuscated malicious behaviour that only becomes visible at run time, while dynamic analysis is labor and time intensive, requires a high degree of skill and experience, and carries the risk of the binary escaping your sandbox emulation or virtualization environment.
We believe there may be a new tool in the Blue Team's toolbox: a symbolic execution engine for detecting and analyzing suspected malware/ransomware binaries. A practical symbolic engine parses many of the binary's possible execution paths and represents those paths as symbolic expressions. Such an engine can analyze malicious execution paths with relatively low computing resources, reason about contextual relationships based on instruction semantics, and perform taint tracking and fuzzy identification of obfuscated APIs.
Using our practical symbolic engine, built by combining and improving on academic and practical research, you can identify and detect various exploits, techniques, and multiple malware/ransomware variants through symbolic signatures of attack techniques and ransomware behaviors, in a fully static setting. Even when the malware binary is obfuscated, we can still analyze it statically and detect it effectively.

ShengHao Ma
Sheng-Hao Ma (@aaaddress1) is currently working as a threat researcher at TXOne Networks and has specialized in Windows reverse engineering analysis for over 10 years. He is also a member of CHROOT, an information security community in Taiwan.
He has also served as a speaker and instructor for various international conferences and organizations such as DEFCON, HITB, BlackHat, VXCON, HITCON, ROOTCON, Ministry of National Defense, and Ministry of Education. He is also the author of the popular security book “Windows APT Warfare: The Definitive Guide for Malware Researchers”.

Hank Chen
Hank Chen is a threat researcher at TXOne Networks. Hank mainly focuses on malware analysis, product security, and vulnerability research. Hank has taken part in many CTF competitions with BalsiFox and 10sec, mainly focusing on crypto, reverse and pwn challenges. Hank has also spoken at FIRSTCON22, CYBERSEC 2022 and BlackHat USA 2022.

Mars Cheng
Mars Cheng (@marscheng_) is a manager of the TXOne Networks PSIRT and threat research team, responsible for coordinating product security and threat research. Cheng blends a background and experience in both ICS/SCADA and enterprise cybersecurity systems. Cheng has directly contributed to more than 10 CVE-IDs, and has had work published in three SCI applied cryptography journals. Before joining TXOne, Cheng was a security engineer at the Taiwan National Center for Cyber Security Technology (NCCST). Cheng is a frequent speaker and trainer at several international cyber security conferences such as Black Hat, RSA Conference, DEFCON, SecTor, FIRST, HITB, ICS Cyber Security Conference Asia and USA, HITCON, SINCON, CYBERSEC, and VXCON. Cheng is the general coordinator of HITCON 2022 and was a coordinator of HITCON 2021.