Using Reverse Engineering to Handle Malware
Introduction: This paper is a product of the research Project “Cyber Security Architecture for Incident Management” developed in the Colombian School of Engineering Julio Garavito in the year 2018.
Objective: Reverse engineering involves deconstructing objects to extract knowledge about them. The use of reverse engineering in malware analysis is extremely useful for understanding the functionality and purpose of a suspicious sample.
Methods: This paper makes use of Radare, one of the most popular open source tools for reverse engineering, to deal with malware.
Results: A use case related to hacking anti-sandbox malware is presented, so that the behavior of the sample can be analyzed in a sandbox. Additionally, another use case is presented: an in-depth analysis of a malicious Android application aimed at the audience of a popular event (the FIFA World Cup 2018), which demonstrates the relevance of reverse engineering techniques in end-user protection strategies.
Conclusions: This paper shows how the results of a reverse engineering process can be integrated with Yara rules, allowing malware to be detected on the fly, and it also shows an alternative, the automatic generation of Yara rules through the yarGen generator.
Originality: The use of open source reversing solutions by Colombian Law Enforcement Agencies has not been discussed previously, making this paper a notable element in the modernization of the Army.
Limitations: Different approaches to, and perspectives on, the limitations of the use of reverse engineering by Law Enforcement Agencies are also shared.
License
Copyright (c) 2019 Ingeniería Solidaria

This work is licensed under a Creative Commons Attribution 4.0 International License.
Cession of rights and ethical commitment
As the author of the article, I declare that it is an original unpublished work created exclusively by me, that it has not been submitted for simultaneous evaluation by another publication, and that there is no impediment of any kind to the concession of the rights provided for in this contract.
In this sense, I am committed to awaiting the result of the evaluation by the journal Ingeniería Solidaria before considering its submission to another medium; in case the response by that publication is positive, I am additionally committed to responding to any action involving claims, plagiarism or any other kind of claim that could be made by third parties.
At the same time, as the author or co-author, I declare that I am completely in agreement with the conditions presented in this work and that I cede all patrimonial rights, in other words, regarding reproduction, public communication, distribution, dissemination, transformation, making it available and all forms of exploitation of the work using any medium or procedure, during the term of the legal protection of the work and in every country in the world, to the Universidad Cooperativa de Colombia Press.