CUBISMO: Decloaking Server-side Malware via Cubist Program Analysis
Malware written in dynamic languages such as PHP routinely employs anti-analysis techniques such as obfuscation schemes and evasive tricks to avoid detection. On top of that, attackers use automated malware creation tools to create numerous variants with little to no manual effort. This paper presents a system called CUBISMO to solve this pressing problem. It processes potentially malicious files and decloaks their obfuscations, exposing the hidden malicious code and writing it out as multiple files. The resulting files can be scanned by existing malware detection tools, leading to a much higher chance of detection. CUBISMO achieves this by exploring all executable statements of the program counterfactually, so that it sees malicious code through complicated polymorphism, metamorphism, and obfuscation techniques. Our evaluation on a real-world data set collected from a commercial web hosting company shows that CUBISMO is highly effective in dissecting sophisticated metamorphic malware with multiple layers of obfuscation. In particular, it enables VirusTotal to detect 53 out of 56 zero-day malware samples in the wild, which were previously undetectable.
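The abstract's core idea, executing every executable statement counterfactually so that code hidden behind evasive guards still reaches the eval sink and can be dumped to separate files, is illustrated below with a small Python interpreter for a toy statement language. This is an added example written for this page; it is not PHP, not CUBISMO's implementation, and the sample script, the `s3cr3t` magic value and the `placeholder_stage2()` stand-in for concealed code are all constructed for the illustration. An ordinary run (`forced=False`) follows the guards and only sees the benign branch; the forced run takes both arms of every `if` and recovers the two-layer payload.

```python
import base64
import os

# Toy statement language (constructed for this example; not PHP, not CUBISMO's IR):
#   Statements:  ("assign", name, expr) | ("if", cond, then_block, else_block) | ("eval", expr)
#   Expressions: ("const", v) | ("var", name) | ("concat", a, b) | ("eq", a, b)
#                | ("b64decode", e) | ("strrev", e)

def evaluate(expr, env):
    """Evaluate an expression against the variable environment."""
    op = expr[0]
    if op == "const":
        return expr[1]
    if op == "var":
        return env.get(expr[1], "")          # undefined variable reads as "" (PHP-like leniency)
    if op == "concat":
        return str(evaluate(expr[1], env)) + str(evaluate(expr[2], env))
    if op == "eq":
        return evaluate(expr[1], env) == evaluate(expr[2], env)
    if op == "b64decode":
        return base64.b64decode(evaluate(expr[1], env)).decode()
    if op == "strrev":
        return str(evaluate(expr[1], env))[::-1]
    raise ValueError("unknown expression: %r" % (op,))

def explore(stmts, env, trace, forced):
    """Yield (branch_trace, payload) for every value that reaches an 'eval' sink.
    forced=True takes BOTH arms of every 'if' regardless of the guard
    (counterfactual exploration); forced=False lets the guard decide."""
    if not stmts:
        return
    stmt, rest = stmts[0], stmts[1:]
    if stmt[0] == "assign":
        _, name, expr = stmt
        env = dict(env)
        env[name] = evaluate(expr, env)
        yield from explore(rest, env, trace, forced)
    elif stmt[0] == "if":
        _, cond, then_block, else_block = stmt
        if forced:
            arms = [(True, then_block), (False, else_block)]
        else:
            taken = bool(evaluate(cond, env))
            arms = [(taken, then_block if taken else else_block)]
        for taken, block in arms:
            # the arm's statements run before the remainder of the enclosing block
            yield from explore(block + rest, dict(env), trace + [taken], forced)
    elif stmt[0] == "eval":
        try:
            yield (tuple(trace), evaluate(stmt[1], env))
        except ValueError:
            pass   # infeasible counterfactual path (e.g. garbage fed to base64): skip it
        yield from explore(rest, env, trace, forced)
    else:
        raise ValueError("unknown statement: %r" % (stmt[0],))

def decloak(script, forced=True):
    """Map each branch trace to the string that reached eval on that path."""
    return dict(explore(script, {}, [], forced))

def write_payload_files(payloads, directory):
    """Dump each recovered payload to its own file so existing scanners can see it."""
    paths = []
    for i, (trace, code) in enumerate(sorted(payloads.items())):
        path = os.path.join(directory, "payload_%d.txt" % i)
        with open(path, "w") as fh:
            fh.write("# branch trace: %s\n%s\n" % (trace, code))
        paths.append(path)
    return paths

# Constructed sample: a two-layer loader that decodes its stage only when a request
# parameter matches a magic value and the client does not look like a scanner.
HIDDEN_STAGE = "placeholder_stage2();   # stand-in for the concealed code (constructed)"
LAYER1 = base64.b64encode(base64.b64encode(HIDDEN_STAGE.encode())[::-1]).decode()

SAMPLE_SCRIPT = [
    ("assign", "k", ("const", "wrong")),        # what a plain scan sees: the magic value is absent
    ("assign", "ua", ("const", "browser")),
    ("assign", "blob", ("const", LAYER1)),
    ("if", ("eq", ("var", "k"), ("const", "s3cr3t")),
        [("assign", "stage", ("b64decode", ("var", "blob"))),            # layer 1: base64
         ("if", ("eq", ("var", "ua"), ("const", "scanner")),
             [("eval", ("const", "echo 'nothing to see';"))],              # evasive decoy
             [("eval", ("b64decode", ("strrev", ("var", "stage"))))])],   # layer 2: reversed base64
        [("eval", ("const", "echo 'welcome';"))]),
]

if __name__ == "__main__":
    print("ordinary run:", decloak(SAMPLE_SCRIPT, forced=False))
    print("forced run  :", decloak(SAMPLE_SCRIPT, forced=True))
```

The forced run yields one payload per branch trace, including the decoded stage on the `(True, False)` path that ordinary execution never reaches; `write_payload_files` then emits each as a separate file, which is the shape of output the abstract describes handing to existing detectors. Real scripts need the same tolerance shown in the `eval` case: counterfactual paths routinely feed invalid data to decoders, and the explorer must skip those paths rather than abort.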