Annual Computer Security Applications Conference (ACSAC) 2023

Binary Sight-Seeing: Accelerating Reverse Engineering via Point-of-Interest-Beacons

Reverse engineering is still a largely manual and very time-consuming process. To accelerate it, beacons in the form of known instructions or code patterns are commonly used to guide reverse engineers in dissecting a binary. However, if done manually, identifying high-quality beacons can be very laborious. This paper introduces a novel method to automatically identify so-called Points-of-Interest (POIs) in binaries. POIs are instructions that interact with data the analyst knows a priori, e.g., from sandbox analysis or expert knowledge. These POIs are then used as beacons to guide analysts to the interesting parts of the binary that interact with the specified data, e.g., the encryption routine. Based on our proposed method, we implemented two types of prototypes. First, a prototype whose output can be loaded via custom plugins into IDA and Ghidra, i.e., two of the most popular reverse-engineering tools. We show the applicability of our method via this prototype by summarizing the insights of the analysis of the Locky and Wannacry ransomware for one of the potential application domains, i.e., malware reverse engineering. Second, we also introduce a prototype that monitors P2P botnets in a fully automated manner by directly instrumenting the botnet malware without requiring manual reverse engineering. We demonstrate the effectiveness of this prototype by applying it to the ZeroAccess, Sality, Nugache, and Kelihos botnets and summarize our findings in this paper. Using our approach, we effortlessly found the encryption function in both analyzed ransomware families. For P2P botnets, our monitoring prototype could enumerate the bots in all analyzed botnets, relying only on our POIs.
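As an added illustration of the POI idea described above (example code, not the paper's own tooling or method): given a constructed instruction trace with recorded memory accesses and a set of analyst-supplied data (e.g., a key or peer address seen in a sandbox), flag the instructions that touch that data and rank functions by how many POIs they contain, so the top-ranked functions serve as beacons. The trace format, function names and sample values are assumptions; chunked accesses (a 16-byte key read four bytes at a time) are matched as well as whole-buffer accesses.

```python
"""Added illustration (not the paper's code): flag instructions whose memory
accesses touch analyst-supplied data, then rank functions by POI count."""
from dataclasses import dataclass, field

MIN_CHUNK = 4  # shortest access treated as evidence; shorter ones match too easily by chance


@dataclass
class TraceEntry:
    ip: int                                      # address of the instruction
    func: str                                    # enclosing function, as named by the disassembler
    reads: list = field(default_factory=list)    # byte strings read by this instruction
    writes: list = field(default_factory=list)   # byte strings written by this instruction


def touches(buf: bytes, known: bytes) -> bool:
    """True if one access overlaps the known data, either wholly or as a chunk of it."""
    if not buf or len(buf) < MIN_CHUNK:
        return False
    return known in buf or buf in known


def find_pois(trace, known_data):
    """known_data: {label: bytes}. Returns [(ip, func, label, kind)] for every POI found."""
    pois = []
    for e in trace:
        for label, known in known_data.items():
            if any(touches(b, known) for b in e.reads):
                pois.append((e.ip, e.func, label, "read"))
            if any(touches(b, known) for b in e.writes):
                pois.append((e.ip, e.func, label, "write"))
    return pois


def rank_functions(pois):
    """Functions ordered by POI count (descending); the top entries are the beacons."""
    counts = {}
    for _, func, _, _ in pois:
        counts[func] = counts.get(func, 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


# Constructed sample: a key observed in a sandbox run and a peer address from a config dump.
KNOWN = {"aes_key": bytes(range(16)), "peer_ip": bytes([10, 0, 0, 7])}

TRACE = [  # constructed trace; addresses and function names are placeholders
    TraceEntry(0x401000, "sub_401000", reads=[b"\x00\x01\x02\x03"]),   # key read in 4-byte chunks
    TraceEntry(0x401004, "sub_401000", reads=[b"\x04\x05\x06\x07"]),
    TraceEntry(0x401008, "sub_401000", reads=[bytes(range(16))]),       # whole key loaded
    TraceEntry(0x402000, "sub_402000", writes=[bytes([10, 0, 0, 7])]),  # peer IP written to a sockaddr
    TraceEntry(0x403000, "sub_403000", reads=[b"\xff"]),                # 1-byte access, ignored
    TraceEntry(0x403004, "sub_403000", reads=[b"ABCDEFGH"]),            # unrelated data
]

if __name__ == "__main__":
    for func, n in rank_functions(find_pois(TRACE, KNOWN)):
        print(f"{func}: {n} POI(s)")
```

Loaded into a disassembler, the ranked functions would be the first places to look for the key schedule and the peer-list handling.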

August See
Universität Hamburg

Maximilian Gehring
TU Darmstadt

Mathias Fischer
Universität Hamburg

Shankar Karuppayah
National Advanced IPv6 Centre, Universiti Sains Malaysia

Paper (ACM DL)