An Approach Towards Disassembly of Malicious Binary Executables

In the recent past computer security has become an issue of foremost importance for individuals, businesses, and governments. Hostile programmers, who write programs with malicious intents of collecting private information, spread spam, etc. breach the existing security measures. Whenever these hostile programmers, specifically virus/worm writers, succeed in spreading a virus or a worm, there is a significant loss to businesses. For example, mi2g website [6] quotes that within one quarter the NetSky worm and all its A - Q variants put together, had already caused between $35.8 billion and $43.8 billion of estimated economic damages worldwide. The website also quotes that, in March, combined losses due to the three worms Beagle, MyDoom, and NetSky crossed the $100 billion mark within a week.

The war between hostile programmers and antivirus writers resembles any classic arms escalation. The first step in countering the malicious attacks is to identify the malicious programs. Antivirus companies use several dynamic and static analysis techniques to identify malware [25]. Most of the Anti-Virus (AV) tools depend upon knowledge of what are called "virus signatures" which are nothing but patterns of system calls. If these AV tools can find a particular signature in their database of currently known patterns, they raise an alarm. To identify signatures from a malicious program or to understand and counteract the malicious behaviour, we need to analyse the executable. This typically requires converting the byte sequence of an executable to an intermediate representation.