DSD Tracer - implementation and experimentation
Boris Lau (Sophos)
Modern malware analysis is shifting towards dynamic behavioural analysis to assist static analysis in combating the
increasing volume and complexity of samples. However, information from these two stages is not closely integrated,
as illustrated by the division between debugger and disassembler seen in many professional reverse engineering environments.
Consequently, collating and comparing low-level information across multiple samples, which is important for
grouping and generic detection, is often difficult.
This paper will discuss a hybrid, platform-independent framework: DSD Tracer. DSD Tracer is a way to collect low-level
Dynamic analysis information (the first D in DSD), such as a full assembly trace of one or more samples, which can then be fed into
various Static analysers (the S in DSD) that automate the processing of the large volume of information generated by the
D step. To explore the full behaviour of a sample, one can re-execute the program under modified test
states or environments and repeat the above cycle (hence the recursive acronym DSD).
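As an added illustration of the S step (not code from the paper or from DSD Tracer, whose trace format is not described here), the script below normalises constructed instruction traces from several samples and groups them by shared instruction n-grams, so that relocated builds of the same code land in one group; the trace format, the n-gram size and the Jaccard threshold are assumptions.

```python
import re
from itertools import combinations

# Constructed traces, one instruction per line as a VM-level tracer might emit them.
# sample_b is a relocated build of sample_a, sample_d shares only the prologue,
# sample_c is unrelated.
TRACES = {
    "sample_a": ["push ebp", "mov ebp, esp", "sub esp, 0x40", "call 0x401000", "test eax, eax",
                 "jz 0x401234", "mov [0x402000], eax", "xor eax, eax", "pop ebp", "ret"],
    "sample_b": ["push ebp", "mov ebp, esp", "sub esp, 0x40", "call 0x501000", "test eax, eax",
                 "jz 0x501234", "mov [0x502000], eax", "xor eax, eax", "pop ebp", "ret"],
    "sample_c": ["mov eax, 0x1", "mov ebx, 0x2", "int 0x80", "nop", "nop", "jmp 0x1000"],
    "sample_d": ["push ebp", "mov ebp, esp", "sub esp, 0x20", "call 0x600000", "ret"],
}

HEX_RE = re.compile(r"0x[0-9a-f]+")

def normalise(insn: str) -> str:
    """Collapse addresses and immediates so relocation or data-layout changes do not break matching."""
    return HEX_RE.sub("IMM", " ".join(insn.lower().split()))

def ngrams(trace, n=3):
    """Set of n consecutive normalised instructions; order within the trace is preserved."""
    norm = [normalise(i) for i in trace]
    return {tuple(norm[i:i + n]) for i in range(len(norm) - n + 1)}

def similarity(a: str, b: str, n=3) -> float:
    """Jaccard similarity of the two samples' n-gram sets (0.0 = nothing shared, 1.0 = identical)."""
    ga, gb = ngrams(TRACES[a], n), ngrams(TRACES[b], n)
    union = ga | gb
    return len(ga & gb) / len(union) if union else 0.0

def group_samples(threshold=0.5, n=3):
    """Union-find over all sample pairs whose similarity reaches the threshold."""
    parent = {s: s for s in TRACES}
    def find(x):
        while parent[x] != x:
            x = parent[x]
        return x
    for a, b in combinations(sorted(TRACES), 2):
        if similarity(a, b, n) >= threshold:
            parent[find(a)] = find(b)
    groups = {}
    for s in TRACES:
        groups.setdefault(find(s), []).append(s)
    return sorted(sorted(g) for g in groups.values())

if __name__ == "__main__":
    for a, b in combinations(sorted(TRACES), 2):
        print(f"{a} vs {b}: {similarity(a, b):.2f}")
    print(group_samples())
```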
A demonstration of DSD Tracer will be implemented using instrumentation of virtual machines. The algorithms used to
analyse the output will be illustrated with graphical interfaces, such as the ability to play a dynamic assembly trace
backwards and forwards across multiple samples, to explore their advantage over traditional analysis tools for
consolidating information derived from Dynamic and Static analysis.