Takashi Katsuki, Symantec
The CPU clock speed wars are now over, and multicore CPUs are now standard. For specialized processing, though, the most affordable and readily available devices are now Graphics Processing Units (GPUs). Devices including the Geforce from nVidia and Radeon from AMD have hundreds of cores in a single package, and following vendors' recent release of development kits under the umbrella term GPGPU (General-Purpose computing on Graphics Processing Units), the power of these resources is now ready to be harnessed.
The GPGPU approach has already been taken advantage of for some security-related fields such as password brute-forcing and hash collision attacks. In this abstract I would like to introduce the potential of GPGPU use in the reverse engineering of malware.
Finding hidden data is important during manual sample analysis and also for automation. Malware, and documents that attempt to exploit vulnerabilities, often contain encrypted data; this may be something as simple as a URL or an entire encapsulated executable. The problem then is how to decrypt the hidden data without manually analysing the decryption routine(s). In many cases the encryption method is a combination of bitwise and arithmetic operations ('add', 'sub', 'xor', and so on) together with rotations of bytes, words and dwords.
Given that the structure of both URLs and PEs is well understood, with enough computational force these kinds of obfuscation can be brute-forced. When this brute-forcing is broken down into smaller and parallelizable operations, GPGPU comes into its own.
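The following is an added example (not code from the original abstract or from Symantec) of the known-structure brute force described above, written in plain Python rather than for a GPU. Each candidate inverse operation (xor, add, rol, ror over a byte) is expressed as a 256-entry lookup table, so a chain of operations collapses to one `bytes.translate()` call; every chain is tested independently against a URL scheme or the MZ/PE header structure, which is exactly the per-chain independence that lets the search be spread across GPU threads. The sample blobs, the `obfuscate()` encoder and the URL `example.invalid` are constructed for the demonstration.

```python
"""Brute-force simple byte-level obfuscation by checking candidate decodings
against known plaintext structure (URL scheme, or the MZ/PE headers).
Added example; sample inputs below are constructed, not real malware."""
from itertools import product


def _table(fn):
    """256-byte lookup table for a per-byte operation, so that applying the
    operation to a buffer is a single bytes.translate() call."""
    return bytes(fn(b) & 0xFF for b in range(256))


def candidate_ops():
    """(name, parameter, table) for every candidate inverse operation.
    'sub k' is omitted because it equals 'add 256-k'."""
    ops = [("xor", k, _table(lambda b: b ^ k)) for k in range(1, 256)]
    ops += [("add", k, _table(lambda b: b + k)) for k in range(1, 256)]
    ops += [("rol", r, _table(lambda b: (b << r) | (b >> (8 - r)))) for r in range(1, 8)]
    ops += [("ror", r, _table(lambda b: (b >> r) | (b << (8 - r)))) for r in range(1, 8)]
    return ops


OPS = candidate_ops()


def compose(tables):
    """Single table that applies the given tables left to right."""
    table = bytes(range(256))
    for t in tables:
        table = table.translate(t)
    return table


def looks_like_url(buf):
    return buf.startswith(b"http://") or buf.startswith(b"https://")


def looks_like_pe(buf):
    """DOS header starts with 'MZ'; e_lfanew at 0x3C points at 'PE\\0\\0'."""
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(buf[0x3C:0x40], "little")
    return buf[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def brute_force(blob, max_depth=2):
    """Return [(chain, kind, plaintext)] for every operation chain of length
    <= max_depth whose output looks like a URL or a PE image. Each chain test
    is independent of every other, which is what makes the search parallel."""
    head = blob[:8]
    hits = []
    for depth in range(1, max_depth + 1):
        for chain in product(OPS, repeat=depth):
            table = compose([t for _, _, t in chain])
            h = head.translate(table)          # cheap prefix test first
            desc = [(name, param) for name, param, _ in chain]
            if looks_like_url(h):
                hits.append((desc, "url", blob.translate(table)))
            elif h[:2] == b"MZ":
                full = blob.translate(table)   # only now decode the whole blob
                if looks_like_pe(full):
                    hits.append((desc, "pe", full))
    return hits


# --- constructed samples -----------------------------------------------------
def _op(name, param):
    return next(o for o in OPS if o[0] == name and o[1] == param)


def obfuscate(plaintext, chain):
    """Constructed encoder, used only to build the sample blobs below."""
    return plaintext.translate(compose([t for _, _, t in chain]))


# A URL obfuscated with 'rol 3' then 'xor 0x5A'; the decoder must find the
# inverse chain 'xor 0x5A' then 'ror 3'.
URL_PLAIN = b"http://example.invalid/update.bin"
URL_BLOB = obfuscate(URL_PLAIN, [_op("rol", 3), _op("xor", 0x5A)])

# A minimal MZ/PE header skeleton (e_lfanew = 0x40) obfuscated with 'add 0x33';
# the inverse is 'add 0xCD'.
PE_PLAIN = b"MZ" + bytes(0x3A) + (0x40).to_bytes(4, "little") + b"PE\0\0" + b"\x4c\x01"
PE_BLOB = obfuscate(PE_PLAIN, [_op("add", 0x33)])


if __name__ == "__main__":
    for label, blob in (("url sample", URL_BLOB), ("pe sample", PE_BLOB)):
        for chain, kind, plain in brute_force(blob):
            print(label, kind, chain, plain[:16])
```

Several equivalent chains are reported for each blob (for example 'ror 3' then 'xor 0x4B' decodes the URL sample just as well, and any two 'add' steps summing to 0xCD recover the PE sample); the structural check on the output, not the chain itself, is what separates a true decoding from the vast majority of candidates, and a full-blob check such as `looks_like_pe` should always follow the cheap prefix filter before a hit is trusted.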