Automating uncompressing and static analysis of conficker worm

Lee Ling Chuan, Chan Lee Yee, Mahamod Ismail, Kasmiran Jumari

Research output: Chapter in Book/Report/Conference proceeding (Conference contribution)

Abstract

The infamous computer worm Conficker, which targets the Microsoft Windows operating system, was all over the media. This worm uses a modern malware technique: it hides the malicious portion of its program code by generating and executing that code at runtime, transforming it back into executable code only at run time. This obfuscation technique poses obstacles to security researchers who want to understand the malicious features of new or unknown malware, especially those who want to build detection programs and recovery methods. Our approach is based on observing the sequences of packed or hidden code in two different versions of the Conficker worm. The packed code is self-identifying when its runtime execution is checked against its static code, and an automated uncompressing routine is then executed to unpack the packer. Following extraction of the malicious worm, we focus our analysis on the features of the Conficker worm.

Original language: English
Title of host publication: Proceedings - MICC 2009: 2009 IEEE 9th Malaysia International Conference on Communications with a Special Workshop on Digital TV Contents
Pages: 193-198
Number of pages: 6
DOI: 10.1109/MICC.2009.5431495
Publication status: Published - 2009
Event: 2009 IEEE 9th Malaysia International Conference on Communications with a Special Workshop on Digital TV Contents, MICC 2009 - Kuala Lumpur
Duration: 15 Dec 2009 to 17 Dec 2009

Other

Other: 2009 IEEE 9th Malaysia International Conference on Communications with a Special Workshop on Digital TV Contents, MICC 2009
City: Kuala Lumpur
Period: 15/12/09 to 17/12/09

Fingerprint

  • Static analysis
  • Computer worms
  • Windows operating system
  • Packers
  • Recovery
  • Malware

Keywords

  • Computer security
  • Debugging
  • Malware
  • Packing and unpacking
  • Reverse engineering

ASJC Scopus subject areas

  • Computer Networks and Communications
  • Communication

Cite this

Chuan, L. L., Yee, C. L., Ismail, M., & Jumari, K. (2009). Automating uncompressing and static analysis of conficker worm. In Proceedings - MICC 2009: 2009 IEEE 9th Malaysia International Conference on Communications with a Special Workshop on Digital TV Contents (pp. 193-198). [5431495] https://doi.org/10.1109/MICC.2009.5431495

@inproceedings{e542d4f146fe48e797a06a300789c714,
title = "Automating uncompressing and static analysis of conficker worm",
abstract = "The infamous computer worm Conficker, which targets the Microsoft Windows operating system, was all over the media. This worm uses a modern malware technique: it hides the malicious portion of its program code by generating and executing that code at runtime, transforming it back into executable code only at run time. This obfuscation technique poses obstacles to security researchers who want to understand the malicious features of new or unknown malware, especially those who want to build detection programs and recovery methods. Our approach is based on observing the sequences of packed or hidden code in two different versions of the Conficker worm. The packed code is self-identifying when its runtime execution is checked against its static code, and an automated uncompressing routine is then executed to unpack the packer. Following extraction of the malicious worm, we focus our analysis on the features of the Conficker worm.",
keywords = "Computer security, Debugging, Malware, Packing and unpacking, Reverse engineering",
author = "Chuan, {Lee Ling} and Yee, {Chan Lee} and Mahamod Ismail and Kasmiran Jumari",
year = "2009",
doi = "10.1109/MICC.2009.5431495",
language = "English",
isbn = "9781424455324",
pages = "193--198",
booktitle = "Proceedings - MICC 2009: 2009 IEEE 9th Malaysia International Conference on Communications with a Special Workshop on Digital TV Contents"
}
