Floss — Obfuscated String Solver

Rather than heavily protecting backdoors with hardcore packers, many malware authors evade heuristic detections by obfuscating only key portions of an executable. Often, these portions are strings and resources used to configure domains, files, and other artifacts of an infection. These key features will not show up as plaintext in output of the strings.exe utility that we commonly use during basic static analysis.

The FireEye Labs Obfuscated String Solver (FLOSS) uses advanced static analysis techniques to automatically deobfuscate strings from malware binaries. You can use it just like strings.exe to enhance basic static analysis of unknown binaries.

Malware authors pack their software to resist reverse engineering and enable their operations to survive longer. However, many features of packing are easy to automatically identify during static or dynamic analysis. Therefore, some authors obfuscate only the most sensitive resources used by malware in an attempt to blend in. We call this “string obfuscation”. String obfuscation maintains some difficulty around extracting host or network based signatures (such as filenames, registry keys, or domain names), while structuring the executable file like legitimate programs. This is a technique that balances moderate anti-reverse engineering tricks with a moderate level of stealth.

As a reverse engineer, it takes significant effort to extract obfuscated strings from a malware sample. This is because there are a huge number of possible encoding functions, configurations, and control flows. For example, some malware uses a single-byte XOR operating with a static key for all obfuscated strings, while other malware uses RC4 encryption with a unique key per string. Its often difficult to figure out how encoded data is protected without opening IDA Pro or reviewing a debugger trace.

Manual extraction of obfuscated strings commonly involves thoroughly studying a decryption routine and reimplementing it in a scripting language. This is a tedious and error-prone process that is fun at first, and mind-numbing after a few iterations. Alternatively, an analyst may instrument a debugger to hop around hundreds of locations in hopes of forcing the malware to decode itself. This is also complex, tedious, and error-prone.

FLOSS combines and automates the best manual reverse engineering techniques for string decoding. First, it uses heuristics to identify decoding routines in a sample. Then FLOSS extracts cross references and arguments to decoders using control flow analysis. Next FLOSS emulates decoder functions using extracted arguments. Finally, FLOSS diffs the emulator memory states from before and after decoder emulation and extracts human readable strings.

Algorithm

1. Analyze control flow of malware to identify functions, basic blocks, etc.
2. Use heuristics to find potential decoding routines
3. Brute force emulate all code paths among basic blocks and functions
4. Snapshot emulator state (registers, memory) at appropriate points
5. Extract arguments to decoder functions from emulator snapshots
6. Emulate decoder functions using extracted arguments and emulator state
7. Diff memory state from before and after decoder emulation
8. Extract human-readable strings from memory state difference

Requirements

First, install a few required dependencies. Heres the easiest way:

• vivisect – https://github.com/vivisect/vivisect, installable module from https://github.com/williballenthin/vivisect$ pip install https://github.com/williballenthin/vivisect/zipball/master
• pytest – https://pytest.org$ pip install pytest

Usage

Extract obfuscated strings from a malware binary:

$ floss /path/to/malware/binary

Display the help/usage screen to see all available switches.

$ ./floss -h

For a detailed description of using FLOSS, review the documention here.

For a detailed description of testing FLOSS, review the documention here.

[adsense size='1']

Obfuscated String Solver Output

$ ~/env/bin/floss -a malware.bin

Static ASCII strings
Offset       String
----------   -------------------------------------
0x0000004D   !This program cannot be run in DOS mode.
0x00000083   _YY
0x000000D0   RichYY
0x000000F0   MdfQ
0x000001E0   .text
0x00000207   `.rdata
0x0000022F   @.data
0x00000258   .idata
0x00000280   .didat
0x000002A8   .reloc
0x000005B6   U  F
0x000005F1   ?;}
0x000006D4   A@;E
0x000006E4   _^[
0x000008E0   HttHt-H
0x0000099A   '9U
0x00007020   WS2_32.dll
0x00007C4E   FreeLibrary
0x00007C5C   GetProcAddress
0x00007C6E   LoadLibraryA
0x00007C7E   GetModuleHandleA
0x00007C92   GetVersionExA
0x00007CA2   MultiByteToWideChar
0x00007CB8   WideCharToMultiByte
0x00007CCE   Sleep
0x00007CD6   GetLastError
0x00007CE6   DeleteFileA
0x00007CF4   WriteFile
[..snip...]

Static UTF-16 strings
Offset       String
----------   -------------------------------------
0x00007614   ,%d

Most likely decoding functions in: malware.bin
address:    score:
----------  -------
0x0040102D 0.71000
0x0040101E 0.23000
0x00401046 0.23000
0x00401005 0.21000
0x0040100F 0.21000
0x00401014 0.21000
0x00401023 0.21000
0x004069BF 0.21000
0x00401041 0.21000
0x00406736 0.21000

FLOSS decoded 10 strings
Offset       Called At    String
----------   ----------   -------------------------------------
0xBFB3B4E8   0x0040595F   WinSta0\Default
0xBFB3B4A0   0x0040472E   Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings
0xBFB3B4A0   0x0040472E   Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings
0xBFB3B4EC   0x0040472E   ProxyEnable
0xBFB3B4A0   0x0040472E   Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings
0xBFB3B4E0   0x0040472E   ProxyServer
0xBFB3B4EC   0x0040472E   ProxyEnable
0xBFB3B4A0   0x0040472E   Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings
0xBFB3B4E0   0x0040472E   ProxyServer
0xBFB3B4EC   0x0040472E   ProxyEnable
[..snip...]

FLOSS extracted 81 stack strings
Function:   Frame offset  String:
----------  ------------  -------
0x00401005  0x001c    WinSta0\Default
0x0040100f  0x0010    WinSta0\Default
0x0040100f  0x007f    pVAD
0x0040100f  0x0034    '%s' executed.
0x0040100f  0x0038    ERR '%s' error[%d].
0x00401014  0x005c    Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings
0x00401014  0x0010    ProxyEnable
0x00401014  0x001c    ProxyServer
0x00401019  0x000c    wininet.dll
0x00401019  0x001c    InternetOpenA
0x00401019  0x0107    0\A4
0x00401019  0x00c8    InternetSetOptionA
0x00401019  0x0064    InternetConnectA
0x00401019  0x00f7    pVAInternetQueryOptionA
0x0040100a  0x0080    Mozilla/4.0 (compatible; MSIE 7.0; Win32)
0x0040100a  0x004c    -ERR
0x0040100a  0x0020    FILE(%s) wrote(%d).
0x0040100a  0x0038    Invalid ojbect.
0x0040100a  0x0040    SetFilepoint error[%d].
0x0040100a  0x003c    b64_ntop error[%d].
0x0040100a  0x0024    GetFileSize error[%d].
0x0040100a  0x0024    Creates file error[%d].
0x00401041  0x0047    pVAKCeID5Y/96QTJc1pzi0ZhEBqVG83OnXaL+oxsRdymHS4bFgl7UrWfP2v=wtjNukM
[..snip...]

Source && Download

https://github.com/fireeye/flare-floss