Finding Xori: Malware Analysis Triage with Automated Disassembly

DEF CON 26

Presented by: Amanda Rousseau, Rich Seymour
Date: Friday August 10, 2018
Time: 13:00 - 13:20
Location: Track 2

In a world of high volume malware and limited researchers we need a dramatic improvement in our ability to process and analyze new and old malware at scale. Unfortunately what is currently available to the community is incredibly cost prohibitive or does not rise to the challenge. As malware authors and distributors share code and prepackaged tool kits, the corporate sponsored research community is dominated by solutions aimed at profit as opposed to augmenting capabilities available to the broader community. With that in mind, we are introducing our library for malware disassembly called Xori as an open source project. Xori is focused on helping reverse engineers analyze binaries, optimizing for time and effort spent per sample.

Xori is an automation-ready disassembly and static analysis library that consumes shellcode or PE binaries and provides triage analysis data. This Rust library emulates the stack, register states, and reference tables to identify suspicious functionality for manual analysis. Xori extracts structured data from binaries to use in machine learning and data science pipelines.

We will go over the pain-points of conventional open source disassemblers that Xori solves, examples of identifying suspicious functionality, and some of the interesting things we've done with the library. We invite everyone in the community to use it, help contribute and make it an increasingly valuable tool for researchers alike.

Amanda Rousseau

Amanda Rousseau absolutely loves malware. She works as a Senior Malware Researcher at Endgame who focuses on dynamic behavior detection both on Windows and OSX platforms. She worked as a malware researcher at FireEye before joining Endgame. She previously worked a reverse engineer and computer forensic examiner working for DoD forensic investigations and commercial incident response engagements. She received her MS in Information Systems Engineering from Johns Hopkins University. Research interests include malware evasion techniques, dynamic behavior classification, and developing runtime detections. @malwareunicorn

Rich Seymour

Rich Seymour is a senior data scientist at Endgame, where he works on integrating R&D successes into the company's platform and experimenting with new techniques to make security sensible. He's currently working on improving natural language understanding in the Artemis chatbot in the Endgame platform and understanding how to catch adversary tradecraft. He holds a PhD in materials science and an MS in computer science, both from the University of Southern California, where he worked on high-performance computing simulations of nanoscale materials under stress. He has spoken at USENIX SOUPS, Shmoocon and O'Reilly Security. @rseymour


KhanFu - Mobile schedules for INFOSEC conferences.
Mobile interface | Alternate Formats