Cythereal MAGIC’s unique analysis method combines deep knowledge of operating system internals with state-of-the-art programming-language theory for formal program analysis. This allows it to see through most known obfuscations, analyze even the most complex malware, and extract a wealth of information about the malware's inner structure and workings. Add data mining to the mix and you get a very powerful tool for extracting intelligence from large repositories of malware at a scale that was previously unthought of.
MAGIC can be used to find connections among malware families that were never previously considered. Further queries can be made to the system to find out the nature of a connection and to show the evidence: the semantically equivalent procedures that led the system to conclude that the connection exists.
The image below shows MAGIC identifying a connection between Gamarue worms and Leechole trojans. MAGIC found that certain variants of the two families share the same packer. MAGIC also successfully identified the set of procedures that were common to the two families and formed the unpacking stub. This is of immense help to reverse engineers who want to unpack the malware manually for deeper analysis.
The two images below show two procedures found in several variants of the DarkComet and Optima families. Variants of both families use different packers to hide these procedures from static analysis. The procedures were extracted by MAGIC’s unpacker using VM introspection at runtime.
Malware Signature Generation
MAGIC can analyze a large collection of labeled malware and generate semantic signatures common to a family. MAGIC's analyses can locate and identify even the smallest set of procedures common to a family and generate obfuscation-resistant, semantically meaningful signatures.
MAGIC can also perform probabilistic analysis to calculate a confidence value with which it assigns a new malware variant to a known family.
The graph below shows the number of procedures (y-axis) against the percentage of Nitol binaries they are found in (x-axis), as identified by MAGIC. The graph shows that MAGIC is capable of finding the needle in the haystack: it successfully generated juice-based signatures for the set of 5 procedures that were present in more than 95% of Nitol executables.
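The prevalence cut-off described above can be sketched as follows. This is an added example, not Cythereal's code: juice values are treated as opaque hash strings, the sample family is constructed, and `coverage` is a plain overlap ratio assumed here because the page does not describe how MAGIC computes its confidence value.

```python
from collections import Counter

def build_family(n=40):
    """Constructed sample: binary name -> set of procedure juice hashes.
    The strings are placeholders for real juice values."""
    family = {}
    for i in range(n):
        procs = {"core_1", "core_2", f"uniq_{i}"}   # uniq_*: per-variant code
        if i != 7:
            procs.add("core_3")                      # missing from one variant
        if i < 38:
            procs.add("packer")                      # exactly 95% of binaries
        if i % 2 == 0:
            procs.add("common")                      # half of the binaries
        family[f"sample_{i:02d}"] = procs
    return family

def prevalence(family):
    """Fraction of the family's binaries in which each juice hash occurs."""
    counts = Counter(j for procs in family.values() for j in procs)
    return {j: n / len(family) for j, n in counts.items()}

def histogram(family, bins=10):
    """Procedures per prevalence bucket (the data behind such a graph)."""
    buckets = [0] * bins
    for p in prevalence(family).values():
        buckets[min(int(p * bins), bins - 1)] += 1
    return buckets

def signature(family, threshold=0.95):
    """Juice hashes present in more than `threshold` of the binaries."""
    return {j for j, p in prevalence(family).items() if p > threshold}

def coverage(procs, sig):
    """Share of signature procedures found in a new binary. A plain overlap
    ratio used as a stand-in (assumption); it is not MAGIC's confidence."""
    return len(sig & procs) / len(sig) if sig else 0.0

if __name__ == "__main__":
    fam = build_family()
    sig = signature(fam)
    print("histogram:", histogram(fam))
    print("signature:", sorted(sig))
    print("coverage :", coverage({"core_1", "core_3", "other"}, sig))
```

The `packer` procedure sits at exactly 95% and is excluded, which shows why the strict "more than 95%" boundary matters when a shared packer stub is almost, but not quite, universal in a family.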
MAGIC uses VM introspection to observe malware execution at a level below ring 0. Intricate knowledge of Windows internals is built into the system so that it can monitor the malware’s interaction with the operating system as it executes. This is followed by a rigorous static analysis of the original code as well as of the runtime-generated code extracted during execution.
MAGIC’s static analysis engine performs a variety of analyses, the most important of which for reverse engineers is the BinJuice analysis. Juice is an abstraction over semantics that can be computed and compared in a fast and scalable fashion.
Given a binary executable, MAGIC can, in about a minute, calculate the juice of all procedures in the binary and find known procedures in the database that are semantically equivalent to procedures in the given binary. Users then have access to all the information and notes of malware analysts who have worked on a procedure before, leaving only the unique, never-seen-before procedures to be reversed. This reduces the workload by orders of magnitude.
Propagating information from one procedure to another juice-equivalent procedure has interesting advantages. For instance, IDA, more often than not, fails to identify library procedures. Reverse engineers thus often end up spending time reversing a library procedure, work that can be avoided.
The image below shows the percentage of library procedures identified by IDA, followed by the percentage identified by MAGIC just by propagating IDA's isLibrary tag information across juice-equivalent procedures.
The above is just a glimpse of what can be achieved by propagating information across equivalent procedures. One can also add labeled open source code, propagate information from it to equivalent procedures in malware, and use the labels to guide a reverse engineer trying to understand the malware's behaviors.
To aid in understanding new malware, MAGIC also reports on the ControlFlow Graph of the malware and generates an APIFlow Graph. Since API calls are the most common way to interact with the OS, they can be used to understand malware behavior. The APIFlow Graph may thus be understood as an abstraction of the ControlFlow Graph in which each path describes the behavior of the program as it executes that path on the ControlFlow Graph.