Finding the Needle: A Study of the PE32 Rich Header and Respective Malware Triage

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 10327)

Abstract

Performing triage of malicious samples is a critical step in security analysis and mitigation development. Unfortunately, the obfuscation and outright removal of information contained in samples makes this a monumentally challenging task. However, the widely used Portable Executable file format (PE32), a data structure used by the Windows OS to handle executable code, contains hidden information that can give a security analyst the upper hand. In this paper, we perform the first accurate assessment of the hidden PE32 field known as the Rich Header and describe how to extract the data that it clandestinely contains. We study 964,816 malware samples and demonstrate how the information contained in the Rich Header can be leveraged to perform rapid triage across millions of samples, including packed and obfuscated binaries. We first show how to quickly identify post-modified and obfuscated binaries through anomalies in the header. Next, we exhibit the Rich Header's utility in triage by presenting a proof-of-concept similarity matching algorithm that is based solely on the contents of the Rich Header. With our algorithm we demonstrate how the contents of the Rich Header can be used to identify similar malware, different versions of malware, and malware that has been built under different build environments, revealing potentially distinct actors. Furthermore, we are able to perform these operations in near real-time, in less than 6.73 ms on commodity hardware across our studied samples. In conclusion, we establish that this little-studied header in the PE32 format is a valuable asset for security analysts and has a breadth of future potential.


Notes

  1. For simplicity, we will use the 32 bit version of the Portable Executable file format. The 64 bit version behaves similarly.

  2. For a copy of the checksum algorithm, please see Sect. 8.

  3. For a mapping of ProdIDs that the MSVC Toolchain can generate, see Sect. 8.
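Added example (not the paper's or the authors' code): the Rich Header the abstract describes is a run of XOR-encoded dwords between the DOS stub and the PE header, opened by a 'DanS' marker and closed by 'Rich' plus the XOR key, where the key is a checksum over the preceding bytes and the entries themselves. The parser below decodes the (ProdID, build, count) entries and recomputes that checksum; a mismatch is the kind of header anomaly the paper uses to spot post-modified binaries. The DOS header, stub bytes and entry values are constructed fixtures, and since the paper's Sect. 8 is not on this page the checksum is the commonly published algorithm, not a copy of the authors' listing.

```python
import struct
DANS = 0x536E6144  # 'DanS' start marker; the header ends with 'Rich' followed by the XOR key

def rol32(value, n):
    n %= 32  # rotate a 32-bit value left by n bits
    return ((value << n) | (value >> (32 - n))) & 0xFFFFFFFF

def rich_checksum(prefix, entries):
    """Commonly documented Rich checksum: seed with the header offset, add each DOS header/stub
    byte rotated by its offset (skipping e_lfanew at 0x3C..0x3F), then each comp_id rotated by its count."""
    csum = len(prefix)
    for i, b in enumerate(prefix):
        if not 0x3C <= i < 0x40:
            csum += rol32(b, i)
    for comp_id, count in entries:
        csum += rol32(comp_id, count)
    return csum & 0xFFFFFFFF

def parse_rich_header(pe):
    """Decode the Rich Header sitting between the DOS stub and the PE header; None if absent."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    rich_pos = pe.rfind(b"Rich", 0x40, e_lfanew)
    if rich_pos < 0:
        return None
    key = struct.unpack_from("<I", pe, rich_pos + 4)[0]
    dw = lambda off: struct.unpack_from("<I", pe, off)[0] ^ key  # XOR-decode one dword
    dwords, pos = [], rich_pos - 4
    while pos >= 0x40 and dw(pos) != DANS:  # walk backwards until the 'DanS' marker
        dwords.append(dw(pos))
        pos -= 4
    if pos < 0x40:
        return None
    dwords.reverse()
    if len(dwords) < 3 or any(dwords[:3]) or (len(dwords) - 3) % 2:
        return None  # three zero padding dwords must precede the paired entries
    raw = [(dwords[i], dwords[i + 1]) for i in range(3, len(dwords), 2)]
    return {"key": key, "offset": pos,
            "entries": [(c >> 16, c & 0xFFFF, n) for c, n in raw],  # (ProdID, build, count)
            "checksum_valid": rich_checksum(pe[:pos], raw) == key}

def build_sample(entries, stub=bytes(range(64))):
    """Constructed DOS header + stub + Rich Header + 'PE\\0\\0' (a test fixture, not a real binary)."""
    dos = bytearray(b"MZ" + bytes(62)) + stub
    key = rich_checksum(bytes(dos), entries)  # e_lfanew is excluded from the sum, so fill it in later
    body = [DANS, 0, 0, 0] + [v for e in entries for v in e]
    rich = b"".join(struct.pack("<I", v ^ key) for v in body) + b"Rich" + struct.pack("<I", key)
    rich += bytes(-len(rich) % 8)
    struct.pack_into("<I", dos, 0x3C, len(dos) + len(rich))
    return bytes(dos) + rich + b"PE\0\0"
```

On a real file, `parse_rich_header(open(path, "rb").read())` returns the decoded entries and whether the stored key matches the recomputed checksum; `build_sample` exists only so the parser and checksum can be exercised offline.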

Acknowledgments

We thank our shepherd Pavel Laskov and the reviewers for their valuable feedback. We are thankful to the Technical University of Munich for providing ample infrastructure to support our development efforts. Additionally, we thank the German Federal Ministry of Education and Research under grant 16KIS0327 (IUNO) and the Bavarian State Ministry of Education, Science and the Arts as part of the FORSEC research association for providing funding for our infrastructure. We would also like to thank the United States Air Force for sponsoring George Webster in his academic pursuit. Lastly, we would like to thank Microsoft Digital Crimes Unit, VirusTotal, and Yara Exchange for their support and valuable discussions.

Corresponding author

Correspondence to George D. Webster.

Copyright information

© 2017 Springer International Publishing AG

About this paper

Cite this paper

Webster, G.D. et al. (2017). Finding the Needle: A Study of the PE32 Rich Header and Respective Malware Triage. In: Polychronakis, M., Meier, M. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2017. Lecture Notes in Computer Science(), vol 10327. Springer, Cham. https://doi.org/10.1007/978-3-319-60876-1_6

  • DOI: https://doi.org/10.1007/978-3-319-60876-1_6

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-60875-4

  • Online ISBN: 978-3-319-60876-1

  • eBook Packages: Computer Science (R0)