xOSSig : Leveraging OS Diversity to Automatically Extract Malware Code Signatures
2023-04-25 | 14:50 – 16:20
We present an automated approach to extract code signatures that serve as the forensic fingerprint of a given malware program. Our high-level idea is to compare the memory contents of a sandbox before and after infection by a malware sample. To pinpoint the actual memory changes caused by the malware, and ignore all others, we use a novel concept called Cross OS Execution. That is, we execute a malware program on multiple different but compatible operating systems (OSes) to identify its memory commonalities, while neglecting OS-specific noise. The commonalities of the dumps therefore contain patterns whose presence is the consequence of executing the malware, i.e., the forensic fingerprint of the malware. We show that we can use two different versions of Windows to accurately extract fingerprints of all 17 popular Windows malware families in our test set. These signatures serve to re-identify malware infections in memory dumps with a TPR of 93% and an FPR of 0.15%.
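The set logic behind the abstract (diff each OS's memory before and after infection, then keep only what the per-OS diffs have in common) can be illustrated on toy data. The following is an added example written for this page, not the authors' xOSSig implementation: dumps are modelled as byte strings, the "pattern" unit is a fixed-size byte chunk (an assumption chosen here for brevity), and all dump contents are constructed. The example also shows why a single-OS diff is insufficient: it still carries OS-specific noise that the cross-OS intersection removes.

```python
"""Toy illustration of cross-OS differential memory analysis (added example)."""
from typing import Dict, Set, Tuple

CHUNK = 8  # bytes per chunk; an assumption for this toy, not a parameter of the paper


def chunks(dump: bytes, size: int = CHUNK) -> Set[bytes]:
    """Split a dump into all overlapping fixed-size byte chunks."""
    return {dump[i:i + size] for i in range(0, len(dump) - size + 1)}


def infection_delta(before: bytes, after: bytes) -> Set[bytes]:
    """Chunks present after infection but absent before, for one OS.

    This still contains OS-specific side effects of running the sample
    (log entries, caches, allocator layout), not just the malware itself.
    """
    return chunks(after) - chunks(before)


def cross_os_signature(runs: Dict[str, Tuple[bytes, bytes]]) -> Set[bytes]:
    """Intersect the per-OS deltas so only patterns caused by the malware survive.

    runs maps an OS label to its (before, after) dump pair.
    """
    deltas = [infection_delta(before, after) for before, after in runs.values()]
    signature = set(deltas[0])
    for delta in deltas[1:]:
        signature &= delta
    return signature


def match(dump: bytes, signature: Set[bytes], threshold: float = 0.5) -> bool:
    """Re-identify an infection: fraction of signature chunks found in the dump."""
    if not signature:
        return False
    present = chunks(dump)
    hits = sum(1 for chunk in signature if chunk in present)
    return hits / len(signature) >= threshold


# Constructed dumps. The malware payload is identical on both OSes; the base
# pages and the post-infection noise are OS-specific.
MALWARE = b"<<mal:dropper-v1 key=deadbeef persist=run>>"
OS_A_BASE = b"osA:kernel32 ntdll base pages ......"
OS_A_NOISE = b"osA:event-log tick=4411"
OS_B_BASE = b"osB:kernel32 ntdll base pages ~~~~~~"
OS_B_NOISE = b"osB:prefetch cache 0x7f"

RUNS: Dict[str, Tuple[bytes, bytes]] = {
    "winA": (OS_A_BASE, OS_A_BASE + OS_A_NOISE + MALWARE),
    "winB": (OS_B_BASE, OS_B_BASE + MALWARE + OS_B_NOISE),
}

# A third, hypothetical system: clean dump and infected dump for re-identification.
CLEAN_DUMP = b"osC:kernel32 ntdll pages ~~~~~~ osC:event-log tick=0001"
INFECTED_DUMP = b"osC:kernel32 ntdll pages " + MALWARE + b" osC:event-log tick=0002"


if __name__ == "__main__":
    single = infection_delta(*RUNS["winA"])
    sig = cross_os_signature(RUNS)
    print("single-OS delta chunks:", len(single), "(includes OS noise)")
    print("cross-OS signature chunks:", len(sig))
    print("clean dump matches:", match(CLEAN_DUMP, sig))
    print("infected dump matches:", match(INFECTED_DUMP, sig))
```

The intersection drops every chunk that appears only in one OS's delta, including chunks straddling the boundary between OS-specific noise and the payload, because their neighbours differ per OS. Real memory has far more benign churn (ASLR, allocator state, timers), which is exactly why a second, compatible OS is used as the filter rather than a second run on the same OS.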