Open Access
Identification of library functions statically linked to Linux malware without symbols
Author(s) - Shu Akabane, Takeshi Okamoto
Publication year - 2020
Publication title - Procedia Computer Science
Language(s) - English
Resource type - Journals
SCImago Journal Rank - 0.334
H-Index - 76
ISSN - 1877-0509
DOI - 10.1016/j.procs.2020.09.053
Subject(s) - computer science, malware, identification (biology), operating system, function (biology), pattern matching, malware analysis, matching (statistics), library function, programming language, mathematics, statistics, botany, biology, evolutionary biology
Many Linux malware have been found to have statically linked library functions. Much of this malware is stripped of function names and addresses, hindering function-level analysis. For function-level analysis, we identified library functions statically linked to 2,256 malware samples with the Intel 80386 architecture by matching patterns. The pattern matching identified more than 90% of the library functions for 97.7% of the samples. Thus, pattern matching can be effective for library identification. Only 12 toolchains had been used to build 99.8% of samples, and 11 of the toolchains are available on the Internet. The C library used by the malware was uClibc in 96.5% of the samples, musl in 1.3% and GLIBC in 2.0%.
