New development speeds up the analysis of new and complex threats
The number of new malware samples arriving in analysis labs every day is simply overwhelming, and the primary concern is processing time. IKARUS malware analyst Sergejs Harlamovs developed an open-source plugin that accelerates malware analysis with the widely used IDA Pro disassembler, and won this year's Hex-Rays Plugin Contest with it.
The malware analysts at IKARUS use the IDA Pro software to dissect malware and thus create effective methods for malware detection. The goal is to keep the detection rate of the IKARUS Malware Scan Engine constantly high and to improve the security of IKARUS customers in the face of increasingly complex threats even further.
IdaClu: automatic grouping of relevant functions
Malware that poses a threat to critical infrastructures is typically highly sophisticated in structure. Malware writers invest considerable time and effort in hiding and obfuscating their creations to remain undetected for as long as possible. When such malware is uncovered, it still presents an analysis challenge, even for experienced analysts.
"Knowing where to start, focusing on relevant parts, and setting the right priorities is crucial in this process", explains Sergejs Harlamovs, malware analyst at IKARUS for three years: "IdaClu is a plugin designed to assist in all three vectors. The plugin offers an additional toolset that allows working with functions in meaningful groups or clusters, rather than analyzing each one separately. This approach helps identify and label relevant functions while ignoring irrelevant ones in bulk."
In the IKARUS Lab, a raw form of the plugin had already been in use for some time before Sergejs Harlamovs developed a public version and submitted it to the contest: "While there are numerous plugins for IDA addressing specific aspects of the analyzed sample, there are few that provide a comprehensive overview. This plugin was a missing one."
IdaClu accelerates the analysis of modern, complex malware
The plugin, which prevailed over the hype around ChatGPT in malware analysis and was chosen by the expert jury as the winner of the official Hex-Rays Plugin Contest 2023, is particularly valuable for analyzing large samples with minimal or no context. It thus supports the detection of modern, complex malware. "IdaClu speeds up the process of reverse engineering, which can also reduce the response time to new threats."
But even beyond malware analysis, there is a large community of software developers, researchers, and enthusiasts who can benefit from the new development. Sergejs Harlamovs is excited to see what more is going to be developed: "In addition to the plugin's primary purpose, IdaClu has introduced several new plugin architecture-specific features likely to be adopted and integrated into new plugins in the coming years. Its high extensibility makes it a potential platform for smaller sub-plugins due to its well-defined interface."
IdaClu can be downloaded at https://github.com/harlamism/IdaClu. It can be used with its pre-defined tool set or extended with your own IDAPython scripts.
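To make the grouping idea from the quotes above concrete, here is a small IDAPython-style script, added as an illustration and not part of IdaClu or any IKARUS code: it clusters functions by the imported API families they reference (a hypothetical heuristic chosen for the example), proposes labels for the relevant clusters in bulk, and leaves the import-free "noise" cluster to be skipped as a whole. The pure-Python part runs on a constructed sample; collect_from_ida() supplies real data only when run inside IDA Pro.

```python
from collections import defaultdict

# Constructed sample (not from a real binary): function start -> imported APIs it references.
SAMPLE_CALLS = {
    0x401000: {"CryptAcquireContextA", "CryptEncrypt"},
    0x401200: {"CryptEncrypt", "CryptDestroyKey"},
    0x401400: {"WSAStartup", "connect", "send"},
    0x401600: {"recv", "send"},
    0x401800: set(),  # no imports at all: typically CRT or library code
    0x401a00: set(),
}

# Hypothetical grouping heuristic: the API families an analyst wants to find first.
API_FAMILIES = {
    "crypto": {"CryptAcquireContextA", "CryptEncrypt", "CryptDestroyKey"},
    "net": {"WSAStartup", "connect", "send", "recv"},
}

def cluster_functions(calls, families):
    """Map each family to the sorted addresses of functions touching it.
    Functions hitting no family land in 'noise', the set to skip in bulk."""
    clusters = defaultdict(list)
    for ea, apis in sorted(calls.items()):
        hits = [name for name, members in families.items() if apis & members]
        for name in hits or ["noise"]:
            clusters[name].append(ea)
    return dict(clusters)

def bulk_labels(clusters, skip=("noise",)):
    """Propose one name per function in every relevant cluster at once."""
    return {ea: f"{family}_{i:02d}_{ea:08x}"
            for family, eas in clusters.items() if family not in skip
            for i, ea in enumerate(eas)}

def collect_from_ida():
    """Build the calls map from the open database; works only inside IDA Pro."""
    import idaapi, idautils, ida_name  # IDAPython modules, absent outside IDA
    imports = set()
    for i in range(idaapi.get_import_module_qty()):
        # callback must return True to keep enumerating; set.add returns None
        idaapi.enum_import_names(i, lambda ea, name, ordinal: imports.add(name) or True)
    calls = {}
    for f in idautils.Functions():
        refs = set()
        for head in idautils.FuncItems(f):
            for ref in list(idautils.CodeRefsFrom(head, False)) + list(idautils.DataRefsFrom(head)):
                refs.add(ida_name.get_ea_name(ref))
        calls[f] = refs & imports
    return calls
```

Inside IDA, the proposed labels can be applied with ida_name.set_name() per address, which is the bulk-labelling step the plugin automates.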
Links:
- Hex-Rays Plugin Contest 2023: https://hex-rays.com/contests_details/contest2023/
- About IKARUS malware analyst Sergejs Harlamovs: https://www.ikarussecurity.com/portrait/sergejs-harlamovs/
- This is how the IKARUS Malware Scan Engine works: https://www.ikarussecurity.com/anti-malware-sdks-und-apis/ikarus-malware-scan-engine/