IdaClu: IKARUS malware analyst Sergejs Harlamovs wins Hex-Rays plugin contest

25 October 2023

Sergejs Harlamovs, malware analyst at IKARUS

New development speeds up the analysis of new and complex threats

The number of new malware samples arriving in analysis labs every day is overwhelming, and processing time is the primary concern. IKARUS malware analyst Sergejs Harlamovs developed an open-source plugin that accelerates malware analysis with the widely used IDA Pro disassembler, and won this year's Hex-Rays Plugin Contest with it.

The malware analysts at IKARUS use the IDA Pro software to dissect malware and thus create effective methods for malware detection. The goal is to keep the detection rate of the IKARUS Malware Scan Engine constantly high and to improve the security of IKARUS customers even further in the face of increasingly complex threats.

IdaClu: automatic grouping of relevant functions

Malware that poses a threat to critical infrastructures is typically highly sophisticated in structure. Malware writers invest considerable time and effort in hiding and obfuscating their creations to remain undetected for as long as possible. When such malware is uncovered, it still presents an analysis challenge, even for experienced analysts.

"Knowing where to start, focusing on relevant parts, and setting the right priorities is crucial in this process", explains Sergejs Harlamovs, malware analyst at IKARUS for three years: "IdaClu is a plugin designed to assist in all three vectors. The plugin offers an additional toolset that allows working with functions in meaningful groups or clusters, rather than analyzing each one separately. This approach helps identify and label relevant functions while ignoring irrelevant ones in bulk."

In the IKARUS Lab, a raw form of the plugin had already been in use for some time before Sergejs Harlamovs developed a public version and submitted it to the contest: "While there are numerous plugins for IDA addressing specific aspects of the analyzed sample, there are few that provide a comprehensive overview. This plugin was a missing one."

IdaClu accelerates the analysis of modern, complex malware

The plugin, which held its own against the hype around ChatGPT in malware analysis and was chosen by the expert jury as the winner of the official Hex-Rays Plugin Contest 2023, is particularly valuable for analyzing large samples with minimal or no context. It thus supports the detection of modern, complex malware. "IdaClu speeds up the process of reverse engineering, which can also reduce the response time to new threats."

But even beyond malware analysis, there is a large community of software developers, researchers, and enthusiasts who can benefit from the new development. Sergejs Harlamovs is excited to see what more is going to be developed: "In addition to the plugin's primary purpose, IdaClu has introduced several new plugin architecture-specific features likely to be adopted and integrated into new plugins in the coming years. Its high extensibility makes it a potential platform for smaller sub-plugins due to its well-defined interface."

IdaClu can be downloaded at https://github.com/harlamism/IdaClu. It can be used with its pre-defined tool set or extended with the analyst's own IDAPython scripts.
