Finding the needle: A study of the PE32 rich header and respective malware triage

George D. Webster; Bojan Kolosnjaji; Christian Von Pentz; Julian Kirsch; Zachary D. Hanif; Apostolis Zarras; Claudia Eckert

doi:10.1007/978-3-319-60876-1_6

Finding the needle: A study of the PE32 rich header and respective malware triage

George D. Webster, Bojan Kolosnjaji, Christian Von Pentz, Julian Kirsch, Zachary D. Hanif, Apostolis Zarras, Claudia Eckert

Informatics 20 - Chair of IT Security

Technical University of Munich

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

15 Scopus citations

Abstract

Performing triage of malicious samples is a critical step in security analysis and mitigation development. Unfortunately, the obfuscation and outright removal of information contained in samples makes this a monumentally challenging task. However, the widely used Portable Executable file format (PE32), a data structure used by the Windows OS to handle executable code, contains hidden information that can provide a security analyst with an upper hand. In this paper, we perform the first accurate assessment of the hidden PE32 field known as the Rich Header and describe how to extract the data that it clandestinely contains. We study 964,816 malware samples and demonstrate how the information contained in the Rich Header can be leveraged to perform rapid triage across millions of samples, including packed and obfuscated binaries. We first show how to quickly identify post-modified and obfuscated binaries through anomalies in the header. Next, we exhibit the Rich Header’s utility in triage by presenting a proof of concept similarity matching algorithm which is solely based on the contents of the Rich Header. With our algorithm we demonstrate how the contents of the Rich Header can be used to identify similar malware, different versions of malware, and when malware has been built under different build environment; revealing potentially distinct actors. Furthermore, we are able to perform these operations in near real-time, less than 6.73 ms on commodity hardware across our studied samples. In conclusion, we establish that this little-studied header in the PE32 format is a valuable asset for security analysts and has a breadth of future potential.

Original language	English
Title of host publication	Detection of Intrusions and Malware, and Vulnerability Assessment - 14th International Conference, DIMVA 2017, 2017
Editors	Michalis Polychronakis, Michael Meier
Publisher	Springer Verlag
Pages	119-138
Number of pages	20
ISBN (Print)	9783319608754
DOIs	https://doi.org/10.1007/978-3-319-60876-1_6
State	Published - 2017
Event	14th International Conference on Detection of Intrusions and Malware, and Vulnerability Assess, DIMVA 2017 - Bonn, Germany Duration: 6 Jul 2017 → 7 Jul 2017

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	10327 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	14th International Conference on Detection of Intrusions and Malware, and Vulnerability Assess, DIMVA 2017
Country/Territory	Germany
City	Bonn
Period	6/07/17 → 7/07/17

Access to Document

10.1007/978-3-319-60876-1_6

Cite this

Webster, G. D., Kolosnjaji, B., Von Pentz, C., Kirsch, J., Hanif, Z. D., Zarras, A., & Eckert, C. (2017). Finding the needle: A study of the PE32 rich header and respective malware triage. In M. Polychronakis, & M. Meier (Eds.), Detection of Intrusions and Malware, and Vulnerability Assessment - 14th International Conference, DIMVA 2017, 2017 (pp. 119-138). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 10327 LNCS). Springer Verlag. https://doi.org/10.1007/978-3-319-60876-1_6

Webster, George D. ; Kolosnjaji, Bojan ; Von Pentz, Christian et al. / Finding the needle : A study of the PE32 rich header and respective malware triage. Detection of Intrusions and Malware, and Vulnerability Assessment - 14th International Conference, DIMVA 2017, 2017. editor / Michalis Polychronakis ; Michael Meier. Springer Verlag, 2017. pp. 119-138 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inproceedings{b20196f73ae24c3994fb31edc24fb7c3,

title = "Finding the needle: A study of the PE32 rich header and respective malware triage",

abstract = "Performing triage of malicious samples is a critical step in security analysis and mitigation development. Unfortunately, the obfuscation and outright removal of information contained in samples makes this a monumentally challenging task. However, the widely used Portable Executable file format (PE32), a data structure used by the Windows OS to handle executable code, contains hidden information that can provide a security analyst with an upper hand. In this paper, we perform the first accurate assessment of the hidden PE32 field known as the Rich Header and describe how to extract the data that it clandestinely contains. We study 964,816 malware samples and demonstrate how the information contained in the Rich Header can be leveraged to perform rapid triage across millions of samples, including packed and obfuscated binaries. We first show how to quickly identify post-modified and obfuscated binaries through anomalies in the header. Next, we exhibit the Rich Header{\textquoteright}s utility in triage by presenting a proof of concept similarity matching algorithm which is solely based on the contents of the Rich Header. With our algorithm we demonstrate how the contents of the Rich Header can be used to identify similar malware, different versions of malware, and when malware has been built under different build environment; revealing potentially distinct actors. Furthermore, we are able to perform these operations in near real-time, less than 6.73 ms on commodity hardware across our studied samples. In conclusion, we establish that this little-studied header in the PE32 format is a valuable asset for security analysts and has a breadth of future potential.",

author = "Webster, {George D.} and Bojan Kolosnjaji and {Von Pentz}, Christian and Julian Kirsch and Hanif, {Zachary D.} and Apostolis Zarras and Claudia Eckert",

note = "Publisher Copyright: {\textcopyright} Springer International Publishing AG 2017.; 14th International Conference on Detection of Intrusions and Malware, and Vulnerability Assess, DIMVA 2017 ; Conference date: 06-07-2017 Through 07-07-2017",

year = "2017",

doi = "10.1007/978-3-319-60876-1_6",

language = "English",

isbn = "9783319608754",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

publisher = "Springer Verlag",

pages = "119--138",

editor = "Michalis Polychronakis and Michael Meier",

booktitle = "Detection of Intrusions and Malware, and Vulnerability Assessment - 14th International Conference, DIMVA 2017, 2017",

}

Webster, GD, Kolosnjaji, B, Von Pentz, C, Kirsch, J, Hanif, ZD, Zarras, A & Eckert, C 2017, Finding the needle: A study of the PE32 rich header and respective malware triage. in M Polychronakis & M Meier (eds), Detection of Intrusions and Malware, and Vulnerability Assessment - 14th International Conference, DIMVA 2017, 2017. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 10327 LNCS, Springer Verlag, pp. 119-138, 14th International Conference on Detection of Intrusions and Malware, and Vulnerability Assess, DIMVA 2017, Bonn, Germany, 6/07/17. https://doi.org/10.1007/978-3-319-60876-1_6

Finding the needle: A study of the PE32 rich header and respective malware triage. / Webster, George D.; Kolosnjaji, Bojan; Von Pentz, Christian et al.
Detection of Intrusions and Malware, and Vulnerability Assessment - 14th International Conference, DIMVA 2017, 2017. ed. / Michalis Polychronakis; Michael Meier. Springer Verlag, 2017. p. 119-138 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 10327 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Finding the needle

T2 - 14th International Conference on Detection of Intrusions and Malware, and Vulnerability Assess, DIMVA 2017

AU - Webster, George D.

AU - Kolosnjaji, Bojan

AU - Von Pentz, Christian

AU - Kirsch, Julian

AU - Hanif, Zachary D.

AU - Zarras, Apostolis

AU - Eckert, Claudia

PY - 2017

Y1 - 2017

N2 - Performing triage of malicious samples is a critical step in security analysis and mitigation development. Unfortunately, the obfuscation and outright removal of information contained in samples makes this a monumentally challenging task. However, the widely used Portable Executable file format (PE32), a data structure used by the Windows OS to handle executable code, contains hidden information that can provide a security analyst with an upper hand. In this paper, we perform the first accurate assessment of the hidden PE32 field known as the Rich Header and describe how to extract the data that it clandestinely contains. We study 964,816 malware samples and demonstrate how the information contained in the Rich Header can be leveraged to perform rapid triage across millions of samples, including packed and obfuscated binaries. We first show how to quickly identify post-modified and obfuscated binaries through anomalies in the header. Next, we exhibit the Rich Header’s utility in triage by presenting a proof of concept similarity matching algorithm which is solely based on the contents of the Rich Header. With our algorithm we demonstrate how the contents of the Rich Header can be used to identify similar malware, different versions of malware, and when malware has been built under different build environment; revealing potentially distinct actors. Furthermore, we are able to perform these operations in near real-time, less than 6.73 ms on commodity hardware across our studied samples. In conclusion, we establish that this little-studied header in the PE32 format is a valuable asset for security analysts and has a breadth of future potential.

AB - Performing triage of malicious samples is a critical step in security analysis and mitigation development. Unfortunately, the obfuscation and outright removal of information contained in samples makes this a monumentally challenging task. However, the widely used Portable Executable file format (PE32), a data structure used by the Windows OS to handle executable code, contains hidden information that can provide a security analyst with an upper hand. In this paper, we perform the first accurate assessment of the hidden PE32 field known as the Rich Header and describe how to extract the data that it clandestinely contains. We study 964,816 malware samples and demonstrate how the information contained in the Rich Header can be leveraged to perform rapid triage across millions of samples, including packed and obfuscated binaries. We first show how to quickly identify post-modified and obfuscated binaries through anomalies in the header. Next, we exhibit the Rich Header’s utility in triage by presenting a proof of concept similarity matching algorithm which is solely based on the contents of the Rich Header. With our algorithm we demonstrate how the contents of the Rich Header can be used to identify similar malware, different versions of malware, and when malware has been built under different build environment; revealing potentially distinct actors. Furthermore, we are able to perform these operations in near real-time, less than 6.73 ms on commodity hardware across our studied samples. In conclusion, we establish that this little-studied header in the PE32 format is a valuable asset for security analysts and has a breadth of future potential.

UR - http://www.scopus.com/inward/record.url?scp=85022345601&partnerID=8YFLogxK

U2 - 10.1007/978-3-319-60876-1_6

DO - 10.1007/978-3-319-60876-1_6

M3 - Conference contribution

AN - SCOPUS:85022345601

SN - 9783319608754

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 119

EP - 138

BT - Detection of Intrusions and Malware, and Vulnerability Assessment - 14th International Conference, DIMVA 2017, 2017

A2 - Polychronakis, Michalis

A2 - Meier, Michael

PB - Springer Verlag

Y2 - 6 July 2017 through 7 July 2017

ER -

Webster GD, Kolosnjaji B, Von Pentz C, Kirsch J, Hanif ZD, Zarras A et al. Finding the needle: A study of the PE32 rich header and respective malware triage. In Polychronakis M, Meier M, editors, Detection of Intrusions and Malware, and Vulnerability Assessment - 14th International Conference, DIMVA 2017, 2017. Springer Verlag. 2017. p. 119-138. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). doi: 10.1007/978-3-319-60876-1_6

Finding the needle: A study of the PE32 rich header and respective malware triage

Abstract

Publication series

Conference

Access to Document

Other files and links

Fingerprint

Cite this