Malware Analysis

Our research on the “deep” analysis of malware is closely related to our activities in the area of honeypots. Instead of restricting ourselves to observing the behavior of malware in a black-box approach, reverse engineering allows us to extract the functionality of malware captured in honeypots. This approach also provides us with new ways of classifying polymorphic or metamorphic malware, i.e. malicious code that preserves its functionality while mutating (sometimes rapidly) in order to evade intrusion detection systems or virus scanners.
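The following added example (not code from the work group or from any of the tools it describes) illustrates the classification problem stated above: two constructed toy instruction listings that do the same work but differ in junk instructions, register choice and label names produce different byte-level signatures, yet collapse to the same fingerprint once they are normalized to a functionality-preserving form. The listings, the register set and the normalization rules are all assumptions made for the illustration; a real engine would operate on recovered semantics and data dependencies rather than on text.

```python
import hashlib
import re

# Constructed toy "disassembly" of two functionally identical variants and one
# unrelated benign routine. These are illustrative listings, not real malware.
VARIANT_A = [
    "mov eax, [ebp+8]",
    "xor ecx, ecx",
    "cmp eax, 0",
    "je  done",
    "add ecx, eax",
    "done:",
    "ret",
]
VARIANT_B = [            # same logic, mutated: junk inserted, registers/labels renamed
    "mov ebx, [ebp+8]",
    "nop",
    "xor edx, edx",
    "push esi",
    "pop esi",
    "cmp ebx, 0",
    "je  exit",
    "add edx, ebx",
    "exit:",
    "ret",
]
BENIGN = [
    "push ebp",
    "mov ebp, esp",
    "call printf",
    "pop ebp",
    "ret",
]

# Assumed 32-bit register set and the junk instructions the normalizer removes.
REGISTERS = {"eax", "ebx", "ecx", "edx", "esi", "edi", "ebp", "esp"}
JUNK_MNEMONICS = {"nop"}


def tokenize(line):
    """Split an instruction into words and single punctuation characters."""
    return re.findall(r"\w+|\S", line)


def normalize(lines):
    """Return a canonical instruction sequence that is invariant under
    nop insertion, push/pop no-op pairs, register renaming and label renaming."""
    toks = [tokenize(l) for l in lines]
    kept = []
    i = 0
    while i < len(toks):
        t = toks[i]
        if t[0] in JUNK_MNEMONICS:
            i += 1
            continue
        # "push X" immediately followed by "pop X" has no net effect.
        if (i + 1 < len(toks) and t[0] == "push"
                and toks[i + 1][0] == "pop" and t[1:] == toks[i + 1][1:]):
            i += 2
            continue
        kept.append(t)
        i += 1

    # Labels are tokens defined as "name:"; rename them and registers in order
    # of first appearance so the concrete choice no longer matters.
    labels = {t[0] for t in kept if len(t) == 2 and t[1] == ":"}
    regmap, labmap = {}, {}
    result = []
    for t in kept:
        out = []
        for tok in t:
            if tok in REGISTERS:
                out.append(regmap.setdefault(tok, f"R{len(regmap)}"))
            elif tok in labels:
                out.append(labmap.setdefault(tok, f"L{len(labmap)}"))
            else:
                out.append(tok)
        result.append(" ".join(out))
    return result


def byte_signature(lines):
    """Naive signature over the literal listing: defeated by any mutation."""
    return hashlib.sha256("\n".join(lines).encode()).hexdigest()


def functional_fingerprint(lines):
    """Signature over the normalized listing: stable across the mutations above."""
    return hashlib.sha256("\n".join(normalize(lines)).encode()).hexdigest()


def same_family(a, b):
    return functional_fingerprint(a) == functional_fingerprint(b)


if __name__ == "__main__":
    print("byte signatures equal:   ", byte_signature(VARIANT_A) == byte_signature(VARIANT_B))
    print("functional match A/B:    ", same_family(VARIANT_A, VARIANT_B))
    print("functional match A/benign", same_family(VARIANT_A, BENIGN))
```

The normalizer only handles the few mutation classes built into the toy variants; its point is to show why classification must compare recovered functionality rather than bytes, which is what the reverse-engineering-based approach described above aims at.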

  • Symbiosis of Blackboxing and Static Analysis
  • Automated Reverse Engineering
  • Identification and Classification of Metamorphic Malware
  • Data Dependency Tracking
  • Exploit Dissection
  • Emergency Incident Response

From our point of view, defense against the omnipresent botnets is the most important application area of the methods addressed here. Today, millions of zombie computers are part of these systems – distributing billions of spam messages and/or supporting organized crime in various ways.

Recent notable successes include the analysis of “Storm” – a botnet of tens of thousands of machines – and the analysis of “Conficker” – a botnet of more than 10 million victim systems controlled by the “owners” of Conficker. Our activities received extensive coverage by both technology-oriented media such as “Heise” and “The Register” and the mass media, including TV and radio stations.

In a live demo at the Chaos Communication Congress 2008, Felix Leder and Tillmann Werner, both research assistants in the Communication Systems work group, showed how they were able to become part of the control structure of Storm. Due to its peer-to-peer approach, Storm had been considered undefeatable for quite a long time.

Nevertheless, the deep analysis of the Storm malware allowed them to understand its functionality completely. In addition, they were able to design and implement software components able to eliminate Storm and to sanitize the tens of thousands of systems infected by Storm at that point in time. The final step – starting this software and initiating an Internet-wide sanitization – was avoided for legal reasons only: from an objective point of view, doing so would have met the criteria of computer sabotage.

For further information please contact: SEIO@REMOVETHISPART.cs.uni-bonn.de