Re: Years to dissect? Really?
I understand the point that you are making, in that syscalls/win32 calls have a fairly distinct appearance in the disassembled output of a native binary.
However, there is no requirement for a malware author to use the APIs for the intended purpose, meaning taking the API/syscall signatures at face value is unlikely to be helpful.
Suppose you have large volumes of logic in a scripting language that you can generate at runtime; then your native app is just a host with the Lua generator seeds + interpreter.
Also, what happens if all your interesting native code is application layer, and the API calls are just false flags?
What does this do? (This is from the IOCCC, so give it a punt before you look up the answer.)
#include <pthread.h>
#include <string.h>
#include <stdio.h>
#include <ctype.h>
#undef D
#undef E
#undef U
#ifndef C
#define I int n,r;
#define D(N) void*N(void*);
#define C pthread_create
#define E int l;char *ak(char *u){return (*u=(l+=6,*u)=\
='@'?'K':*u=='.'?'P':*u=='-'?'M':tolower(*u))?ak(u+1)-1:u;}
#define U int
#elif ! defined J
#define H "x\0\b\0\200\1\0\0\0\0\377\377\377,\0\0\0\0x\0\b\0\0\3"
#define E tn; char h[30]="GIF87a" H;void *(*fn[25])(void*)={
#define U };
#define D(N) N,
#define L return fwrite("\1\t\0;",1,4,stdout)!=4;
#define K {I for(r=0;r<8;r++)for(n=0,putchar(l);n<l;n++)putchar(B[r][n]|8)
#define J h[6]=h[24]=l=l-3;fwrite(h,1,30,stdout);K
#else
#define T pthread_t
#define E char B[8][256];
#define U int main(int c,char **a) { bdefhklmnprtuvwxyz57(ak(a[1]));J;}L}
#define D(N) void *N(void *y) {\
static I char *x=y;\
T t=0;\
if(!n && (r=tn)<24) C(&t,NULL,fn[++tn],y);\
if(*x&&strchr(# N,*x)) B[2+r/5][2+n*6+r%5]=16;\
n++;\
if(*x) N(x+1);\
if(t) pthread_join(t,&y);\
return y;\
}
#endif
E
/* ____ END OF CODE __ */
Not trying to be difficult, but I'm not any sort of expert in the domain, and I reckon I'm aware of quite a few techniques to make it difficult to determine the intent.
A simple stream cipher + interpreter + randomized memory locations should slow most people down for long enough to collect the paycheck and move on to the next gig.
Imagine what tricks you might know if this was your domain. I fully expect that there are techniques for this kind of thing that make my feeble imaginings look rather old hat, but hey, it's not my domain.
Just some food for thought,
Sed
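Editor's note: the "host + interpreter + stream-ciphered program" arrangement the post sketches, written out as an added example. This is not code from the post, from the IOCCC entry, or from any real sample. The stack-machine opcodes, the key and the sample program are invented for the illustration, and the keystream is a toy xorshift32 XOR, not a real cipher; it is only there to keep the program bytes out of the binary so that a signature scan of the shipped blob finds nothing.

```c
/* Added example: toy "packer" + "host" pair around a tiny bytecode interpreter.
 * Not from the original post. The cipher is deliberately trivial (NOT secure);
 * the point is only that the program logic is absent from the image until
 * runtime, so static API/opcode signatures see nothing but the interpreter. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* invented opcodes for the toy stack machine */
enum { OP_PUSH = 1, OP_ADD = 2, OP_MUL = 3, OP_HALT = 4 };

/* xorshift32 keystream XORed over the buffer; symmetric, so one routine
 * both packs (offline) and unpacks (at runtime) */
static void stream_xor(uint8_t *buf, size_t n, uint32_t key)
{
    uint32_t s = key ? key : 1;               /* xorshift must not start at 0 */
    for (size_t i = 0; i < n; i++) {
        s ^= s << 13; s ^= s >> 17; s ^= s << 5;
        buf[i] ^= (uint8_t)s;
    }
}

/* interpreter: returns the value on top of the stack at HALT, -1 on malformed input */
static long run_bytecode(const uint8_t *code, size_t n)
{
    long stack[16];
    int sp = 0;
    for (size_t pc = 0; pc < n; ) {
        switch (code[pc++]) {
        case OP_PUSH:
            if (pc >= n || sp >= 16) return -1;
            stack[sp++] = code[pc++];
            break;
        case OP_ADD:
            if (sp < 2) return -1;
            stack[sp - 2] += stack[sp - 1]; sp--;
            break;
        case OP_MUL:
            if (sp < 2) return -1;
            stack[sp - 2] *= stack[sp - 1]; sp--;
            break;
        case OP_HALT:
            return sp ? stack[sp - 1] : -1;
        default:
            return -1;                          /* unknown opcode: wrong key or corrupt blob */
        }
    }
    return -1;                                  /* ran off the end without HALT */
}

/* "packer" step: what the author runs offline; only the resulting blob ships */
static void pack_program(const uint8_t *plain, size_t n, uint32_t key, uint8_t *out)
{
    memcpy(out, plain, n);
    stream_xor(out, n, key);
}

/* "host" step: decrypt into scratch space, interpret, then wipe the plaintext */
static long run_encrypted(const uint8_t *blob, size_t n, uint32_t key)
{
    uint8_t scratch[64];
    if (n > sizeof scratch) return -1;
    memcpy(scratch, blob, n);
    stream_xor(scratch, n, key);
    long r = run_bytecode(scratch, n);
    memset(scratch, 0, n);
    return r;
}

/* what a static byte-signature scan does: does `needle` occur anywhere in `hay`? */
static int contains(const uint8_t *hay, size_t hn, const uint8_t *needle, size_t nn)
{
    if (nn == 0 || nn > hn) return 0;
    for (size_t i = 0; i + nn <= hn; i++)
        if (memcmp(hay + i, needle, nn) == 0) return 1;
    return 0;
}

/* constructed sample program: (6 + 7) * 3 = 39 */
static const uint8_t SAMPLE[] = { OP_PUSH, 6, OP_PUSH, 7, OP_ADD, OP_PUSH, 3, OP_MUL, OP_HALT };
static const uint32_t SAMPLE_KEY = 0xC0FFEE42u;   /* invented key */

/* pack, then run the blob through the host: the result survives the round trip */
static long demo_result(void)
{
    uint8_t blob[sizeof SAMPLE];
    pack_program(SAMPLE, sizeof SAMPLE, SAMPLE_KEY, blob);
    return run_encrypted(blob, sizeof blob, SAMPLE_KEY);
}

/* pack, then scan the blob for the plaintext program: 1 if visible, 0 if not */
static int demo_plaintext_visible(void)
{
    uint8_t blob[sizeof SAMPLE];
    pack_program(SAMPLE, sizeof SAMPLE, SAMPLE_KEY, blob);
    return contains(blob, sizeof blob, SAMPLE, sizeof SAMPLE);
}

int main(void)
{
    printf("result=%ld plaintext_in_blob=%d\n", demo_result(), demo_plaintext_visible());
    return 0;
}
```

The check worth keeping in mind: the scan over the shipped blob comes back empty, but the decrypted program sits in `scratch` for the duration of `run_bytecode`, so a debugger breakpoint or memory dump at that moment recovers it intact. This kind of layering raises the cost of static signature matching; it does not stop dynamic analysis.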