JPCERT/CC Eyes

It has been observed that ELF malware removes symbol information during its build. This creates extra work in malware analysis to identify each function name because you do not know them.　In addition, in IDA, an analysis tool, existing F.L.I.R.T signatures [1] (hereafter abbreviated as FLIRT signatures in this article) are often not applicable to ELF malware functions, making analysis difficult when right signatures are not found.

This blog article describes how to identify function names using Yara rules. It also explains how to use “AutoYara4FLIRT,” an IDA script that automatically generates Yara rules for this method. The tool is available on GitHub, and you can download and use it from the following webpage.

JPCERTCC/AutoYara4FLIRT - GitHub
https://github.com/JPCERTCC/AutoYara4FLIRT

Problems in Static Analysis of ELF Malware

When a Linux program is built, each library is linked, and a single ELF binary is generated as shown in Figure 1. Information such as function names is generally stored in sections such as .symtab or .strtab. In the case of ELF malware, this section is removed by using the strip option at the time of its build. In ELF malware, by removing the symbols, the original function names are also lost for each statically linked library. This is problematic because it takes much more time to analyze.

Difficulty in finding the right FLIRT signatures

FLIRT signature is a feature that allows IDA to automatically identify existing libraries and function names. Without FLIRT signatures, when malware analysts find a complex function like shown in Figure 2, they would have a hard time understanding its behavior. However, if they know that the function is memcpy in advance, such analysis is not needed. With a FLIRT signature that includes the memcpy function, IDA can identify the function name, which saves time on analysis.

The FLIRT signatures that IDA includes by default do not match in most cases. Therefore, a proper FLIRT signature must be found or created. However, finding a suitable signature is very difficult because FLIRT signatures do not match even when compilation condition or library version is different. In the traditional method of creating FLIRT signatures, shown in Figure 3, differences in libraries and their versions, compiler versions, and compile conditions all affect the ELF binary to be generated. For this reason, it is difficult to find the right FLIRT signature without having those for various conditions.

How to create FLIRT signatures using Yara rules

Figure 1 shows the overview of this method. First, a Yara rule is created from the ELF malware. The rule is designed to search for ELF binaries that still contain symbol information. Next, use Retrohunt[2] on Virus Total with the above Yara rule to create a FLIRT signature (.sig) from the obtained ELF binary. The FLIRT signature is created from the Retrohunt-ed file based on the ELF malware, which is more likely to match with the target ELF malware.

In addition, to search for ELF binaries with remaining symbol information, the following condition needs to be added to the Yara rule.

import "elf"

rule Template{

condition:
        for 2 i in (0 .. elf.number_of_sections) : (
            ((elf.sections[i].name == ".symtab") and (elf.sections[i].type == elf.SHT_SYMTAB))
         or ((elf.sections[i].name == ".strtab") and (elf.sections[i].type == elf.SHT_STRTAB))
        )
        and
        not ( for 1 i in (0 .. elf.number_of_sections) : (
             ((elf.sections[i].name == ".dynamic") and (elf.sections[i].type == elf.SHT_DYNAMIC))
              )
        )
}

Evaluation results

We applied this method to 50 ELF malware on both x86 and ARM and used the created FLIRT signatures to resolve each function name. The result showed that, on average, FLIRT signatures can be created for about 60% of the functions in the x86 ELF malware and about 30% of those in the ARM ELF malware. Although we found that there were some exceptional cases in x86 ELF malware in which this method cannot be used well, the match rate was about 60% for most samples, and for some of them, the match rate was even over 90%. On the other hand, the match rate for ARM ELF malware was lower, indicating this method needs to be improved. Refer to Tables 1 and 2 in the Appendix for details of the results. The number of all functions in the target samples is defined as Total functions, and the number of functions matched by the FLIRT signatures created from the Retrohunt ELF binary is defined as Matched functions.

For sample selection, we obtained 300 ELF malware samples most recently uploaded to MalwareBazaar [3] as of November 2022. Then, 50 relevant samples for x86 and ARM architectures were selected. Therefore, the type of malware was not considered, but mirai, gafgyt, TSCookie, Coinminer, and others were included as the target when the method was evaluated. Please also note that the result is reference values since it varies depending on whether ELF binaries containing the target libraries are on Virus Total or not.

AutoYara4FLIRT, an automatic Yara rule generator for creating FLIRT signatures

In this method, Yara rules need to be created from ELF malware, and AutoYara4FLIRT is an automatic Yara rule generator. The tool was created as a plugin for IDA. To use AutoYara4FLIRT, move AutoYara4FLIRT.py to the IDA’s plugin folder, select AutoYara4FLIRT from the IDA plugin menu. A Yara file is generated in the same folder, and the results of the Yara file can be viewed on IDA. An example of executing AutoYara4FLIRT is shown in Figure 5.

Normally, Yara rules are created by figuring out strings and disassembler instruction sequences contained in the malware. AutoYara4FLIRT automatically generates Yara rules using the disassembler strings necessary for Yara rule creation. Since the extracted disassembler instruction sequence covers multiple statically linked libraries, it is extracted from multiple separated blocks, and in order to capture differences such as compiler conditions, the longest sequence among them is used. By Retrohunt-ing using the generated Yara rules, the ELF binaries with symbol information can be searched, which saves time and efforts when creating FLIRT signatures.

CLI automation tool to apply this method to multiple types of malware

To use this method for multiple types of malware, you can use the following CLI tool on the command line to automatically generate Yara rules at once. It is also possible to generate FLIRT signatures (.sig) at once for multiple ELF binaries that have been Retrohunt-ed based on Yara rules. Refer to the following link for more information.

JPCERTCC/AutoYara4FLIRT#CLI_AutoYara - GitHub
https://github.com/JPCERTCC/AutoYara4FLIRT#CLI_AutoYara

In the case of using other services than Virus Total

This method assumes that Retrohunt can be used and requires a paid account of Virus Total. However, by using the following services, you can search for files by Yara rules for free.

• tria.ge yara
  https://tria.ge/company/yara
• Hybrid Analysis Advanced Search (YARA)
  https://www.hybrid-analysis.com/yara-search
• MalwareBazaar Hunting
  https://bazaar.abuse.ch/hunting/

In Closing

This method can be used to create FLIRT signatures for ELF malware which is difficult to analyze statically because existing FLIRT signatures are not applicable. In addition to x86 and ARM, the method can also be used for x86-64 and MIPS, and thus we recommend trying it on a variety of ELF malware that has been difficult to analyze.

Yuma Masubuchi

Translated by Takumi Nakano

References

[1] F.L.I.R.T
https://hex-rays.com/products/ida/tech/flirt/

[2] Retrohunt
https://support.virustotal.com/hc/en-us/articles/360001293377-Retrohunt

[3] MalwareBazaar
https://bazaar.abuse.ch/

Appendix