The FireEye Labs Obfuscated String Solver (FLOSS) is an open-source tool that automatically detects, extracts, and decodes obfuscated strings in Windows Portable Executable (PE) files. Malware analysts, forensic investigators, and incident responders can use FLOSS to quickly extract sensitive strings to identify indicators of compromise (IOCs).
Malware authors encode strings in their programs to hide malicious capabilities and impede reverse engineering. Even simple encoding schemes defeat the ‘strings’ tool and complicate static and dynamic analysis. FLOSS uses advanced static analysis techniques, such as emulation, to deobfuscate encoded strings. Incident responders and forensic analysts that understand how to interpret the strings found in a binary will understand FLOSS’s output. FLOSS extracts higher value strings, as strings that are obfuscated typically contain the most sensitive configuration resources – including malicious domains, IP addresses, suspicious file paths, and other IOCs.
FLOSS is more robust than ‘strings’, so in our technique talk we’ll spend some time describing the computer science that powers the tool, and why it works. We’ll also show FLOSS in action, as it decodes configurations from a dozen obfuscated malware families.