Conference paper

ĎURFINA Lukáš, KŘOUSTEK Jakub and ZEMEK Petr. Psyb0t Malware: A Step-By-Step Decompilation Case Study. In: 20th Working Conference on Reverse Engineering (WCRE). Koblenz: IEEE Computer Society, 2013, pp. 449-456. ISBN 978-1-4799-2930-6. Available from:
Publication language:english
Original title:Psyb0t Malware: A Step-by-Step Decompilation Case Study
Title (cs):Psyb0t: příkladová studie analýzy škodlivého kódu pomocí zpětného překladu
Proceedings:20th Working Conference on Reverse Engineering (WCRE)
Conference:20th Working Conference on Reverse Engineering
Place:Koblenz, DE
Publisher:IEEE Computer Society
reverse engineering, decompilation, retargetable decompiler, Lissom, malware, psyb0t, experience
Decompilation (i.e. reverse compilation) represents one of the most toughest and challenging tasks in reverse engineering. Even more difficult task is the decompilation of malware because it typically does not follow standard application binary interface conventions, has stripped symbols, is obfuscated, and can contain polymorphic code. Moreover, in the recent years, there is a rapid expansion of various smart devices, running different types of operating systems on many types of processors, and malware targeting these platforms. These facts, combined with the boundedness of standard decompilation tools to a particular platform, imply that a considerable amount of effort is needed when decompiling malware for such a diversity of platforms.

This is an experience paper reporting the decompilation of a real-world malware. We give a step-by-step case study of decompiling a MIPS worm called psyb0t by using a retargetable decompiler that is being developed within the Lissom project. First, we describe the decompiler in detail. Then, we present the case study. After that, we analyse the results obtained during the decompilation and present our personal experience. The paper is concluded by discussing future research possibilities.
   author = {Luk{\'{a}}{\v{s}} {\v{D}}urfina and Jakub
	K{\v{r}}oustek and Petr Zemek},
   title = {Psyb0t Malware: A Step-by-Step Decompilation Case
   pages = {449--456},
   booktitle = {20th Working Conference on Reverse Engineering (WCRE)},
   year = 2013,
   location = {Koblenz, DE},
   publisher = {IEEE Computer Society},
   ISBN = {978-1-4799-2930-6},
   doi = {10.1109/WCRE.2013.6671321},
   language = {english},
   url = {}

Your IPv4 address:
Switch to https