The cryptominer

We took the Wasm cryptominer from bitcoinpeople.online.wasm, we passed it to wasm-mutate for 1 hour, and we generated 18877 variants from the original program. The mutation process is completely random. Since each new generated variant serves as the seed for the next one, wasm-mutate is mutating the original cryptominer iteratively. After each binary is generated, we create an square image where each byte in the binary was translated to a grayscale value, i.e. 0 to 255. Take a look to the result.

Original cryptominer.
1000 rotations after
10000 rotations after
18000 rotations after

Another target

We did the same for a Wasm binary that we knew was not a crypto miner. Check the results.

Original binary.
1000 rotations after
10000 rotations after
18000 rotations after

Some preliminary conclusions

Denoising

We followed the agorithm proposed in the MINOS work [?], all images are “reshaped” to be 100x100 square pictures. This process is the first approximation from Wasm binaries to images. We simplified the next steps of MINOS to have a preliminary and manual evaluation of our obfuscation method.

We have observed two phenomena. First, after several iterations, the images from wasm-mutate variants starts to converge the pixel values of the images, i.e., during the image conversion a group of pixels are approximated to the one single color value. This means that two any Wasm, either crypto or not, might be convoluted to the same image.

Second, we generated two variants population for two different binaries, inside this population we found some variant pairs (a pair is compound of one variant for the cryptminer and one variant of the non crypto program) that are much closer in terms of imaging. This means that our method does the trick for the human eye. We are currently reproducing the implementation of the classifier to check if in fact wasm-mutate can create undetected malware by state-of-the-art defenses.

Our final intuition is that malware classifiers based on the “imaging” of the Wasm binaries can be bypassed with the right obfuscation process.