Dynamic Analysis of Malicious Code
  • Authors: Ulrich Bayer; Andreas Moser; Christopher Kruegel…
  • Keywords: Malware; Analysis; API; Virus worm; Static analysis; Dynamic analysis
  • Journal: Journal of Computer Virology and Hacking Techniques
  • Publication year: 2006
  • Publication date: August 2006
  • Year: 2006
  • Volume: 2
  • Issue: 1
  • Pages: 67-77
  • Full-text size: 218 KB
  • References:
    1. Bellard, F.: QEMU, a fast and portable dynamic translator. In: USENIX Annual Technical Conference, 2005
    2. Christodorescu, M., Jha, S.: Static analysis of executables to detect malicious patterns. In: USENIX Security Symposium, 2003
    3. Christodorescu, M., Jha, S., Seshia, S., Song, D., Bryant, R.: Semantics-aware malware detection. In: IEEE Symposium on Security and Privacy, 2005
    4. Collberg, C., Thomborson, C., Low, D.: Manufacturing cheap, resilient, and stealthy opaque constructs. In: Conference on Principles of Programming Languages (POPL), 1998
    5. Computer Economics: Malware report 2005: the impact of malicious code attacks, 2006. http://www.computereconomics.com/article.cfm?id=1090
    6. Hunt, G., Brubacher, D.: Detours: binary interception of Win32 functions. In: 3rd USENIX Windows NT Symposium, 1999
    7. Kaspersky Lab: antivirus software, 2006. http://www.kaspersky.com/
    8. Kruegel, C., Robertson, W., Vigna, G.: Detecting kernel-level rootkits through binary analysis. In: Annual Computer Security Applications Conference (ACSAC), 2004
    9. Linn, C., Debray, S.: Obfuscation of executable code to improve resistance to static disassembly. In: ACM Conference on Computer and Communications Security (CCS), 2003
    10. Microsoft: Windows Device Driver Kit 2003, 2006. http://www.microsoft.com/whdc/devtools/ddk/
    11. Microsoft: IFS Kit, 2006. http://www.microsoft.com/whdc/devtools/ifskit
    12. Microsoft: Microsoft Portable Executable and Common Object File Format (PECOFF) Specification, 2006. http://www.microsoft.com/whdc/system/platform/firmware/PECOFF.mspx
    13. Microsoft: Platform SDK, 2006. http://www.microsoft.com/msdownload/platformsdk/
    14. Nebbett, G.: Windows NT/2000 Native API Reference. New Riders Publishing, Indianapolis, 2000
    15. Neitzel, M.St.: Analysis of Win32/Sober.Y, 2005. http://www.eset.com/msgs/sobery.htm
    16. Oberhumer, M., Molnar, L.: UPX: Ultimate Packer for eXecutables, 2004. http://upx.sourceforge.net/
    17. Robin, J., Irvine, C.: Analysis of the Intel Pentium's ability to support a secure virtual machine monitor. In: USENIX Annual Technical Conference, 2000
    18. Russinovich, M., Cogswell, B.: Freeware Sysinternals, 2006. http://www.sysinternals.com/
    19. Russinovich, M., Solomon, D.: Microsoft Windows Internals: Windows Server 2003, Windows XP, and Windows 2000. Microsoft Press, Bellevue, 2004
    20. Rutkowska, J.: Red Pill... or how to detect VMM using (almost) one CPU instruction, 2006. http://invisiblethings.org/papers/redpill.html
    21. Symantec: Internet security threat report, 2005. http://www.symantec.com/enterprise/threatreport/index.jsp
    22. Szor, P.: The Art of Computer Virus Research and Defense. Addison Wesley, Reading, 2005
    23. Vasudevan, A., Yerraballi, R.: Stealth breakpoints. In: 21st Annual Computer Security Applications Conference (ACSAC), 2005
    24. VMware: server and desktop virtualization, 2006. http://www.vmware.com/
    25. Wang, C.: A security architecture for survivability mechanisms. PhD Thesis, University of Virginia, 2001
    26. Yetiser, T.: Polymorphic Viruses - Implementation, detection, and protection, 1993. http://vx.netlux.org/lib/ayt01.html
  • Author affiliations: Ulrich Bayer (1)
    Andreas Moser (2)
    Christopher Kruegel (2)
    Engin Kirda (2)

    1. Ikarus Software, Fillgradergasse 7, 1060 Vienna, Austria
    2. Secure Systems Lab, Technical University Vienna, Vienna, Austria
  • Journal category: Computer Science, general
  • Journal subject: Computer Science, general
  • Publisher: Springer Paris
  • ISSN: 2263-8733
Abstract
Malware analysis is the process of determining the purpose and functionality of a given malware sample (such as a virus, worm, or Trojan horse). This process is a necessary step to be able to develop effective detection techniques for malicious code. In addition, it is an important prerequisite for the development of removal tools that can thoroughly delete malware from an infected machine. Traditionally, malware analysis has been a manual process that is tedious and time-intensive. Unfortunately, the number of samples that need to be analyzed by security vendors on a daily basis is constantly increasing. This clearly reveals the need for tools that automate and simplify parts of the analysis process. In this paper, we present TTAnalyze, a tool for dynamically analyzing the behavior of Windows executables. To this end, the binary is run in an emulated operating system environment and its (security-relevant) actions are monitored. In particular, we record the Windows native system calls and Windows API functions that the program invokes. One important feature of our system is that it does not modify the program that it executes (e.g., through API call hooking or breakpoints), making it more difficult to detect by malicious code. Also, our tool runs binaries in an unmodified Windows environment, which leads to excellent emulation accuracy. These factors make TTAnalyze an ideal tool for quickly understanding the behavior of an unknown malware sample.

Keywords: Malware; Analysis; API; Virus worm; Static analysis; Dynamic analysis