Chapter

IAENG Transactions on Engineering Technologies

Volume 247 of the series Lecture Notes in Electrical Engineering pp 283-299

Tracing Malicious Injected Threads Using Alkanet Malware Analyzer

  • Yuto Otsuki, Graduate School of Science and Engineering, Ritsumeikan University
  • Eiji Takimoto, College of Information Science and Engineering, Ritsumeikan University
  • Takehiro Kashiyama, Ritsumeikan Global Innovation Research Organization, Ritsumeikan University
  • Shoichi Saito, Graduate School of Engineering, Nagoya Institute of Technology
  • Eric W. Cooper, College of Information Science and Engineering, Ritsumeikan University
  • Koichi Mouri, College of Information Science and Engineering, Ritsumeikan University (corresponding author)

Abstract

Recently, malware has become a major security threat to computers. Responding to threats from malware requires malware analysis and an understanding of malware behavior. However, malware analysts cannot spend the time required to analyze each instance of malware, because unique variants of malware emerge by the thousands every day. Dynamic analysis is effective for understanding malware behavior within a short time. This method of analysis executes the malware and observes its behavior using debugging and monitoring tools. We are developing Alkanet, a malware analyzer that uses a virtual machine monitor based on BitVisor. Alkanet can analyze malware even if the malware applies anti-debugging techniques to thwart analysis by dynamic analysis tools. In addition, analysis overhead is reduced. Alkanet executes malware on Windows XP and traces the system calls invoked by threads. Therefore, the system can analyze malware that infects other running processes. Also, the system call logs are obtained in real time via an IEEE 1394 interface. Other programs can readily examine the log and process the analysis results to understand the intentions behind malware behavior. In this paper, we describe the design and implementation of Alkanet. We confirm that Alkanet analyzes malware behaviors such as copying itself, deleting itself, and creating new processes. We also confirm that Alkanet accurately traces threads injected by malware into other processes.

Keywords

Dynamic analysis, Malware behavior, Malware analysis, System call tracing, Thread injection, Virtual machine monitor