Tracing Malicious Injected Threads Using Alkanet Malware Analyzer

IAENG Transactions on Engineering Technologies

Part of the book series: Lecture Notes in Electrical Engineering ((LNEE,volume 247))

Abstract

Recently, malware has become a major security threat to computers. Responding to threats from malware requires malware analysis and an understanding of malware behavior. However, malware analysts cannot spend the time required to analyze each instance of malware, because unique variants of malware emerge by the thousands every day. Dynamic analysis is effective for understanding malware behavior within a short time. This method of analysis executes the malware and observes its behavior using debugging and monitoring tools. We are developing Alkanet, a malware analyzer that uses a virtual machine monitor based on BitVisor. Alkanet can analyze malware even if the malware applies anti-debugging techniques to thwart analysis by dynamic analysis tools. In addition, analysis overhead is reduced. Alkanet executes malware on Windows XP and traces system calls invoked by threads. Therefore, the system can analyze malware that infects other running processes. Also, the system call logs are obtained in real time via an IEEE 1394 interface. Other programs can readily examine the log and process the analysis results to understand the intent behind the malware's behavior. In this paper, we describe the design and implementation of Alkanet. We confirm that Alkanet analyzes malware behaviors such as copying itself, deleting itself, and creating new processes. We also confirm that Alkanet accurately traces threads injected by malware into other processes.
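As an added illustration (not code from the paper or from Alkanet itself), the following Python sketch shows the attribution rule the abstract relies on: tracking is keyed by thread, so a thread the sample creates inside another process stays attributed to the sample while the host process's own threads are ignored. The record fields, the syscall names used as process/thread creation markers, and the sample log are all constructed here; Alkanet's real log format is not given on this page.

```python
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed record shape: the real Alkanet log fields are not given on this page.
@dataclass(frozen=True)
class Syscall:
    pid: int                          # process the calling thread belongs to
    tid: int                          # calling thread (Windows TIDs are system-wide unique)
    name: str                         # native API name as logged
    new_pid: Optional[int] = None     # process creation: id of the new process
    target_pid: Optional[int] = None  # thread creation: process hosting the new thread
    new_tid: Optional[int] = None     # thread creation: id of the new thread

def trace_threads(log: Iterable[Syscall], root_pid: int):
    """Attribute syscalls to the sample by following threads rather than processes.

    A thread created by a tracked thread is tracked too, even inside a pre-existing
    process, so an injected thread's calls stay attributed while the host's own
    threads are ignored. Returns ({tid: [syscall names]}, {(host pid, injected tid)}).
    """
    tracked_pids = {root_pid}
    tracked_tids: set = set()
    calls: dict = {}
    injected: set = set()
    for rec in log:
        if rec.pid in tracked_pids:
            tracked_tids.add(rec.tid)   # thread of the sample or of a child it spawned
        if rec.tid not in tracked_tids:
            continue                    # benign thread: not the sample's
        calls.setdefault(rec.tid, []).append(rec.name)
        if rec.name == "NtCreateProcess" and rec.new_pid is not None:
            tracked_pids.add(rec.new_pid)
        if rec.name == "NtCreateThread" and rec.new_tid is not None:
            tracked_tids.add(rec.new_tid)
            if rec.target_pid is not None and rec.target_pid != rec.pid:
                injected.add((rec.target_pid, rec.new_tid))   # lives in another process
    return calls, injected

# Constructed sample log: the sample (pid 100) copies itself, spawns a child (200), then
# creates thread 9 inside unrelated process 300, which deletes the original. Thread 7 is
# process 300's own thread and must not be attributed to the sample.
SAMPLE_LOG = [
    Syscall(100, 1, "NtCreateFile"),
    Syscall(100, 1, "NtCreateProcess", new_pid=200),
    Syscall(200, 5, "NtOpenFile"),
    Syscall(300, 7, "NtReadFile"),
    Syscall(100, 1, "NtOpenProcess"),
    Syscall(100, 1, "NtCreateThread", target_pid=300, new_tid=9),
    Syscall(300, 7, "NtReadFile"),
    Syscall(300, 9, "NtDeleteFile"),
]
```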



Author information

Correspondence to Koichi Mouri.


Copyright information

© 2014 Springer Science+Business Media Dordrecht

About this chapter

Cite this chapter

Otsuki, Y., Takimoto, E., Kashiyama, T., Saito, S., Cooper, E.W., Mouri, K. (2014). Tracing Malicious Injected Threads Using Alkanet Malware Analyzer. In: Kim, H., Ao, SI., Amouzegar, M., Rieger, B. (eds) IAENG Transactions on Engineering Technologies. Lecture Notes in Electrical Engineering, vol 247. Springer, Dordrecht. https://doi.org/10.1007/978-94-007-6818-5_21


  • DOI: https://doi.org/10.1007/978-94-007-6818-5_21


  • Publisher Name: Springer, Dordrecht

  • Print ISBN: 978-94-007-6817-8

  • Online ISBN: 978-94-007-6818-5
