Introduction

  • Chapter
Automatic Malware Analysis

Part of the book series: SpringerBriefs in Computer Science ((BRIEFSCOMPUTER))

Abstract

Malicious software (malware) has been a severe threat to interconnected computer systems for decades and causes billions of dollars in damage each year. A large volume of new malware samples is discovered daily. Worse, malware is evolving rapidly to become more sophisticated and evasive so as to defeat current malware analysis and defense systems. The work described in this book takes a root-cause-oriented approach to automatic malware analysis: it aims to capture the intrinsic nature of malicious behaviors rather than the external symptoms of existing attacks. We propose a new architecture for binary code analysis, called whole-system out-of-the-box fine-grained dynamic binary analysis, to address the common challenges in malware detection and analysis. To realize this architecture, we build a unified and extensible analysis platform, code-named TEMU. We propose a core technique for fine-grained dynamic binary analysis, called layered annotative execution, and implement it in TEMU. On the basis of TEMU, we then propose and build a series of novel techniques for automatic malware detection and analysis: Renovo, Panorama, HookFinder, and MineSweeper, each of which detects and analyzes a different aspect of malware. Because these techniques capture intrinsic characteristics of malware, they are well suited to new malware samples and attack mechanisms.
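The core mechanism named in the abstract, layered annotative execution, is easiest to see on a toy machine. The following is an added example written for this page, not code from TEMU or from the authors. It models a four-register machine with a made-up instruction set, assumes the emulator can tell which code (malware or benign) is executing and can label input at the device boundary without any agent inside the guest, and uses invented label names ("taint:<source>" and "malware"). Two annotation layers share a single propagation mechanism: taint labels for Panorama-style system-wide information flow, and a malware-written label for HookFinder-style detection of benign code transferring control to a value malware planted.

```python
# Added illustrative model of layered annotative execution (example code, not
# TEMU, Panorama or HookFinder source). A toy register machine carries a set of
# labels with every register and memory cell; the labels ride along with the
# data through each instruction. Two annotation layers share the mechanism:
#   * "taint:<source>"  Panorama-style information flow from emulator-marked input
#   * "malware"         HookFinder-style impact tracking: any value written while
#                       malware code is executing
# Assumed: the emulator knows which code is running ("code_owner") and marks
# input at the device boundary, outside the guest (out-of-the-box).
from dataclasses import dataclass, field

REGS = ("eax", "ebx", "ecx", "edx")


@dataclass
class Machine:
    regs: dict = field(default_factory=lambda: {r: 0 for r in REGS})
    reg_ann: dict = field(default_factory=lambda: {r: frozenset() for r in REGS})
    mem: dict = field(default_factory=dict)      # address -> integer cell
    mem_ann: dict = field(default_factory=dict)  # address -> frozenset of labels
    in_malware: bool = False                      # is malware code executing now?
    alerts: list = field(default_factory=list)

    def _impact(self):
        # Layer 2: everything malware writes is marked as malware-controlled.
        return frozenset({"malware"}) if self.in_malware else frozenset()

    def ann_mem(self, addr):
        return self.mem_ann.get(addr, frozenset())

    def write_reg(self, reg, value, labels):
        self.regs[reg] = value & 0xFFFFFFFF
        self.reg_ann[reg] = frozenset(labels) | self._impact()

    def write_mem(self, addr, value, labels):
        self.mem[addr] = value & 0xFFFFFFFF
        self.mem_ann[addr] = frozenset(labels) | self._impact()

    def inject_input(self, addr, data, source):
        # Layer 1 taint source: the emulator labels input (e.g. keystrokes) as
        # it enters the guest; the guest itself sees nothing.
        for i, b in enumerate(data):
            self.mem[addr + i] = b
            self.mem_ann[addr + i] = frozenset({f"taint:{source}"})

    def step(self, insn):
        op, *a = insn
        if op == "code_owner":          # emulator reports whose code runs next
            self.in_malware = (a[0] == "malware")
        elif op == "imm":               # dst <- constant: no data dependency
            self.write_reg(a[0], a[1], frozenset())
        elif op == "mov":               # dst <- src: labels copied
            self.write_reg(a[0], self.regs[a[1]], self.reg_ann[a[1]])
        elif op == "add":               # dst <- dst + src: labels merged
            d, s = a
            self.write_reg(d, self.regs[d] + self.regs[s], self.reg_ann[d] | self.reg_ann[s])
        elif op == "xor":               # xor r, r is a constant 0: labels cleared
            d, s = a
            labels = frozenset() if d == s else self.reg_ann[d] | self.reg_ann[s]
            self.write_reg(d, self.regs[d] ^ self.regs[s], labels)
        elif op == "load":              # dst <- mem[src]: labels of cell and of address
            d, s = a
            addr = self.regs[s]
            self.write_reg(d, self.mem.get(addr, 0), self.ann_mem(addr) | self.reg_ann[s])
        elif op == "store":             # mem[dst] <- src
            d, s = a
            self.write_mem(self.regs[d], self.regs[s], self.reg_ann[s] | self.reg_ann[d])
        elif op == "call_reg":          # indirect control transfer through a register
            r = a[0]
            if "malware" in self.reg_ann[r] and not self.in_malware:
                self.alerts.append(f"hook: benign code transfers control to malware-written target {self.regs[r]:#x}")
        elif op == "send":              # network sink: (pointer register, cell count)
            p, n = a
            leaked = set()
            for addr in range(self.regs[p], self.regs[p] + n):
                leaked |= {l for l in self.ann_mem(addr) if l.startswith("taint:")}
            if leaked:
                self.alerts.append(f"leak: {sorted(leaked)} reach the network")
        else:
            raise ValueError(f"unknown instruction {op}")
        return self


def demo():
    """Constructed scenario: malware overwrites a function pointer that benign
    code later calls through, then copies a keystroke into a buffer it sends."""
    m = Machine()
    m.inject_input(0x1000, b"pw", "keyboard")        # constructed keystroke input
    program = [
        ("code_owner", "malware"),
        ("imm", "eax", 0x2000), ("imm", "ebx", 0xDEAD),
        ("store", "eax", "ebx"),                      # plant a hook in a pointer slot
        ("code_owner", "benign"),
        ("imm", "ecx", 0x2000), ("load", "edx", "ecx"),
        ("call_reg", "edx"),                          # benign code calls through it
        ("code_owner", "malware"),
        ("imm", "eax", 0x1000), ("load", "ebx", "eax"),   # read the keystroke
        ("imm", "ecx", 0x3000), ("store", "ecx", "ebx"),  # copy it to a send buffer
        ("send", "ecx", 1),                           # buffer leaves via the network
    ]
    for insn in program:
        m.step(insn)
    return m.alerts


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

demo() returns one hook alert (benign code jumps to the malware-written value 0xdead) and one leak alert (a keyboard-tainted cell reaches the network sink). The xor r, r rule, which clears labels because the result is a compile-time constant, is the kind of per-instruction special case that fine-grained tracking needs; a real implementation at the emulator level must also handle the full x86 semantics, implicit flag writes, and the address-dependency choice made in load above, which accepts some over-tainting in exchange for following data through table lookups.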

References

  1. Anti-debugger techniques. http://www.textfiles.com/virus/adebgtut.txt

  2. Anubis: Analyzing unknown binaries. http://analysis.seclab.tuwien.ac.at/

  3. Norman ASA: Norman SandBox. http://sandbox.norman.no/ (2006)

  4. Bellard, F.: QEMU, a fast and portable dynamic translator. In: USENIX 2005 Annual Technical Conference, FREENIX Track, pp. 41–46 (2005)

  5. Brumley, D., Hartwig, C., Liang, Z., Newsome, J., Poosankam, P., Song, D., Yin, H.: Automatically identifying trigger-based behavior in malware. In: Lee, W., et al. (eds.) Botnet Analysis and Defense (2007)

  6. Egele, M., Kruegel, C., Kirda, E., Yin, H., Song, D.: Dynamic spyware analysis. In: Proceedings of the USENIX Annual Technical Conference (2007)

  7. The IDA Pro Disassembler and Debugger. http://www.datarescue.com/idabase/

  8. Kang, M.G., Poosankam, P., Yin, H.: Renovo: A hidden code extractor for packed executables. In: Proceedings of the 5th ACM Workshop on Recurring Malcode (WORM) (2007)

  9. Linn, C., Debray, S.: Obfuscation of executable code to improve resistance to static disassembly. In: Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS) (2003)

  10. Computer Economics: Annual worldwide economic damages from malware exceed 13 billion dollars. http://www.computereconomics.com/article.cfm?id=1225

  11. Moser, A., Kruegel, C., Kirda, E.: Exploring multiple execution paths for malware analysis. In: Proceedings of the 2007 IEEE Symposium on Security and Privacy (Oakland '07) (2007)

  12. UPX: the Ultimate Packer for eXecutables. http://upx.sourceforge.net/

  13. Vasudevan, A., Yerraballi, R.: Cobra: Fine-grained malware analysis using stealth localized-executions. In: Proceedings of the 2006 IEEE Symposium on Security and Privacy (S&P '06), pp. 264–279. IEEE Computer Society, Washington, DC, USA (2006). doi:10.1109/SP.2006.9

  14. Wilhelm, J., Chiueh, T.: A forced sampled execution approach to kernel rootkit identification. In: Recent Advances in Intrusion Detection (RAID), pp. 219–235 (2007)

  15. Willems, C.: CWSandbox: Automatic behaviour analysis of malware. http://www.cwsandbox.org/ (2006)

  16. Yin, H., Liang, Z., Song, D.: HookFinder: Identifying and understanding malware hooking behavior. In: Proceedings of the 15th Annual Network and Distributed System Security Symposium (NDSS) (2008)

  17. Yin, H., Song, D., Egele, M., Kruegel, C., Kirda, E.: Panorama: Capturing system-wide information flow for malware detection and analysis. In: Proceedings of the ACM Conference on Computer and Communications Security (CCS) (2007)

Copyright information

© 2013 The Author(s)

About this chapter

Cite this chapter

Yin, H., Song, D. (2013). Introduction. In: Automatic Malware Analysis. SpringerBriefs in Computer Science. Springer, New York, NY. https://doi.org/10.1007/978-1-4614-5523-3_1

  • DOI: https://doi.org/10.1007/978-1-4614-5523-3_1

  • Publisher Name: Springer, New York, NY

  • Print ISBN: 978-1-4614-5522-6

  • Online ISBN: 978-1-4614-5523-3
