
Analysis of Trigger Conditions and Hidden Behaviors


Part of the book series: SpringerBriefs in Computer Science ((BRIEFSCOMPUTER))

Abstract

Malware often contains hidden behavior that is only activated when properly triggered. Well-known examples include the MyDoom worm, which launches DDoS attacks on particular dates; keyloggers that only log keystrokes for particular sites; and DDoS zombies that are only activated when given the proper command. We call such behavior trigger-based behavior. Currently, trigger-based behavior analysis is usually performed in a tedious, manual fashion, and even a small amount of automation would greatly speed it up. In this chapter, we propose that automatic analysis of trigger-based behavior in malware is possible. In particular, we design an approach for automatic trigger-based behavior detection and analysis using dynamic binary instrumentation and mixed concrete and symbolic execution. Our approach shows that in many cases we can: (1) detect the existence of trigger-based behavior, (2) find the conditions that trigger such hidden behavior, and (3) find inputs that satisfy those conditions, allowing us to observe the triggered malicious behavior in a controlled environment. We have implemented MineSweeper, a system using this approach. In our experiments, MineSweeper has successfully identified trigger-based behavior in real-world malware. Although automatic trigger-based behavior detection presents many challenges, MineSweeper shows that such automatic analysis is possible and encourages future work in this area.
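The three steps the abstract lists (detect a trigger, recover the condition, produce a satisfying input) are the core loop of mixed concrete and symbolic execution. The following is an added illustration of that loop, not MineSweeper's code or anything from the chapter: the "malware" is a constructed Python function with a time bomb and a command trigger, the instrumentation is operator overloading on the inputs instead of dynamic binary instrumentation, and the solver enumerates single-byte domains instead of calling an SMT solver. The input names, the trigger values and the `sample_bot` function are all assumptions made for the example.

```python
"""Miniature concolic explorer for trigger-based behaviour (added example).

Not MineSweeper's code: the target is a constructed Python function, the
instrumentation is operator overloading, and the solver scans byte domains
instead of calling an SMT solver.
"""
import operator
from dataclasses import dataclass

BYTE_DOMAIN = range(256)  # every symbolic input is assumed to be one byte

OPS = {"==": operator.eq, "!=": operator.ne, "<": operator.lt,
       "<=": operator.le, ">": operator.gt, ">=": operator.ge}
NEGATE = {"==": "!=", "!=": "==", "<": ">=", ">=": "<", ">": "<=", "<=": ">"}


@dataclass(frozen=True)
class Constraint:
    """One branch predicate of the form <input> <op> <constant>."""
    var: str
    op: str
    const: int

    def negated(self):
        return Constraint(self.var, NEGATE[self.op], self.const)

    def __str__(self):
        return f"{self.var} {self.op} {self.const}"


class Trace:
    """Concrete inputs, the path condition collected so far, and sinks hit."""
    def __init__(self, env):
        self.env = dict(env)   # concrete value of each symbolic input
        self.path = []         # constraints that held on this execution
        self.sinks = []        # hidden behaviours observed on this run


class Sym:
    """A symbolic input: evaluates concretely but records each comparison."""
    def __init__(self, name, trace):
        self.name, self.trace = name, trace

    def _cmp(self, op, const):
        taken = OPS[op](self.trace.env[self.name], const)
        c = Constraint(self.name, op, const)
        self.trace.path.append(c if taken else c.negated())
        return taken

    # Only comparisons against integer constants are modelled (assumption).
    def __eq__(self, c): return self._cmp("==", c)
    def __ne__(self, c): return self._cmp("!=", c)
    def __lt__(self, c): return self._cmp("<", c)
    def __le__(self, c): return self._cmp("<=", c)
    def __gt__(self, c): return self._cmp(">", c)
    def __ge__(self, c): return self._cmp(">=", c)


def solve(constraints):
    """Return a concrete assignment satisfying all constraints, or None.

    Each constraint relates one input to a constant, so every input can be
    solved independently by scanning its byte domain.
    """
    per_var = {}
    for c in constraints:
        per_var.setdefault(c.var, []).append(c)
    env = {}
    for var, cs in per_var.items():
        candidates = (v for v in BYTE_DOMAIN
                      if all(OPS[c.op](v, c.const) for c in cs))
        env[var] = next(candidates, None)
        if env[var] is None:
            return None
    return env


def explore(program, inputs, seed):
    """DART-style exploration: run, flip one branch of the path, re-solve, repeat."""
    seen, worklist, traces = set(), [dict(seed)], []
    while worklist:
        env = worklist.pop()
        trace = Trace(env)
        program(*[Sym(name, trace) for name in inputs], trace)
        key = tuple(trace.path)
        if key in seen:
            continue                      # this path condition is already covered
        seen.add(key)
        traces.append(trace)
        for i in range(len(trace.path)):  # schedule the untaken side of each branch
            prefix = trace.path[:i] + [trace.path[i].negated()]
            new_vals = solve(prefix)
            if new_vals is not None:
                worklist.append({**env, **new_vals})  # unconstrained inputs keep old values
    return traces


def find_triggers(program, inputs, seed):
    """Map each hidden behaviour to one triggering input and its path condition."""
    found = {}
    for t in explore(program, inputs, seed):
        for sink in t.sinks:
            found.setdefault(sink, {"input": t.env,
                                    "condition": [str(c) for c in t.path]})
    return found


def sample_bot(month, day, cmd, trace):
    """Constructed stand-in for a bot with two hidden triggers (not real malware)."""
    if month == 2 and day >= 1 and day <= 3:   # time bomb: first three days of February
        trace.sinks.append("ddos")
    if cmd == 0x2A:                            # command trigger: one specific command byte
        trace.sinks.append("exec_command")


if __name__ == "__main__":
    seed = {"month": 0, "day": 0, "cmd": 0}
    for sink, info in find_triggers(sample_bot, ["month", "day", "cmd"], seed).items():
        print(f"{sink}: input={info['input']} when {' and '.join(info['condition'])}")
```

Starting from an all-zero seed that triggers nothing, the explorer negates one recorded branch at a time, solves the resulting prefix for fresh inputs and re-runs, until every feasible path condition has been executed once; the reported inputs are exactly the "inputs that satisfy those conditions" that let the analyst replay the hidden behaviour in a sandbox. Real binaries need the instrumentation to track symbolic bytes through memory and arithmetic and need a constraint solver that handles relations between inputs, which this byte-domain scan deliberately omits.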





Copyright information

© 2013 The Author(s)

About this chapter

Cite this chapter

Yin, H., Song, D. (2013). Analysis of Trigger Conditions and Hidden Behaviors. In: Automatic Malware Analysis. SpringerBriefs in Computer Science. Springer, New York, NY. https://doi.org/10.1007/978-1-4614-5523-3_6


  • DOI: https://doi.org/10.1007/978-1-4614-5523-3_6


  • Publisher Name: Springer, New York, NY

  • Print ISBN: 978-1-4614-5522-6

  • Online ISBN: 978-1-4614-5523-3

