Tracking Memory Writes for Malware Classification and Code Reuse Identification

Conference paper in: Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA 2012)

Abstract

Malicious code (malware) is used to steal sensitive data, to attack corporate networks, and to deliver spam. To silently compromise systems and maintain access to them, malware developers usually apply obfuscation techniques that result in a massive number of malware variants and that can render static analysis approaches ineffective. To address the limitations of static approaches, researchers have proposed dynamic analysis systems. These systems usually rely on a sandboxing environment that captures the system calls performed by a program under analysis.

In this paper, we propose a novel approach to capture and model malware behavior that is based on the monitoring of the data values that a certain subset of instructions writes to memory during program execution. We have implemented a malware clustering component and a component to detect code reuse between different malware families. To validate our proposed techniques, we analyzed 16,248 malware samples. We found that our techniques produce clusters with high accuracy, as well as interesting cases of code reuse among malicious programs.
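As an added illustration that is not the paper's code: a toy version of the idea the abstract states, treating the sequence of values written to memory as features, clustering samples by feature overlap, and flagging write patterns shared across clusters as code-reuse candidates. The n-gram features, the Jaccard threshold and the sample traces are assumptions; the paper's actual instruction subset, behavior model and similarity metric are not on this page.

```python
"""Illustrative pipeline (added here, not the paper's implementation): memory-write
traces -> similarity clustering -> write patterns shared across clusters. Each trace is a
constructed list of values that selected instructions wrote to memory; the paper's tracer,
instruction subset and metric are not on this page and are assumed."""
from itertools import combinations

N = 3              # n-gram length over consecutive written values (assumption)
THRESHOLD = 0.5    # Jaccard similarity needed to place two samples in one cluster
# Constructed traces. DECRYPT_LOOP stands in for a routine that two families share.
DECRYPT_LOOP = [0xDEADBEEF, 0x10, 0x20, 0x30, 0x40]
SAMPLES = {
    "famA_1": [0x401000, 1, 2, 3, 4, 5, 6] + DECRYPT_LOOP,
    "famA_2": [0x401000, 1, 2, 3, 4, 5, 7] + DECRYPT_LOOP,          # one write differs
    "famB_1": [0x7FFF0000, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF, 0x11, 0x22],
    "famB_2": [0x7FFF0000, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF, 0x11, 0x22] + DECRYPT_LOOP,
}

def shingles(trace, n=N):
    """Order-preserving features: every run of n consecutive written values.
    On real traces, values every program writes (zeros, small counters) should be filtered."""
    return {tuple(trace[i:i + n]) for i in range(len(trace) - n + 1)}

def jaccard(a, b):
    return len(a & b) / len(a | b) if (a or b) else 0.0

def cluster(traces, threshold=THRESHOLD):
    """Single-linkage clustering with union-find: two samples whose write n-grams
    overlap by at least `threshold` land in the same cluster."""
    feats = {s: shingles(t) for s, t in traces.items()}
    parent = {s: s for s in traces}
    def find(x):
        while parent[x] != x:
            x = parent[x]
        return x
    for a, b in combinations(traces, 2):
        if jaccard(feats[a], feats[b]) >= threshold:
            parent[find(a)] = find(b)
    groups = {}
    for s in traces:
        groups.setdefault(find(s), []).append(s)
    return sorted(tuple(sorted(g)) for g in groups.values())

def shared_across_clusters(traces, clusters):
    """Code-reuse candidates: write n-grams occurring in samples of two different clusters."""
    feats = {s: shingles(t) for s, t in traces.items()}
    hits = {}
    for ca, cb in combinations(clusters, 2):
        common = set().union(*(feats[s] for s in ca)) & set().union(*(feats[s] for s in cb))
        if common:
            hits[(ca, cb)] = common
    return hits
```

On the constructed traces the two families separate cleanly, while the three n-grams inside DECRYPT_LOOP surface as the only features shared across the two clusters.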

Copyright information

© 2013 Springer-Verlag Berlin Heidelberg

Cite this paper

Grégio, A.R.A., de Geus, P.L., Kruegel, C., Vigna, G. (2013). Tracking Memory Writes for Malware Classification and Code Reuse Identification. In: Flegel, U., Markatos, E., Robertson, W. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2012. Lecture Notes in Computer Science, vol 7591. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-37300-8_8

  • DOI: https://doi.org/10.1007/978-3-642-37300-8_8

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-37299-5

  • Online ISBN: 978-3-642-37300-8