Journal in Computer Virology, Volume 2, Issue 1, pp 67–77

Dynamic Analysis of Malicious Code

  • Ulrich Bayer
  • Andreas Moser
  • Christopher Kruegel
  • Engin Kirda
Original Paper

Abstract

Malware analysis is the process of determining the purpose and functionality of a given malware sample (such as a virus, worm, or Trojan horse). This process is a necessary step to be able to develop effective detection techniques for malicious code. In addition, it is an important prerequisite for the development of removal tools that can thoroughly delete malware from an infected machine. Traditionally, malware analysis has been a manual process that is tedious and time-intensive. Unfortunately, the number of samples that need to be analyzed by security vendors on a daily basis is constantly increasing. This clearly reveals the need for tools that automate and simplify parts of the analysis process. In this paper, we present TTAnalyze, a tool for dynamically analyzing the behavior of Windows executables. To this end, the binary is run in an emulated operating system environment and its (security-relevant) actions are monitored. In particular, we record the Windows native system calls and Windows API functions that the program invokes. One important feature of our system is that it does not modify the program that it executes (e.g., through API call hooking or breakpoints), making it more difficult to detect by malicious code. Also, our tool runs binaries in an unmodified Windows environment, which leads to excellent emulation accuracy. These factors make TTAnalyze an ideal tool for quickly understanding the behavior of an unknown malware sample.
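As an added illustration (not code from the paper or from the TTAnalyze tool), the following Python summarises a constructed call trace of the kind such a monitor records, groups the touched files, registry keys and addresses by behaviour category, and applies one persistence heuristic; the trace format, the call-to-category mapping and the heuristic are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed trace (not TTAnalyze output); one recorded call per line.
SAMPLE_TRACE = r"""
NtOpenFile(\??\C:\sample.exe, GENERIC_READ)
NtCreateFile(\??\C:\WINDOWS\system32\svc.exe, GENERIC_WRITE)
NtWriteFile(\??\C:\WINDOWS\system32\svc.exe, 24576)
NtOpenKey(\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run)
NtSetValueKey(\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, svc)
connect(198.51.100.7, 6667)
NtCreateProcess(\??\C:\WINDOWS\system32\svc.exe)
"""

CALL_RE = re.compile(r"^(?P<name>\w+)\((?P<args>.*)\)$")

# Call name -> behaviour category. This mapping is an assumption for the
# example; the paper only states that native and API calls are recorded.
CATEGORIES = {
    "NtOpenFile": "file_read", "NtCreateFile": "file_write",
    "NtWriteFile": "file_write", "NtOpenKey": "registry_read",
    "NtSetValueKey": "registry_write", "NtCreateProcess": "process",
    "connect": "network",
}

def parse_trace(text):
    """Return (call name, [args]) for every well-formed trace line."""
    calls = []
    for line in text.strip().splitlines():
        m = CALL_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the report
        calls.append((m.group("name"), [a.strip() for a in m.group("args").split(",")]))
    return calls

def summarise(text):
    """Group the first argument (path, key or address) of each call by category."""
    summary = defaultdict(set)
    for name, args in parse_trace(text):
        summary[CATEGORIES.get(name, "other")].add(args[0] if args else "")
    return {cat: sorted(objs) for cat, objs in summary.items()}

def flags_persistence(summary):
    """Heuristic: a file dropped under system32 plus a value set on a Run key."""
    dropped = any("\\system32\\" in p.lower() for p in summary.get("file_write", []))
    autorun = any(k.lower().endswith("\\run") for k in summary.get("registry_write", []))
    return dropped and autorun
```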

Keywords

Malware analysis, API, Virus, Worm, Static analysis, Dynamic analysis



Copyright information

© Springer-Verlag 2006

Authors and Affiliations

  • Ulrich Bayer (1)
  • Andreas Moser (2)
  • Christopher Kruegel (2)
  • Engin Kirda (2)
  1. Ikarus Software, Vienna, Austria
  2. Secure Systems Lab, Technical University Vienna, Vienna, Austria
