Tracing Malicious Injected Threads Using Alkanet Malware Analyzer

  • Yuto Otsuki
  • Eiji  Takimoto
  • Takehiro Kashiyama
  • Shoichi Saito
  • Eric W. Cooper
  • Koichi Mouri
Chapter
Part of the Lecture Notes in Electrical Engineering book series (LNEE, volume 247)

Abstract

Recently, malware has become a major security threat to computers. Responding to threats from malware requires malware analysis and an understanding of malware behavior. However, malware analysts cannot spend the time required to analyze each instance of malware, because unique variants of malware emerge by the thousands every day. Dynamic analysis is effective for understanding malware behavior within a short time. This method of analysis executes the malware and observes its behavior using debugging and monitoring tools. We are developing Alkanet, a malware analyzer that uses a virtual machine monitor based on BitVisor. Alkanet can analyze malware even if the malware applies anti-debugging techniques to thwart analysis by dynamic analysis tools. In addition, analysis overhead is reduced. Alkanet executes malware on Windows XP and traces the system calls invoked by each thread. Therefore, the system can analyze malware that infects other running processes. Also, the system call logs are obtained in real time via an IEEE 1394 interface. Other programs can readily examine the log and process the analysis results to understand the intentions behind malware behavior. In this paper, we describe the design and implementation of Alkanet. We confirm that Alkanet analyzes malware behaviors such as copying itself, deleting itself, and creating new processes. We also confirm that Alkanet accurately traces threads injected by malware into other processes.
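The abstract's central point is that tracing system calls per thread, rather than per process, lets an analyzer keep following malware after it injects a thread into a benign process, and that an external program can consume the log to summarize behaviors. The following is an added example, not Alkanet's own code or its log format: it assumes a constructed, simplified per-thread log (one event per line, `seq pid tid syscall key=value ...`), propagates attribution along cross-process thread creation and process creation, and then flags the behaviors the abstract names (self-copy, self-delete, process creation, thread injection). The sample log, the `sample.exe` image path and the process/thread ids are constructed; the system call names are real NT system calls, but the argument keys are assumptions of this example.

```python
"""Thread-level attribution over a constructed per-thread system-call log.

Added example; it is not Alkanet's code and the log format is an assumption.
Each line: <seq> <pid> <tid> <syscall> <key=value ...>
"""
from collections import namedtuple

Event = namedtuple("Event", "seq pid tid syscall args")

# Constructed sample log. Process 100 is the sample under analysis; it
# injects a thread (tid 205) into already-running process 200, whose own
# thread 201 keeps doing unrelated work. The injected thread copies the
# sample and starts the copy as process 300; the sample then deletes itself.
SAMPLE_LOG = """\
1 100 101 NtOpenProcess target_pid=200
2 100 101 NtWriteVirtualMemory target_pid=200
3 100 101 NtCreateThread target_pid=200 new_tid=205
4 200 201 NtReadFile path=C:\\doc.txt
5 200 205 NtReadFile path=C:\\sample.exe
6 200 205 NtWriteFile path=C:\\Windows\\copy.exe
7 200 205 NtCreateProcess image=C:\\Windows\\copy.exe new_pid=300
8 300 301 NtReadFile path=C:\\doc.txt
9 100 101 NtDeleteFile path=C:\\sample.exe
"""

THREAD_CREATING = {"NtCreateThread", "NtCreateThreadEx"}
PROCESS_CREATING = {"NtCreateProcess", "NtCreateProcessEx", "NtCreateUserProcess"}


def parse_log(text):
    """Parse the constructed log format into a list of Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        seq, pid, tid, name, *kvs = line.split()
        args = dict(kv.split("=", 1) for kv in kvs)
        events.append(Event(int(seq), int(pid), int(tid), name, args))
    return events


def attribute_events(events, root_pid):
    """Return the events attributable to the sample rooted at root_pid.

    Attribution follows two edges: a thread the sample creates in another
    process (thread injection) and a process the sample or an injected
    thread creates. Threads of a victim process that the sample did not
    create stay unattributed, which is what per-thread tracing buys over
    per-process tracing. The log is assumed to be in causal order.
    """
    tainted_threads = set()
    tainted_pids = {root_pid}
    attributed = []
    for ev in events:
        key = (ev.pid, ev.tid)
        if ev.pid in tainted_pids:
            tainted_threads.add(key)        # every thread of a sample-created process
        if key not in tainted_threads:
            continue
        attributed.append(ev)
        if ev.syscall in THREAD_CREATING and {"target_pid", "new_tid"} <= ev.args.keys():
            tainted_threads.add((int(ev.args["target_pid"]), int(ev.args["new_tid"])))
        if ev.syscall in PROCESS_CREATING and "new_pid" in ev.args:
            tainted_pids.add(int(ev.args["new_pid"]))
    return attributed


def summarize_behaviors(attributed, sample_image):
    """Flag the behaviors named in the abstract from attributed events."""
    summary = {"injects_thread": False, "copies_itself": False,
               "creates_process": False, "deletes_itself": False}
    read_self = set()   # threads that have read the sample's own image
    for ev in attributed:
        key = (ev.pid, ev.tid)
        if ev.syscall in THREAD_CREATING and int(ev.args.get("target_pid", ev.pid)) != ev.pid:
            summary["injects_thread"] = True
        if ev.syscall in PROCESS_CREATING:
            summary["creates_process"] = True
        if ev.syscall == "NtReadFile" and ev.args.get("path") == sample_image:
            read_self.add(key)
        if ev.syscall == "NtWriteFile" and key in read_self and ev.args.get("path") != sample_image:
            summary["copies_itself"] = True   # read own image, then wrote it elsewhere
        if ev.syscall == "NtDeleteFile" and ev.args.get("path") == sample_image:
            summary["deletes_itself"] = True
    return summary


if __name__ == "__main__":
    evs = attribute_events(parse_log(SAMPLE_LOG), root_pid=100)
    for ev in evs:
        print(ev.seq, ev.pid, ev.tid, ev.syscall, ev.args)
    print(summarize_behaviors(evs, r"C:\sample.exe"))
```

Note that event 4 (thread 201 of the victim process reading `doc.txt`) is left out of the attribution while events 5 to 7 from the injected thread 205 in the same process are kept; a per-process trace could only include or exclude process 200 as a whole.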

Keywords

Dynamic analysis; Malware behavior; Malware analysis; System call tracing; Thread injection; Virtual machine monitor


Copyright information

© Springer Science+Business Media Dordrecht 2014

Authors and Affiliations

  • Yuto Otsuki (1)
  • Eiji Takimoto (4)
  • Takehiro Kashiyama (2)
  • Shoichi Saito (3)
  • Eric W. Cooper (4)
  • Koichi Mouri (4)

  1. Graduate School of Science and Engineering, Ritsumeikan University, Kusatsu, Japan
  2. Ritsumeikan Global Innovation Research Organization, Ritsumeikan University, Kusatsu, Japan
  3. Graduate School of Engineering, Nagoya Institute of Technology, Nagoya, Japan
  4. College of Information Science and Engineering, Ritsumeikan University, Kusatsu, Japan