Abstract
Recently, malware has become a major security threat to computers. Responding to threats from malware requires analyzing the malware and understanding its behavior. However, malware analysts cannot spend the time required to analyze each instance of malware, because thousands of unique variants emerge every day. Dynamic analysis is effective for understanding malware behavior within a short time. This method of analysis executes the malware and observes its behavior using debugging and monitoring tools. We are developing Alkanet, a malware analyzer that uses a virtual machine monitor based on BitVisor. Alkanet can analyze malware even if the malware applies anti-debugging techniques to thwart dynamic analysis tools. In addition, analysis overhead is reduced. Alkanet executes malware on Windows XP and traces the system calls invoked by threads. Therefore, the system can analyze malware that infects other running processes. Also, the system call logs are obtained in real time via an IEEE 1394 interface, so other programs can readily examine the log and process the analysis results to understand the intentions behind malware behavior. In this paper, we describe the design and implementation of Alkanet. We confirm that Alkanet analyzes malware behaviors such as copying itself, deleting itself, and creating new processes. We also confirm that Alkanet accurately traces threads injected by malware into other processes.
© 2014 Springer Science+Business Media Dordrecht
Otsuki, Y., Takimoto, E., Kashiyama, T., Saito, S., Cooper, E.W., Mouri, K. (2014). Tracing Malicious Injected Threads Using Alkanet Malware Analyzer. In: Kim, H., Ao, SI., Amouzegar, M., Rieger, B. (eds) IAENG Transactions on Engineering Technologies. Lecture Notes in Electrical Engineering, vol 247. Springer, Dordrecht. https://doi.org/10.1007/978-94-007-6818-5_21
DOI: https://doi.org/10.1007/978-94-007-6818-5_21
Publisher Name: Springer, Dordrecht
Print ISBN: 978-94-007-6817-8
Online ISBN: 978-94-007-6818-5
eBook Packages: Engineering (R0)