Ruoxu Zhao,Dawu Gu,Juanru Li,Yuanyuan Zhang

DOI: https://doi.org/10.1007/978-3-319-12087-4_7

2014-01-01

Abstract:Encryption is increasingly used in network communications, especially by malicious software (malware) to hide its malicious activities and protect itself from being detected or analyzed. Understanding malware's encryption schemes helps researchers better analyze its network protocol, and then derive the internal structure of the malware. However, current techniques of encrypted protocol analysis have a lot of limitations. For example, they usually require the encryption part being separated from message processing which is hardly satisfied in today's malware, and they cannot provide detailed information about the encryption parameter such as the algorithm used and its secret key. Therefore, these techniques cannot fulfill the needs of today's malware analysis.In this paper, we propose a novel and enhanced approach to automatically detect and analyze encryption and encoding functions within network applications. Utilizing dynamic taint analysis and data pattern analysis, we are able to detect encryption, encoding and checksum routines within the normal processing of protocol messages without prior knowledge of the protocol, and provide detailed information about its encryption scheme, including the algorithms used, secret keys, ciphertext and plaintext. We can also detect private or custom encryption routines made by malware authors, which can be used as signature of the malware. We evaluate our method with several malware samples to demonstrate its effectiveness.

Weihao Huang,Chaoyang Lin,Qiucun Yan,Lu Xiang,Zhiyu Zhang,Guozhu Meng,Kai Chen

DOI: https://doi.org/10.1109/cscwd57460.2023.10151998

2023-01-01

Abstract:In recent years, binary malware detection has attracted extensive attention from industry and academia. However, most of the existing work focuses on determining whether a sample is malicious or not, rather than identifying the malicious essence in malware. Few studies aim at locating malicious code at function granularity and suffer from inaccuracy. In this paper, we solve the problem by dividing malware into Functional Module (FM), which is a better granularity for locating malicious code, as it combines certain functions to express malicious behaviors in malware. We design a tool called FMDiv to automatically unpack and disassemble binary malware and then divide them into FMs based on the function call graph (CG). Meanwhile, one novel feature extraction and embedding method has been adopted to validate the effect of the FM division algorithm and provide one alternative method of characterization for subsequent malicious FM location. We evaluate FMDiv’s performance on 10,440 real-world samples from VIRUSSHARE. The results show that FMDiv can correctly characterize and make FM division of malware, outperforming current state-of-the-art work.

Peidai Xie,Xicheng Lu,Yongjun Wang,Jinshu Su

2013-01-01

International Journal of Security and Its Applications

Abstract:In order to be a long time alive, modern malware often make anti-emulation check after launched for evading dynamic analysis. Malware authors gain fingerprint information of target environment through several API to detect whether their creations are running in monitored state or not. If an emulated analysis environment is detected, the malware will change its running to avoid malicious behavior exposing. The existing approaches are based on trace matching with a intuition that, given the same inputs, the execution of a program should be the same in simulated analysis environment and on a real hardware reference system. However those approaches are too fine-grained to be inefficient.In this paper we propose an approach to deal with anti-emulation using instruction traces and dynamic slicing. With a difference from trace matching solutions presented in existing references, our approach is performed on one instruction trace derived from our dynamic analysis platform. We evaluate our approach with 189 malware samples collected in the wild. The experience shows that our proposed approach can spot efAPI used for anti-emulation check in an efficient way.

Ulrich Bayer,Andreas Moser,Christopher Kruegel,Engin Kirda

DOI: https://doi.org/10.1007/s11416-006-0012-2

2006-05-16

Journal in Computer Virology

Abstract:Malware analysis is the process of determining the purpose and functionality of a given malware sample (such as a virus, worm, or Trojan horse). This process is a necessary step to be able to develop effective detection techniques for malicious code. In addition, it is an important prerequisite for the development of removal tools that can thoroughly delete malware from an infected machine. Traditionally, malware analysis has been a manual process that is tedious and time-intensive. Unfortunately, the number of samples that need to be analyzed by security vendors on a daily basis is constantly increasing. This clearly reveals the need for tools that automate and simplify parts of the analysis process. In this paper, we present TTAnalyze, a tool for dynamically analyzing the behavior of Windows executables. To this end, the binary is run in an emulated operating system environment and its (security-relevant) actions are monitored. In particular, we record the Windows native system calls and Windows API functions that the program invokes. One important feature of our system is that it does not modify the program that it executes (e.g., through API call hooking or breakpoints), making it more difficult to detect by malicious code. Also, our tool runs binaries in an unmodified Windows environment, which leads to excellent emulation accuracy. These factors make TTAnalyze an ideal tool for quickly understanding the behavior of an unknown malware.

Ruoxu Zhao,Dawu Gu,Juanru Li,Ran Yu

DOI: https://doi.org/10.1007/978-3-642-24861-0_13

2011-01-01

Abstract:Cryptographic algorithms are widely used inside software for data security and integrity. The search of cryptographic data (include algorithms, input-output data and intermediated states of operation) is important to security analysis. However, various implementations of cryptographic algorithms lead the automatic detection and analysis to be very hard. This paper proposes a novel automatic cryptographic data detection and analysis approach. This approach is based on execution tracing and data pattern extraction techniques, searching the data pattern of cryptographic algorithms, and automatically extracting detected Cryptographic algorithms and input-output data. We implement and evaluate our approach, and the result shows our approach can detect and extract common symmetric ciphers and hash functions in most kinds of programs with accuracy, effectiveness and universality.

Yiheng Duan,Xiao Fu,Bin Luo,Ziqi Wang,Jin Shi,Xiaojiang (James) Du

DOI: https://doi.org/10.1109/icc.2015.7249229

2015-01-01

Abstract:Current memory forensic methods mainly focus on evidence collection and data recovery. A little work is about how to automatically identify malwares from many unknown processes and analyze their behaviors in high semantic level so as to collect related evidences. In fact, in real cases, investigators are often faced with large number of processes that they have no knowledge of. Although current malware detection tools could provide some help, they usually can't illustrate the purposes, abilities and behavior details of malwares and are thus often not fit for the forensic requirements. In this paper, we present a framework named Detective to cope with these issues. Given a set of unknown processes, Detective can classify benign and malware processes automatically. This is implemented by HNB classifying algorithm and a Dynamic-Link Libraries-based model. Detective could then explain malware behaviors in high semantic level through clustering and frequent item sets mining techniques. Besides, Detective sheds light on evidence collection by the information obtained from previous steps. Detective is applicable for both online and offline forensic scenarios. Experiments on real-world malware set have proved that the accuracy of Detective is above 90% and the time cost is only several seconds.

Eric Filiol

DOI: https://doi.org/10.48550/arXiv.1009.4000

2010-09-21

Abstract:Fighting against computer malware require a mandatory step of reverse engineering. As soon as the code has been disassemblied/decompiled (including a dynamic analysis step), there is a hope to understand what the malware actually does and to implement a detection mean. This also applies to protection of software whenever one wishes to analyze them. In this paper, we show how to amour code in such a way that reserse engineering techniques (static and dymanic) are absolutely impossible by combining malicious cryptography techniques developped in our laboratory and new types of programming (k-ary codes). Suitable encryption algorithms combined with new cryptanalytic approaches to ease the protection of (malicious or not) binaries, enable to provide both total code armouring and large scale polymorphic features at the same time. A simple 400 Kb of executable code enables to produce a binary code and around $2^{140}$ mutated forms natively while going far beyond the old concept of decryptor.

Cryptography and Security

LanJia Wang,HaiXin Duan,Xing Li

DOI: https://doi.org/10.1007/s11432-008-0150-x

2008-01-01

Science in China Series F Information Sciences

Abstract:It is a promising way to detect polymorphic shellcode using emulation method. However, previous emulation-based approaches are limited in their performance and resilience against evasions. A new enhanced emulation-based detection approach is proposed, including an automaton-based model of the dynamic behavior of polymorphic shellcode and a detection algorithm, the detection criterion of which is derived from that model and ensures high detection accuracy. The algorithm also contains several optimization techniques, highly improving the running performance and the resilience against detection evasion shellcode. We have implemented a prototype system for our approach. The advantages of our algorithm are validated by the experiments with real network data, polymorphic shellcode samples generated by available polymorphic engines and hand-crafted detection evasion shellcode.

Fei Chen,Yan Fu

DOI: https://doi.org/10.1109/DBTA.2009.127

2009-01-01

Abstract:In this paper, we propose a new approach for the dynamic detection of malicious executables on the platform of Windows. Our approach extracts signatures of malicious executable's behaviors by using API (Application Program Interface) interception technique which makes possible the detection of unknown malicious executables. The dynamic detection of unknown malicious executables is achieved in three major steps: getting the sequence of API function calls of the executable, processing the API sequence to generate a vector, calculating the similarity between the vector and the feature library constructed by security policies to verify if the executable is malicious. The experiment confirms that this approach is effective in detection of unknown malicious executables.

CHEN Zitong,JIA Peng,LIU Jiayong

DOI: https://doi.org/10.3969/j.issn.1671-1122.2023.05.007

2023-01-01

Abstract:At present, hiding technology has been widely used in malware to avoid the detection of anti-virus engines and reverse analysis by researchers. Therefore, effective identification of hidden functions in malware is of great significance for malware code detection and in-depth analysis. However, in this field, the existing methods have more or less problems, such as inability to obtain high accuracy, poor robustness to data sets with small sample size or unbalanced distribution of sample categories. In order to implement a practical detection method for malicious software hidden functions, a novel identification method based on Siamese architecture is proposed to detect the type of hidden functions.This method can effectively improve the accuracy of hidden function recognition, and the introduction of Siamese architecture improves the problem of poor robustness of small sample size data sets. For the dataset of 15 common types of hidden functions extracted from malicious software, the experimental results show that the embedded vector generated by this method has better quality than the nearest embedded neural network SAFE, and this method has higher detection accuracy than several common hidden function detection tools.

Shanhu Shang,Ning Zheng,Jian Xu,Ming Xu,Haiping Zhang

DOI: https://doi.org/10.1109/malware.2010.5665787

2010-01-01

Abstract:Currently, signature-based malware scanning is still the dominant approach to identify malware samples in the wild due to its low false positive rate. However, this approach concentrates on programs' specific instructions, and lacks insight into high level semantics; it is enduring challenges from advanced code obfuscation techniques such as polymorphism and metamorphism. To overcome this shortcoming, this paper extracts a program's function-call graph as its signature. The paper presents a method to compute similarity between two binaries on basis of their function-call graph similarity. The proposed method relies on static analysis of a program, it first disassembles the program into assemble code, and then it uses a novel algorithm to construct the function-call graph from the assembly instructions. After that, it proposes a simple but effective graph matching method to compute similarity between two binaries. A prototype is implemented and evaluated on several well-known malware families and benign programs.

Youngjoon Ki,Eunjin Kim,Huy Kang Kim

DOI: https://doi.org/10.1155/2015/659101

IF: 1.938

2015-06-01

International Journal of Distributed Sensor Networks

Abstract:In the era of ubiquitous sensors and smart devices, detecting malware is becoming an endless battle between ever-evolving malware and antivirus programs that need to process ever-increasing security related data. For malware detection, various approaches have been proposed. Among them, dynamic analysis is known to be effective in terms of providing behavioral information. As malware authors increasingly use obfuscation techniques, it becomes more important to monitor how malware behaves for its detection. In this paper, we propose a novel approach for dynamic analysis of malware. We adopt DNA sequence alignment algorithms and extract common API call sequence patterns of malicious function from malware in different categories. We find that certain malicious functions are commonly included in malware even in different categories. From checking the existence of certain functions or API call sequence patterns matched, we can even detect new unknown malware. The result of our experiment shows high enough F-measure and accuracy. API call sequence can be extracted from most of the modern devices; therefore, we believe that our method can detect the malware for all types of the ubiquitous devices.

computer science, information systems,telecommunications

zhiyin liang,tao wei,yu zong chen,xinhui han,jianwei zhuge,wanhong zou

2007-01-01

Abstract:In recent years with the popularity of source code sharing, the number of types of malware increases sharply; furthermore, malwares are also getting more and more sophisticated. These developments together propose a tremendous challenge to traditional ways of analyzing malware. One way to handle such challenge is to develop tools to automate the analyzing task, and in this paper we describe one such method for static analysis of malware. Inspired by the observation that a malicious executable usually consists of several components, each performing certain tasks, and that these components are often reused by others, our method employs techniques from reverse engineering and data clustering to component decomposing of an executable. For each component obtained, we then match it against a library of known malware components to identify it. For malicious programs, we further utilize the match result to classify them. We have built a prototype system called CompSim, and have applied it to analyze bot-like malicious executables. Initial results show that our approach has outperformed classical signature-based detection method in terms of false negative rate. Furthermore, comparing to dynamic analysis methods and model checking methods, our static method has the advantage of larger analytical coverage.

Chao DAI,Jian-min PANG,Yi-chi ZHANG,Liang ZHU,Feng YUE,Hong-wei TAO

2017-01-01

Abstract:The malware behavior analysis is composed of analysis in disassembly level and system-call level.Out of the finer grain,the analysis in disassembly level is irreplaceable in characterizing the code behavior.However,the existing analysis technologies in disassembly level is not good at coping with discontinuous instruction sequences.In view of this situation and characteristics of binary code,this paper proposes a method of behavior analysis in disassembly level based on pattern matching with wildcards and gap-length constrains,called CFG-refinedSAIL.It reconstructs the code structure by the recursive traversal disassembly algorithm first.Then the algorithm compares the opcode sequences in each basicblock of control flow with the opcode sequences of malware behavior in a refined way to find out the malware behavior in disassembly level.Finally,the test validates the effectiveness the algorithm,and its performance is good,which could provide the basis for subsequent analysis of malware.

Tzu-Ling Wan,Tao Ban,Shin-Ming Cheng,Yen-Ting Lee,Bo Sun,Ryoichi Isawa,Takeshi Takahashi,Daisuke Inoue

DOI: https://doi.org/10.1109/ojcs.2020.3033974

2020-01-01

IEEE Open Journal of the Computer Society

Abstract:Simple implementation and autonomous operation features make the Internet-of-Things (IoT) vulnerable to malware attacks. Static analysis of IoT malware executable files is a feasible approach to understanding the behavior of IoT malware for mitigation and prevention. However, current analytic approaches based on opcodes or call graphs typically do not work well with diversity in central processing unit (CPU) architectures and are often resource intensive. In this paper, we propose an efficient method for leveraging machine learning methods to detect and classify IoT malware programs. We show that reliable and efficient detection and classification can be achieved by exploring the essential discriminating information stored in the byte sequences at the entry points of executable programs. We demonstrate the performance of the proposed method using a large-scale dataset consisting of 111K benignware and 111K malware programs from seven CPU architectures. The proposed method achieves near optimal generalization performance for malware detection (99.96 accuracy) and for malware family classification (98.47 accuracy). Moreover, when CPU architecture information is considered in learning, the proposed method combined with support vector machine classifiers can yield even higher generalization performance using fewer bytes from the executable files. The findings in this paper are promising for implementing light-weight malware protection on IoT devices with limited resources.

Huabiao Lu,Xiaofeng Wang,Baokang Zhao,Fei Wang,Jinshu Su

DOI: https://doi.org/10.1016/j.mcm.2013.03.008

2013-01-01

Mathematical and Computer Modelling

Abstract:Malware obfuscation obscures malware into different versions, making traditional syntactic nature based detection ineffective. Furthermore, with the huge and exponentially growing number of malware samples, existing malware detection systems are either evaded by malware obfuscation, or overwhelmed by numerous malware samples. This paper proposes an anti-obfuscation, scalable and collaborative malware detection system—ENDMal. ENDMal identifies the program that behaves suspiciously in end-hosts and similarly between a group of suspicious programs in a wide area as malicious. We present the Iterative Sequence Alignment (ISA) method to defeat malware obfuscation. Instead of using complex behavior graph, we propose the Handle dependences and Probabilistic Ordering Dependence (HPOD) technology to represent the program behaviors. In addition, we design a novel information sharing infrastructure, RENShare, to collaboratively congregate the group characteristics of programs spreading over different network areas. Our experimental results show that ENDMal can detect unknown malwares much faster than the centralized detection system and is more effective than the existing distributed detection system.

Zhi Xin,Huiyu Chen,Hao Han,Bing Mao,Li Xie

DOI: https://doi.org/10.1007/978-3-642-18178-8_16

2011-01-01

Abstract:Program obfuscation techniques have been widely used by malware to dodge the scanning from anti-virus detectors. However, signature based on the data structures appearing in the runtime memory makes traditional code obfuscation useless. Laika [2] implements this signature using Bayesian unsupervised learning, which clusters similar vectors of bytes in memory into the same class. We present a novel malware obfuscation technique that automatically obfuscate the data structure layout so that memory similarities between malware programs are blurred and hardly recognized. We design and implement the automatic data structure obfuscation technique as a GNU GCC compiler extension that can automatically distinguish the obfuscability of the data structures and convert part of the unobfuscable data structures into obfuscable. After evaluated by fourteen real-world malware programs, we present that our tool maintains a high proportion of obfuscated data structures as 60.19% for type and 60.49% for variable.

David Korczynski

DOI: https://doi.org/10.48550/arXiv.1908.09204

2019-08-24

Cryptography and Security

Abstract:Run time packing is a common approach malware use to obfuscate their payloads, and automatic unpacking is, therefore, highly relevant. The problem has received much attention, and so far, solutions based on dynamic analysis have been the most successful. Nevertheless, existing solutions lack in several areas, both conceptually and architecturally, because they focus on a limited part of the unpacking problem. These limitations significantly impact their applicability, and current unpackers have, therefore, experienced limited adoption. In this paper, we introduce a new tool, called Minerva, for effective automatic unpacking of malware samples. Minerva introduces a unified approach to precisely uncover execution waves in a packed malware sample and produce PE files that are well-suited for follow-up static analysis. At the core, Minerva deploys a novel information flow model of system-wide dynamically generated code, precise collection of API calls and a new approach for merging execution waves and API calls. Together, these novelties amplify the generality and precision of automatic unpacking and make the output of Minerva highly usable. We extensively evaluate Minerva against synthetic and real-world malware samples and show that our techniques significantly improve on several aspects compared to previous work.

Peidai Xie,Xicheng Lu,Yongjun Wang,Jinshu Su,Meijian Li

DOI: https://doi.org/10.1007/978-3-642-35795-4_55

2013-01-01

Abstract:Anti-debugging techniques are broadly used by malware authors to prevent security researchers from reversing engineering their created malware samples. However, the countermeasures to identify anti-debugging code patterns are insufficient, and mainly manual, which is an expensive, time-consuming, and error-prone process. There are no automatic approaches which can be used to detect anti-debugging code patterns in malware samples effectively. In this paper, we present an approach, based on instruction traces derived from dynamic malware analysis and an instruction-based pattern matching method, to detect anti-debugging tricks automatically. We evaluate this approach with a large number of malware samples collected in the wild. The experience shows that our proposed approach is effective and about 40% of malware samples in our experimental data set has been embedded anti-debugging code. © Springer-Verlag Berlin Heidelberg 2013.

Yang Zhao,Zeng Qingkai

DOI: https://doi.org/10.3969/j.issn.1000-386x.2013.04.001

2013-01-01

Abstract:This paper proposes a method to automatically detect anti-analysis malware.This approach records the traces of system calls and instructions executed by malware across four different analysis platform based on two monitoring and recording technologies.At first,the system call traces are compared.If a deviation exists,further comparison on instruction traces is needed to determine whether the root cause is anti-analysis or not.Experimental results have demonstrated that the approach can detect varies of analysis evasion technology.