Dynamic Analysis of Malicious Code

Ulrich Bayer, Andreas Moser, Christopher Kruegel, Engin Kirda
DOI: https://doi.org/10.1007/s11416-006-0012-2
2006-05-16
Journal in Computer Virology
Abstract: Malware analysis is the process of determining the purpose and functionality of a given malware sample (such as a virus, worm, or Trojan horse). This process is a necessary step to be able to develop effective detection techniques for malicious code. In addition, it is an important prerequisite for the development of removal tools that can thoroughly delete malware from an infected machine. Traditionally, malware analysis has been a manual process that is tedious and time-intensive. Unfortunately, the number of samples that need to be analyzed by security vendors on a daily basis is constantly increasing. This clearly reveals the need for tools that automate and simplify parts of the analysis process. In this paper, we present TTAnalyze, a tool for dynamically analyzing the behavior of Windows executables. To this end, the binary is run in an emulated operating system environment and its (security-relevant) actions are monitored. In particular, we record the Windows native system calls and Windows API functions that the program invokes. One important feature of our system is that it does not modify the program that it executes (e.g., through API call hooking or breakpoints), making it more difficult to detect by malicious code. Also, our tool runs binaries in an unmodified Windows environment, which leads to excellent emulation accuracy. These factors make TTAnalyze an ideal tool for quickly understanding the behavior of an unknown malware.
What problem does this paper attempt to address?
The paper addresses several key challenges in automated malware analysis. Specifically, it develops a tool that automatically analyzes the behavior of a sample so that the purpose and functions of unknown malware can be understood quickly. This matters because the number of malware samples that must be analyzed every day is huge, and traditional manual analysis can no longer keep up. In addition, malware authors often use techniques to detect and evade the analysis environment, which makes automated analysis harder. TTAnalyze, the tool introduced in the paper, aims to overcome these challenges and provide an efficient, accurate dynamic analysis method that is difficult for malware to detect.

### Main problems:

1. **Automation requirement**: As the number of malware samples that need to be analyzed daily keeps increasing, methods that rely entirely on manual analysis are no longer feasible, so automated solutions are required.
2. **Malware detection and evasion**: Many malware samples can detect virtual machines or emulated operating system environments. Once such an environment is detected, the malware changes its behavior, resulting in inaccurate analysis results.
3. **Comprehensive monitoring**: Existing automated analysis tools often cannot comprehensively monitor the interaction between malware and the operating system, which may allow the malware to evade analysis.
4. **Transparency of the execution environment**: The analysis tool needs to run without the malware's knowledge to avoid being detected and evaded.

### Solutions:

- **TTAnalyze**: A tool based on a PC emulator that runs the unknown binary together with its operating system environment entirely in software. In this way, the malware cannot detect the presence of the analysis environment.
- **Comprehensive monitoring**: TTAnalyze monitors not only Windows API calls but also native system calls, ensuring that all behaviors of the malware are recorded.
- **Non-invasive**: The tool neither modifies the code of the analyzed program nor sets breakpoints, thus avoiding the risk of being detected by malware.
- **Function call injection**: TTAnalyze supports function call injection and can modify the execution of the program in specific situations to improve the accuracy of analysis.

### Key features:

- **Using an emulator**: TTAnalyze uses Qemu as its emulation component and runs the Windows operating system entirely in software, providing a high-precision emulation environment.
- **Accurate tracking**: The CR3 register is used to accurately track the execution of the malicious process, distinguishing its instructions from those of other processes.
- **Non-invasive monitoring**: By comparing the value of the virtual processor's instruction pointer register with the starting address of a monitored operating system function, non-invasive monitoring of operating system function calls is achieved.

Through these methods, TTAnalyze can effectively automate the dynamic analysis of malware, provide detailed behavior reports, and help security analysts quickly understand the functions and impact of unknown malware.
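The CR3 check and the instruction-pointer comparison described under Key features, as a small added Python model. This is not code from the paper or from TTAnalyze; the process CR3 values, function addresses, stack contents and instruction trace are constructed sample values.

```python
"""Toy model of the TTAnalyze-style monitoring described above.

Added illustration, not code from the paper or from TTAnalyze. Two checks
are modelled: an instruction counts only while CR3 holds the analysed
process's page-directory base, and a call is detected when the virtual
CPU's EIP equals a monitored function's start address. Nothing is written
into the guest; all addresses and the trace are constructed sample values.
"""
from dataclasses import dataclass, field


@dataclass
class CallMonitor:
    target_cr3: int      # page-directory base (CR3) of the analysed process
    monitored: dict      # function start address -> function name
    log: list = field(default_factory=list)

    def on_instruction(self, cr3: int, eip: int, stack: dict, esp: int):
        """Observe one emulated instruction; return the entered function or None.
        stdcall layout: return address at [esp], first argument at [esp+4]."""
        if cr3 != self.target_cr3:       # some other process is running
            return None
        name = self.monitored.get(eip)
        if name is None:                 # not at a monitored entry point
            return None
        self.log.append((name, stack.get(esp), stack.get(esp + 4)))
        return name


def run_sample_trace():
    """Feed a constructed (CR3, EIP) trace through the monitor."""
    monitor = CallMonitor(
        target_cr3=0x0A5B7000,
        monitored={0x7C801D7B: "CreateFileW", 0x7C802442: "Sleep"},
    )
    # constructed guest stack: return address at ESP, first argument at ESP+4
    stack = {0x0012FF80: 0x00401234, 0x0012FF84: 0x00403000}
    trace = [
        (0x0A5B7000, 0x00401200),  # target process, ordinary instruction
        (0x1C443000, 0x7C801D7B),  # other process enters CreateFileW: ignored
        (0x0A5B7000, 0x7C801D7B),  # target process enters CreateFileW: logged
        (0x0A5B7000, 0x7C801D7E),  # inside CreateFileW, not its entry point
        (0x0A5B7000, 0x7C802442),  # target process enters Sleep: logged
    ]
    for cr3, eip in trace:
        monitor.on_instruction(cr3, eip, stack, esp=0x0012FF80)
    return monitor.log
```

Only the two entry-point hits in the analysed process reach the log; the same entry address executed under a different CR3, and an instruction inside the function body, are both ignored.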