An Optimal and Transparent Framework for Automatic Analysis of Malware

Abstract

Malware is the most significant security threat in cyberspace. Some statistics show that over 315,000 new malware samples are released every day. Clearly, it is not possible to analyze all of these samples manually, so security vendors are obliged to use software capable of analyzing suspicious executable files. Such software determines the behavior of suspicious files automatically; several tools, such as Anubis and Cuckoo, have been produced in this area. The problem with these tools is their lack of transparency: some malware exploit this weakness to detect the analysis environment. To resolve this problem, several solutions based on hardware-assisted virtualization have been presented. However, these solutions impose a large run-time overhead on program execution. In this paper an automated malware analysis framework is presented that is both transparent and optimal. In addition to being resistant to malware with split-personality features, this framework can also be used to analyze the large number of malware samples released every day without adding extra hardware resources. The framework uses dynamic analysis approaches together with hardware-assisted virtualization technology to analyze suspicious code. The dynamic analysis approaches used in this framework are sandboxing and system call sequence analysis. Analysis based on hardware-assisted virtualization technology is applied to provide a transparent analysis environment.
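Added illustration, not code from the paper: one concrete form that the system call sequence analysis named in the abstract can take when aimed at the split-personality problem. It compares n-gram profiles of two constructed traces of the same sample, one recorded in a transparent run and one in a run where the sample detected the analysis environment and bailed out; the call names, both traces, the n-gram size and the 0.5 threshold are assumptions, and comparing runs across environments is a technique from prior split-personality work rather than something this abstract attributes to its framework.

```python
from collections import Counter
from typing import Iterable, List

# Constructed sample traces (not from the paper): the Windows system calls
# observed for one sample in two analysis runs. In the transparent run the
# sample proceeds to its payload; in the "detected" run it probes the
# environment and terminates early, the split-personality pattern.
TRACE_TRANSPARENT = [
    "NtOpenKey", "NtQueryValueKey", "NtClose",
    "NtCreateFile", "NtWriteFile", "NtClose",
    "NtCreateProcess", "NtResumeThread",
    "NtDeviceIoControlFile", "NtWriteFile", "NtClose",
]
TRACE_DETECTED = [
    "NtOpenKey", "NtQueryValueKey", "NtClose",
    "NtQuerySystemInformation", "NtTerminateProcess",
]


def ngrams(trace: Iterable[str], n: int = 3) -> Counter:
    """Count overlapping n-grams of system call names in a trace."""
    seq = list(trace)
    return Counter(tuple(seq[i:i + n]) for i in range(len(seq) - n + 1))


def jaccard(a: Counter, b: Counter) -> float:
    """Jaccard similarity of two n-gram sets (0.0 = disjoint, 1.0 = identical)."""
    sa, sb = set(a), set(b)
    if not sa and not sb:
        return 1.0
    return len(sa & sb) / len(sa | sb)


def divergence_point(a: List[str], b: List[str]) -> int:
    """Index of the first call at which the two traces differ."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return min(len(a), len(b))


def flag_split_personality(transparent, detected, n=3, threshold=0.5):
    """Flag a sample whose behaviour diverges between the two environments."""
    sim = jaccard(ngrams(transparent, n), ngrams(detected, n))
    return {
        "similarity": sim,
        "diverges_at": divergence_point(list(transparent), list(detected)),
        "split_personality": sim < threshold,
    }


if __name__ == "__main__":
    print(flag_split_personality(TRACE_TRANSPARENT, TRACE_DETECTED))
```

The divergence index tells the analyst which call to inspect first, since the environment check usually sits immediately before it.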
