Ddasdsdsd Sd Sd Sad Dads Sd D
J Comput Virol (2006) 2:67–77
DOI 10.1007/s11416-006-0012-2
ORIGINAL PAPER
Dynamic analysis of malicious code
Ulrich Bayer · Andreas Moser ·
Christopher Kruegel · Engin Kirda
Received: 13 January 2006 / Accepted: 27 March 2006 / Published online: 16 May 2006
© Springer-Verlag France 2006
Abstract Malware analysis is the process of determining the purpose and functionality of a given malware sample (such as a virus, worm, or Trojan horse). This process is a necessary step to be able to develop effective detection techniques for malicious code. In addition, it is an important prerequisite for the development of removal tools that can thoroughly delete malware from an infected machine. Traditionally, malware analysis has been a manual process that is tedious and timeintensive. Unfortunately, the number of samples that need to be analyzed by security vendors on a daily basis is constantly increasing. This clearly reveals the need for tools that automate and simplify parts of the analysis process. In this paper, we present TTAnalyze, a tool for dynamically analyzing the behavior of Windows executables. To this end, the binary is run in an emulated operating system environment and its
(security-relevant) actions are monitored. In particular, we record the Windows native system calls and Windows API functions that the program invokes. One important feature of our system is that it does not modify the program that it executes (e.g., through API call hooking or breakpoints), making it more difficult to detect by malicious code. Also, our tool runs binaries in an unmodified Windows environment,
U. Bayer (B)
Ikarus Software,
Fillgradergasse 7, 1060, Vienna, Austria e-mail: ulli@seclab.tuwien.ac.at
A. Moser · C. Kruegel · E. Kirda
Secure Systems Lab,
Technical University Vienna,
Vienna, Austria e-mail: andy@seclab.tuwien.ac.at
C. Kruegel e-mail: chris@seclab.tuwien.ac.at
E. Kirda e-mail: ek@seclab.tuwien.ac.at
which leads to
DOI 10.1007/s11416-006-0012-2
ORIGINAL PAPER
Dynamic analysis of malicious code
Ulrich Bayer · Andreas Moser ·
Christopher Kruegel · Engin Kirda
Received: 13 January 2006 / Accepted: 27 March 2006 / Published online: 16 May 2006
© Springer-Verlag France 2006
Abstract Malware analysis is the process of determining the purpose and functionality of a given malware sample (such as a virus, worm, or Trojan horse). This process is a necessary step to be able to develop effective detection techniques for malicious code. In addition, it is an important prerequisite for the development of removal tools that can thoroughly delete malware from an infected machine. Traditionally, malware analysis has been a manual process that is tedious and timeintensive. Unfortunately, the number of samples that need to be analyzed by security vendors on a daily basis is constantly increasing. This clearly reveals the need for tools that automate and simplify parts of the analysis process. In this paper, we present TTAnalyze, a tool for dynamically analyzing the behavior of Windows executables. To this end, the binary is run in an emulated operating system environment and its
(security-relevant) actions are monitored. In particular, we record the Windows native system calls and Windows API functions that the program invokes. One important feature of our system is that it does not modify the program that it executes (e.g., through API call hooking or breakpoints), making it more difficult to detect by malicious code. Also, our tool runs binaries in an unmodified Windows environment,
U. Bayer (B)
Ikarus Software,
Fillgradergasse 7, 1060, Vienna, Austria e-mail: ulli@seclab.tuwien.ac.at
A. Moser · C. Kruegel · E. Kirda
Secure Systems Lab,
Technical University Vienna,
Vienna, Austria e-mail: andy@seclab.tuwien.ac.at
C. Kruegel e-mail: chris@seclab.tuwien.ac.at
E. Kirda e-mail: ek@seclab.tuwien.ac.at
which leads to
References: 1. Bellard, F.: Qemu, a fast and portable dynamic translator. In: Usenix Annual Technical Conference, 2005 3. Christodorescu, M., Jha, S., Seshia, S., Song, D., Bryant, R.: Semantics-aware malware detection. In: IEEE Symposium on Security and Privacy, 2005 4. Collberg, C., Thomborson, C., Low, D.: Manufacturing cheap, resilient, and stealthy opaque constructs. In: Conference on Principles of Programming Languages (POPL), 1998 malicious code attacks, 2006. http://www.computereconomics.com/ article.cfm?id=1090 7. Kaspersky Lab: antivirus software, 2006. http://www. and Communications Security (CCS), 2003 10 11. Microsoft IFS KIT, 2006. http://www.microsoft.com/whdc/ devtools/ifskit 12. Microsoft PECOFF. Microsoft Portable Executable and Common Object File Format Specification, 2006 Publishing, indianapolis, 2000 15 Conference, 2000 18 Press, Bellevue (2004) 20 (almost) one CPU instruction, 2006. http://invisiblethings.org/ papers/redpill.html 21. Symantec. Internet security threat report, 2005. http://www. Wesley, Reading (2005) 23 Computer Security Applications Conference, 2005 24 PhD Thesis, University of Virginia (2001) 26 protection, 1993. http://vx.netlux.org/lib/ayt01.html