
J Comput Virol (2006) 2:67–77
DOI 10.1007/s11416-006-0012-2

ORIGINAL PAPER

Dynamic analysis of malicious code
Ulrich Bayer · Andreas Moser ·
Christopher Kruegel · Engin Kirda

Received: 13 January 2006 / Accepted: 27 March 2006 / Published online: 16 May 2006 © Springer-Verlag France 2006

Abstract Malware analysis is the process of determining the purpose and functionality of a given malware sample (such as a virus, worm, or Trojan horse). This process is a necessary step to be able to develop effective detection techniques for malicious code. In addition, it is an important prerequisite for the development of removal tools that can thoroughly delete malware from an infected machine. Traditionally, malware analysis has been a manual process that is tedious and time-intensive. Unfortunately, the number of samples that need to be analyzed by security vendors on a daily basis is constantly increasing. This clearly reveals the need for tools that automate and simplify parts of the analysis process. In this paper, we present TTAnalyze, a tool for dynamically analyzing the behavior of Windows executables. To this end, the binary is run in an emulated operating system environment and its (security-relevant) actions are monitored. In particular, we record the Windows native system calls and Windows API functions that the program invokes. One important feature of our system is that it does not modify the program that it executes (e.g., through API call hooking or breakpoints), making it more difficult to detect by malicious code. Also, our tool runs binaries in an unmodified Windows environment, which leads to excellent emulation accuracy. These factors make TTAnalyze an ideal tool for quickly understanding the behavior of an unknown malware sample.

Keywords Malware · Analysis · API · Virus worm · Static analysis · Dynamic analysis

U. Bayer (corresponding author)
Ikarus Software,
Fillgradergasse 7, 1060, Vienna, Austria
e-mail: ulli@seclab.tuwien.ac.at

A. Moser · C. Kruegel · E. Kirda
Secure Systems Lab,
Technical University Vienna,
Vienna, Austria
e-mail: andy@seclab.tuwien.ac.at

C. Kruegel
e-mail: chris@seclab.tuwien.ac.at

E. Kirda
e-mail: ek@seclab.tuwien.ac.at

1 Introduction
Malware is a generic term to denote all kinds of unwanted software (e.g., viruses, worms, or Trojan horses). Such software poses a major security threat to computer users. According to estimates, the financial loss caused by malware has been as high as 14.2 billion US dollars in the year 2005 [5]. Unfortunately, the problem of malicious code is likely to grow in the future as malware writing is quickly turning into a profitable business [21]. Malware authors can sell their creations to miscreants, who use the malicious code to compromise large numbers of machines that can then be abused as platforms to launch denial-of-service attacks or as spam relays. Another indication of the significance of the problem is that even people without any special interest in computers are aware of worms such as Nimda or Sasser. This is because security incidents affect millions of users and regularly make the headlines of mainstream news.

The most important line of defence against malicious code is virus scanners. These scanners typically rely on a database of descriptions, or signatures, that characterize known malware instances. Whenever an unknown malware sample is found in the wild, it is usually necessary to update the signature database accordingly so that the novel malware piece can be detected by the scan engine. To this end, it is of paramount importance to be able to quickly analyze an unknown malware sample and understand its behavior and effect on the system. In addition, the knowledge about the functionality of malware is important for removal. That is, to be able to cleanly remove a piece of malware from an infected machine, it is usually not enough to delete the binary itself. It is also necessary to remove the residues left...