Identifying Dormant Functionality in Malware Programs

Comparetti, Paolo Milani; Salvaneschi, Guido; Kirda, Engin; Kolbitsch, Clemens; Kruegel, Christopher; Zanero, Stefano

doi:10.1109/sp.2010.12

Cited by 83 publications

(50 citation statements)

References 32 publications

(50 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Each sub-graph can be conveniently represented and efficiently matched using a hash. This technique is proven to be resilient against polymorphism [19] and was successfully used in recent samples by Comparetti et al in [6]. Finally, we normalize the API function names (e.g, removing 'A','W','Ex' suffixes referring to different versions of the same function).…”

Section: Database Of Behaviorsmentioning

confidence: 99%

“…In addition to the fingerprint information that is useful for fast indexing, we store the static information associated to each behavior as a set of offsets that identify the code into the binary. Therefore, this dictionary can be used to statically match behaviors, both in new, unseen binaries, or in binaries where such behaviors are implemented but "dormant" [6]. Notably, the ability to produce both a static and dynamic description of behaviors is useful because in this way we are not bound to dynamic analysis to identify behavior in samples.…”

Section: Step 3: Behavior Extractionmentioning

confidence: 99%

“…A conservative choice would be f = 1.00, which would mean that we use as a descriptor only APIs that appear in all the sequences of dataflowdependent API calls of the cluster. This, however, is brittle and decreases the amounts of behaviors found (as will be evident in §4.2): Indeed, it does not take into account dormant behaviors [6], or the possibility that a behavior contains multiple branches and thus alternative portions of code.…”

Section: Step 3: Behavior Extractionmentioning

confidence: 99%

“…A variety of staticand dynamic-analysis tools exist and are very useful to this end. Moreover, so-called "hybrid analysis" approaches can be used to balance their symmetric strengths and weaknesses [6,10,21,34]. We believe that hybrid approaches can be pushed forward and leveraged to obtain better reverse engineering tools.…”

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

Jackdaw: Towards Automatic Reverse Engineering of Large Datasets of Binaries

Polino

Scorti

Maggi

et al. 2015

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

When analyzing an untrusted binary, reverse engineers usually rely on ad-hoc collections of interesting dynamic patterns-known as behaviors in the malware-analysis community-and static patterns-known as signatures in the antivirus community. Such patterns are often part of the skill set of the analyst, sometimes implemented in manually-created post-processing scripts. It would be desirable to be able to automatically find such behaviors, present them to analysts, and create a systematic catalog of matching rules and relevant implementations. We propose JACKDAW, a system that finds interesting dynamic patterns, and ranks them to unveil potentially interesting behaviors. Then, it annotates them with static information, capturing the distinct implementations of each across different malware families. Finally, JACKDAW associates semantic information to the behaviors, so as to create a descriptive summary that helps the analysts in querying the catalog of behaviors by type. To do this, it leverages the dynamic information and an indexed Web-based knowledge databases. We implement and demonstrate JACKDAW on the Win32 API (even if the technique can be generalized to any OS). On a dataset of 2,136 distinct binaries, including both malicious and benign libraries and executables, we compared the behaviors extracted automatically against a ground truth of 44 behaviors created manually by expert analysts. JACKDAW found 77.3% of them and was able to exclude spurious behaviors in 99.6% cases. We also discovered 466 novel behaviors, among which manual exploration and review by expert reverse engineers revealed interesting findings and confirmed the correctness of the semantic tagging.

show abstract

Section: Database Of Behaviorsmentioning

confidence: 99%

Section: Step 3: Behavior Extractionmentioning

confidence: 99%

Section: Step 3: Behavior Extractionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Jackdaw: Towards Automatic Reverse Engineering of Large Datasets of Binaries

Polino

Scorti

Maggi

et al. 2015

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

show abstract

“…In [35], Kolbitsch et al proposed a multipath execution scheme for Java-script-based malware. Other research [29,46] proposed techniques to enforce execution of different malware functionalities.…”

Section: Related Workmentioning

confidence: 99%

GoldenEye: Efficiently and Effectively Unveiling Malware’s Targeted Environment

Zhang

et al. 2014

Research in Attacks, Intrusions and Defenses

View full text Add to dashboard Cite

Abstract. A critical challenge when combating malware threat is how to efficiently and effectively identify the targeted victim's environment, given an unknown malware sample. Unfortunately, existing malware analysis techniques either use a limited, fixed set of analysis environments (not effective) or employ expensive, time-consuming multi-path exploration (not efficient), making them not well-suited to solve this challenge. As such, this paper proposes a new dynamic analysis scheme to deal with this problem by applying the concept of speculative execution in this new context. Specifically, by providing multiple dynamically created, parallel, and virtual environment spaces, we speculatively execute a malware sample and adaptively switch to the right environment during the analysis. Interestingly, while our approach appears to trade space for speed, we show that it can actually use less memory space and achieve much higher speed than existing schemes. We have implemented a prototype system, GOLDENEYE, and evaluated it with a large real-world malware dataset. The experimental results show that GOLDENEYE outperforms existing solutions and can effectively and efficiently expose malware's targeted environment, thereby speeding up the analysis in the critical battle against the emerging targeted malware threat.

show abstract

Privacy theft malware multi-process collaboration analysis

Fan

Wang

Cheng

et al. 2013

Security Comm. Networks

View full text Add to dashboard Cite

Privacy theft malware has become a serious and challenging problem to cyber security. Previous methods are of different categories: one focuses on the outbound network traffic and the other one dives into the inside information flow of the program. We incorporate dynamic behavior analysis with network traffic analysis and present an abstract model called Privacy Petri Net (PPN), which is more applicable to various kinds of malware and more understandable to users. In consideration of the multi‐process technique adopted by new malware, we also model the collaborative behaviors between different malicious functionality modules with PPN. We apply our approach to real‐world malware, and the experiment result shows that our approach can effectively find categories, content, source, and destination of the privacy theft behavior of the malware sample. Copyright © 2013 John Wiley & Sons, Ltd.

show abstract

Identifying Dormant Functionality in Malware Programs

Cited by 83 publications

References 32 publications

Jackdaw: Towards Automatic Reverse Engineering of Large Datasets of Binaries

Jackdaw: Towards Automatic Reverse Engineering of Large Datasets of Binaries

GoldenEye: Efficiently and Effectively Unveiling Malware’s Targeted Environment

Privacy theft malware multi-process collaboration analysis

Contact Info

Product

Resources

About