Toward Automated Dynamic Malware Analysis Using CWSandbox

Willems, Carsten; Holz, Thorsten; Freiling, Felix C.

doi:10.1109/msp.2007.45

Cited by 605 publications

(314 citation statements)

References 3 publications

Supporting

Mentioning

282

Contrasting

Unclassified

Order By: Relevance

“…In-host solutions include DiskMon [24], part of the Sysinternals tools, and CWSandbox [28]; both provide disk access instrumentation capabilities for Windows systems. Similarly, Janus [11], DTrace [5], and Systrace [23] provide in-host instrumentation for Unix-based systems through system call interposition, also providing the ability to instrument disk accesses.…”

Section: Related Workmentioning

confidence: 99%

Dione: A Flexible Disk Monitoring and Analysis Framework

Mankin

Kaeli

2012

Research in Attacks, Intrusions, and Defenses

View full text Add to dashboard Cite

Abstract. The proliferation of malware in recent years has motivated the need for tools to detect, analyze, and understand intrusions. Though analysis and detection can be difficult, malware fortunately leaves artifacts of its presence on disk. In this paper, we present Dione, a flexible policy-based disk I/O monitoring and analysis infrastructure that can be used to analyze and understand malware behavior. Dione interposes between a system-under-analysis and its hard disk, intercepting disk accesses and reconstructing a high-level semantic view of the disk and all operations on it. Since Dione resides outside the host it is analyzing, it is resilient to attacks and misdirections by malware that attempts to mislead or hide from analyzers. By performing on-the-fly reconstruction of every operation, Dione maintains a ground truth of the state of the file system which is always up-to-date-even as new files are created, deleted, moved, or altered.Dione is the first disk monitoring infrastructure to provide rich, upto-date, low-level monitoring and analysis for NTFS: the notoriously complex, closed-source file system used by modern Microsoft Windows computing systems. By comparing a snapshot obtained by Dione's liveupdating capability to a static disk scan, we demonstrate that Dione provides 100% accuracy in reconstructing file system operations. Despite this powerful instrumentation capability, Dione has a minimal effect on the performance of the system. For most tests, Dione results in a performance overhead of less than 10%-in many cases less than 3%-even when processing complex sequences of file system operations.

show abstract

Section: Related Workmentioning

confidence: 99%

Dione: A Flexible Disk Monitoring and Analysis Framework

Mankin

Kaeli

2012

Research in Attacks, Intrusions, and Defenses

View full text Add to dashboard Cite

show abstract

“…CWSandbox [36] uses hooking to log the invocations of Windows API function. Similarly, Anubis [1] performs its analysis via virtual machine introspection [13] on an application that is executed in an emulated machine.…”

Section: Related Workmentioning

confidence: 99%

Defending Browsers against Drive-by Downloads: Mitigating Heap-Spraying Code Injection Attacks

Egele¹,

Wurzinger²,

Kruegel

et al. 2009

Lecture Notes in Computer Science

118

View full text Add to dashboard Cite

Abstract. Drive-by download attacks are among the most common methods for spreading malware today. These attacks typically exploit memory corruption vulnerabilities in web browsers and browser plug-ins to execute shellcode, and in consequence, gain control of a victim's computer. Compromised machines are then used to carry out various malicious activities, such as joining botnets, sending spam emails, or participating in distributed denial of service attacks. To counter drive-by downloads, we propose a technique that relies on x86 instruction emulation to identify JavaScript string buffers that contain shellcode. Our detection is integrated into the browser, and performed before control is transfered to the shellcode, thus, effectively thwarting the attack. The solution maintains fair performance by avoiding unnecessary invocations of the emulator, while ensuring that every buffer with potential shellcode is checked. We have implemented a prototype of our system, and evaluated it over thousands of malicious and legitimate web sites. Our results demonstrate that the system performs accurate detection with no false positives.

show abstract

“…These features characterize the obfuscation techniques frequently used in malicious PDF. The combination of static and runtime features will be more effective and robust than existing methods, which are either fully static [5] [4] [6] or fully dynamic [9] [13]. A more thorough comparison between our method and others is presented in Table I.…”

Section: Introductionmentioning

confidence: 99%

“…This method, to the best of our knowledge, has never been explored before for PDF malware detection and confinement. For each PDF Javascript snippet, we include a prologue and epilogue to inform our runtime detector for the entry to and exit from [6] No Yes No Yes Extract-and-Emulate [9] Neutral No Yes No Lexical Analysis of Javascript [7] Neutral Yes No Yes Adobe Sandboxing [12] Neutral Yes No Yes CWSandbox [13] Neutral Javascript context. The advantage of using static document instrumentation over the other two alternatives lies in three aspects.…”

Section: Introductionmentioning

confidence: 99%

Detecting Malicious Javascript in PDF through Document Instrumentation

Liu

Wang

Stavrou

2014

2014 44th Annual IEEE/IFIP International Conference on Dependable Systems and Networks

View full text Add to dashboard Cite

Abstract-An emerging threat vector, embedded malware inside popular document formats, has become rampant since 2008. Owed to its wide-spread use and Javascript support, PDF has been the primary vehicle for delivering embedded exploits. Unfortunately, existing defenses are limited in effectiveness, vulnerable to evasion, or computationally expensive to be employed as an on-line protection system. In this paper, we propose a context-aware approach for detection and confinement of malicious Javascript in PDF. Our approach statically extracts a set of static features and inserts context monitoring code into a document. When an instrumented document is opened, the context monitoring code inside will cooperate with our runtime monitor to detect potential infection attempts in the context of Javascript execution. Thus, our detector can identify malicious documents by using both static and runtime features. To validate the effectiveness of our approach in a realworld setting, we first conduct a security analysis, showing that our system is able to remain effective in detection and be robust against evasion attempts even in the presence of sophisticated adversaries. We implement a prototype of the proposed system, and perform extensive experiments using 18623 benign PDF samples and 7370 malicious samples. Our evaluation results demonstrate that our approach can accurately detect and confine malicious Javascript in PDF with minor performance overhead.

show abstract

Toward Automated Dynamic Malware Analysis Using CWSandbox

Cited by 605 publications

References 3 publications

Dione: A Flexible Disk Monitoring and Analysis Framework

Dione: A Flexible Disk Monitoring and Analysis Framework

Defending Browsers against Drive-by Downloads: Mitigating Heap-Spraying Code Injection Attacks

Detecting Malicious Javascript in PDF through Document Instrumentation

Contact Info

Product

Resources

About