Monitoring malware behavior in 64-bit Windows NT 6.x operating systems

  • Marcus Botacin UNICAMP
  • Vitor Afonso UNICAMP
  • Paulo Lício de Geus UNICAMP
  • André Grégio UNICAMP / CTI

Abstract

Malware is a persistent threat to system security that constantly evolves to evade detection and dynamic analysis techniques. Currently, no known dynamic analysis system (publicly available or described in the literature) supports 64-bit malware (PE+ format). Monitoring malware on Windows NT 6.x is difficult because of the new security mechanisms introduced in these systems, which make building or porting an actual analysis system/tool expensive. In this paper, we present the design and implementation of a novel malware dynamic analysis system for Windows 8, as well as the obstacles and challenges we faced. We present the tests and results of the proposed system, evaluated with 2,937 32- and 64-bit malware samples.

Published: 2014-11-03

BOTACIN, Marcus; AFONSO, Vitor; GEUS, Paulo Lício de; GRÉGIO, André. Monitoração de comportamento de malware em sistemas operacionais Windows NT 6.x de 64 bits. In: BRAZILIAN SYMPOSIUM ON CYBERSECURITY (SBSEG), 14., 2014, Belo Horizonte. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2014. p. 195-208. DOI: https://doi.org/10.5753/sbseg.2014.20131.
