Análise Comportamental de Código Malicioso Através da Monitoração de Chamadas de Sistema e Tráfego de Rede

  • Dario S. Fernandes Filho UNICAMP / CTI
  • André R. A. Grégio UNICAMP / CTI
  • Vitor M. Afonso UNICAMP / CTI
  • Rafael D. C. Santos INPE
  • Mário Jino UNICAMP
  • Paulo L. de Geus UNICAMP

Abstract

Malicious code (malware) spread through the Internet, such as viruses, worms and trojans, is a major threat to information security today and a profitable business for criminals. Several approaches analyze malware by monitoring its actions while it runs in a controlled environment, which helps to identify malicious behaviors. In this article we propose a tool that analyzes malware behavior in a non-intrusive and effective way: it extends the analysis to cover malware samples that evade current approaches and corrects some of the shortcomings of those approaches, filling a gap in the field.

Published: 2010-10-11

FERNANDES FILHO, Dario S.; GRÉGIO, André R. A.; AFONSO, Vitor M.; SANTOS, Rafael D. C.; JINO, Mário; GEUS, Paulo L. de. Análise Comportamental de Código Malicioso Através da Monitoração de Chamadas de Sistema e Tráfego de Rede. In: BRAZILIAN SYMPOSIUM ON CYBERSECURITY (SBSEG), 10., 2010, Fortaleza. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2010. p. 311-324. DOI: https://doi.org/10.5753/sbseg.2010.20596.