
Malware Message Classification by Dynamic Analysis

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 8930)

Abstract

New malware appears every day, which demands a strong response from anti-malware forces. To that end, new samples must be analyzed. Usually, one tries to replay the behavior of the malware in a safe environment. However, some samples activate a malicious function only if they receive particular inputs from their command and control server. The problem is then to get some grasp on the interactions between the malware and its environment. To that end, we propose to work in four steps. First, we enumerate all possible execution paths following the reception of a message. Second, we describe, for each execution path, the set of corresponding messages. Third, we build an automaton that discriminates types of runs given an arbitrary word. Finally, we unify some equivalent runs and simplify the underlying automaton.
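The four steps above, as an added Python example that is not code from the paper: a constructed stand-in for a bot's command dispatch is explored by forking on each byte predicate it tests (steps 1 and 2), the resulting path conditions are compiled into a deterministic automaton over the compared-against byte values plus an "any other byte" symbol (step 3), and runs with the same observable behavior are unified before the automaton is minimised (step 4). The handler, its opcodes, the run-type names and the restriction to equality tests on single message bytes are all assumptions of this example, not details taken from the paper.

```python
"""Toy version of the four steps in the abstract on a constructed message handler: enumerate the
paths a message can trigger, record the byte predicates selecting each one, build an automaton
that names the run type of any word, then unify same-behaviour runs and minimise it."""
from dataclasses import dataclass

OTHER = -1  # abstract symbol: any byte value the handler never compares against

class Fork(Exception):
    """Raised when the handler tests an (index, value) predicate the current path has not decided."""

class SymMsg:
    """A message known only through the predicates recorded on the current path."""
    def __init__(self, decisions):
        self.decisions = decisions                # {(byte index, value): bool}
    def is_byte(self, index, value):
        if (index, value) in self.decisions:
            return self.decisions[(index, value)]
        if any(i == index and t for (i, _), t in self.decisions.items()):
            return False                          # byte already fixed to a different value
        raise Fork((index, value))

def handler(msg):
    """Constructed stand-in for a bot's command dispatch; the return value is the run type."""
    if not msg.is_byte(0, 0x01):
        return "ignore"                           # wrong magic byte: message dropped
    if msg.is_byte(1, 0x10):
        return "sleep"
    if msg.is_byte(1, 0x20):
        msg.is_byte(2, 0xFF)                      # flag read here but with no observable effect
        return "update"
    if msg.is_byte(1, 0x30):
        return "exfil"
    return "ignore"                               # unknown opcode

def enumerate_paths(entry):
    """Steps 1 and 2: explore every path through `entry`; returns (path condition, run type) pairs."""
    paths, work = [], [{}]
    while work:
        decisions = work.pop()
        try:
            label = entry(SymMsg(decisions))
        except Fork as f:                         # split the path on the undecided predicate
            work += [{**decisions, f.args[0]: truth} for truth in (True, False)]
            continue
        paths.append((decisions, label))
    return paths

@dataclass
class DFA:
    alphabet: list        # compared-against byte values plus OTHER
    start: object
    trans: dict           # undecided state -> {symbol -> next state}
    accept: dict          # decided state -> run type

def satisfied(decisions, index, symbol):
    """Does reading `symbol` at `index` agree with every predicate the path recorded there?"""
    return all((symbol == v) == t for (i, v), t in decisions.items() if i == index)

def build_automaton(paths, unify=False):
    """Step 3: states are (position, surviving paths). With unify=True (step 4a) a state is
    decided as soon as the surviving paths share one run type, not only when one path is left."""
    alphabet = sorted({v for cond, _ in paths for (_, v) in cond}) + [OTHER]
    start = (0, frozenset(range(len(paths))))
    trans, accept, todo = {}, {}, [start]
    while todo:
        state = todo.pop()
        if state in trans or state in accept:
            continue
        pos, alive = state
        labels = {paths[p][1] for p in alive}
        # strict: no surviving path reads a byte at or beyond pos; unify: one run type left
        decided = len(labels) == 1 if unify else all(i < pos for p in alive for (i, _) in paths[p][0])
        if decided:
            (accept[state],) = labels             # strict mode leaves one path, hence one label
            continue
        trans[state] = {}
        for sym in alphabet:
            nxt = (pos + 1, frozenset(p for p in alive if satisfied(paths[p][0], pos, sym)))
            trans[state][sym] = nxt
            todo.append(nxt)
    return DFA(alphabet, start, trans, accept)

def classify(dfa, message):
    """Read a concrete message; None means it ended before the run type was fixed."""
    state = dfa.start
    for b in message:
        if state in dfa.accept:
            break
        state = dfa.trans[state][b if b in dfa.alphabet else OTHER]
    return dfa.accept.get(state)

def minimize(dfa):
    """Step 4b: merge states that no future message can tell apart (Moore refinement)."""
    states = list(dfa.trans) + list(dfa.accept)
    block, n = {s: dfa.accept.get(s) for s in states}, 0        # first split: by run type
    while True:
        sig = {s: (block[s], tuple(block[dfa.trans[s][a]] for a in dfa.alphabet) if s in dfa.trans else ())
               for s in states}
        ids = {v: k for k, v in enumerate(sorted(set(sig.values()), key=repr))}
        block = {s: ids[sig[s]] for s in states}
        if len(ids) == n:
            break
        n = len(ids)
    trans = {block[s]: {a: block[t] for a, t in row.items()} for s, row in dfa.trans.items()}
    accept = {block[s]: lab for s, lab in dfa.accept.items()}
    return DFA(dfa.alphabet, block[dfa.start], trans, accept)
```

On this handler the exploration finds six paths, two of which end in the same "update" behavior and two in "ignore". The strict automaton has nine states and answers `None` for the two-byte message `01 20`, since the handler would still read a third byte; the unified and minimised automaton (six states) already answers "update" for it, because both surviving paths behave identically. The classifier is deliberately partial: a word too short for any complete run has no run type.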


Notes

  1. But \(\mathtt{eip}\), which is treated apart.
  2. Idem.
  3. Possibly due to a length limit.
  4. This is the set equality up to the equivalence \(\approx\).
  5. Because \(E\) is a partial function, \(E\left( \iota ,m\right)\) does not always exist for any \(m \in \textsc{Bytes}^{*}\).
  6. Namely \(\sim\) is not the equality.


Author information

Correspondence to Guillaume Bonfante.


Copyright information

© 2015 Springer International Publishing Switzerland

About this paper

Cite this paper

Bonfante, G., Marion, JY., Ta, T.D. (2015). Malware Message Classification by Dynamic Analysis. In: Cuppens, F., Garcia-Alfaro, J., Zincir Heywood, N., Fong, P. (eds) Foundations and Practice of Security. FPS 2014. Lecture Notes in Computer Science, vol 8930. Springer, Cham. https://doi.org/10.1007/978-3-319-17040-4_8

  • DOI: https://doi.org/10.1007/978-3-319-17040-4_8

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-17039-8

  • Online ISBN: 978-3-319-17040-4
