
Portable Dynamic Malware Analysis with an Improved Scalability and Automatisation

  • Conference paper
  • Proceedings of the 10th International Conference on Computer Recognition Systems CORES 2017 (CORES 2017)
  • Part of the book series: Advances in Intelligent Systems and Computing (AISC, volume 578)

Abstract

Malware is deployed ubiquitously to steal safety- or liability-critical information and to damage the compromised systems. In this paper, we present a portable, scalable and transparent system for the dynamic analysis of malware targeting Windows OS. Portability is achieved by introducing a driver that collects the behavioural activities of analysed samples at a low kernel level, so that detection of new malware on the latest version of Windows OS is guaranteed without waiting for a signature update. A large volume and variety of malicious behaviour is monitored and analysed by the presented virtual, scalable and automated system deployment. The end-to-end design is presented, and functional tests of the portability feature are conducted by compiling the developed kernel driver component on the analysis machine. Evaluation is performed using recently captured malware samples that are automatically analysed and detected on Windows 8 Ultimate 64-bit and Windows 10 OS.



Acknowledgements

The authors gratefully acknowledge the support of Galatasaray University, scientific research support program under grant #16.401.004.

Author information

Corresponding author: Tankut Acarman

Copyright information

© 2018 Springer International Publishing AG

About this paper

Cite this paper

Pektaş, A., Acarman, T. (2018). Portable Dynamic Malware Analysis with an Improved Scalability and Automatisation. In: Kurzynski, M., Wozniak, M., Burduk, R. (eds) Proceedings of the 10th International Conference on Computer Recognition Systems CORES 2017. CORES 2017. Advances in Intelligent Systems and Computing, vol 578. Springer, Cham. https://doi.org/10.1007/978-3-319-59162-9_22

  • DOI: https://doi.org/10.1007/978-3-319-59162-9_22
  • Publisher Name: Springer, Cham
  • Print ISBN: 978-3-319-59161-2
  • Online ISBN: 978-3-319-59162-9
  • eBook Packages: Engineering (R0)