Abstract
API (Application Programming Interface) monitoring is an effective approach for quickly understanding the behavior of malware, and it serves as the base of many malware countermeasures. However, malware authors are aware of this and now build malware with anti-analysis techniques designed to evade API monitoring. In this paper, we present the design and implementation of an API monitoring system, API Chaser, which is resistant to evasion-type anti-analysis techniques such as stolen code and code injection. We evaluated API Chaser against several real-world malware samples; the results show that API Chaser correctly captures the API calls invoked by the malware without being evaded.
© 2013 Springer-Verlag Berlin Heidelberg
Cite this paper
Kawakoya, Y., Iwamura, M., Shioji, E., Hariu, T. (2013). API Chaser: Anti-analysis Resistant Malware Analyzer. In: Stolfo, S.J., Stavrou, A., Wright, C.V. (eds) Research in Attacks, Intrusions, and Defenses. RAID 2013. Lecture Notes in Computer Science, vol 8145. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-41284-4_7
DOI: https://doi.org/10.1007/978-3-642-41284-4_7
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-41283-7
Online ISBN: 978-3-642-41284-4
eBook Packages: Computer Science (R0)