A Framework for Recognition and Confronting of Obfuscated Malwares Based on Memory Dumping and Filter Drivers

Published in: Wireless Personal Communications

Abstract

In this paper, the obfuscation techniques used by current malware are presented and compared. IAT smashing, string encryption and dynamic programming are explained as the static methods; hooking at the user and kernel levels of the OS by means of DLL injection, modification of SSDT and IDT entries, IRP filtering, and processor emulation are the dynamic methods. The paper then proposes an approach for passing through these obfuscation techniques so that the malware's behavior can be analyzed. The methods of the proposed approach are detecting the time at which the malware is present at the user and kernel levels of the OS, dumping the malware's executable memory at the correct moment, and precise hook installation. The main purpose of the paper is to establish an efficient platform for analyzing the behavior of, and detecting, novel malware that uses metamorphic engines, packers and protectors to obfuscate and transform itself. Finally, the paper uses a dataset containing various kinds of obfuscated and metamorphic malware to validate the methods experimentally. The experiments show that the proposed methods can counter most malware obfuscation techniques. The evaluation measured the success rate of unpacking obfuscated malware and shows an 85% success rate in detecting kernel-level malware.
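The central step of the abstract, dumping the executable's memory at the correct time, yields an image whose section headers still describe the on-disk layout of the packed file, so the dump is neither loadable nor directly scannable as a PE. The following is an added example, not the authors' tool, of the header fix-up that unpacking-by-dumping relies on: every section's raw pointer and size are set to its RVA and virtual size, FileAlignment is raised to SectionAlignment, and the entry point is redirected to the original entry point (OEP) recorded when the dump was taken. The toy PE32 image, its section layout, the payload marker and the OEP value are all constructed here for illustration.

```python
"""Rebuild a file-layout PE from a memory-layout dump (added example, not the paper's tool)."""
import struct

SECTION_ALIGN = 0x1000   # mapping granularity of the toy sample (one page)
FILE_ALIGN = 0x200       # on-disk alignment of the toy sample
OEP = 0x1000             # original entry point observed when the dump was taken (assumed value)


def _align_up(value, alignment):
    return (value + alignment - 1) & ~(alignment - 1)


def build_toy_memory_dump():
    """Constructed PE32 image as it sits in memory after the unpacking stub has run.

    The headers still carry the packed file's layout (PointerToRawData 0x200/0x400,
    FileAlignment 0x200, entry point on the stub) while the payload has already been
    written into .text at its virtual address.
    """
    e_lfanew = 0x40
    sections = [  # name, RVA, VirtualSize, PointerToRawData, SizeOfRawData, Characteristics
        (b".text", 0x1000, 0x40, 0x200, 0x200, 0x60000020),   # CODE | EXECUTE | READ
        (b".data", 0x2000, 0x20, 0x400, 0x200, 0xC0000040),   # INITIALIZED_DATA | READ | WRITE
    ]
    image = bytearray(0x3000)                                 # SizeOfImage
    image[0:2] = b"MZ"
    struct.pack_into("<I", image, 0x3C, e_lfanew)
    image[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    # COFF header: Machine=i386, NumberOfSections, stamp, symtab, nsyms, SizeOfOptionalHeader, flags
    struct.pack_into("<HHIIIHH", image, e_lfanew + 4, 0x14C, len(sections), 0, 0, 0, 0xE0, 0x0102)
    opt = e_lfanew + 24
    struct.pack_into("<H", image, opt, 0x10B)                 # PE32 magic
    struct.pack_into("<I", image, opt + 16, 0x1030)           # AddressOfEntryPoint -> unpacking stub
    struct.pack_into("<I", image, opt + 28, 0x400000)         # ImageBase
    struct.pack_into("<II", image, opt + 32, SECTION_ALIGN, FILE_ALIGN)
    struct.pack_into("<II", image, opt + 56, len(image), 0x200)  # SizeOfImage, SizeOfHeaders
    struct.pack_into("<H", image, opt + 68, 2)                # Subsystem: Windows GUI
    struct.pack_into("<I", image, opt + 92, 16)               # NumberOfRvaAndSizes
    sect = opt + 0xE0
    for i, (name, va, vsize, rawptr, rawsize, flags) in enumerate(sections):
        struct.pack_into("<8sIIIIIIHHI", image, sect + 40 * i,
                         name, vsize, va, rawsize, rawptr, 0, 0, 0, 0, flags)
    image[0x1000:0x1008] = b"UNPACKED"                        # payload the stub wrote at run time
    image[0x2000:0x2004] = b"DATA"
    return bytes(image)


def parse_headers(pe):
    """Header fields the fix-up needs, plus absolute offsets for patching them in place."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsect = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    entry, = struct.unpack_from("<I", pe, opt + 16)
    sect_align, file_align = struct.unpack_from("<II", pe, opt + 32)
    size_of_image, = struct.unpack_from("<I", pe, opt + 56)
    return {"opt": opt, "sections": opt + opt_size, "nsect": nsect, "entry_point": entry,
            "section_alignment": sect_align, "file_alignment": file_align,
            "size_of_image": size_of_image}


def iter_sections(pe):
    """Yield (header_offset, name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)."""
    h = parse_headers(pe)
    for i in range(h["nsect"]):
        off = h["sections"] + 40 * i
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, off)
        yield off, name.rstrip(b"\0"), vsize, va, rawsize, rawptr


def read_section(pe, name):
    """Read a section the way a file-based scanner or loader does: via PointerToRawData."""
    for _, n, _, _, rawsize, rawptr in iter_sections(pe):
        if n == name:
            return pe[rawptr:rawptr + rawsize]
    raise KeyError(name)


def rebuild_from_dump(dump, oep=None):
    """Turn a memory-layout dump into a self-consistent file-layout PE.

    Raw pointer/size of every section become its RVA/virtual size (rounded up to
    SectionAlignment), FileAlignment is raised to SectionAlignment, and, if the OEP was
    recorded at dump time, AddressOfEntryPoint is pointed at it so analysis starts in
    the unpacked code instead of the now-useless unpacking stub.
    """
    h = parse_headers(dump)
    if len(dump) < h["size_of_image"]:
        raise ValueError("dump is shorter than SizeOfImage: capture is incomplete")
    pe = bytearray(dump)
    sa = h["section_alignment"]
    struct.pack_into("<I", pe, h["opt"] + 36, sa)                 # FileAlignment := SectionAlignment
    if oep is not None:
        struct.pack_into("<I", pe, h["opt"] + 16, oep)
    for off, _, vsize, va, _, _ in iter_sections(dump):
        struct.pack_into("<II", pe, off + 16, _align_up(vsize, sa), va)  # SizeOfRawData, PointerToRawData
    return bytes(pe)


if __name__ == "__main__":
    dump = build_toy_memory_dump()
    print("raw dump, .text via file offsets:", read_section(dump, b".text")[:8])
    fixed = rebuild_from_dump(dump, oep=OEP)
    print("rebuilt,  .text via file offsets:", read_section(fixed, b".text")[:8])
```

Reading `.text` through its file offsets returns zero padding from the raw dump and the unpacked payload from the rebuilt image; the dump must be at least SizeOfImage long, otherwise the capture was taken from an incomplete mapping and the fix-up is refused. Import tables rebuilt by the stub at run time still have to be reconstructed separately, which is why the abstract pairs dumping with hook placement rather than treating it as sufficient on its own.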

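Among the dynamic obfuscation methods the abstract lists, user-level hooking through DLL injection leaves a trace that analysis tooling can check for: the first bytes of a hooked function in process memory differ from the bytes of the same function in the module file. The script below is an added example (not part of the paper) that diffs a prologue against its on-disk copy and classifies the common trampoline encodings (jmp rel32, hot-patch jmp rel8, push/ret, mov/jmp, indirect jmp, int3), recovering the hook target where the encoding makes it explicit. The function name, address and byte strings are constructed sample inputs, and the disk copy is assumed to already have base relocations applied so that relocated bytes are not reported as patches.

```python
"""Spot user-mode inline hooks by diffing a function prologue in memory against its on-disk
copy (added example, not the paper's implementation)."""
import struct


def _rel32_target(va, patch):
    # E9/E8 rel32: destination = address of the next instruction + signed displacement
    return (va + 5 + struct.unpack_from("<i", patch, 1)[0]) & 0xFFFFFFFFFFFFFFFF


def _rel8_target(va, patch):
    # EB rel8: the classic hot-patch hook jumps backwards into the padding before the function
    return (va + 2 + struct.unpack_from("<b", patch, 1)[0]) & 0xFFFFFFFFFFFFFFFF


def _imm32_target(va, patch):
    return struct.unpack_from("<I", patch, 1)[0]


def _imm64_target(va, patch):
    return struct.unpack_from("<Q", patch, 2)[0]


# (kind, leading bytes, trailing bytes, total patch length, target decoder or None)
HOOK_PATTERNS = [
    ("jmp rel32",               b"\xE9",     b"",         5,  _rel32_target),
    ("call rel32",              b"\xE8",     b"",         5,  _rel32_target),
    ("jmp rel8 (hot-patch)",    b"\xEB",     b"",         2,  _rel8_target),
    ("push imm32; ret",         b"\x68",     b"\xC3",     6,  _imm32_target),
    ("mov rax, imm64; jmp rax", b"\x48\xB8", b"\xFF\xE0", 12, _imm64_target),
    ("mov eax, imm32; jmp eax", b"\xB8",     b"\xFF\xE0", 7,  _imm32_target),
    ("jmp [mem32] (indirect)",  b"\xFF\x25", b"",         6,  None),
    ("int3 breakpoint",         b"\xCC",     b"",         1,  None),
]


def classify_patch(va, mem_bytes):
    """Match the in-memory prologue against known trampoline encodings."""
    for kind, head, tail, length, decode in HOOK_PATTERNS:
        patch = mem_bytes[:length]
        if len(patch) == length and patch.startswith(head) and patch.endswith(tail):
            return kind, (decode(va, patch) if decode else None)
    return "unknown patch", None


def detect_inline_hook(name, va, disk_bytes, mem_bytes):
    """Compare the prologue read from the module file with the one read from the process.

    disk_bytes must already have base relocations applied (a relocated absolute address in
    the prologue would otherwise be reported as a hook). va is the function's address in
    the process and is needed to resolve relative jumps.
    """
    n = min(len(disk_bytes), len(mem_bytes))
    diffs = [i for i in range(n) if disk_bytes[i] != mem_bytes[i]]
    if not diffs:
        return {"function": name, "hooked": False}
    kind, target = classify_patch(va, mem_bytes)
    return {"function": name, "hooked": True, "first_diff_offset": diffs[0],
            "kind": kind, "target": target,
            "patched_bytes": mem_bytes[:diffs[-1] + 1].hex()}


# Constructed sample inputs (not captured from a real process):
FUNC_VA = 0x77E10000                                   # assumed address of the function in the process
CLEAN_PROLOGUE = bytes.fromhex("8BFF558BEC83EC10")     # mov edi,edi; push ebp; mov ebp,esp; sub esp,0x10
HOOKED_JMP_REL32 = bytes.fromhex("E9FB0F1D0883EC10")   # jmp 0x7FFE1000 overwrote the first 5 bytes
HOOKED_HOTPATCH = bytes.fromhex("EBF9558BEC83EC10")    # mov edi,edi replaced by jmp -7 (into padding)
HOOKED_PUSH_RET = bytes.fromhex("6800100E7FC3EC10")    # push 0x7F0E1000; ret

if __name__ == "__main__":
    for label, mem in [("clean", CLEAN_PROLOGUE), ("jmp", HOOKED_JMP_REL32),
                       ("hotpatch", HOOKED_HOTPATCH), ("pushret", HOOKED_PUSH_RET)]:
        print(label, detect_inline_hook("MessageBoxW", FUNC_VA, CLEAN_PROLOGUE, mem))
```

The same comparison is what a defender's own "precise hook installing" has to survive: a hook the analysis framework places is indistinguishable in form from one the malware places, so a sample that runs this check against itself can detect the sandbox. An indirect `jmp [mem32]` is reported without a target because resolving it requires reading the pointer slot from the process, which this offline example does not do.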



Notes

  1. Dalvik Executable.

  2. Portable Executable.

  3. Import Address Table.

  4. Export Address Table.

  5. Common Language Runtime.

  6. System Service Descriptor Table.

  7. I/O Request Packet.

  8. Interrupt Descriptor Table.

  9. Kernel Patch Protection.

  10. Callback Functions.

  11. Callout Functions.

  12. Windows Filtering Platform.


Corresponding author

Correspondence to Mehdi Hosseinzadeh.


Cite this article

Javaheri, D., Hosseinzadeh, M. A Framework for Recognition and Confronting of Obfuscated Malwares Based on Memory Dumping and Filter Drivers. Wireless Pers Commun 98, 119–137 (2018). https://doi.org/10.1007/s11277-017-4859-y

