Abstract
Malware analysis is the process of determining the purpose and functionality of a given malware sample (such as a virus, worm, or Trojan horse). It is a necessary step for developing effective detection techniques for malicious code, and an important prerequisite for building removal tools that can thoroughly delete malware from an infected machine. Traditionally, malware analysis has been a manual process that is tedious and time-intensive. Unfortunately, the number of samples that security vendors must analyze every day is constantly increasing, which clearly shows the need for tools that automate and simplify parts of the analysis process. In this paper, we present TTAnalyze, a tool for dynamically analyzing the behavior of Windows executables. The binary is run in an emulated operating system environment and its (security-relevant) actions are monitored; in particular, we record the Windows native system calls and Windows API functions that the program invokes. One important feature of our system is that it does not modify the program it executes (e.g., through API call hooking or breakpoints), which makes the analysis harder for malicious code to detect. Also, our tool runs binaries in an unmodified Windows environment, which leads to excellent emulation accuracy. These factors make TTAnalyze an ideal tool for quickly understanding the behavior of an unknown malware sample.
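The abstract's key design point is that the monitored program is never patched: an in-guest hook (a JMP written over an API's first bytes) or a software breakpoint (an INT3 byte) is visible to a sample that checksums its own imports, whereas an observer sitting in the emulator can see the same API and system-call activity without writing to guest memory. The toy model below is an added illustration of that contrast, not code from the paper or from TTAnalyze; the paper's abstract does not say how TTAnalyze recognizes an API call, so the mechanism shown here (comparing the guest instruction pointer against export entry addresses and decoding `sysenter` by the value in EAX) is an assumption for the example. All addresses, API names, system-call numbers and the sample's execution trace are constructed.

```python
"""Toy contrast: in-guest API hooking vs. emulator-side call monitoring.

Added example; not code from TTAnalyze. Guest memory is a dict of
address -> byte, and the sample's execution is a constructed list of steps.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed export table of a fake kernel32.dll: entry address -> API name.
EXPORTS: Dict[int, str] = {
    0x7C801A24: "CreateFileA",
    0x7C810E27: "WriteFile",
    0x7C809AE1: "VirtualAlloc",
}
# Hot-patchable prologue used by XP-era Windows APIs:
# mov edi,edi ; push ebp ; mov ebp,esp
PROLOGUE = bytes.fromhex("8BFF558BEC")
# Constructed native system-call numbers (EAX at sysenter) -> service name.
SYSCALLS: Dict[int, str] = {0x25: "NtCreateFile", 0x112: "NtWriteFile",
                            0x11: "NtAllocateVirtualMemory"}


def fresh_memory() -> Dict[int, int]:
    """Guest memory with the pristine prologue at every export entry."""
    mem: Dict[int, int] = {}
    for addr in EXPORTS:
        for i, b in enumerate(PROLOGUE):
            mem[addr + i] = b
    return mem


def install_inline_hook(mem: Dict[int, int], addr: int, trampoline: int) -> None:
    """In-guest hooking (Detours style): overwrite the first 5 bytes with JMP rel32."""
    rel = (trampoline - (addr + 5)) & 0xFFFFFFFF
    patch = b"\xe9" + rel.to_bytes(4, "little")
    for i, b in enumerate(patch):
        mem[addr + i] = b  # this write is what a self-checking sample notices


def prologue_digest(mem: Dict[int, int], addrs) -> str:
    """Hash of the first bytes of every listed API, as a sample might compute."""
    h = hashlib.sha256()
    for a in sorted(addrs):
        h.update(bytes(mem[a + i] for i in range(len(PROLOGUE))))
    return h.hexdigest()


def sample_self_check(mem: Dict[int, int], baseline: str) -> bool:
    """Anti-analysis check: the sample refuses to run if its imports were patched."""
    return prologue_digest(mem, EXPORTS) == baseline


@dataclass
class Step:
    eip: int          # guest instruction pointer at this step
    mnemonic: str     # instruction being executed
    eax: int = 0      # EAX register, meaningful at sysenter


def sample_trace() -> List[Step]:
    """Constructed execution trace of a hypothetical dropper."""
    return [
        Step(0x00401000, "push"),
        Step(0x7C801A24, "mov"),                  # enters CreateFileA
        Step(0x7C801A30, "call"),
        Step(0x7C90E4F0, "sysenter", eax=0x25),   # NtCreateFile stub in ntdll
        Step(0x00401020, "push"),
        Step(0x7C810E27, "mov"),                  # enters WriteFile
        Step(0x7C90E4F0, "sysenter", eax=0x112),  # NtWriteFile
        Step(0x00401040, "ret"),
    ]


def monitor(trace: List[Step]) -> List[Tuple[str, str]]:
    """Emulator-side observer: log API entries and system calls by inspecting
    EIP and EAX at each step. Guest memory is never read for patching or written."""
    log: List[Tuple[str, str]] = []
    for s in trace:
        if s.eip in EXPORTS:
            log.append(("api", EXPORTS[s.eip]))
        elif s.mnemonic == "sysenter":
            log.append(("syscall", SYSCALLS.get(s.eax, f"unknown_{s.eax:#x}")))
    return log


def compare_approaches() -> Tuple[bool, bool, List[Tuple[str, str]]]:
    """Returns (self-check passes under hooking, self-check passes under
    emulator monitoring, the emulator's call log)."""
    baseline = prologue_digest(fresh_memory(), EXPORTS)
    hooked = fresh_memory()
    for addr in EXPORTS:
        install_inline_hook(hooked, addr, 0x10001000)  # hypothetical trampoline
    hooked_ok = sample_self_check(hooked, baseline)
    untouched = fresh_memory()
    log = monitor(sample_trace())
    emu_ok = sample_self_check(untouched, baseline)
    return hooked_ok, emu_ok, log


if __name__ == "__main__":
    print(compare_approaches())
```

The hooked guest fails the sample's own integrity check, so a cautious sample would stop before showing any behavior; the emulator-side monitor leaves the prologue bytes intact and still recovers the API and native-call sequence. What this does not address is detection of the emulator itself (timing differences, CPU quirks), which is a separate evasion channel.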
Bayer, U., Moser, A., Kruegel, C. et al. Dynamic Analysis of Malicious Code. J Comput Virol 2, 67–77 (2006). https://doi.org/10.1007/s11416-006-0012-2