
Dynamic Analysis of Malicious Code

  • Original Paper, Journal in Computer Virology

Abstract

Malware analysis is the process of determining the purpose and functionality of a given malware sample (such as a virus, worm, or Trojan horse). This process is a necessary step to be able to develop effective detection techniques for malicious code. In addition, it is an important prerequisite for the development of removal tools that can thoroughly delete malware from an infected machine. Traditionally, malware analysis has been a manual process that is tedious and time-intensive. Unfortunately, the number of samples that need to be analyzed by security vendors on a daily basis is constantly increasing. This clearly reveals the need for tools that automate and simplify parts of the analysis process. In this paper, we present TTAnalyze, a tool for dynamically analyzing the behavior of Windows executables. To this end, the binary is run in an emulated operating system environment and its (security-relevant) actions are monitored. In particular, we record the Windows native system calls and Windows API functions that the program invokes. One important feature of our system is that it does not modify the program that it executes (e.g., through API call hooking or breakpoints), making it more difficult to detect by malicious code. Also, our tool runs binaries in an unmodified Windows environment, which leads to excellent emulation accuracy. These factors make TTAnalyze an ideal tool for quickly understanding the behavior of an unknown malware.
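The abstract describes recording the native system calls and Windows API functions a sample invokes and then judging which of them are security-relevant. The script below is an added illustration of that second step, not code from the paper or from TTAnalyze: it consumes a small constructed trace (in a made-up line format, `<NATIVE|API> <function> key=value ...`, that is an assumption of this example rather than TTAnalyze's report format) and turns raw calls into a behavioral summary of the kind an analyst wants to read, flagging writes into the system directory, Run-key persistence, cross-process memory writes, outbound connections and process creation.

```python
import re
from dataclasses import dataclass, field

# Constructed trace in the line format assumed for this example.
# A dropped driver, a Run-key entry, a write into another process,
# an IRC-port connection and a spawned shell; one benign read for contrast.
SAMPLE_TRACE = """\
API CreateFileW path="C:\\Windows\\System32\\drivers\\kbdupd.sys" access=GENERIC_WRITE
NATIVE NtWriteFile handle=0x1c
API RegSetValueExW key="HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" value="kbdupd"
API CreateFileW path="C:\\Users\\victim\\Documents\\notes.txt" access=GENERIC_READ
NATIVE NtOpenProcess pid=1234
NATIVE NtWriteVirtualMemory pid=1234 size=4096
API connect host="203.0.113.10" port=6667
API CreateProcessW image="C:\\Windows\\System32\\cmd.exe"
"""

LINE_RE = re.compile(r'^(NATIVE|API)\s+(\w+)\s*(.*)$')
ARG_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key="quoted" or key=bare

SYSTEM_DIR = "c:\\windows\\"          # prefix comparison is done case-insensitively
RUN_KEY_SUFFIX = "\\currentversion\\run"


@dataclass
class Report:
    counts: dict = field(default_factory=lambda: {"NATIVE": 0, "API": 0})
    findings: list = field(default_factory=list)   # (tag, human-readable detail)


def parse_line(line):
    """Split one trace line into (kind, function, {arg: value}); None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kind, func, rest = m.groups()
    args = {k: quoted or bare for k, quoted, bare in ARG_RE.findall(rest)}
    return kind, func, args


def classify(func, args, findings):
    """Map a single call to a behavioral finding, if it is security-relevant."""
    path = args.get("path", "").lower()
    if func == "CreateFileW" and path.startswith(SYSTEM_DIR) and "WRITE" in args.get("access", ""):
        findings.append(("system_file_write", f"writes {args['path']}"))
    elif func == "RegSetValueExW" and args.get("key", "").lower().endswith(RUN_KEY_SUFFIX):
        findings.append(("run_key_persistence", f"sets Run value {args.get('value')}"))
    elif func == "NtWriteVirtualMemory" and "pid" in args:
        findings.append(("remote_memory_write",
                         f"writes {args.get('size')} bytes into pid {args['pid']}"))
    elif func in ("connect", "WSAConnect"):
        findings.append(("network_connect", f"connects to {args.get('host')}:{args.get('port')}"))
    elif func == "CreateProcessW":
        findings.append(("process_spawn", f"spawns {args.get('image')}"))


def analyze(trace_text):
    """Build a Report from a whole trace: per-kind call counts plus findings."""
    report = Report()
    for line in trace_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        kind, func, args = parsed
        report.counts[kind] += 1
        classify(func, args, report.findings)
    return report


def finding_tags(report):
    """Just the tags, in trace order, for quick comparison."""
    return [tag for tag, _ in report.findings]


if __name__ == "__main__":
    rep = analyze(SAMPLE_TRACE)
    print("calls:", rep.counts)
    for tag, detail in rep.findings:
        print(f"[{tag}] {detail}")
```

The rules are deliberately narrow and keyed on the exact function names in the constructed trace; a real analyzer would normalise native and Win32-level calls onto one event model so that, for instance, `NtCreateFile` and `CreateFileW` feed the same file-write rule.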



Corresponding author

Correspondence to Ulrich Bayer.

Cite this article

Bayer, U., Moser, A., Kruegel, C. et al. Dynamic Analysis of Malicious Code. J Comput Virol 2, 67–77 (2006). https://doi.org/10.1007/s11416-006-0012-2
