A generic binary analysis method for malware. IWSEC'10 Proceedings of the 5th international conference on Advances in information and computer security
Cloaking malware with the trusted platform module. SEC'11 Proceedings of the 20th USENIX conference on Security
Dynamic behavior matching: a complexity analysis and new approximation algorithms. CADE'11 Proceedings of the 23rd international conference on Automated deduction
Linear obfuscation to combat symbolic execution. ESORICS'11 Proceedings of the 16th European conference on Research in computer security
Research challenges towards the Future Internet. Computer Communications
Detecting malware's failover C&C strategies with squeeze. Proceedings of the 27th Annual Computer Security Applications Conference
LISA'11 Proceedings of the 25th international conference on Large Installation System Administration
Static detection of unsafe component loadings. CC'12 Proceedings of the 21st international conference on Compiler Construction
Quantitative analysis for privacy leak software with privacy Petri net. Proceedings of the ACM SIGKDD Workshop on Intelligence and Security Informatics
PeerPress: utilizing enemies' P2P strength against them. Proceedings of the 2012 ACM conference on Computer and communications security
Down to the bare metal: using processor features for binary analysis. Proceedings of the 28th Annual Computer Security Applications Conference
Lines of malicious code: insights into the malicious software industry. Proceedings of the 28th Annual Computer Security Applications Conference
Vetting undesirable behaviors in android apps with permission use analysis. Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security
Extraction of statistically significant malware behaviors. Proceedings of the 29th Annual Computer Security Applications Conference
To handle the growing flood of malware, security vendors and analysts rely on tools that automatically identify and analyze malicious code. Current systems for automated malware analysis typically follow a dynamic approach, executing an unknown program in a controlled environment (sandbox) and recording its runtime behavior. Since dynamic analysis platforms directly run malicious code, they are resilient to popular malware defense techniques such as packing and code obfuscation. Unfortunately, in many cases, only a small subset of all possible malicious behaviors is observed within the short time frame that a malware sample is executed. To mitigate this issue, previous work introduced techniques such as multi-path or forced execution to increase the coverage of dynamic malware analysis. Unfortunately, using these techniques is potentially expensive, as the number of paths that require analysis can grow exponentially. In this paper, we propose Reanimator, a novel solution to determine the capabilities (malicious functionality) of malware programs. Our solution is based on the insight that we can leverage behavior observed while dynamically executing a specific malware sample to identify similar functionality in other programs. More precisely, when we observe malicious actions during dynamic analysis, we automatically extract and model the parts of the malware binary that are responsible for this behavior. We then leverage these models to check whether similar code is present in other samples. This allows us to statically identify dormant functionality (functionality that is not observed during dynamic analysis) in malicious programs. We evaluate our approach on thousands of real-world malware samples, and we show that our system is successful in identifying additional, malicious functionality. As a result, our approach can significantly improve the coverage of malware analysis results.