Tracking memory writes for malware classification and code reuse identification

Authors:
André Ricardo Abed Grégio;Paulo Lício de Geus;Christopher Kruegel;Giovanni Vigna
Affiliations:
Center for Information Technology Renato Archer, Brazil,University of Campinas, Brazil;University of Campinas, Brazil;University of California, Santa Barbara;University of California, Santa Barbara
Venue:
DIMVA'12 Proceedings of the 9th international conference on Detection of Intrusions and Malware, and Vulnerability Assessment
Year:
2012

Citing 12
Cited 0

Data clustering: a review

ACM Computing Surveys (CSUR)
Toward Automated Dynamic Malware Analysis Using CWSandbox

IEEE Security and Privacy
Learning and Classification of Malware Behavior

DIMVA '08 Proceedings of the 5th international conference on Detection of Intrusions and Malware, and Vulnerability Assessment
Ether: malware analysis via hardware virtualization extensions

Proceedings of the 15th ACM conference on Computer and communications security
Gray Hat Python: Python Programming for Hackers and Reverse Engineers

Gray Hat Python: Python Programming for Hackers and Reverse Engineers
Automated classification and analysis of internet malware

RAID'07 Proceedings of the 10th international conference on Recent advances in intrusion detection
Fast malware classification by automated behavioral graph matching

Proceedings of the Sixth Annual Workshop on Cyber Security and Information Intelligence Research
Behavioral clustering of HTTP-based malware and signature generation using malicious network traces

NSDI'10 Proceedings of the 7th USENIX conference on Networked systems design and implementation
Malware detection using assembly and API call sequences

Journal in Computer Virology
BitShred: feature hashing malware for scalable triage and semantic analysis

Proceedings of the 18th ACM conference on Computer and communications security
Malware classification based on call graph clustering

Journal in Computer Virology
FORECAST: skimming off the malware cream

Proceedings of the 27th Annual Computer Security Applications Conference

Quantified Score

Hi-index	0.00

Visualization

Abstract

Malicious code (malware) is used to steal sensitive data, to attack corporate networks, and to deliver spam. To silently compromise systems and maintain their access, malware developers usually apply obfuscation techniques that result in a massive amount of malware variants and that can render static analysis approaches ineffective. To address the limitations of static approaches, researchers have proposed dynamic analysis systems. These systems usually rely on a sandboxing environment that captures the system calls performed by a program under analysis. In this paper, we propose a novel approach to capture and model malware behavior that is based on the monitoring of the data values that a certain subset of instructions writes to memory during program execution. We have implemented a malware clustering component and a component to detect code reuse between different malware families. To validate our proposed techniques, we analyzed 16,248 malware samples. We found that our techniques produce clusters with high accuracy, as well as interesting cases of code reuse among malicious programs.