nach oben

Erschienen in:

2013 | OriginalPaper | Buchkapitel

6. Analysis of Trigger Conditions and Hidden Behaviors

verfasst von : Heng Yin, Dawn Song

Erschienen in: Automatic Malware Analysis

Verlag: Springer New York

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

Malware often contains hidden behavior which is only activated when properly triggered. Well known examples include: the MyDoom worm which DDoS’s on particular dates, keyloggers which only log keystrokes for particular sites, and DDoS zombies which are only activated when given the proper command. We call such behavior trigger-based behavior. Currently, trigger-based behavior analysis is often performed in a tedious, manual fashion. Providing even a small amount of assistance would greatly assist and speedup the analysis. In this chapter, we propose that automatic analysis of trigger-based behavior in malware is possible. In particular, we design an approach for automatic trigger-based behavior detection and analysis using dynamic binary instrumentation and mixed concrete and symbolic execution. Our approach shows that in many cases we can: (1) detect the existence of trigger-based behavior, (2) find the conditions that trigger such hidden behavior, and (3) find inputs that satisfy those conditions, allowing us to observe the triggered malicious behavior in a controlled environment. We have implemented MineSweeper, a system utilizing this approach. In our experiments, MineSweeper has successfully identified trigger-based behavior in real-world malware. Although there are many challenges presented by automatic trigger-based behavior detection, MineSweeper shows us that such automatic analysis is possible and encourages future work in this area.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Vorheriges Kapitel Hooking Behavior Analysis

Nächstes Kapitel Concluding Remarks

Brumley, D., Newsome, J., Song, D., Wang, H., Jha, S.: Towards automatic generation of vulnerability-based signatures. In: Proceedings of the 2006 IEEE Symposium on Security and Privacy, pp. 2–16 (2006)

Cadar, C., Ganesh, V., Pawlowski, P., Dill, D., Engler, D.: EXE: A system for automatically generating inputs of death using symbolic execution. In: Proceedings of the 13th ACM Conference on Computer and Communications Security (CCS) (2006)

Clarke, E., Kroening, D., Lerda, F.: A tool for checking ANSI-C programs. In: K. Jensen, A. Podelski (eds.) Tools and Algorithms for the Construction and Analysis of Systems (TACAS 2004), Lecture Notes in Computer Science, vol. 2988, pp. 168–176. Springer (2004)

Crandall, J.R., Wassermann, G., de Oliveira, D.A.S., Su, Z., Wu, S.F., Chong, F.T.: Temporal search: Detecting hidden malware timebombs with virtual machines. In: Proceedings of the 12th International Conference on Architectural Support for Programming Languages and Operating Systems, ASPLOS-XII, pp. 25–36 (2006)

Dittrich, D.: The ”tribe flood network” distributed denial of service attack tool. http://staff.washington.edu/dittrich/misc/tfn.analysis.txt (1999)

Ferrie, T.L.: Win32.Netsky.C. http://www.symantec.com/security_response/writeup.jsp?docid=2004-022417-4628-99

Gettis, S.: W32.Mydoom.B@mm. http://www.symantec.com/security_response/writeup.jsp?docid=2004-022011-2447-99

Godefroid, P., Klarlund, N., Sen, K.: DART: Directed automated random testing. In: Proc. of the 2005 Programming Language Design and Implementation Conference (PLDI) (2005)

Ha, K.: Keylogger.Stawin. http://www.symantec.com/security_response/writeup.jsp?docid=2004-012915-2315-99

10.

Hindocha, N.: Win32.Netsky.D. http://www.symantec.com/security_response/writeup.jsp?docid=2004-030110-0232-99

11.

King, J.: Symbolic execution and program testing. Communications of the ACM 19, 386–394 (1976)CrossRef

12.

McAfee: W97M/Opey.C. http://vil.nai.com/vil/content/v_10290.htm

13.

Moser, A., Kruegel, C., Kirda, E.: Exploring multiple execution paths for malware analysis. In: Proceedings of the 2007 IEEE Symposium on Security and Privacy(Oakland’07) (2007)

14.

Newsome, J., Brumley, D., Franklin, J., Song, D.: Replayer: Automatic protocol replay by binary analysis. In: R. Write, S.D.C. di Vimercati, V. Shmatikov (eds.) In the Proceedings of the 13^th ACM Conference on Computer and and Communications Security (CCS), pp. 311–321 (2006)

15.

Blazingtools perfect keylogger. http://www.blazingtools.com/bpk.html

16.

Sen, K., Marinov, D., Agha, G.: CUTE: A concolic unit testing engine for c. In: ACM SIGSOFT Sympsoium on the Foundations of Software Engineering (2005)

17.

Symantec: Spyware.e2give. http://www.symantec.com/security_response/writeup.jsp?docid=2004-102614-1006-99

18.

Symantec: Xeram.1664. http://www.symantec.com/security_response/writeup.jsp?docid=2000-121913-2839-99

19.

United States Department of Justice Press Release: Former computer network administrator at new jersey high-tech firm sentenced to 41 months for unleashing $10 million computer “time bomb”. http://www.usdoj.gov/criminal/cybercrime/lloydSent.htm

20.

United States Department of Justice Press Release: Former lance, inc. employee sentenced to 24 months and ordered to pay $194,609 restitution in computer fraud case. http://www.usdoj.gov/criminal/cybercrime/SullivanSent.htm

21.

United States Department of Justice Press Release: Former technology manager sentenced to a year in prison for computer hacking offense. http://www.usdoj.gov/criminal/cybercrime/sheaSent.htm

22.

Xie, Y., Aiken, A.: Context- and path-sensitive memory leak detection. ACM SIGSOFT Software Engineering Notes 30 (2005)

23.

Yang, J., Sar, C., Twohey, P., Cadar, C., Engler, D.: Automatically generating malicious disks using symbolic execution. In: IEEE Symposium on Security and Privacy (2006)

Titel: Analysis of Trigger Conditions and Hidden Behaviors
verfasst von: Heng Yin
Dawn Song
Verlag: Springer New York
Buch: Automatic Malware Analysis
Print ISBN: 978-1-4614-5522-6

Electronic ISBN: 978-1-4614-5523-3

Copyright-Jahr: 2013
DOI: https://doi.org/10.1007/978-1-4614-5523-3_6

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"