Advertisement
Published in:
2013 | OriginalPaper | Chapter
Tracking Memory Writes for Malware Classification and Code Reuse Identification
Authors : André Ricardo Abed Grégio, Paulo Lício de Geus, Christopher Kruegel, Giovanni Vigna
Published in: Detection of Intrusions and Malware, and Vulnerability Assessment
Publisher: Springer Berlin Heidelberg
Activate our intelligent search to find suitable subject content or patents.
Select sections of text to find matching patents with Artificial Intelligence. powered by
Select sections of text to find additional relevant content using AI-assisted search. powered by
Malicious code (malware) is used to steal sensitive data, to attack corporate networks, and to deliver spam. To silently compromise systems and maintain their access, malware developers usually apply obfuscation techniques that result in a massive amount of malware variants and that can render static analysis approaches ineffective. To address the limitations of static approaches, researchers have proposed dynamic analysis systems. These systems usually rely on a sandboxing environment that captures the system calls performed by a program under analysis.
In this paper, we propose a novel approach to capture and model malware behavior that is based on the monitoring of the data values that a certain subset of instructions writes to memory during program execution. We have implemented a malware clustering component and a component to detect code reuse between different malware families. To validate our proposed techniques, we analyzed 16,248 malware samples. We found that our techniques produce clusters with high accuracy, as well as interesting cases of code reuse among malicious programs.