Dynamic Analysis of Malware - Research Paper Example

? Dynamic Analysis of Malware Dynamic Analysis of Malware Malware is a generic term referring to kinds of unwanted softwares. Dynamic malware analysis came about due to problems arising in reference to manual malware analysis. Dynamic malware analysis comprises of methods that analyze large amounts of malware in a fast and reliable fashion. The main focus of researchers is on different types of dynamic malware analysis (Hartmann, 2009). Dynamic Malware Analysis Techniques Dynamic analysis is the term used to describe the act of analyzing the actions performed by a program while being executed. There are different approaches and techniques applicable in performing dynamic analysis. Function Call Monitoring A function comprises of a code that executes a certain task like creating a file or calculating factorial value of a number. In the use of functions easy code re-usability, and easier maintenance can result. The property that makes functions interesting for program analysis is that they are usually used to abstract from execution particulars to a semantically richer representation. For example, so long as the outcome corresponds to the sorted input, the particular algorithm which a sort function implements might not be essential. When it comes to analyzing code, such abstractions help in gaining an overview of the behavior of the program when analyzing a code. By intercepting these calls, one can monitor what functions are called by a program. Hooking is the process of intercepting function calls. A hook function is invoked when the analyzed program is manipulated in addition to the anticipated function (Hunt, Thomas, & Cunningham, 1999). Application Programming Interface (API) This hook function is responsible for putting into action the necessary analysis functionality like analyzing its input parameters or recording its stats to a log file. Application Programming Interface (API) are groups of functions that form a logical set of functionality, like communicating over the network or file manipulation. In most cases, operating systems provide several APIs that can be used by applications to perform familiar tasks and can be found on diverse layers of abstraction. The term API on windows OS, refers to a set of APIs which give access to varying functional groupings like system services, networking, management and security (Leyden, 2001). System Calls System calls is usually categorized into two, and it is the software execution on computer systems which run commodity of the shelf OS. These two categories are user-mode and kernel-mode. User-mode is used in executing general applications like image manipulation programs or word processors. The only code that is executed in kernel-mode has direct entry to the system state. This partition prohibits the user-mode process from interacting with the system and its environment. For example, since it is impossible to create or directly open a file for a user-space process, the operating system (OS) provides a unique well defined API-the system call interface. A user-mode application is able to request the OS to perform a small set of tasks on its behalf, by using system calls. A user-mode application has to invoke the precise system-call showing the file’s path, name and access method in order to create a file. As soon as the system call is invoked, it is changed into kernel-mode. The OS carries out the task on behalf of the user-mode applications when there are enough access rights for the desired action upon verification (Nick, 2006). Anubis Anubis is a critical component/tool which is used for studying/analyzing Windows PE-executable’s behavior, main focus being on malware analysis. Anubis execution results in the making of report files that have enough information, thus enabling a user to have a clear idea about the use and actions of the analyzed binary. The report has detailed data regarding enhancements made to the Windows registry or file system. This analysis relays on running and watching the binary in an emulated environment. The analysis’ main focus is on security aspects of a program's actions, making the analysis process less cumbersome, and allowing for more accurate end results since the domain is extra fine-grained. It can generally be said that Anubis is a service for analyzing malware. A person can decide whether to manually analyze a sample in depth or otherwise. Some of the benefits of dynamic code analysis with Anubis are: ANUBIS is capable in handling basic user interactions if necessary during analysis. ANUBIS has scalable approach which is not affected by runtime packers, anti-debug mechanisms or code obfuscation of modern malware. Anubis has advanced features, where it records and analyses samples network traffic and storage of analysis reports in relation to DB, like files created, modified and deleted. It incorporates many report formats such as XML, HTML, MHT, PDF and TXT. It integrates static analysis with AV scanner/PE scan URL analysis In its architecture and capabilities, Anubis has got 5 main building blocks which include: XML which enables the generation of numerous statistics Malware storage Archives which uploads and analyzes samples Report storage Archives report/result Victim server for certain services, keeping malicious traffic local! Multiple Worker (VM) Snapshot technology which can revert to the known state in seconds Anubis was designed to assist human experts to give fast overview of a sample’s behavior. Anubis is used in data tainting, which a powerful technique used in tracing data flows of a program like how network data is processed by a program, and also makes us able to find out if for infection, a malware uses random file names during a single analysis run. Anubis can also provide the feature known as “clustering”. This feature is used in finding and partitioning a given set of malware samples into subsets, so that subsets share some common traits. Features in malware clustering are behavior based, which require prior Anubis analysis, which uses LSH (Locality Sensitive Hashing), which enables avoidance of computing all n2/2 distances, suitable for clustering real-world malware collections. In conclusion, Anubis offers technology to hasten malware analysis due to automatic processing of samples saving time; it improves the traditional analysis procedure flow because of its features. The feature of clustering is only unique to Anubis, and it can also offer added functionality for “in the cloud” services, which are used in academic research projects. Anubis has two versions, the public version which is not premium based and offers limited features with no customization, and the commercial version which is available on request and offers more features. Anubis is the ideal tool for the virus and malware fascinated individual to get a fast knowledge of the objective of an unknown binary (Rooney, 2011). References Hartmann, A. K. (2009). Practical Guide to Computer Simulations. Singapore: World Scientific. Hunt, A., Thomas, D., and Cunningham, W. (1999). The Pragmatic Programmer. From Journeyman to Master. Amsterdam: Addison-Wesley Longman. Leyden, J. (2001). Highly destructive Linux worm mutating. Retrieved from http://www.theregister.co.uk/2001/03/28/highly_destructive_linux_worm_mutating Nick, F. (2006). Linux worm targets PHP flaw. Retrieved from http://www.theregister.co.uk/2006/02/20/linux_worm/ Rooney, B. (2011). Malware Is Posing Increasing Danger. Retrieved from http://online.wsj.com/article/SB10001424052748704904604576332812592346714.html Read More