ABSTRACT
Malware poses a grave threat to the security of networks and host systems. Many events, such as Distributed Denial-of-Service attacks and spam email, often have malware as their root cause, so a great deal of research is invested in detecting and removing malware, and many malware detection systems, or antivirus products, have emerged. The drawback of these antivirus products is that they rely on signature matching for malware detection, which can be easily defeated using simple code obfuscation techniques. This has given rise to a new generation of metamorphic and polymorphic malware. In this paper we propose monitoring interdependent system calls to detect obfuscated malicious programs. We took some sample malware and applied some common obfuscation techniques, then tested the obfuscated samples against the open source antivirus ClamAV and against our detection model. The results obtained are elaborated further in the paper. We also describe how our algorithm holds up against known weaknesses of the API call monitoring approach, such as API call reordering and garbage API call insertion.
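As an added illustration (not code from the paper), the following models the idea behind the abstract: a behaviour signature expressed as data dependencies between API calls, where call B depends on call A when B consumes a value (e.g. a handle) that A produced. The dependency model and the three traces are assumptions constructed here; they show why such a signature survives call reordering and garbage-call insertion while a plain call-sequence signature does not.

```python
# Added example: dependency-based vs. sequence-based API-call signatures.
# A trace event is (api_name, input_tokens, output_token); tokens are symbolic
# values such as handles. All traces below are constructed, not real captures.

def dependency_edges(trace):
    """Return (producer, consumer) API pairs where the consumer uses a value
    the producer returned (assumed model of 'interdependent' calls)."""
    producer = {}   # token -> API call that produced it
    edges = set()
    for name, inputs, output in trace:
        for token in inputs:
            if token in producer:
                edges.add((producer[token], name))
        if output is not None:
            producer[output] = name
    return frozenset(edges)

def sequence_signature(trace):
    """Naive signature: the exact ordered list of API names."""
    return tuple(name for name, _, _ in trace)

def matches(signature_edges, trace):
    """Dependency match: every signature edge must appear in the trace."""
    return signature_edges <= dependency_edges(trace)

# Reference behaviour: open a file, write to it, close it, then run something.
BASE = [
    ("CreateFileW",    ["path"],       "h1"),
    ("WriteFile",      ["h1", "buf"],  None),
    ("CloseHandle",    ["h1"],         None),
    ("CreateProcessW", ["path"],       "p1"),
]
# Same behaviour after obfuscation: garbage calls inserted and an independent
# call reordered; handle values differ, but the dependencies are unchanged.
OBFUSCATED = [
    ("GetTickCount",   [],             "t1"),   # garbage call
    ("CreateFileW",    ["path"],       "h7"),
    ("Sleep",          ["t1"],         None),   # garbage consuming garbage
    ("WriteFile",      ["h7", "buf"],  None),
    ("CreateProcessW", ["path"],       "p9"),   # reordered (no data dependency)
    ("CloseHandle",    ["h7"],         None),
]
# Unrelated program: opens and closes a file without writing it.
BENIGN = [("CreateFileW", ["path"], "h2"), ("CloseHandle", ["h2"], None)]

SIGNATURE = dependency_edges(BASE)
```

Checking `matches(SIGNATURE, OBFUSCATED)` against `sequence_signature(BASE) == sequence_signature(OBFUSCATED)` shows the dependency signature still fires on the obfuscated trace while the sequence signature does not, and `BENIGN` matches neither.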
Obfuscated malware detection using API call dependency