Identifying Dormant Functionality in Malware Programs

Guido Salvaneschi
PhD Student

DEI - Seminar room
November 16th, 2010


To handle the growing flood of malware, security vendors and analysts rely on tools that automatically identify and analyze malicious code. Current systems for automated malware analysis typically follow a dynamic approach, executing an unknown program in a controlled environment (sandbox) and recording its runtime behavior. Since dynamic analysis platforms directly run malicious code, they are resilient to popular malware defense techniques such as packing and code obfuscation. Unfortunately, in many cases, only a small subset of all possible malicious behaviors is observed within the short time-frame that a malware sample is executed.
In this work, we propose Reanimator, an efficient solution to learn more about the capabilities (malicious functionality) of malware programs. Our solution is based on the insight that we can leverage behavior observed while dynamically executing a specific malware sample to identify similar functionality in other programs. More precisely, when we observe malicious actions during dynamic analysis, we automatically extract and model the parts of the malware binary that are responsible for this behavior. We then leverage these models to check whether similar code is present in other samples. This allows us to statically identify dormant behaviors (i.e., those that are not observed during dynamic analysis) in malicious programs.
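The three steps the abstract describes (recover the code behind an observed behaviour, model it, scan other samples statically) can be walked through on a toy scale. The following Python is an added illustration for this page, not Reanimator's code and not part of the seminar. It assumes a "binary" is a list of (address, mnemonic, operands) tuples, a sandbox trace is the list of executed addresses, and the behaviour of interest is the address at which a monitored action (a call to connect) fired. Both samples, the trace, the mnemonic-sequence model and the difflib similarity threshold are constructed for the example; the paper's actual slicing and matching are not reproduced here.

```python
from difflib import SequenceMatcher
from typing import Dict, List, Tuple

Insn = Tuple[int, str, str]   # (address, mnemonic, operands)
Model = Tuple[str, ...]       # normalised code model: mnemonic sequence

# Constructed sample A: a routine that opens a TCP connection to port 443.
SAMPLE_A: List[Insn] = [
    (0x401000, "push", "ebp"),
    (0x401001, "mov", "ebp, esp"),
    (0x401003, "push", "0x1bb"),
    (0x401008, "push", "[ebp+8]"),
    (0x40100b, "call", "socket"),
    (0x401010, "test", "eax, eax"),
    (0x401012, "jz", "0x401020"),
    (0x401014, "push", "eax"),
    (0x401015, "call", "connect"),   # monitored behaviour fires here
    (0x40101a, "pop", "ebp"),
    (0x40101b, "ret", ""),
    (0x401020, "xor", "eax, eax"),
    (0x401022, "ret", ""),
]
# Constructed sandbox trace of A: executed addresses in order, plus the
# address at which the outbound connect was observed.
TRACE_A = [0x401000, 0x401001, 0x401003, 0x401008, 0x40100b,
           0x401010, 0x401012, 0x401014, 0x401015, 0x40101a, 0x40101b]
BEHAVIOUR_A = 0x401015

# Constructed sample B: the same connect routine at a new base, port 80 and
# 'cmp eax, 0' instead of 'test eax, eax', reached only after an uptime check
# that a short sandbox run never passes, so it stays dormant dynamically.
SAMPLE_B: List[Insn] = [
    (0x10001000, "push", "ebp"),
    (0x10001001, "mov", "ebp, esp"),
    (0x10001003, "call", "GetTickCount"),
    (0x10001008, "cmp", "eax, 0x2932e00"),
    (0x1000100d, "jb", "0x10001017"),
    (0x1000100f, "push", "[ebp+8]"),
    (0x10001012, "call", "0x10001020"),   # never taken in the sandbox
    (0x10001017, "pop", "ebp"),
    (0x10001018, "ret", ""),
    (0x10001020, "push", "ebp"),
    (0x10001021, "mov", "ebp, esp"),
    (0x10001023, "push", "0x50"),
    (0x10001025, "push", "[ebp+8]"),
    (0x10001028, "call", "socket"),
    (0x1000102d, "cmp", "eax, 0"),
    (0x10001030, "jz", "0x1000103e"),
    (0x10001032, "push", "eax"),
    (0x10001033, "call", "connect"),
    (0x10001038, "pop", "ebp"),
    (0x10001039, "ret", ""),
    (0x1000103e, "xor", "eax, eax"),
    (0x10001040, "ret", ""),
]

def extract_genotype(binary, trace, behaviour_addr):
    """Step 1: recover the code behind an observed behaviour. Approximated here
    (an assumption) as the instructions executed up to and including the one
    at which the behaviour fired; real slicing would be more precise."""
    by_addr: Dict[int, Insn] = {insn[0]: insn for insn in binary}
    responsible: List[Insn] = []
    for addr in trace:
        responsible.append(by_addr[addr])
        if addr == behaviour_addr:
            break
    return responsible

def build_model(insns) -> Model:
    """Step 2: model the code as its mnemonic sequence. Dropping operands means
    a different base address, register or immediate does not defeat the match.
    This is one simple normalisation choice made for the example."""
    return tuple(mnemonic for _, mnemonic, _ in insns)

def find_dormant(model, binary, threshold=0.85):
    """Step 3: static scan of another sample, with no execution. Slide a window
    the size of the model over its disassembly and report windows whose
    mnemonic sequence is similar enough (difflib ratio = 2M/T)."""
    hits: List[Tuple[int, float]] = []
    for start in range(len(binary) - len(model) + 1):
        window = build_model(binary[start:start + len(model)])
        score = SequenceMatcher(None, model, window).ratio()
        if score >= threshold:
            hits.append((binary[start][0], score))
    return sorted(hits, key=lambda hit: hit[1], reverse=True)

def dormant_connect_in_b():
    """Whole pipeline: learn from A's observed connect, look for it in B."""
    model = build_model(extract_genotype(SAMPLE_A, TRACE_A, BEHAVIOUR_A))
    return find_dormant(model, SAMPLE_B)

if __name__ == "__main__":
    for addr, score in dormant_connect_in_b():
        print(f"dormant connect-like code at {addr:#x} (similarity {score:.2f})")
```

Run as a script, the only hit is the routine at 0x10001020 in sample B, which the sandbox never executed: one mismatching mnemonic out of nine gives a similarity of 16/18. The threshold is a trade-off the toy makes visible: lowering it to 0.75 would also report windows that merely overlap the routine by one instruction, which is why a real system models code more precisely than a flat mnemonic string.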

Guido Salvaneschi

Research area:
Advanced software architectures and methodologies