
Contributions to Proceedings:

P. Milani Comparetti, G. Salvaneschi, E. Kirda, C. Kolbitsch, C. Krügel, S. Zanero:
"Identifying Dormant Functionality in Malware Programs";
in: "Proceedings of the 2010 IEEE Symposium on Security and Privacy", issued by: IEEE; IEEE Computer Society, Oakland, 2010, ISBN: 978-0-7695-4035-1, 61 - 76.



English abstract:
To handle the growing flood of malware, security vendors and analysts rely on tools that automatically identify and analyze malicious code. Current systems for automated malware analysis typically follow a dynamic approach, executing an unknown program in a controlled environment (sandbox) and recording its runtime behavior. Since dynamic analysis platforms directly run malicious code, they are resilient to popular malware defense techniques such as packing and code obfuscation. Unfortunately, in many cases, only a small subset of all possible malicious behaviors is observed within the short time frame that a malware sample is executed. To mitigate this issue, previous work introduced techniques such as multi-path or forced execution to increase the coverage of dynamic malware analysis. Unfortunately, using these techniques is potentially expensive, as the number of paths that require analysis can grow exponentially.

In this paper, we propose REANIMATOR, a novel solution to determine the capabilities (malicious functionality) of malware programs. Our solution is based on the insight that we can leverage behavior observed while dynamically executing a specific malware sample to identify similar functionality in other programs. More precisely, when we observe malicious actions during dynamic analysis, we automatically extract and model the parts of the malware binary that are responsible for this behavior. We then leverage these models to check whether similar code is present in other samples. This allows us to statically identify dormant functionality (functionality that is not observed during dynamic analysis) in malicious programs. We evaluate our approach on thousands of real-world malware samples, and we show that our system is successful in identifying additional, malicious functionality. As a result, our approach can significantly improve the coverage of malware analysis results.


Electronic version of the publication:
http://publik.tuwien.ac.at/files/PubDat_190210.pdf



Related Projects:
Project Head Paolo Milani Comparetti:
Worldwide Observatory of Malicious Behaviors and Attack Threats