Dynamic Analysis of Malicious Code

Abstract

Malware analysis is the process of determining the purpose and functionality of a given malware sample (such as a virus, worm, or Trojan horse). This process is a necessary step in developing effective detection techniques for malicious code. It is also an important prerequisite for developing removal tools that can thoroughly delete malware from an infected machine. Traditionally, malware analysis has been a manual process that is tedious and time-intensive. Unfortunately, the number of samples that security vendors need to analyze on a daily basis is constantly increasing. This clearly reveals the need for tools that automate and simplify parts of the analysis process. In this paper, we present TTAnalyze, a tool for dynamically analyzing the behavior of Windows executables. To this end, the binary is run in an emulated operating system environment and its (security-relevant) actions are monitored. In particular, we record the Windows native system calls and Windows API functions that the program invokes. One important feature of our system is that it does not modify the program that it executes (e.g., through API call hooking or breakpoints), making it harder for malicious code to detect the analysis. Also, our tool runs binaries in an unmodified Windows environment, which leads to excellent emulation accuracy. These factors make TTAnalyze an ideal tool for quickly understanding the behavior of an unknown malware sample.
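The abstract's claim that an emulator which never touches the program is harder to detect than API hooking or breakpoints rests on the fact that in-process modifications leave traces a sample can inspect. The following Python check is an added example for this page, not code from the paper or from TTAnalyze: it shows the kind of prologue integrity test evasive malware uses, run over constructed byte strings that stand in for a Windows API function's entry bytes. The names REFERENCE_PROLOGUE, Finding, diff_prologue and verdict are the example's own; in a real check the reference bytes would be read from the on-disk module image and the in-memory bytes from the loaded copy.

```python
"""Prologue integrity check of the kind malware uses to spot in-process
analysis (inline API hooks, software breakpoints).

Added example for this page, not code from the TTAnalyze paper or tool.
It compares a function's in-memory entry bytes with a reference copy
(in a real check: the same export read from the on-disk module image).
The byte strings below are constructed stand-ins; an emulator-based
monitor that never modifies the program leaves them identical, which is
the detection gap the abstract refers to.
"""
from dataclasses import dataclass

# Constructed reference bytes: the hot-patchable Windows API prologue
# (mov edi,edi; push ebp; mov ebp,esp) followed by 'sub esp,0x10'.
REFERENCE_PROLOGUE = bytes.fromhex("8bff558bec83ec10")

# Opcodes typically planted at a function entry by hooks or debuggers.
INT3 = 0xCC                 # software breakpoint
JMP_REL32 = 0xE9            # 5-byte relative jmp to a hook handler
JMP_REL8 = 0xEB             # 2-byte short jmp (hot-patch style)
JMP_ABS_IND = b"\xff\x25"   # 6-byte jmp dword ptr [absolute]


@dataclass(frozen=True)
class Finding:
    offset: int   # byte offset into the prologue
    kind: str     # what the differing bytes look like


def diff_prologue(reference: bytes, in_memory: bytes, length: int = 8) -> list:
    """Return one Finding per patched site in the first `length` bytes."""
    ref, mem = reference[:length], in_memory[:length]
    findings = []
    i = 0
    while i < min(len(ref), len(mem)):
        if ref[i] == mem[i]:
            i += 1
            continue
        b = mem[i]
        if b == INT3:
            findings.append(Finding(i, "int3 breakpoint"))
            i += 1
        elif b == JMP_REL32:
            findings.append(Finding(i, "jmp rel32 (inline hook)"))
            i += 5   # skip the 4-byte displacement of the same patch
        elif b == JMP_REL8:
            findings.append(Finding(i, "jmp rel8 (hot-patch hook)"))
            i += 2
        elif mem[i:i + 2] == JMP_ABS_IND:
            findings.append(Finding(i, "jmp [abs] (indirect hook)"))
            i += 6
        else:
            findings.append(Finding(i, "unclassified patch"))
            i += 1
    return findings


def verdict(reference: bytes, in_memory: bytes) -> str:
    """What an evasive sample would act on: 'clean' or 'tampered'."""
    return "tampered" if diff_prologue(reference, in_memory) else "clean"


if __name__ == "__main__":
    # Constructed in-memory views of the same function under different monitors.
    samples = {
        "emulator (no modification)": REFERENCE_PROLOGUE,
        "inline hook": b"\xe9\x10\x20\x30\x40" + REFERENCE_PROLOGUE[5:],
        "hot-patch hook": b"\xeb\xf9" + REFERENCE_PROLOGUE[2:],
        "indirect hook": b"\xff\x25\x00\x00\x00\x00" + REFERENCE_PROLOGUE[6:],
        "debugger breakpoint": b"\xcc" + REFERENCE_PROLOGUE[1:],
    }
    for name, mem in samples.items():
        sites = [(f.offset, f.kind) for f in diff_prologue(REFERENCE_PROLOGUE, mem)]
        print(f"{name:28s} {verdict(REFERENCE_PROLOGUE, mem):9s} {sites}")
```

The check only covers patches at the function entry; hooks placed elsewhere (import or export table rewrites, deeper in the function body) need other comparisons, and a monitor that also patches the on-disk reference defeats it. The point for the abstract is the first row: an out-of-guest monitor produces no difference at all, so this entire class of self-check returns "clean".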

DOI: 10.1007/s11416-006-0012-2


[Chart: Citations per Year, 2007 to 2017]

168 Citations (Semantic Scholar estimate based on the available data)


Cite this paper

@article{Bayer2006DynamicAO,
  title   = {Dynamic Analysis of Malicious Code},
  author  = {Ulrich Bayer and Andreas Moser and Christopher Kr{\"u}gel and Engin Kirda},
  journal = {Journal in Computer Virology},
  year    = {2006},
  volume  = {2},
  pages   = {67--77},
  doi     = {10.1007/s11416-006-0012-2}
}