Malware Behavioral Analysis

The battle between hackers and security researchers never ends [1]. Present analysis methodologies can be categorized into two types: static analysis (also known as code analysis) and dynamic analysis (also known as behavioral analysis). In static analysis, detection is based on information extracted explicitly or implicitly from the executable binary or source code. In dynamic analysis, detection is based on information collected from the operating system at runtime (i.e. while the program executes), such as system calls, network access, and file and memory modifications [2, 3]. The collected data is then analyzed for malicious behavior in the network traffic, and the infected system is monitored for changed files or registry entries. This technique focuses on obtaining reliable and accurate information from the execution of malicious programs.

Indeed, much research performs malware analysis by monitoring malware actions while running the sample in a controlled environment, such as a virtual machine (VM) or an emulator. This method has been used for many years and is popular among researchers, because malware can be executed and analyzed there without having to reinstall the production systems every time. In most cases, however, malware can easily escape detection by the virtual machine monitor (VMM) and suppress its propagation behavior, so the malicious behavior observed by VM-based analysis may sometimes differ from the results obtained in a physical environment. To address these problems and conquer those challenges, the simplest obfuscation technique is to fool current malware, collect its behavior information or logs, and then mine that information for statistical analysis. This is done to corroborate the features of the footprint and to select suitable machine learning classifiers that detect malware and its malicious processes at run time [4].

There are several free malware analysis services and tools that can examine malicious artifacts automatically, and they may use VM systems to analyze malware behavior. They save time and provide an overview of a specimen's capabilities, so that analysts can decide where to focus their manual analysis efforts, as described in the following section:

· On-Line Malware Behavioral Analysis Service:
  o XecScan (http://scan.xecure-lab.com): a free online APT scanning service capable of finding advanced malware, zero-day and targeted APT attacks embedded in common file formats. With its patent-pending exploit analysis engine, XecScan also provides forensic data such as the build time of the malware, the program call graph, embedded exploits, and the communication hops involved.
  o ThreatExpert (http://www.threatexpert.com/submit.aspx): an advanced automated threat analysis system (ATAS) designed to analyze and report the behavior of computer viruses, worms, Trojans, adware, spyware and other security-related risks in a fully automated mode.
  o EUREKA (http://eureka.cyber-ta.org): a binary static analysis preparation framework that implements a novel binary unpacking strategy based on statistical bigram analysis and coarse-grained execution tracing. Eureka incorporates advanced API deobfuscation capabilities to facilitate the structural analysis of the underlying malware logic.
  o Anubis (https://anubis.iseclab.org): a tool for analyzing the behavior of Windows PE executables, with a special focus on malware. Running a sample through Anubis produces a report file that contains enough information to give a human analyst a very good understanding of the purpose and actions of the analyzed binary.
  o Malwr (https://malwr.com): a free malware analysis service that launched its community in January 2011. Existing online analysis services are all based on closed and commercial technologies, often with the intent of leveraging people's data for their own profit, with no transparency on how the data is used.
· On-Line Mobile Malware Behavioral Analysis Service:
  o SandDroid (http://sanddroid.xjtu.edu.cn)
  o Andrubis (http://anubis.iseclab.org)
  o CopperDroid (http://copperdroid.isg.rhul.ac.uk)
  o MobileSandbox (http://mobilesandbox.org)
  o NVISO ApkScan (https://apkscan.nviso.be)
  o MobiSec Eacus (http://www.mobiseclab.org)
  o AndroidSandbox (http://www.androidsandbox.net)
  o APK Analyzer (http://www.apk-analyzer.net)
  o Dynodroid (http://pag-www.gtisc.gatech.edu/dynodroid)
  o Visual Threat (http://www.visualthreat.com)
· Free Analysis Tools:
  o Cuckoo (http://www.cuckoosandbox.org): a simple tool that allows you to throw any suspicious file at it; in a matter of seconds, Cuckoo provides detailed results outlining the file's behavior when executed inside an isolated environment.
  o CuckooDroid (https://github.com/idanr1986/cuckoo-droid): Android extension for Cuckoo.
  o Malheur (http://www.mlsec.org/malheur/): a tool for automatic analysis of malware behavior (program behavior recorded from malicious software in a sandbox environment).
  o Zero Wine (http://sourceforge.net/projects/zerowine/): a malware behavior analysis tool. Simply upload your suspicious PE file (Windows executable) through the web interface, and it will analyze the behavior of the process.
  o REMnux (https://sourceforge.net/projects/remnux/): a lightweight Linux distribution for assisting malware analysts with reverse-engineering malicious software. It also incorporates a number of tools for analyzing malicious executables that run on Microsoft Windows, as well as browser-based malware such as Flash programs and obfuscated JavaScript.
  o AndroGuard: https://github.com/androguard/androguard
  o Androwarn: https://github.com/maaaaz/androwarn/
  o ApkAnalyser: https://github.com/sonyxperiadev/ApkAnalyser
  o FlowDroid: http://sseblog.ec-spride.de/tools/flowdroid/
  o Droidbox: https://code.google.com/p/droidbox/
  o Drozer: https://www.mwrinfosecurity.com/products/drozer/
  o Android Hooker: https://github.com/AndroidHooker/hooker
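The feature-mining step described earlier (collecting behavior logs from a sandbox run and turning them into statistical features that a classifier or clustering step can consume), as an added Python example that is not part of the original page or of any tool listed above. It assumes a constructed, simplified report whose shape is only loosely modelled on a Cuckoo-style JSON report; the function and feature names are the example's own.

```python
import json
from collections import Counter
from math import sqrt

# Constructed sample (assumption: loosely modelled on a Cuckoo-style JSON report,
# not real Cuckoo output): one process with a short API trace, a summary of
# touched files and registry keys, and the hosts contacted.
SAMPLE_REPORT = json.dumps({
    "behavior": {
        "processes": [{"process_name": "sample.exe", "calls": [
            {"api": "CreateFileW"}, {"api": "WriteFile"}, {"api": "RegSetValueExW"},
            {"api": "InternetOpenUrlA"}, {"api": "CreateFileW"}, {"api": "WriteFile"},
        ]}],
        "summary": {
            "files": ["C:\\Users\\victim\\AppData\\svc.exe"],
            "keys": ["HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc"],
        },
    },
    "network": {"hosts": ["203.0.113.10"]},
})


def extract_features(report_json, n=2):
    """Embed one behavior report into a sparse feature dict: per-API counts,
    API-call n-grams (the q-gram style embedding Malheur applies to sandbox
    traces), and coarse counts of file, registry and network activity."""
    report = json.loads(report_json)
    behavior = report.get("behavior", {})
    feats = Counter()
    for proc in behavior.get("processes", []):
        apis = [call["api"] for call in proc.get("calls", [])]
        for api in apis:
            feats["api:" + api] += 1
        for i in range(len(apis) - n + 1):
            feats["ngram:" + "|".join(apis[i:i + n])] += 1
    summary = behavior.get("summary", {})
    feats["count:files"] = len(summary.get("files", []))
    feats["count:keys"] = len(summary.get("keys", []))
    feats["count:hosts"] = len(report.get("network", {}).get("hosts", []))
    # A Run-key write is a persistence footprint worth keeping as an explicit flag.
    feats["flag:run_key"] = int(any("\\currentversion\\run\\" in key.lower()
                                    for key in summary.get("keys", [])))
    return dict(feats)


def cosine_similarity(a, b):
    """Similarity of two feature dicts; the basis for clustering specimens."""
    dot = sum(v * b.get(k, 0) for k, v in a.items())
    norm = sqrt(sum(v * v for v in a.values())) * sqrt(sum(v * v for v in b.values()))
    return dot / norm if norm else 0.0
```

Feature dicts from many specimens can be fed to a sparse vectorizer and any standard classifier; the n-gram length n controls how much call-sequence context each feature carries.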