Malware Behavioral Analysis (Chinese Version)



The battle between hackers and security researchers never ends [1]. Current analysis methodologies fall into two categories: static analysis (also known as code analysis) and dynamic analysis (also known as behavioral analysis). In static analysis, detection is based on information extracted explicitly or implicitly from the executable binary or source code. In dynamic analysis, detection is based on information collected from the operating system at run time (i.e. while the program executes), such as system calls, network access, file access and memory modifications [2, 3]. The network traffic is then examined for malware behavior, and the infected system is monitored for changed files or registry entries. This technique focuses on obtaining reliable and accurate information from the actual execution of malicious programs.

Indeed, much research performs malware analysis by monitoring malware actions while running the sample in a controlled environment, such as a virtual machine (VM) or an emulator. This method has been used for many years and is popular among researchers, because malware can be executed and analyzed there without having to reinstall production systems every time. In most cases, however, malware can easily detect the virtual machine monitor (VMM) and suppress its propagation behavior, so the malicious behavior observed in VM-based analysis may differ from what would be seen in a physical environment. To address these problems, the simplest approach is to obfuscate the analysis environment so that current malware is fooled, collect its behavior information or logs, and then mine that information statistically. This is done to corroborate the features of the behavioral footprint and to select suitable machine learning classifiers that detect malware and its malicious processes at run time [4].
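As an added illustration of the log-mining step described above (this is example code written for this page, not code from any of the tools or papers it cites): the sandbox log format, the three specimens and their API call sequences are all constructed, and the behavioral footprint is modeled as a bag of consecutive API-call pairs compared by cosine similarity.

```python
import math
from collections import Counter

# Constructed sandbox behavior logs in a hypothetical "<pid> <api> <target>" format.
# The specimens are made up: two droppers that persist via a Run key and beacon
# out, and one benign installer that only writes files under Program Files.
SAMPLE_LOGS = {
    "dropper_a": [
        "1200 CreateFileW C:\\Users\\u\\AppData\\Roaming\\svc.exe",
        "1200 WriteFile C:\\Users\\u\\AppData\\Roaming\\svc.exe",
        "1200 RegSetValueExW HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc",
        "1200 InternetOpenUrlA http://c2.example.invalid/beacon",
    ],
    "dropper_b": [
        "3310 CreateFileW C:\\Users\\u\\AppData\\Local\\Temp\\upd.exe",
        "3310 WriteFile C:\\Users\\u\\AppData\\Local\\Temp\\upd.exe",
        "3310 RegSetValueExW HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd",
        "3310 InternetOpenUrlA http://cdn.example.invalid/chk",
    ],
    "installer": [
        "4100 CreateFileW C:\\Program Files\\App\\app.exe",
        "4100 WriteFile C:\\Program Files\\App\\app.exe",
        "4100 CreateFileW C:\\Program Files\\App\\readme.txt",
        "4100 WriteFile C:\\Program Files\\App\\readme.txt",
    ],
}

def api_sequence(lines):
    """Extract the API name (second field) from each log line, preserving order."""
    return [line.split(None, 2)[1] for line in lines if line.strip()]

def bigram_features(apis):
    """Bag of consecutive API-call pairs: the behavioral footprint to be mined."""
    return Counter(zip(apis, apis[1:]))

def cosine(f1, f2):
    """Cosine similarity of two sparse feature vectors (0.0 if either is empty)."""
    dot = sum(v * f2[k] for k, v in f1.items())
    n1 = math.sqrt(sum(v * v for v in f1.values()))
    n2 = math.sqrt(sum(v * v for v in f2.values()))
    return dot / (n1 * n2) if n1 and n2 else 0.0

def nearest_specimen(name, logs=SAMPLE_LOGS):
    """Return (other_name, similarity) for the most behaviorally similar specimen."""
    target = bigram_features(api_sequence(logs[name]))
    return max(((other, cosine(target, bigram_features(api_sequence(lines))))
                for other, lines in logs.items() if other != name),
               key=lambda t: t[1])

if __name__ == "__main__":
    for specimen in SAMPLE_LOGS:
        print(specimen, "->", nearest_specimen(specimen))
```

Two specimens with the same API-call pairs score 1.0 even though their file names and URLs differ, which is why behavior-level features survive the surface changes that defeat static signatures.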

There are several free malware analysis services and tools that can examine malicious artifacts automatically, and they may use VM systems to analyze malware behaviors. They can save time and provide an overview of the specimens’ capabilities, so that analysts can decide where to focus their manual analysis efforts, as described in the following section:

· On-Line Malware Behavioral Analysis Service:

o   XecScan (http://scan.xecure-lab.com): A free online APT scanning service capable of finding advanced malware, zero-day exploits and targeted APT attacks embedded in common file formats. Furthermore, using a patent-pending exploit analysis engine, XecScan provides forensic data such as the build time of the malware, the program call graph, embedded exploits and the communication hops involved.

o   ThreatExpert (http://www.threatexpert.com/submit.aspx): An advanced automated threat analysis system (ATAS) designed to analyze and report the behavior of computer viruses, worms, Trojans, adware, spyware and other security-related risks in a fully automated mode.

o   EUREKA (http://eureka.cyber-ta.org): A binary static analysis preparation framework that implements a novel binary unpacking strategy based on statistical bigram analysis and coarse-grained execution tracing. Eureka incorporates advanced API deobfuscation capabilities to facilitate the structural analysis of the underlying malware logic.

o   Anubis (https://anubis.iseclab.org): A tool for analyzing the behavior of Windows PE executables, with a special focus on malware. Running Anubis produces a report file that contains enough information to give a human analyst a very good understanding of the purpose and actions of the analyzed binary.

o   Malwr (https://malwr.com): A free malware analysis service that launched its community in January 2011. Existing online analysis services are all based on closed and commercial technologies, often with the intent of leveraging people's data for their own profit and with no transparency about how the data is used.


· On-Line Mobile Malware Behavioral Analysis Service:

o   SandDroid (http://sanddroid.xjtu.edu.cn)

o   Andrubis (http://anubis.iseclab.org)

o   CopperDroid (http://copperdroid.isg.rhul.ac.uk)

o   MobileSandbox (http://mobilesandbox.org)

o   NVISO ApkScan (https://apkscan.nviso.be)

o   MobiSec Eacus (http://www.mobiseclab.org)

o   AndroidSandbox (http://www.androidsandbox.net)

o   APK Analyzer (http://www.apk-analyzer.net)

o   Dynodroid (http://pag-www.gtisc.gatech.edu/dynodroid)

o   Visual Threat (http://www.visualthreat.com)

· Free Analysis Tools:

o   Cuckoo (http://www.cuckoosandbox.org): A simple tool that lets you submit any suspicious file, and in a matter of seconds Cuckoo provides detailed results outlining the file's behavior when executed inside an isolated environment.

o   CuckooDroid (https://github.com/idanr1986/cuckoo-droid): Android extension for Cuckoo.

o   Malheur (http://www.mlsec.org/malheur/): A tool for automatic analysis of malware behavior (program behavior recorded from malicious software in a sandbox environment).

o   Zero Wine (http://sourceforge.net/projects/zerowine/): A malware behavior analysis tool. Simply upload a suspicious PE file (Windows executable) through the web interface, and it will analyze the behavior of the process.

o   REMnux (https://sourceforge.net/projects/remnux/): A lightweight Linux distribution for assisting malware analysts with reverse-engineering malicious software. It also incorporates a number of tools for analyzing malicious executables that run on Microsoft Windows, as well as browser-based malware such as Flash programs and obfuscated JavaScript.

o   AndroGuard: https://github.com/androguard/androguard

o   Androwarn: https://github.com/maaaaz/androwarn/

o   ApkAnalyser: https://github.com/sonyxperiadev/ApkAnalyser

o   FlowDroid: http://sseblog.ec-spride.de/tools/flowdroid/

o   Droidbox: https://code.google.com/p/droidbox/

o   Drozer: https://www.mwrinfosecurity.com/products/drozer/

o   Android Hooker: https://github.com/AndroidHooker/hooker


  1. A. Shabtai, E. Menahem, and Y. Elovici, "F-Sign: Automatic, Function-Based Signature Generation for Malware," IEEE Transactions on Systems, Man, and Cybernetics, Part C: Applications and Reviews, vol. 41, no. 4, pp. 494-508, 2011.
  2. H.-D. Huang, C.-S. Lee, M.-H. Wang, and H.-Y. Kao, "IT2FLS-based Malware Analysis Mechanism: Malware Analysis Network in Taiwan (MiT)," 2013 IEEE International Conference on Systems, Man, and Cybernetics (IEEE SMC 2013), Manchester, United Kingdom, 13-16 Oct. 2013.
  3. H.-D. Huang, C.-S. Lee, M.-H. Wang, and H.-Y. Kao, "IT2FS-based ontology with soft-computing mechanism for malware behavior analysis," Soft Computing, vol. 18, no. 2, pp. 267-284, 2013.
  4. F. Shahzad, M. Shahzad, and M. Farooq, "In-execution dynamic malware analysis and detection by mining information in process control blocks of Linux OS," Information Sciences, vol. 231, pp. 45-63, 2013.