Towards understanding malware behaviour by the extraction of API calls

Proceedings - 2nd Cybercrime and Trustworthy Computing Workshop, CTC 2010

Volumn , Issue , 2010, Pages 52-59

  Alazab, Mamoun ^a   Venkataraman, Sitalakshmi ^a   Watters, Paul ^a  

^a UNIVERSITY OF BALLARAT   (Australia)

Author keywords

API calls; Code obfuscation; Feature extraction; Malware

Indexed keywords

ANTI VIRUS; API CALLS; API FUNCTION CALLS; ASSEMBLY LANGUAGE; AUTOMATED METHODS; AUTOMATED SYSTEMS; CODE OBFUSCATION; CURRENT DETECTION; DEEP KNOWLEDGE; EXECUTABLES; LABOUR-INTENSIVE; MALWARE DETECTION; MALWARES; PACKED EXECUTABLES; RECENT TRENDS; SOFTWARE TOOL;

APPLICATION PROGRAMMING INTERFACES (API); AUTOMATION; COMPUTER SOFTWARE; COMPUTER VIRUSES; VIRUSES;

FEATURE EXTRACTION;

EID: 78649888272     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/CTC.2010.8     Document Type: Conference Paper

References (37)

1. G. McGraw and G. Morrisett, "Attacking malicious code: A report to the infosec research council", IEEE Software, 2000, 17(5), 33-44.
2. Bergeron, J.; Debbabi, M.; Desharnais, J.; Erhioui, M.; Lavoie, Y. & Tawbi, N., "Static detection of malicious code in executable programs", In Symposium on Requirements Engineering for Information Security, Citeseer, 2001, 184-189.
3. Vinod, P.; Jaipur, R.; Laxmi, V. & Gaur, M., "Survey on Malware Detection Methods", Hack. 2009, 74.
4. M. Christodorescu and S. Jha, "Testing malware detectors", In Proceedings of the 2004 ACM SIGSOFT International Symposium on Software Testing and Analysis (ISSTA 2004), Boston, MA, USA, ACM Press, 2004, 34-44.
5. Christodorescu, M. & Jha, S., "Static analysis of executables to detect malicious patterns", Proceedings of the 12th conference on USENIX Security Symposium, 2003, 12, 169-186.
6. Alazab, M.; Venkatraman, S. & Watters, P., "Effective digital forensic analysis of the NTFS disk image", Ubiquitous Computing and Communication Journal, 2009, 4, 1.
7. Keizer, G., "Symantec false positive cripples thousands of Chinese PCs" http://www.computerworld.com/s/article/9019958/Symantec-false-po sitive-cripples-thousands-of-Chinese-PCs?intsrc=hm-list, August 2009.
8. Alazab, M., Venkatraman, S. and Watters, P., 'Digital Forensic Techniques for Static Analysis of NTFS Images, Proceedings of International Conference on Information Technology (ICIT2009). IEEE Computer Society, ISBN 9957-8583-0-0. 2009.
9. Sharif, M.; Yegneswaran, V.; Saidi, H.; Porras, P. & Lee, W., "Eureka: A framework for enabling static malware analysis", Computer Security - ESORICS, Lecture Notes in Computer Science LNCS, Springer, 2008, 5283/2008, 481-500.
10. Tamada, H.; Okamoto, K.; Nakamura, M.; Monden, A. & Matsumoto, K., M, "Dynamic software birthmarks to detect the theft of windows applications", International Symposium on Future Software Technology, 2004.
11. Okamoto, K.; Tamada, H.; Nakamura, M.; Monden, A. & Matsumoto, K., "Dynamic Software Birthmarks Based on API Calls", IEICE Transactions on Information and Systems, 2006, J89-D, 1751-1763.
12. Choi, S.; Park, H.; Lim, H. & Han, T., "A static birthmark of binary executables based on API call structure", Advances in Computer Science - ASIAN 2007. Computer and Network Security, Lecture Notes in Computer Science LNCS, Springer, 2008, 4846/2008, 2-16.
13. Wang, C.; Pang, J.; Zhao, R.; Fu, W. & Liu, X., "Malware Detection Based on Suspicious Behavior Identification", Education Technology and Computer Science, International Workshop on, IEEE Computer Society, 2009, 2, 198-202.
14. Li, W.; Wang, K.; Stolfo, S. & Herzog, B., "Fileprints: Identifying file types by n-gram analysis", the Proceedings of the 2005 IEEE Workshop on Information Assurance and Security, 2005.
15. Venkatraman, S., "Autonomic Context-Dependent Architecture for Malware Detection", Proceedings of International Conference on e-Technology (e-Tech2009), International Business Academics Consortium, ISBN 978-986-83038-3-6, 8-10 January, Singapore, 2009, 2927-2947.
16. Microsoft, 2007, "Understanding Anti-Malware Technologies", http://download.microsoft.com/download/0/c/0/0c040c8f-2109-4760-a750- 96443fd14ef2/Understanding Malware Research and Response at Microsoft.pdf, August 2009.
17. Bruschi, D.; Martignoni, L. & Monga, M., "Detecting self-mutating malware using control-flow graph matching", Lecture Notes in Computer Science, Springer, 2006, 4064, 129.
18. MetaPHOR, http://securityresponse.symantec.com/avcenter/venc/data/w32. simile.html, August 2009.
19. P. Ferrie and P. Ször. Zmist opportunities. Virus Bullettin, 2001.
20. Perriot, F. & Ferrie, P., "Principles and practise of x-raying", Virus Bulletin Conference, 2004, 51-56.
21. Turner, D. Semantic internet security threat report: Trends for january 06 - june 06. X. http://eval.symantec.com/mktginfo/enterprise/white-papers/ent- whitepaper-symantec-internet-security-threat-report-x-09-2006.en-us.pdf. 2006.
22. NEOx, PE Tools, http://www.uinc.ru, March 2010.
23. Royal, P.; Halpin, M.; Dagon, D.; Edmonds, R. & Lee, W., "PolyUnpack: Automating the Hidden-Code Extraction of Unpack-Executing Malware", IEEE Computer Society, the 22nd Annual Computer Security Applications Conference (ACSAC'06), 2006, 289-300.
24. Kang, M.; Poosankam, P. & Yin, H. "Renovo: A hidden code extractor for packed executables", Workshop On Rapid Malcode WORM'07 Proceedings of the 2007 ACM workshop on Recurring malcode, 2007, 46 - 53.
25. Martignoni, L.; Christodorescu, M. & Jha, S., "OmniUnpack: Fast, Generic, and Safe Unpacking of Malware", Proceedings of the Annual Computer Security Applications Conference (ACSAC), 2007.
26. Dinaburg, A.; Royal, P.; Sharif, M. & Lee, W., "Ether: Malware analysis via hardware virtualization extensions", Proceedings of the 15th ACM conference on Computer and communications security, 2008, 51-62.
27. Snaker, Qwerton, Jibz & xineohP, PEiD, http://www.peid.info/, 2008.
28. Yan, W.; Zhang, Z.; Ansari, N. & Micro, T., "Revealing packed malware", IEEE Security & Privacy, 2008, 6, 65-69.
29. IDA Pro Dissasember, DataRescue, An Advanced Interactive Multiprocessor Disassembler, http://www.datarescue.com, October, 2009.
30. SQLite, www.sqlite.org/, February 2010.
31. Windows API Functions, MSDN, http://msdn.microsoft.com/en-us/library/ aa383749%28VS.85%29.aspx. January 2010.
32. Alazab, M., "Investigation techniques for static analysis of NTFS file system images", 2009 Annual Research Conference, Internet Security, University of Ballarat.
33. Purcell, D. & Lang, S., "Forensic Artifacts of Microsoft Windows Vista System", Lecture Notes in Computer Science, Springer, 2008, 5075, 304-319.
34. Wang, C.; Pang, J.; Zhao, R. & Liu, X. "Using API Sequence and Bayes Algorithm to Detect Suspicious Behavior", 2009 International Conference on Communication Software and Networks, 2009, 544-548.
35. Choi, S.; Park, H.; Lim, H. & Han, T., "A static API birthmark for Windows binary executables", Journal of Systems and Software, Elsevier, 2009, 82, 862-873.
36. Stolfo, S.; Wang, K. & Li, W., "Towards Stealthy Malware Detection", Malware Detection, Springer, 2007, 27, 231-249.
37. Sun, L.; Ebringer, T. & Boztas, S., "An automatic anti-anti-VMware technique applicable for multi-stage packed malware", Malicious and Unwanted Software, 2008. MALWARE 2008. 3rd International Conference on, 2008, 17-23.