homonymy function, as the second data of the structure.

When an API is called, Bozano first calls the homonymy function. In this function, two instructions are executed. The first two data items are executed as one instruction, mov eax, ?, whose source operand has been re-assigned beforehand to the relocated address of this API. Then the instruction jmp eax is executed. Finally, the homonymy function transfers control to the relevant API through this unconditional jump.

To sum up, Bozano calls an API through two instructions: one mov and one jmp. In particular, these two instructions are constructed in an unusual way. This can easily confuse a disassembler and so evade static detection. We consider this an obfuscation method for API-calling behavior.

Excerpt of Win32.Aztec:

    virus_start label byte
    aztec:
    ...
    lea edi, [ebp+@@Offsetz]
    lea esi, [ebp+@@Namez]
    ...
    push eax
    call [ebp+_FindFirstFileA]
    ...
    @@Namez label byte
    @FindFirstFileA db "FindFirstFileA", 0
    @FindNextFileA  db "FindNextFileA", 0
    ...
    @@Offsetz label byte
    _FindFirstFileA dd 00000000h
    _FindNextFileA  dd 00000000h
    ...
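As an added illustration (not code from the paper or from the AAS system), the following Python script shows how a static scanner can recover the two-instruction indirect call described above (mov eax, <address>; jmp eax), resolve the immediate against a table of relocated import addresses such as the dd slots under @@Offsetz in the Aztec listing, and then convert the recovered API names into integer ids before comparing the sequence with stored sequences, the integer representation the text also mentions for AAS. The code bytes, the address-to-name map, the two family signatures and the n-gram Jaccard similarity are all constructed or chosen for this example; the paper does not specify its comparison method, and a candidate whose immediate is not a known import is skipped so that scanning goes on with the next byte.

```python
"""Toy static scanner for the mov eax, imm32 / jmp eax indirect API call and
an integer-id representation of the recovered API sequence.

Added example; not code from the paper or the AAS system.  Every address,
byte string and signature below is constructed for the example."""
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for the relocated import addresses a sample would have
# written into its own structure (the dd slots under @@Offsetz in the listing).
# Real values depend on the loaded image; these are invented for the example.
RESOLVED_IMPORTS: Dict[int, str] = {
    0x7C801A2B: "FindFirstFileA",
    0x7C801B3C: "FindNextFileA",
    0x7C802D4E: "CreateFileA",
}

MOV_EAX_IMM32 = 0xB8      # B8 imm32   mov eax, imm32
JMP_EAX = b"\xff\xe0"     # FF E0      jmp eax
PATTERN_LEN = 1 + 4 + 2   # opcode + imm32 + jmp eax


def recover_indirect_calls(code: bytes, imports: Dict[int, str]) -> List[Tuple[int, str]]:
    """Find `mov eax, imm32` immediately followed by `jmp eax` and resolve imm32
    through the import map.  Returns (offset, API name) pairs.  A candidate whose
    immediate is not a known import is skipped and scanning goes on with the
    next byte, so a stray 0xB8 inside data does not stop the scan."""
    found: List[Tuple[int, str]] = []
    i = 0
    while i + PATTERN_LEN <= len(code):
        if code[i] == MOV_EAX_IMM32 and code[i + 5:i + 7] == JMP_EAX:
            target = int.from_bytes(code[i + 1:i + 5], "little")
            name = imports.get(target)
            if name is not None:
                found.append((i, name))
                i += PATTERN_LEN
                continue
        i += 1
    return found


class ApiIdTable:
    """Maps API names to small integers so that sequences are compared with
    integer operations rather than string comparison."""

    def __init__(self) -> None:
        self._ids: Dict[str, int] = {}

    def id_of(self, name: str) -> int:
        return self._ids.setdefault(name, len(self._ids))

    def encode(self, names: List[str]) -> List[int]:
        return [self.id_of(n) for n in names]


def ngram_similarity(a: List[int], b: List[int], n: int = 2) -> float:
    """Jaccard similarity of the n-gram sets of two id sequences.  This is one
    simple choice for the comparison step, which the paper leaves as future work."""
    def grams(seq: List[int]) -> set:
        return {tuple(seq[k:k + n]) for k in range(len(seq) - n + 1)}
    ga, gb = grams(a), grams(b)
    if not ga and not gb:          # both sequences too short to form any n-gram
        return 1.0
    return len(ga & gb) / len(ga | gb)


def best_match(code: bytes, imports: Dict[int, str], db: Dict[str, List[int]],
               table: ApiIdTable, threshold: float = 0.5) -> Tuple[float, Optional[str]]:
    """Recover the API sequence from `code`, encode it, and return the best
    (similarity, family) pair from `db`; the family is None below the threshold."""
    seq = table.encode([name for _, name in recover_indirect_calls(code, imports)])
    score, family = max(((ngram_similarity(seq, sig), fam) for fam, sig in db.items()),
                        default=(0.0, None))
    return (score, family) if score >= threshold else (score, None)


TABLE = ApiIdTable()
# Constructed signature DB: API-id sequences for two hypothetical families.
SIGNATURE_DB: Dict[str, List[int]] = {
    "example-family-A": TABLE.encode(["FindFirstFileA", "FindNextFileA", "CreateFileA"]),
    "example-family-B": TABLE.encode(["CreateFileA", "WriteFile", "CloseHandle"]),
}

# Constructed code bytes: a prologue, three resolvable mov/jmp pairs, one pair
# whose immediate is not an import, and a ret.
SAMPLE_CODE = (
    b"\x55\x8b\xec"                                            # push ebp; mov ebp, esp
    + b"\xb8" + (0x7C801A2B).to_bytes(4, "little") + JMP_EAX   # FindFirstFileA
    + b"\x90\x90"                                              # nop; nop
    + b"\xb8" + (0x7C801B3C).to_bytes(4, "little") + JMP_EAX   # FindNextFileA
    + b"\xb8\x11\x22\x33\x44" + JMP_EAX                        # unknown target, skipped
    + b"\xb8" + (0x7C802D4E).to_bytes(4, "little") + JMP_EAX   # CreateFileA
    + b"\xc3"                                                  # ret
)

if __name__ == "__main__":
    for off, api in recover_indirect_calls(SAMPLE_CODE, RESOLVED_IMPORTS):
        print(f"offset {off:#06x}: mov eax, <{api}>; jmp eax")
    print(best_match(SAMPLE_CODE, RESOLVED_IMPORTS, SIGNATURE_DB, TABLE))
```

The scanner deliberately works on raw bytes rather than on a disassembler's output, because the whole point of the mov/jmp construction is that a linear disassembly does not see a call; the import map is the only thing that turns the immediate back into an API name. Bigram Jaccard is used here only to make the integer-id comparison concrete; the threshold and n are parameters a real system would tune.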
PE executable the scanner will just go on with the next bytes.
with an assigned id. By using an integer representation, we can avoid the costly operation of string comparison.

5. Experimental results

For our experiment, we downloaded malicious code that uses indirect API calls from the VX Heavens website [2]. We analyzed these malware samples and their variants in our system.

Firstly, our system AAS can successfully recover the target API functions that the CALL instructions invoke. We compared our system with IDA Pro. None of the API calls was recognized and recovered by IDA Pro. The result is shown in Table 1.

Table 1. Recovery of API calls using IDA Pro and AAS (√ means recovery success, × means recovery failure)

    Malware          IDA Pro   AAS
    Win32.Aztec      ×         √
    Win32.Bozano     ×         √
    W95/Boza.A       ×         √
    Hortiga.4805     ×         √
    Hortiga.4800     ×         √
    Fosforo.a        ×         √
    Fosforo.b        ×         √
    Fosforo.c        ×         √
    Fosforo.d        ×         √
    Doser.4542       ×         √
    Doser.4540       ×         √
    Doser.4539.a     ×         √
    Doser.4539.b     ×         √
    Doser.4535       ×         √
    Doser.4188       ×         √
    Doser.4183       ×         √

Next, our system AAS successfully extracts API-calling behaviors from these binary executables and detects these malware and their variants. Table 2 shows the detection results using different AV tools. From these experiments, we conclude that our approach is sound and efficient in detecting malware and its metamorphic versions.

Table 2. Malware Detection using Different AV Tools (√ means success, × means failure; ? marks a cell that is not legible in the source)

    Malware   Variant         Rising   ClamAV   AAS
    Hortiga   Hortiga.4805    ×        ×        √
              Hortiga.4800    ×        ×        √
    Fosforo   Fosforo.a       √        √        √
              Fosforo.b       √        √        √
              Fosforo.c       ×        ×        √
              Fosforo.d       ×        ×        √
    Doser     Doser.4542      ×        √        √
              Doser.4540      ?        ?        √
              Doser.4539.a    ?        ?        √
              Doser.4539.b    ?        ?        √
              Doser.4535      √        ×        √
              Doser.4188      √        ×        √
              Doser.4183      ?        ?        √

However, efficiently comparing the similarity of a sequence obtained after analysis with the sequences stored in the API-sequence DB is one part of AAS that is still inadequate. Such techniques have been proposed by other researchers. We will continue this work in the future, and we believe that it will make our system more efficient and more practical.

6. Conclusions and future work

This paper proposes an approach to extracting and analyzing API-calling behaviors from malicious binary executables for malware detection. This technique has been implemented as part of our system AAS. Experimental results prove that our approach is effective at capturing API-calling behavior from malicious code.

References

[1] M. Christodorescu and S. Jha. Testing malware detectors. In Proceedings of the ACM SIGSOFT Symposium on Software Testing and Analysis (ISSTA'04), Boston, Massachusetts, USA, Jul. 2004.
[2] VX Heavens. http://vx.netlux.org.
[3] K. Rozinov. Efficient static analysis of executables for detecting malicious behaviors. Master's thesis, Polytechnic University, Jun. 2005.
[4] F. S., H. S.A., S. A., and L. T.A. A sense of self for Unix processes. In Proceedings of the 1996 IEEE Symposium on Security and Privacy, pages 120–128, Washington, DC, USA, 1996. IEEE Computer Society.
[5] H. S.A., F. S., and S. A. Intrusion detection using sequences of system calls. Computer Security, 6(3):151–180, 1998.
[6] A. Sung, J. Xu, P. Chavez, and S. Mukkamala. Static analyzer of vicious executables (SAVE). In 20th Annual Computer Security Applications Conference, pages 326–334, Dec. 2004.
[7] P. Szor. The Art of Computer Virus Research and Defense. Symantec Press, USA, first edition, 2005.
[8] B. Zhang, J. Yin, J. Hao, D. Zhang, and S. Wang. Using support vector machine to detect unknown computer viruses. International Journal of Computational Intelligence Research, 2(1):100–104, 2006.
[9] Q. Zhang and D. S. Reeves. MetaAware: Identifying metamorphic malware. In Proceedings of ACSAC'07, pages 411–420, Florida, USA, Dec. 2007.