A Secure Environment for Behavioral Malware Analysis

Authors

1 Master's degree, Borujerd Islamic Azad University

2 Associate Professor, Iran University of Science and Technology

Abstract

In this article we propose a client-side file analyzer built on a sandbox. This analyzer environment executes a suspicious application safely in order to observe its behavior and decide whether it is benign or not. The sandbox can also be used for behavioral modeling of a malware sample under manual execution, to understand its destructive and infection patterns and to derive disinfection and cleaning methods. The advantage of the proposed method is that it reduces the problems of malware detection, specifically the detection of obfuscated and metamorphic malware that signature-based and static analysis methods cannot detect; providing a platform for dynamic analysis is therefore the main goal of this article. The proposed sandbox can monitor and track the incoming requests of an application in both user mode and kernel mode of the operating system. This article clusters incoming requests into 8 families, based on data mining over 21000 samples of malware and benign files, and answers them with 5 policies: logging, redirection, rejecting, cheating, and emulating system resources. Our sandbox guarantees the health of the operating system during the execution and analysis of malware. In addition, this article discusses the challenges of dynamic analysis and analyzer environments and offers solutions for them; most of these challenges concern methods of detecting and bypassing analyzer environments. Finally, this article evaluates the proposed sandbox on its capability for behavioral tracking and its usage of system resources, and compares it with some of the best-known analyzers in the world.
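To make the request-mediation idea concrete, the following is an added example (not the paper's code, and not its real policy table): a toy broker that receives an application's resource requests, logs every one of them, and answers each with one of the five policies named in the abstract. The request families ("file", "registry", "process", "driver", "network"), the mapping from requests to policies, the sandbox root path, and the sample request sequence are all constructed placeholders; the paper's own eight families and its mapping are not reproduced here. The redirection policy shows the check a sandbox author needs: a path is normalised before it is joined to the sandbox root so that a `..` sequence cannot escape it.

```python
"""Toy request broker illustrating the five response policies named in the
abstract. Added example, not the paper's code: the request families, the
policy table and the sample requests below are constructed placeholders."""
import posixpath
from dataclasses import dataclass, field
from enum import Enum


class Policy(Enum):
    LOG = "logging"            # allow the request and record it
    REDIRECT = "redirection"   # allow, but on a sandbox-private copy of the resource
    REJECT = "rejecting"       # deny with an ordinary-looking error code
    CHEAT = "cheating"         # report success without performing the action
    EMULATE = "emulating"      # serve the request from an in-memory stand-in


@dataclass
class Request:
    family: str            # hypothetical family names, e.g. "file", "registry"
    op: str
    target: str
    value: object = None   # payload for write-type operations


@dataclass
class Response:
    policy: Policy
    success: bool
    result: object


# Constructed policy table; unknown (family, op) pairs fail closed to REJECT.
DEFAULT_POLICY = {
    ("file", "read"): Policy.LOG,
    ("file", "write"): Policy.REDIRECT,
    ("registry", "read"): Policy.EMULATE,
    ("registry", "write"): Policy.EMULATE,
    ("process", "create"): Policy.LOG,
    ("process", "terminate"): Policy.CHEAT,
    ("driver", "load"): Policy.REJECT,
    ("network", "connect"): Policy.REJECT,
}


def redirect_path(root: str, target: str) -> str:
    """Map a Windows-style target path to a location under the sandbox root.
    The drive letter is dropped and '..' components are resolved *before* the
    path is joined to the root, so a traversal sequence cannot escape it."""
    rel = target.replace("\\", "/")
    if len(rel) > 1 and rel[1] == ":":
        rel = rel[2:]
    rel = posixpath.normpath("/" + rel).lstrip("/")
    dest = posixpath.normpath(posixpath.join(root, rel))
    if posixpath.commonpath([root, dest]) != root:
        raise ValueError(f"redirect escaped sandbox root: {target}")
    return dest


@dataclass
class Broker:
    sandbox_root: str
    policy: dict = field(default_factory=lambda: dict(DEFAULT_POLICY))
    log: list = field(default_factory=list)
    registry: dict = field(default_factory=dict)  # emulated registry store

    def handle(self, req: Request) -> Response:
        pol = self.policy.get((req.family, req.op), Policy.REJECT)
        self.log.append((req.family, req.op, req.target, pol.value))  # every request is logged
        if pol is Policy.LOG:
            return Response(pol, True, req.target)
        if pol is Policy.REDIRECT:
            return Response(pol, True, redirect_path(self.sandbox_root, req.target))
        if pol is Policy.REJECT:
            return Response(pol, False, "ERROR_ACCESS_DENIED")
        if pol is Policy.CHEAT:
            return Response(pol, True, None)
        # EMULATE: registry operations never touch the real hive
        if req.op == "write":
            self.registry[req.target] = req.value
            return Response(pol, True, req.value)
        return Response(pol, req.target in self.registry, self.registry.get(req.target))

    def summary(self) -> dict:
        """Number of requests answered under each policy, for the analysis report."""
        counts = {}
        for _, _, _, pol in self.log:
            counts[pol] = counts.get(pol, 0) + 1
        return counts


def demo() -> Broker:
    """Run a constructed request sequence resembling a persistence attempt."""
    b = Broker(sandbox_root="/tmp/sbx")
    run_key = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\svc"
    for req in (
        Request("file", "write", r"C:\Windows\System32\..\svc.dll", b"..."),
        Request("registry", "write", run_key, r"C:\Windows\svc.dll"),
        Request("registry", "read", run_key),
        Request("process", "terminate", "monitor.exe"),
        Request("driver", "load", "svc.sys"),
        Request("network", "connect", "203.0.113.7:443"),  # documentation address (TEST-NET-3)
    ):
        b.handle(req)
    return b


if __name__ == "__main__":
    broker = demo()
    for entry in broker.log:
        print(entry)
    print(broker.summary())
```

The log produced by `demo()` is the behavioral trace an analyst reads afterwards; the policy table is the knob that decides what the sample is allowed to see. Failing closed to REJECT for any request the table does not know is a deliberate design choice here (an assumption of this example, not a statement about the paper's sandbox): an unanticipated request should not reach the real system.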

Keywords


Volume 2, Issue 3 - Serial Number 3
February 2020
Pages 65-76
  • Receive Date: 09 June 2014
  • Revise Date: 04 July 2023
  • Accept Date: 19 September 2018
  • Publish Date: 22 November 2014