Automatically Identifying Trigger-based Behavior in Malware

  • David Brumley
  • Cody Hartwig
  • Zhenkai Liang
  • James Newsome
  • Dawn Song
  • Heng Yin
Part of the Advances in Information Security book series (ADIS, volume 36)


Malware often contains hidden behavior which is only activated when properly triggered. Well-known examples include the MyDoom worm, which DDoS's on particular dates; keyloggers which only log keystrokes for particular sites; and DDoS zombies which are only activated when given the proper command. We call such behavior trigger-based behavior.

Currently, trigger-based behavior analysis is often performed in a tedious, manual fashion. Providing even a small amount of assistance would greatly help and speed up the analysis. In this chapter, we propose that automatic analysis of trigger-based behavior in malware is possible. In particular, we design an approach for automatic trigger-based behavior detection and analysis using dynamic binary instrumentation and mixed concrete and symbolic execution. Our approach shows that in many cases we can: (1) detect the existence of trigger-based behavior, (2) find the conditions that trigger such hidden behavior, and (3) find inputs that satisfy those conditions, allowing us to observe the triggered malicious behavior in a controlled environment. We have implemented MineSweeper, a system utilizing this approach. In our experiments, MineSweeper has successfully identified trigger-based behavior in real-world malware. Although there are many challenges presented by automatic trigger-based behavior detection, MineSweeper shows us that such automatic analysis is possible and encourages future work in this area.
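As an added illustration (not MineSweeper's code and not from the chapter), the loop below runs a constructed toy program with a date-based trigger on concrete inputs while recording every input-dependent branch as a symbolic path constraint, then negates the branch that led to the benign path and solves for new inputs until the hidden payload is reached. The toy program, its input domains and the brute-force solver (standing in for a real decision procedure) are all assumptions.

```python
from itertools import product

# Constructed toy "malware": a chain of branch conditions guarding the hidden
# payload. Each entry is (input_name, operator, constant); all must hold.
TOY_PROGRAM = [("month", "==", 2), ("day", "==", 1), ("hour", ">=", 9)]
DOMAINS = {"month": range(1, 13), "day": range(1, 32), "hour": range(24)}

OPS = {"==": lambda a, b: a == b, "!=": lambda a, b: a != b,
       ">=": lambda a, b: a >= b, "<": lambda a, b: a < b}
NEGATE = {"==": "!=", "!=": "==", ">=": "<", "<": ">="}

def execute(program, inputs):
    """Mixed concrete/symbolic run: the program executes on concrete inputs,
    but every branch that depends on them is recorded as a symbolic path
    constraint. Returns (payload_reached, path_constraints)."""
    path = []
    for var, op, const in program:
        taken = OPS[op](inputs[var], const)
        path.append((var, op if taken else NEGATE[op], const))
        if not taken:
            return False, path   # benign path: the program exits quietly
    return True, path

def solve(constraints, domains):
    """Brute-force stand-in for a decision procedure: return inputs that
    satisfy every constraint, or None if the path is infeasible."""
    names = sorted(domains)
    for values in product(*(domains[n] for n in names)):
        candidate = dict(zip(names, values))
        if all(OPS[op](candidate[v], c) for v, op, c in constraints):
            return candidate
    return None

def find_trigger(program, seed, domains, max_paths=100):
    """Explore from a concrete seed: when a run ends on a benign path, negate
    the constraint that turned it away, solve, and re-run until the payload
    is reached. Returns (trigger_condition, triggering_inputs) or None."""
    inputs = seed
    for _ in range(max_paths):
        reached, path = execute(program, inputs)
        if reached:
            return path, inputs
        var, op, const = path[-1]
        inputs = solve(path[:-1] + [(var, NEGATE[op], const)], domains)
        if inputs is None:
            return None          # flipped branch infeasible: no trigger here
    return None

if __name__ == "__main__":
    print(find_trigger(TOY_PROGRAM, {"month": 6, "day": 15, "hour": 12}, DOMAINS))
```

The returned constraint list is the trigger condition and the returned dict is an input that satisfies it, which is what lets the payload be observed in a controlled run.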


Keywords (added by machine, not by the authors): Symbolic Execution; Feasible Path; Intermediate Representation; Malicious Code; Trigger Condition





Copyright information

© Springer Science+Business Media, LLC 2008

Authors and Affiliations

  • David Brumley (1)
  • Cody Hartwig (1)
  • Zhenkai Liang (1)
  • James Newsome (1)
  • Dawn Song (1)
  • Heng Yin (1)

  1. Carnegie Mellon University, PA 15213
