Abstract
Malware often contains hidden behavior which is only activated when properly triggered. Well-known examples include the MyDoom worm, which launches DDoS attacks on particular dates; keyloggers which only log keystrokes for particular sites; and DDoS zombies which are only activated when given the proper command. We call such behavior trigger-based behavior. Currently, trigger-based behavior analysis is often performed in a tedious, manual fashion, so even a small amount of automated assistance would greatly speed up the analysis. In this chapter, we propose that automatic analysis of trigger-based behavior in malware is possible. In particular, we design an approach for automatic trigger-based behavior detection and analysis using dynamic binary instrumentation and mixed concrete and symbolic execution. Our approach shows that in many cases we can: (1) detect the existence of trigger-based behavior, (2) find the conditions that trigger such hidden behavior, and (3) find inputs that satisfy those conditions, allowing us to observe the triggered malicious behavior in a controlled environment. We have implemented MineSweeper, a system utilizing this approach. In our experiments, MineSweeper has successfully identified trigger-based behavior in real-world malware. Although automatic trigger-based behavior detection presents many challenges, MineSweeper shows that such automatic analysis is possible and encourages future work in this area.
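The three steps the abstract lists (detect a trigger-gated branch, recover the condition guarding it, solve for an input that satisfies it) can be illustrated with a small mixed concrete/symbolic executor. The following is an added example written for this page, not MineSweeper's code and not code from the chapter: `toy_sample` is a constructed stand-in for a sample with a date-gated and a command-gated hidden path, the inputs `month`, `day` and `cmd` are treated as symbolic, each run executes concretely while recording the path condition, and untaken branches are negated and solved one at a time (the DART/EXE exploration strategy the chapter builds on). The brute-force `solve` over small constructed domains stands in for a real constraint solver.

```python
from dataclasses import dataclass, field
from itertools import product

# Input domains for the toy sample (constructed; a real analysis would use the
# solver's bit-vector domain instead of enumerating values).
DOMAINS = {"month": range(1, 13), "day": range(1, 32), "cmd": range(0, 256)}
OPS = {"==": lambda a, b: a == b, "<": lambda a, b: a < b, ">": lambda a, b: a > b}


@dataclass
class Path:
    """Path condition of one concrete run: a list of (var, op, constant, branch_taken)."""
    constraints: list = field(default_factory=list)


class Sym:
    """Symbolic input value: computes concretely but records every comparison it takes part in."""
    def __init__(self, name, value, path):
        self.name, self.value, self.path = name, value, path

    def _cmp(self, op, rhs):
        taken = OPS[op](self.value, rhs)           # concrete outcome drives control flow
        self.path.constraints.append((self.name, op, rhs, taken))
        return taken

    def __eq__(self, rhs): return self._cmp("==", rhs)
    def __lt__(self, rhs): return self._cmp("<", rhs)
    def __gt__(self, rhs): return self._cmp(">", rhs)


def toy_sample(env, log):
    """Constructed stand-in for a sample with hidden, trigger-gated behaviour (not real malware)."""
    if env["month"] == 2 and env["day"] == 1:          # date-gated path
        log.append("hidden: date-triggered payload")
    elif env["cmd"] > 0x40 and env["cmd"] < 0x43:      # command-gated path
        log.append("hidden: command handler")
    else:
        log.append("benign")


def run_once(concrete):
    """Execute the sample on one concrete input, returning its path condition and observed behaviour."""
    path = Path()
    env = {name: Sym(name, value, path) for name, value in concrete.items()}
    log = []
    toy_sample(env, log)
    return path.constraints, log[0]


def solve(constraints):
    """Brute-force solver over the small domains above; MineSweeper-style systems hand this to a real solver."""
    names = sorted({c[0] for c in constraints})
    for values in product(*(DOMAINS[n] for n in names)):
        candidate = dict(zip(names, values))
        if all(OPS[op](candidate[n], rhs) == taken for n, op, rhs, taken in constraints):
            return candidate
    return None


def find_hidden_behaviour(seed, max_paths=50):
    """Explore paths by negating one recorded branch at a time; returns behaviour -> triggering input."""
    worklist, seen, found = [dict(seed)], set(), {}
    while worklist and len(seen) < max_paths:
        concrete = worklist.pop()
        constraints, behaviour = run_once(concrete)
        key = tuple(constraints)
        if key in seen:                                # same path already explored
            continue
        seen.add(key)
        found.setdefault(behaviour, concrete)          # first input observed for this behaviour
        for i, (name, op, rhs, taken) in enumerate(constraints):
            # keep the prefix, flip branch i, and ask the solver for an input that takes the other side
            solution = solve(constraints[:i] + [(name, op, rhs, not taken)])
            if solution is not None:
                worklist.append({**concrete, **solution})
    return found


if __name__ == "__main__":
    # Start from a benign-looking environment (constructed seed values).
    for behaviour, trigger in find_hidden_behaviour({"month": 6, "day": 15, "cmd": 0}).items():
        print(f"{behaviour:35s} <- {trigger}")
```

Starting from an input that exercises only the benign path, the explorer flips the recorded `month == 2` branch, solves for an input that takes it, then flips the newly exposed `day == 1` branch, and the date-triggered payload runs in the analysis harness with the solved input; the command handler is reached the same way through the two `cmd` comparisons. In a real binary the same loop operates on instruction-level comparisons against tainted input bytes, and the solver must also handle the case where no input satisfies the flipped condition, which here simply returns `None`.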
Copyright information
© 2013 The Author(s)
About this chapter
Cite this chapter
Yin, H., Song, D. (2013). Analysis of Trigger Conditions and Hidden Behaviors. In: Automatic Malware Analysis. SpringerBriefs in Computer Science. Springer, New York, NY. https://doi.org/10.1007/978-1-4614-5523-3_6
DOI: https://doi.org/10.1007/978-1-4614-5523-3_6
Publisher Name: Springer, New York, NY
Print ISBN: 978-1-4614-5522-6
Online ISBN: 978-1-4614-5523-3
eBook Packages: Computer Science (R0)