
API Chaser: Anti-analysis Resistant Malware Analyzer

  • Conference paper
Research in Attacks, Intrusions, and Defenses (RAID 2013)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 8145)

Abstract

API (Application Programming Interface) monitoring is an effective approach for quickly understanding the behavior of malware, and it has been widely used as the basis of many malware countermeasures. However, malware authors are now aware of this and develop malware that uses several anti-analysis techniques to evade API monitoring. In this paper, we present the design and implementation of an API monitoring system, API Chaser, which is resistant to evasion-type anti-analysis techniques such as stolen code and code injection. We have evaluated API Chaser against several real-world malware samples, and the results show that API Chaser correctly captures the API calls invoked by the malware without being evaded.
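To make the two evasion techniques named in the abstract concrete, the following is an added illustration (not code from the paper or from API Chaser): it replays small constructed execution traces through two monitoring strategies. The first is a classic entry-point hook, which only fires when control reaches the first byte of the monitored API in the monitored process. The second attributes every executed instruction to the address its bytes were originally loaded from, so copied ("stolen") API prologue bytes and API calls made from an injected thread in another process are still recognised. The addresses, process IDs and the trace format are assumptions made for the example; the attribution strategy is a generic one and is not claimed to be API Chaser's actual mechanism.

```python
"""Entry-point hooking vs. byte-origin attribution against stolen code and code injection.

Added example with constructed traces; not the paper's implementation.
"""
from dataclasses import dataclass

API_BASE = 0x7C800000      # assumed load address of a monitored DLL export
API_LEN = 0x40             # assumed length of the API body, in bytes
MALWARE_BASE = 0x00401000  # assumed code region of the analysed sample
MALWARE_PID = 1234         # assumed PID of the analysed sample
VICTIM_PID = 4321          # assumed PID of a benign process the sample injects into


@dataclass(frozen=True)
class Insn:
    """One executed instruction in a (constructed) trace."""
    pid: int     # process the instruction executed in
    addr: int    # address it executed from
    origin: int  # address its bytes were originally loaded at (== addr unless copied)


def entry_hook_monitor(trace, pid=MALWARE_PID, api_entry=API_BASE):
    """Inline/breakpoint hook at the API entry, installed only in the monitored process.

    Returns the number of times the hook fires.
    """
    return sum(1 for i in trace if i.pid == pid and i.addr == api_entry)


def origin_monitor(trace, api_base=API_BASE, api_len=API_LEN):
    """System-wide attribution by byte origin.

    Counts a call each time execution transitions from non-API bytes to bytes that
    originated anywhere inside the API body, regardless of where they now execute
    or which process executes them.
    """
    calls, inside = 0, False
    for i in trace:
        in_api = api_base <= i.origin < api_base + api_len
        if in_api and not inside:
            calls += 1
        inside = in_api
    return calls


def _api_body(pid, start):
    # API instructions from byte offset `start` to the end, executing in place
    return [Insn(pid, API_BASE + o, API_BASE + o) for o in range(start, API_LEN, 4)]


def normal_call_trace():
    """Sample calls the API directly: the trace passes through the entry byte."""
    return ([Insn(MALWARE_PID, MALWARE_BASE + o, MALWARE_BASE + o) for o in (0, 5)]
            + _api_body(MALWARE_PID, 0)
            + [Insn(MALWARE_PID, MALWARE_BASE + 10, MALWARE_BASE + 10)])


def stolen_code_trace(stolen=8):
    """Stolen code: the sample copied the first `stolen` bytes of the API into its own
    region, executes them there, then jumps to API_BASE + stolen, never touching the entry."""
    copied = [Insn(MALWARE_PID, MALWARE_BASE + 0x100 + o, API_BASE + o)
              for o in range(0, stolen, 4)]
    return ([Insn(MALWARE_PID, MALWARE_BASE + o, MALWARE_BASE + o) for o in (0, 5)]
            + copied
            + _api_body(MALWARE_PID, stolen)
            + [Insn(MALWARE_PID, MALWARE_BASE + 10, MALWARE_BASE + 10)])


def code_injection_trace():
    """Code injection: the sample's code runs in a benign process, where no hook is installed."""
    return ([Insn(MALWARE_PID, MALWARE_BASE + o, MALWARE_BASE + o) for o in (0, 5)]
            + [Insn(VICTIM_PID, 0x00200000 + o, MALWARE_BASE + 0x200 + o) for o in (0, 5)]
            + _api_body(VICTIM_PID, 0)
            + [Insn(MALWARE_PID, MALWARE_BASE + 10, MALWARE_BASE + 10)])


def compare_monitors():
    """Return {trace name: (entry-hook count, origin-attribution count)}."""
    traces = {"normal": normal_call_trace(),
              "stolen_code": stolen_code_trace(),
              "code_injection": code_injection_trace()}
    return {name: (entry_hook_monitor(t), origin_monitor(t)) for name, t in traces.items()}


if __name__ == "__main__":
    for name, (hook, origin) in compare_monitors().items():
        print(f"{name:15s} entry-hook={hook} origin-attribution={origin}")
```

The entry hook sees exactly one call in the normal trace and none in either evasion trace; the origin-based monitor reports one call in all three. The point a practitioner should take away is that any monitor keyed on a single address in a single process is defeated by copying code or moving execution to another process, which is why the abstract frames resistance to stolen code and code injection as the design goal.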



Copyright information

© 2013 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Kawakoya, Y., Iwamura, M., Shioji, E., Hariu, T. (2013). API Chaser: Anti-analysis Resistant Malware Analyzer. In: Stolfo, S.J., Stavrou, A., Wright, C.V. (eds) Research in Attacks, Intrusions, and Defenses. RAID 2013. Lecture Notes in Computer Science, vol 8145. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-41284-4_7

  • DOI: https://doi.org/10.1007/978-3-642-41284-4_7

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-41283-7

  • Online ISBN: 978-3-642-41284-4
