iPanda: A comprehensive malware analysis tool

Malware analysis is the process of dissecting a given malware sample in order to determine its purpose and functionality. It is a necessary step toward developing effective detection techniques for malicious code and tools for its removal. Public malware analysis systems are a major source for users who want to understand a malware sample. However, the reports produced by those systems only list which operating system resources the submitted sample created or accessed, which is insufficient for a malware analyst who expects a comprehensive analysis report. In this paper, we present iPanda, an analyst-oriented comprehensive malware analysis tool. Several prevalent static and dynamic malware analysis techniques, such as detection of the analysis-evasion techniques used by malware authors, information flow tracking, identification of functional code fragments, and network behavior analysis, are implemented complementarily in iPanda, so that it supports a comprehensive analysis of malware and generates an analysis report comprising a structure profile and a behavior profile of the sample. The results are highly valuable to malware analysts performing malware detection and containment.

[1]  Dawn Xiaodong Song,et al.  MACE: Model-inference-Assisted Concolic Exploration for Protocol and Vulnerability Discovery , 2011, USENIX Security Symposium.

[2]  Zhenkai Liang,et al.  Automatically Identifying Trigger-based Behavior in Malware , 2008, Botnet Detection.

[3]  James Newsome,et al.  Dynamic Taint Analysis for Automatic Detection, Analysis, and SignatureGeneration of Exploits on Commodity Software , 2005, NDSS.

[4]  Carsten Willems,et al.  Learning and Classification of Malware Behavior , 2008, DIMVA.

[5]  Felix C. Freiling,et al.  Learning More about the Underground Economy: A Case-Study of Keyloggers and Dropzones , 2009, ESORICS.

[6]  Zhenkai Liang,et al.  BitBlaze: A New Approach to Computer Security via Binary Analysis , 2008, ICISS.

[7]  Christopher Krügel,et al.  Effective and Efficient Malware Detection at the End Host , 2009, USENIX Security Symposium.

[8]  Zhuoqing Morley Mao,et al.  Automated Classification and Analysis of Internet Malware , 2007, RAID.

[9]  Somesh Jha,et al.  Static Analysis of Executables to Detect Malicious Patterns , 2003, USENIX Security Symposium.

[10]  Somesh Jha,et al.  Mining specifications of malicious behavior , 2008, ISEC '08.

[11]  Felix C. Freiling,et al.  Toward Automated Dynamic Malware Analysis Using CWSandbox , 2007, IEEE Secur. Priv..

[12]  Saumya K. Debray,et al.  Obfuscation of executable code to improve resistance to static disassembly , 2003, CCS '03.

[13]  Wenke Lee,et al.  PolyUnpack: Automating the Hidden-Code Extraction of Unpack-Executing Malware , 2006, 2006 22nd Annual Computer Security Applications Conference (ACSAC'06).

[14]  Christopher Krügel,et al.  A survey on automated dynamic malware-analysis techniques and tools , 2012, CSUR.

[15]  Chengyu Song,et al.  Studying Malicious Websites and the Underground Economy on the Chinese Web , 2008, WEIS.

[16]  Dawn Xiaodong Song,et al.  Inference and analysis of formal models of botnet command and control protocols , 2010, CCS '10.

[17]  Somesh Jha,et al.  Synthesizing Near-Optimal Malware Specifications from Suspicious Behaviors , 2010, 2010 IEEE Symposium on Security and Privacy.

[18]  Christopher Krügel,et al.  The power of procrastination: detection and mitigation of execution-stalling malicious code , 2011, CCS '11.

[19]  Christopher Krügel,et al.  Dynamic Analysis of Malicious Code , 2006, Journal in Computer Virology.

[20]  Dawn Xiaodong Song,et al.  Dispatcher: enabling active botnet infiltration using automatic protocol reverse-engineering , 2009, CCS.

[21]  Heng Yin,et al.  Panorama: capturing system-wide information flow for malware detection and analysis , 2007, CCS '07.

[22]  Lorenzo Martignoni,et al.  A Framework for Behavior-Based Malware Analysis in the Cloud , 2009, ICISS.

[23]  Fabrice Bellard,et al.  QEMU, a Fast and Portable Dynamic Translator , 2005, USENIX Annual Technical Conference, FREENIX Track.

[24]  S. Katzenbeisser,et al.  Malware Normalization , 2005 .

[25]  Xu Chen,et al.  Towards an understanding of anti-virtualization and anti-debugging behavior in modern malware , 2008, 2008 IEEE International Conference on Dependable Systems and Networks With FTCS and DCC (DSN).

[26]  Nick Feamster,et al.  Behavioral Clustering of HTTP-Based Malware and Signature Generation Using Malicious Network Traces , 2010, NSDI.