Automatically Identifying Trigger-based Behavior in Malware

Malware often contains hidden behavior that is only activated when properly triggered. Well-known examples include the MyDoom worm, which launches DDoS attacks only on particular dates; keyloggers that only log keystrokes for particular sites; and DDoS zombies that are only activated when given the proper command. We call such behavior trigger-based behavior.
