Authors:
Shun Yonamine (1); Youki Kadobayashi (1); Daisuke Miyamoto (2) and Yuzo Taenaka (1)
Affiliations:
(1) Nara Institute of Science and Technology, 8916-5 Takayama, Ikoma, Nara 630-0192, Japan
(2) The University of Tokyo, 2-11-16 Yayoi, Bunkyo, Tokyo 113-8658, Japan
Keyword(s):
Malware Characterization, Virtual Machine Introspection, Taint Analysis, Malware Analysis.
Abstract:
One goal of malware analysis is to figure out the attacker's intention, that is, the high-level mechanism behind the observed behavior. Since malicious activities are typically performed by combining multiple APIs, identifying the malicious intention requires inspecting the series of API calls and analyzing its semantics. In traditional malware analysis this task generally relies on the manual effort of experts; there is no methodology for associating multiple APIs and identifying the malicious intention in an automated manner. In this paper, we propose a virtual machine introspection-based method for automatically identifying high-level mechanisms. We developed Spaniel, a prototype system that uses taint analysis to track the malicious processing that derives from data read from a specified file and collects the traces of malicious activities. For evaluation, we used the adversary behavior models defined in ATT&CK; Spaniel identified key indicators that cover 26% of those models.
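The abstract describes the core idea at a high level: taint the bytes read from a chosen file, follow them through subsequent API calls, keep only the calls that consume tainted data, and match the resulting API sequence against a behavior model. The following is an added, deliberately simplified illustration of that data-flow tracking over a constructed API-call trace; it is not Spaniel's code and does not use VMI. The trace, the handle/buffer names, the `Call` record and the single behavior pattern are all constructed for this example and are not ATT&CK definitions.

```python
"""Simplified file-sourced taint tracking over an API-call trace.

Added illustration, not code from the paper. Each trace entry records which
handles/buffers an API call consumed ("ins") and which it produced ("outs").
Taint starts at the handle returned for a chosen source file and propagates
from any tainted input to every output of the same call.
"""
from dataclasses import dataclass


@dataclass
class Call:
    api: str          # API name as it would appear in a captured trace
    ins: list         # handles/buffers/paths consumed by the call
    outs: list        # handles/buffers produced by the call


# Constructed trace: one process reads two files; only payload.bin flows
# into a decrypt -> copy-to-executable-memory -> new-thread chain.
TRACE = [
    Call("CreateFileW",   ["C:\\payload.bin"], ["h_file"]),
    Call("ReadFile",      ["h_file"],          ["buf1"]),
    Call("CreateFileW",   ["C:\\other.txt"],   ["h_other"]),
    Call("ReadFile",      ["h_other"],         ["buf2"]),
    Call("CryptDecrypt",  ["buf1"],            ["buf3"]),
    Call("VirtualAlloc",  [],                  ["mem1"]),
    Call("RtlMoveMemory", ["mem1", "buf3"],    ["mem1"]),
    Call("VirtualProtect",["mem1"],            []),
    Call("CreateThread",  ["mem1"],            ["h_thread"]),
    Call("WriteFile",     ["buf2"],            []),
]

# Constructed behavior model (hypothetical name, not an ATT&CK technique):
# an ordered, not necessarily contiguous, API subsequence.
PATTERNS = {
    "decode_file_and_execute_in_memory": [
        "ReadFile", "CryptDecrypt", "RtlMoveMemory",
        "VirtualProtect", "CreateThread",
    ],
}


def tainted_api_sequence(trace, source_path):
    """Return the ordered API names whose inputs derive from source_path."""
    tainted = set()
    seq = []
    for c in trace:
        # Taint source: the open of the specified file taints its handle.
        if c.api == "CreateFileW" and c.ins and c.ins[0] == source_path:
            tainted.update(c.outs)
            seq.append(c.api)
            continue
        # Propagation: any tainted input taints all outputs of the call.
        if any(x in tainted for x in c.ins):
            tainted.update(c.outs)
            seq.append(c.api)
    return seq


def match_patterns(seq, patterns=PATTERNS):
    """Return names of patterns that occur as a subsequence of seq."""
    hits = []
    for name, pat in patterns.items():
        it = iter(seq)
        # Advance through seq once; succeeds only if every pattern element
        # is found in order.
        if all(any(s == p for s in it) for p in pat):
            hits.append(name)
    return hits


if __name__ == "__main__":
    seq = tainted_api_sequence(TRACE, "C:\\payload.bin")
    print("tainted API sequence:", seq)
    print("matched behavior models:", match_patterns(seq))
```

Tracking only calls that touch tainted data is what keeps the collected sequence small and attributable to the chosen file: the read of `other.txt` and its later `WriteFile` never enter the sequence, so they cannot produce a spurious match. A real implementation needs byte-level taint inside buffers and must follow taint across process and kernel boundaries, which this illustration omits.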