Prior Publisher
The Association of Digital Forensics, Security and Law (ADFSL)
Abstract
Malicious software (malware) has a wide variety of analysis avoidance techniques that it can employ to hinder forensic analysis. Although legitimate software can incorporate the same analysis avoidance techniques to provide a measure of protection against reverse engineering and to protect intellectual property, malware invariably makes much greater use of such techniques to make detailed analysis labour intensive and very time consuming. Analysis avoidance techniques are so heavily used by malware that detecting their use could be a very good indicator of the presence of malicious intent. However, analysis tools tend to focus on hiding the presence of the tool itself from the malware, and not on detecting and recording the analysis avoidance techniques the malware employs. In addition, the coverage of anti-anti-analysis techniques in common tools and plugins is much smaller than the number of analysis avoidance techniques that exist. The purpose of this paper is to suggest that the discovery of the intent of deception may be a very good indicator of an underlying malicious objective of the software under investigation.
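The abstract's thesis is that a tool should record the analysis avoidance tricks it sees, and score their breadth, rather than merely hide from them. The following static triage script is an added illustration of that idea, not code from the paper: the indicator table (real Windows API names and artefact strings), the family grouping, the weights and the sample images are all this example's own assumptions.

```python
import re
from collections import defaultdict

# Indicator table: real Windows API names and well-known artefact strings that
# analysis-avoidance code commonly references, grouped into families. The grouping
# and the weights below are this example's own assumptions, not the paper's.
INDICATORS = {
    "IsDebuggerPresent": "debugger",
    "CheckRemoteDebuggerPresent": "debugger",
    "NtQueryInformationProcess": "debugger",
    "NtSetInformationThread": "debugger",
    "GetTickCount": "timing",
    "QueryPerformanceCounter": "timing",
    "VBoxService": "vm",
    "vmtoolsd": "vm",
    "SbieDll.dll": "sandbox",
    "UPX0": "packer",
}
_PATTERN = re.compile("|".join(re.escape(k) for k in INDICATORS).encode())

def scan(data: bytes) -> dict:
    """Record every indicator present in a binary image, grouped by family."""
    found = defaultdict(set)
    for m in _PATTERN.finditer(data):
        name = m.group().decode()
        found[INDICATORS[name]].add(name)
    return {fam: sorted(names) for fam, names in found.items()}

def deception_score(found: dict) -> int:
    """One point per distinct indicator, plus two per family beyond the first.
    A lone timing or debugger call is common in benign code (legitimate software
    uses these tricks too); breadth across several families is the signal."""
    hits = sum(len(v) for v in found.values())
    return hits + 2 * max(0, len(found) - 1)

def triage(data: bytes, threshold: int = 6) -> dict:
    """Return the recorded indicators, the score and a verdict against a threshold."""
    found = scan(data)
    score = deception_score(found)
    return {"indicators": found, "score": score, "suspicious": score >= threshold}

# Constructed sample images (not real binaries): one with only a lone timing call,
# and one that stacks a packer, debugger checks, a sandbox DLL and a VM tool name.
BENIGN = b"MZ\x90\x00" + b"kernel32.dll\x00GetTickCount\x00WriteFile\x00"
STACKED = (b"MZ\x90\x00UPX0\x00" + b"kernel32.dll\x00IsDebuggerPresent\x00"
           b"CheckRemoteDebuggerPresent\x00GetTickCount\x00SbieDll.dll\x00vmtoolsd.exe\x00")

if __name__ == "__main__":
    for label, img in (("benign", BENIGN), ("stacked", STACKED)):
        print(label, triage(img))
```

A real tool would pull the names from the import table and from strings of the unpacked image rather than a raw byte search, but the recording and scoring logic is the same.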
Recommended Citation
Brand, Murray; Valli, Craig; and Woodward, Andrew (2010). "Malware Forensics: Discovery of the Intent of Deception," Journal of Digital Forensics, Security and Law: Vol. 5, Article 2.
DOI: https://doi.org/10.15394/jdfsl.2010.1082
Available at: https://commons.erau.edu/jdfsl/vol5/iss4/2