
Summary
This paper is a survey on automated dynamic malware analysis, written by Manuel Egele et al. in 2012. The paper first introduces the types of malware and then discusses the analysis techniques and tools. The types of malware are classified into:
- Worm.
- Virus.
- Trojan horse.
- Spyware.
- Bot.
- Rootkit.
Specific malware instances may exhibit the characteristics of multiple types. The analysis techniques for this malware are classified into function call monitoring, function parameter analysis, information flow tracking, instruction traces, and autostart extensibility points. However, sophisticated malware authors also strive to evade investigation. For example, malware may exhibit non-malicious behavior when it detects analysis tools, and samples are packed and obfuscated to encumber any analysis conducted on them. Implementing a malware analysis system requires design decisions that have far-reaching consequences. An analysis component that executes at a higher privilege level than the program under analysis cannot be accessed by that program. Implementing the analysis functionality in an emulator or virtual machine allows the analysis to conceal itself even from malware that executes in kernel space. The implementation strategies are:
- Analysis in user/kernel space.
- Analysis in an emulator.
- Analysis in a virtual machine.
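Function call monitoring, parameter analysis and the autostart-extensibility-point check described above can be shown on a small scale. The following is an added example, not code from the survey or its authors: it hooks every Python-level call with `sys.setprofile` (the same idea as API hooking in a sandbox), records the parameters of watched calls, and flags registry writes to an autostart location. The "OS API" functions, the sample and its paths are constructed stand-ins; only the `Run` key is a real, well-known autostart location.

```python
"""Function-call monitoring and parameter analysis over a constructed sample.

Added example (not code from the survey or its authors). It hooks every
Python-level call with sys.setprofile, records the watched functions'
parameters, and checks registry writes against a list of autostart
extensibility points (ASEPs). The 'OS API' functions and the sample are
constructed stand-ins.
"""
import sys

# Constructed stand-ins for the OS API a sandbox would hook.
def reg_set_value(key, name, data):
    return True

def create_file(path, contents):
    return len(contents)

# One well-known ASEP; a real monitor would carry a much longer list.
ASEPS = {r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"}
WATCHED = {"reg_set_value", "create_file"}

class CallMonitor:
    """Profile hook that records (function name, {param: value}) for watched calls."""

    def __init__(self):
        self.calls = []

    def __call__(self, frame, event, arg):
        code = frame.f_code
        if event == "call" and code.co_name in WATCHED:
            # Parameter analysis: positional parameter names come from the
            # code object, their values from the new frame's locals.
            params = {n: frame.f_locals[n] for n in code.co_varnames[:code.co_argcount]}
            self.calls.append((code.co_name, params))

    def __enter__(self):
        sys.setprofile(self)
        return self

    def __exit__(self, *exc):
        sys.setprofile(None)
        return False

def monitor(sample):
    """Run `sample` under the hook and return the recorded call trace."""
    with CallMonitor() as mon:
        sample()
    return mon.calls

def persistence_findings(calls):
    """ASEP check: registry writes whose key is an autostart location."""
    return [(fn, p) for fn, p in calls if fn == "reg_set_value" and p["key"] in ASEPS]

def sample_behaviour():
    """Constructed sample: drops a file, then registers it for autostart."""
    path = r"C:\Users\Public\notes.txt"
    create_file(path, "hello")
    reg_set_value(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "updater", path)

if __name__ == "__main__":
    trace = monitor(sample_behaviour)
    for fn, params in trace:
        print(fn, params)
    print("ASEP writes:", persistence_findings(trace))
```

The hook runs in the same process and at the same privilege level as the sample, which is exactly the weakness the summary points out: a sample that can reach `sys.setprofile` could remove the hook, so real systems place the monitor in the hypervisor or emulator instead.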
The technique for resetting the analysis environment is also essential, because results are only comparable if each sample is executed in an identical environment. Moreover, network simulation provides a simulated network so that behavior of the malware that depends on network access can be observed. Generic detection and reconstruction of packed code is devised to deobfuscate binaries that are obfuscated with unknown packers. There are many tools using the different techniques mentioned above. The paper gives a summary describing which strategies are implemented by each tool. A discussion of the approaches, possible evasion techniques, and advantages over other approaches is given as well.
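Generic detection of packed code in a dynamic analysis rests on one observation: the unpacker writes memory and then executes what it wrote. The following is an added example, not code from the survey or its authors, that shows this on a constructed toy machine. A tiny interpreter tracks every cell the program writes; the first time execution reaches an instruction whose cells were written at run time, that address is recorded as the point where the unpacked code starts running (the survey's "reconvergence point"), and the instructions executed there are dumped as the reconstructed code. The instruction set, memory layout and sample program are all constructed.

```python
"""Write-then-execute detection of unpacked code on a toy machine.

Added example (not code from the survey or its authors). The instruction
set, memory layout and the 'packed' sample below are constructed.
"""
from dataclasses import dataclass, field

HALT, WRITE, JMP, NOP = 0, 1, 2, 3
WORD = 3  # an instruction is three cells: opcode, operand a, operand b

@dataclass
class Trace:
    executed: list = field(default_factory=list)        # pcs in execution order
    written: set = field(default_factory=set)           # cells written at run time
    unpack_events: list = field(default_factory=list)   # pcs of run-time-written instructions

def run(memory, max_steps=1000):
    """Execute the program at cell 0 and return (final memory, trace)."""
    mem = list(memory)
    tr = Trace()
    pc = 0
    for _ in range(max_steps):
        op, a, b = mem[pc:pc + WORD]
        # Write-then-execute: this instruction did not exist in the static image.
        if {pc, pc + 1, pc + 2} & tr.written and pc not in tr.unpack_events:
            tr.unpack_events.append(pc)
        tr.executed.append(pc)
        if op == HALT:
            return mem, tr
        if op == WRITE:
            mem[a] = b
            tr.written.add(a)
            pc += WORD
        elif op == JMP:
            pc = a
        elif op == NOP:
            pc += WORD
        else:
            raise ValueError(f"invalid opcode {op} at {pc}")
    raise RuntimeError("step limit reached")

def analyze(memory):
    """Report where unpacked code first ran and dump the instructions executed there."""
    mem, tr = run(memory)
    dynamic_code = [(pc, tuple(mem[pc:pc + WORD])) for pc in tr.executed if pc in tr.unpack_events]
    return {
        "reconvergence_point": tr.unpack_events[0] if tr.unpack_events else None,
        "dynamic_code": dynamic_code,
    }

def packed_sample():
    """Constructed 'packed' program: a stub decodes a payload into cells 30..35 and jumps there."""
    stub = [
        WRITE, 30, NOP,   # payload instruction 1: NOP
        WRITE, 31, 0,
        WRITE, 32, 0,
        WRITE, 33, HALT,  # payload instruction 2: HALT
        WRITE, 34, 0,
        WRITE, 35, 0,
        JMP, 30, 0,
    ]
    junk = [9] * 6  # what a static view of the payload region sees: invalid opcodes
    return stub + [0] * (30 - len(stub)) + junk + [0] * 4

if __name__ == "__main__":
    print(analyze(packed_sample()))
```

A static disassembler would reject the payload region (opcode 9 is invalid), while the dynamic trace yields the decoded instructions at cells 30 and 33 without knowing anything about the packer. The same tracking, applied per page rather than per cell, is what real sandboxes use; the cost is that it only sees code paths the sample actually executes during the run.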
English Learning
- words:
vendor
discriminate, differentiate, distinguish, discrepancy
malicious, malware, malevolent
legitimate
spam (spam email)
surreptitiously
credential (banking credential)
sophisticated (knowledgeable)
mitigation (the detection and mitigation of malicious software)
tedious (a tedious and error-prone task)
inherently (naturally)
tailored (specifically tailored malware, tailored suit)
coordinated (in a coordinated manner)
tamper (interfere, tamper with operating system)
commodity (commodity off-the-shelf operating system)
nefarious
lure
evasion, circumvent (evade), disguise, conceal
flaw (demerit)
ambiguous (uncertain)
exacerbate (make worse)
thwart, intercept, encumber (burden), preclude, cease (stop)
resilient (flexible)
intricate, cumbersome, elaborate, opaque (complex)
applicability, feasibility
viable (workable)
leak
cloak
- phrases:
pose a threat to
employ techniques
strive to do (make every effort)
time-consuming (tedious)
error-prone
at the expense of
in combat against
familiarize … with … (familiarize the reader with the technology that we will be using in the remainder of this work)
point of view
shed light on
tamper-proof
hand over
cloak the slowdown
sheer number of (a large number of)
exhibit the characteristics of
- technical words:
orthogonal
obfuscate (encrypt), deobfuscate (decrypt)
taxonomy
emulator
overlay
- technical phrases:
intended function
reconvergence point
analysis component, analysis functionality