WiLDCAT: An Integrated Stealth Environment For Dynamic Malware Analysis

Date

2007-08-23T01:56:20Z

Authors

Journal Title

Journal ISSN

Volume Title

Publisher

Computer Science & Engineering

Abstract

Malware -- a term that refers to viruses, trojans, worms, spyware or any form of malicious code -- is widespread today. Given the devastating effects that malware have on the computing world, detecting and countering malware is an important goal. Malware analysis is a challenging and multi-step process providing insight into malware structure and functionality, facilitating the development of an antidote. To successfully detect and counter malware, malware analysts must be able to analyze them in binary, in both a coarse- (behavioral) and fine-grained (structural) fashion. However, current research in coarse- and fine-grained code analysis (categorized into static and dynamic) have severe shortcomings in the context of malware. Static approaches have been tailored towards malware and allow exhaustive fine-grained malicious code analysis, but lack support for self-modifying code, have limitationsrelated to code-obfuscations and face the undecidability problem. Given that most if not all recent malware employ self-modifying code and code-obfuscations, poses the need to analyze them at runtime using dynamic approaches. Current dynamic approaches for coarse- and fine-grained code analysis are not tailored specifically towards malware and lack support for multithreading, self-modifying/self-checking (SM-SC) code and are easily detected and countered by ever-evolving anti-analysis tricks employed by malware.

To address this problem, we propose WiLDCAT, an integrated dynamic malware analysis environment that facilitates the analysis and combat of malware, that are ever-evolving, becoming evasive and increasingly hard to analyze. WiLDCAT cannot be detected or countered in any fashion and incorporates novel, patent pending strategies for both dynamic coarse- and fine-grained binary code analysis, while remaining completely stealth. The environment allows comprehensive analysis of malware code-streams while selectively isolating them from other code-streams in real-time. WiLDCAT is portable, efficient and easy-to-use supporting multithreading, SM-SC code and any form of code obfuscations in both user and kernel-mode on commodity operating systems. It advances the state of the art in research pertaining to malware analysis by providing the toolkit that was sorely missing in the arsenal of malware analysts, until now!

Description

Keywords

Citation