Abstract:
In most cases, one of the major goals of behavioral malware analysis is to extract from malware samples the intelligence needed to identify the nature of the malware. Because the operating system and its services have grown complex enough to generate a significant volume of background noise, the intelligence-gathering process must minimise information unrelated to the malware without missing malware-related events. Another highly demanded attribute of behavioral analysis is scalability, which enables automated analysis of large sample volumes. It is also desirable to perform the analysis in an unobstructed manner, with resilience to rootkits and analysis-specific evasion techniques. This paper introduces an efficient behavioral malware analysis method, Execution Tracking, that produces critical malware intelligence with a minimum of unnecessary information and maximum accuracy. This helps to acquire baseline information for further deep analysis, to automate the analysis process in a high-volume malware lab, and to produce strategies for mitigating the threats. The method is demonstrated by a reference implementation, Malware Expert.
Keywords:
data acquisition; invasive software; operating systems (computers); analysis-specific evasion technique; automated sizeable sample volume analysis; automating analysis process; baseline information acquisition; behavioral malware analysis; critical malware intelligence; execution tracking; malware intelligence gathering process; malware sample extraction; operating system; resiliency; rootkits; scalability analysis; unnecessary information; Malware Expert; Behavioral Analysis; Execution Tracking