Title :
Static Detection of API-Calling Behavior from Malicious Binary Executables
Author :
Fu, Wen ; Pang, Jianmin ; Zhao, Rongcai ; Zhang, Yichi ; Wei, Bo
Author_Institution :
Nat. Digital Switching Syst. Eng. & Technol. Res. Center, Zhengzhou
Abstract :
The broad spread of malware in recent years has presented a serious threat. Because the Windows API-calling sequence usually reflects the malicious behavior of a particular piece of code, more and more anti-virus researchers detect malware by analyzing its API-calling behavior. However, malware writers use a great many techniques, such as obfuscation, to evade this type of detection, and these techniques make the discovery of API-calling behavior more complex than before. In this paper, we illustrate some methods commonly used by malware writers to obscure their API-calling behavior when they write malware in assembly language. We then propose a new, more general approach for capturing API-calling behavior on the Windows platform. The approach relies on three databases and a set of special instruction patterns. Experimental results show that using this approach to extract API-calling behavior from malicious executables and their variants is favorable and effective.
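The abstract names the problem (an API call written in assembly need not appear as a plain `call [IAT_slot]`) without showing it. The following is an added illustration, not the paper's method and not its three databases or instruction patterns: a toy linear-sweep pass over a handful of x86-32 opcodes that recovers the imported API behind a direct `call [IAT]`, behind an IAT pointer moved into a register and called indirectly, and behind a `push reg; ret` transfer. The import address table, its slot addresses and the sample byte sequence are all constructed for the example and correspond to no real binary.

```python
"""Toy static recovery of Windows API calls from x86-32 code (added example)."""
import struct

# Constructed IAT: slot address -> imported API. Addresses are arbitrary assumptions.
IAT = {
    0x00402000: "kernel32.dll!CreateFileA",
    0x00402004: "kernel32.dll!WriteFile",
    0x00402008: "kernel32.dll!VirtualAlloc",
    0x0040200C: "ws2_32.dll!connect",
}
REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def decode(code, off):
    """Decode one instruction from a small x86-32 subset.

    Returns (length, mnemonic, operand); operand is None, ("imm", v),
    ("reg", name), ("mem", addr) or ("mov", reg, addr).
    """
    op = code[off]
    if op == 0x90:
        return 1, "nop", None
    if op == 0xC3:
        return 1, "ret", None
    if 0x50 <= op <= 0x57:
        return 1, "push", ("reg", REGS[op - 0x50])
    if 0x58 <= op <= 0x5F:
        return 1, "pop", ("reg", REGS[op - 0x58])
    if op == 0x68:
        return 5, "push", ("imm", struct.unpack_from("<I", code, off + 1)[0])
    if op in (0x8B, 0xFF):
        modrm = code[off + 1]
        mod, ext, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
        # mod=00 rm=101 means a bare [disp32] memory operand
        disp = struct.unpack_from("<I", code, off + 2)[0] if mod == 0 and rm == 5 else None
        if op == 0x8B and disp is not None:       # mov r32, [disp32]
            return 6, "mov", ("mov", REGS[ext], disp)
        if op == 0xFF and ext in (2, 4):           # FF /2 = call, FF /4 = jmp
            mn = "call" if ext == 2 else "jmp"
            if disp is not None:
                return 6, mn, ("mem", disp)        # call/jmp [disp32]
            if mod == 3:
                return 2, mn, ("reg", REGS[rm])    # call/jmp reg
    raise ValueError(f"unsupported opcode {op:#04x} at offset {off:#x}")


def recover_api_calls(code):
    """Linear sweep that follows IAT pointers through registers and the stack.

    Returns [(offset, api_name, pattern)] for each recovered API transfer.
    A real tool would also model calling-convention clobbers and branches.
    """
    held = {}    # register -> API name while it holds an IAT-loaded pointer
    stack = []   # pushed values: API name or None when unknown
    found = []
    off = 0
    while off < len(code):
        n, mn, opnd = decode(code, off)
        if mn == "mov":
            _, reg, addr = opnd
            held[reg] = IAT.get(addr)              # None if not an IAT slot
        elif mn in ("call", "jmp"):
            kind, tgt = opnd
            api = IAT.get(tgt) if kind == "mem" else held.get(tgt)
            if api:
                found.append((off, api, f"{mn} [IAT]" if kind == "mem" else f"{mn} {tgt}"))
        elif mn == "push":
            kind, v = opnd
            stack.append(held.get(v) if kind == "reg" else None)
        elif mn == "pop":
            held[opnd[1]] = stack.pop() if stack else None
        elif mn == "ret" and stack:
            api = stack.pop()
            if api:
                found.append((off, api, "push/ret"))
        off += n
    return found


# Constructed sample: four ways of reaching an import, one per line.
SAMPLE = bytes.fromhex(
    "FF15 00204000"             # call [0x402000]                  -> CreateFileA, plain IAT call
    "8B35 08204000 90 FFD6"     # mov esi,[0x402008]; nop; call esi -> VirtualAlloc via register
    "8B05 0C204000 50 C3"       # mov eax,[0x40200C]; push eax; ret -> connect via push/ret
    "8B0D 04204000 51 5B FFD3"  # mov ecx,[0x402004]; push ecx; pop ebx; call ebx -> WriteFile
)

if __name__ == "__main__":
    for off, api, pattern in recover_api_calls(SAMPLE):
        print(f"{off:#06x}  {pattern:12s} {api}")
```

Only the first of the four transfers would be found by a scanner that matches `FF 15 <IAT slot>`; the other three are the kind of register and stack indirection the abstract refers to, and they are recovered here only because the pass tracks where each IAT pointer flows. A `push imm32; ret` to an address the IAT does not describe yields nothing, which is the honest answer for a purely static pass.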
Keywords :
application program interfaces; assembly language; invasive software; operating systems (computers); API-calling behavior; Windows API-calling sequence; Windows platform; application program interfaces; assembly language; malware; malware writers; static detection; Assembly; Binary codes; Databases; Research and development; Switching systems; Systems engineering and theory; API-calling Behavior; Malware Detection; Obfuscation; Software Security; Static Analysis;
Conference_Titel :
Computer and Electrical Engineering, 2008. ICCEE 2008. International Conference on
Conference_Location :
Phuket
Print_ISBN :
978-0-7695-3504-3
DOI :
10.1109/ICCEE.2008.53