• DocumentCode
    2286343
  • Title
    Static Detection of API-Calling Behavior from Malicious Binary Executables
  • Author
    Fu, Wen ; Pang, Jianmin ; Zhao, Rongcai ; Zhang, Yichi ; Wei, Bo
  • Author_Institution
    Nat. Digital Switching Syst. Eng. & Technol. Res. Center, Zhengzhou
  • fYear
    2008
  • fDate
    20-22 Dec. 2008
  • Firstpage
    388
  • Lastpage
    392
  • Abstract
    The broad spread of malware in recent years has presented a serious threat to our world. Because the Windows API-calling sequence usually reflects the vicious behavior in a particular piece of code, more and more AV researchers like to detect malware based on API-calling behavior analysis. However, a great many techniques, such as obfuscation, have been used by malware writers to evade this type of detection. These techniques make the discovery of API-calling behavior more complex than before. In this paper, we illustrate some methods which are commonly used by malware writers to obscure their API-calling behavior when they write their malware in assembly language. After that, we propose a new approach, which is more universal for capturing API-calling behaviors on the Windows platform. This approach involves three databases and some special instruction patterns. Experimental results show that using this approach to extract API-calling behaviors from malicious executables and their variants is favorable and effective.
  • Keywords
    application program interfaces; assembly language; invasive software; operating systems (computers); API-calling behavior; Windows API-calling sequence; Windows platform; application program interfaces; assembly language; malware; malware writers; static detection; Assembly; Binary codes; Databases; Research and development; Switching systems; Systems engineering and theory; API-calling Behavior; Malware Detection; Obfuscation; Software Security; Static Analysis;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Computer and Electrical Engineering, 2008. ICCEE 2008. International Conference on
  • Conference_Location
    Phuket
  • Print_ISBN
    978-0-7695-3504-3
  • Type
    conf
  • DOI
    10.1109/ICCEE.2008.53
  • Filename
    4741013