• DocumentCode
    2764083
  • Title
    Building malware infection trees
  • Author
    Morales, Jose Andre ; Main, Michael ; Luo, Weiliang ; Xu, Shouhuai ; Sandhu, Ravi
  • Author_Institution
    Software Eng. Inst., Carnegie Mellon Univ., Pittsburgh, PA, USA
  • fYear
    2011
  • fDate
    18-19 Oct. 2011
  • Firstpage
    50
  • Lastpage
    57
  • Abstract
    Dynamic analysis of malware is an ever-evolving and challenging task. A malware infection tree (MiT) can assist in analysis by identifying the processes and files related to a specific malware sample. In this paper we propose an abstract approach to building a comprehensive MiT based on rules describing the execution events essential to the infection strategies malware applies to files and processes. The MiT is built from strong and weak bonds between processes and files, which are based on transitivity of information and on creator/created relationships. The abstract approach facilitates use on any operating system platform. We implement the rules on the Windows Vista operating system in a custom-built tool named MiTCoN, which we used in a small-scale analysis and infection tree creation for a diverse set of 5800 known malware samples. Analysis of the results revealed a significant occurrence of our rules within a very short span of time. We demonstrate that our rule set can effectively and efficiently build infection trees linking all related processes and files of a specific malware sample with no false positives. We also tested the possible usability of a MiT in disinfecting a system, which yielded a 100% success rate.
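The abstract describes building the tree from strong bonds (creator/created relationships) and weak bonds (transitivity of information) over process and file events. The following is an added example in Python, not the authors' MiTCoN tool and not their published rule set, which this page does not reproduce. The event types, the mapping of each event type to a strong or weak bond, the process identifiers and the file paths are all assumptions made for the illustration, and the event log is constructed, not captured from a real system.

```python
"""Toy malware infection tree (MiT) builder.

Added example, not the authors' MiTCoN tool: the paper's exact rule set is not
on the page, so the bond rules below are assumptions that follow the abstract's
description (strong bonds from creator/created relationships, weak bonds from
transitivity of information).
"""
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

Event = Tuple[str, str, str]   # (event_type, actor_process, target)
Tree = Dict[str, Tuple[Optional[str], Optional[str]]]  # node -> (parent, bond)

# ASSUMED bond rules. Direction "a->t": the actor process infects the target;
# "t->a": the (already infected) target file infects the actor process.
RULES: Dict[str, Tuple[str, str]] = {
    "proc_create": ("strong", "a->t"),  # infected process spawns a child
    "file_create": ("strong", "a->t"),  # infected process drops a new file
    "file_exec":   ("strong", "t->a"),  # process started from an infected file image
    "file_write":  ("weak",   "a->t"),  # infected process modifies an existing file
    "file_read":   ("weak",   "t->a"),  # process reads data from an infected file
}

# Constructed event log in time order (not captured from a real system).
EVENTS: List[Event] = [
    ("file_read",   "p9", r"C:\Windows\hosts"),   # hosts not yet tainted: no bond
    ("proc_create", "p1", "p2"),                  # sample p1 spawns p2
    ("file_create", "p1", r"C:\Temp\drop.exe"),   # p1 drops a payload
    ("file_exec",   "p3", r"C:\Temp\drop.exe"),   # p3 is started from the payload
    ("file_write",  "p3", r"C:\Windows\hosts"),   # p3 modifies a system file
    ("file_read",   "p4", r"C:\Windows\hosts"),   # p4 consumes tainted data
    ("proc_create", "p7", "p8"),                  # unrelated process tree
    ("file_create", "p8", r"C:\Users\bob\notes.txt"),
]


def build_mit(root: str, events: List[Event]) -> Tree:
    """Build the MiT rooted at `root` in one time-ordered pass.

    A node joins the tree only if the node it bonds to was already in the
    tree when the event happened, so a read of a file that is tainted later
    (p9 above) does not pull the reader in. Each node keeps the first bond
    that reached it, which makes the result a tree rather than a graph.
    """
    tree: Tree = {root: (None, None)}
    for etype, actor, target in events:
        rule = RULES.get(etype)
        if rule is None:
            continue
        bond, direction = rule
        src, dst = (actor, target) if direction == "a->t" else (target, actor)
        if src in tree and dst not in tree:
            tree[dst] = (src, bond)
    return tree


def strong_core(tree: Tree) -> Set[str]:
    """Nodes whose whole path to the root uses strong bonds only.

    Weak (information-transitivity) bonds are lower confidence, so this is
    the subset an analyst would act on first, e.g. when disinfecting.
    """
    core: Set[str] = set()
    for node in tree:
        cur, ok = node, True
        while tree[cur][0] is not None:
            parent, bond = tree[cur]
            if bond != "strong":
                ok = False
                break
            cur = parent
        if ok:
            core.add(node)
    return core


def render(tree: Tree, root: str) -> str:
    """Indented text view of the tree with the bond label on each edge."""
    children: Dict[str, List[str]] = defaultdict(list)
    for node, (parent, _) in tree.items():
        if parent is not None:
            children[parent].append(node)
    lines: List[str] = []

    def walk(node: str, depth: int) -> None:
        bond = tree[node][1]
        label = node if bond is None else f"{node}  [{bond}]"
        lines.append("  " * depth + label)
        for child in children[node]:
            walk(child, depth + 1)

    walk(root, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    mit = build_mit("p1", EVENTS)
    print(render(mit, "p1"))
    print("strong core:", sorted(strong_core(mit)))
```

The single time-ordered pass is the point worth noticing: whether an event creates a bond depends on whether its source was already in the tree at that moment, which is why the early read of `C:\Windows\hosts` by `p9` leaves `p9` outside the tree while the later read by `p4` pulls `p4` in through a weak bond. Separating the strong core (here `p1`, `p2`, the dropped file and `p3`) from the weakly bonded tail gives a natural order for the disinfection use the abstract mentions: kill and delete the strong core first, then review the weak nodes.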
  • Keywords
    invasive software; operating systems (computers); tree data structures; MiTCoN; Windows Vista operating system; abstract approach; custom built tool; dynamic malware analysis; malware infection trees; Buildings; Educational institutions; Image edge detection; Kernel; Malware
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Malicious and Unwanted Software (MALWARE), 2011 6th International Conference on
  • Conference_Location
    Fajardo
  • Print_ISBN
    978-1-4673-0031-5
  • Type
    conf
  • DOI
    10.1109/MALWARE.2011.6112326
  • Filename
    6112326