Monday, August 13 • 11:30am - 12:00pm
Malware Analysis Through High-level Behavior

Xiyue Deng and Jelena Mirkovic, Information Sciences Institute, University of Southern California


Malware is becoming more and more stealthy to evade detection and analysis. Stealth techniques often involve code transformation, ranging from equivalent code substitution and junk code injection, to continuously transforming code using a polymorphic or a metamorphic engine. Evasion techniques have a great impact on signature-based malware detection, making it very costly and often unsuccessful.

We propose to study a malware’s network behavior during its execution. While malware may transform its code to evade analysis, we contend that its behavior must mostly remain the same to achieve the malware’s ultimate purpose, such as sending spam, scanning for vulnerable hosts, etc. While live malware analysis is hard, we leverage our Fantasm platform on the Deterlab testbed to perform it safely and effectively. Based on observed network traffic we propose a behavior classification approach, which can help us interpret at a high level the malware’s actions and its ultimate purpose. We then apply our approach to 999 diverse samples from the Georgia Tech Apiary project to understand current trends in malware behaviors.

Monday August 13, 2018 11:30am - 12:00pm EDT
Grand Ballroom 7-8