Article title MODEL OF MALWARE BASED ON SYSTEM FUNCTION AND METHOD OF IT IMPORTING
Authors L.K. Babenko, A.S. Kirillov
Section SECTION II. SECURITY OF INFORMATION SYSTEMS AND NETWORKS
Month, Year 12, 2013
Index UDC 004.492
Abstract This article describes the construction of a malware model that includes information about the functions a sample calls and the method by which it imports them. The model can be used to detect and classify unknown malware effectively; unlike more traditional models, it is more flexible, more resistant to change, and does not depend on whether the malware samples are packed or protected. The paper describes modern methods of dynamic malware analysis and highlights the flaws and limitations of existing methods in relation to the proposed model. It also describes the developed system that collects information about malware samples, the criteria for constructing such systems, and the technologies used for the implementation, in particular the function interception system.

Keywords Malware; model; dynamic analysis; system functions.
