Tracing malicious injected threads using alkanet Malware analyzer

Yuto Otsuki, Eiji Takimoto, Takehiro Kashiyama, Shoichi Saito, Eric W. Cooper, Koichi Mouri

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

5 Citations (Scopus)

Abstract

Recently, malware has become a major security threat to computers. Responding to threats from malware requires malware analysis and an understanding of malware behavior. However, malware analysts cannot spend the time required to analyze each instance of malware, because unique variants of malware emerge by the thousands every day. Dynamic analysis is effective for understanding malware behavior within a short time. This method of analysis executes the malware and observes its behavior using debugging and monitoring tools. We are developing Alkanet, a malware analyzer that uses a virtual machine monitor based on BitVisor. Alkanet can analyze malware even if the malware applies anti-debugging techniques to thwart analysis by dynamic analysis tools. In addition, analysis overhead is reduced. Alkanet executes malware on Windows XP and traces the system calls invoked by threads. Therefore, the system can analyze malware that infects other running processes. Also, the system call logs are obtained in real time via an IEEE 1394 interface. Other programs can readily examine the log and process the analysis results to understand the intentions behind the malware's behavior. In this paper, we describe the design and implementation of Alkanet. We confirm that Alkanet analyzes malware behaviors such as copying itself, deleting itself, and creating new processes. We also confirm that Alkanet accurately traces threads injected by malware into other processes.

Original language: English
Title of host publication: IAENG Transactions on Engineering Technologies - Special Issue of the World Congress on Engineering and Computer Science 2012
Publisher: Springer Verlag
Pages: 283-299
Number of pages: 17
ISBN (Print): 9789400768178
DOIs
Publication status: Published - Jan 1 2014
Externally published: Yes
Event: World Congress on Engineering and Computer Science, WCECS 2012 - San Francisco, CA, United States
Duration: Oct 24 2012 to Oct 26 2012

Publication series

Name: Lecture Notes in Electrical Engineering
Volume: 247 LNEE
ISSN (Print): 1876-1100
ISSN (Electronic): 1876-1119

Other

Other: World Congress on Engineering and Computer Science, WCECS 2012
Country: United States
City: San Francisco, CA
Period: 10/24/12 to 10/26/12

All Science Journal Classification (ASJC) codes

  • Industrial and Manufacturing Engineering

Cite this

Otsuki, Y., Takimoto, E., Kashiyama, T., Saito, S., Cooper, E. W., & Mouri, K. (2014). Tracing malicious injected threads using alkanet Malware analyzer. In IAENG Transactions on Engineering Technologies - Special Issue of the World Congress on Engineering and Computer Science 2012 (pp. 283-299). (Lecture Notes in Electrical Engineering; Vol. 247 LNEE). Springer Verlag. https://doi.org/10.1007/978-94-007-6818-5_21