Architecture of malware tracker visualization for malware analysis

Chan Lee Yee, Mahamod Ismail, Nasharuddin Zainal, Lee Ling Chuan

Research output: Contribution to journal › Article

Abstract

Malware is man-made malicious code designed to damage computer systems. The early destructive programs were written either as pranks or for experimental purposes; in this day and age, however, malware is created mainly for financial gain. For years, malware attack tools such as keyloggers, screen-capture software and trojans have been widely used to commit cybercrimes. The figures are expected to increase significantly, and the attack tools are becoming more sophisticated in order to evade detection by current security tools. Debugger-based malware analysis is an essential part of understanding the purpose and the destructive parts of a malware sample. It is an exhausting and time-consuming task that, moreover, requires in-depth computer knowledge. With the popularity and variety of malware attacks over the Internet, the number of viruses that computer security experts need to analyze is rapidly increasing and has become a bottleneck for the effectiveness of the analysis process. In this paper, we present a method to visually explore the reverse engineering of a binary executable's flow over time, to aid in the identification and detection of malicious programs on the x86-32 platform. We first perform a pre-execution analysis that sketches the program's behavior by combining static analysis and graphical visualization to construct a control flow graph (CFG), which serves as the interface to the analyzed code. Each node in the CFG represents a basic block and allows analysts to be selective in the components they monitor; together, the nodes express the complex relationships and causalities of the analyzed code. As the binary executes, dynamically generated code is monitored and captured, giving a fuller understanding of the execution's behavior.
The backward-track approach lets analysts revisit the memory changes made by executed instructions during dynamic analysis and so re-examine the execution behavior of those instructions. The overall architecture of the visualization debugger, both its static and its dynamic parts, is explained in this paper. At the end of the paper, we analyze a malware test case, the W32/NGVCK.dr.gen virus, with our malware tracker visualization toolkit; the analysis results prove that our visualization malware tracker tool can simplify the analysis process by displaying the analyzed code in a basic-block approach. This work is a substantial step towards providing high-quality tool support for effective and efficient visualization-based malware analysis.
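The two mechanisms the abstract describes, a basic-block CFG built statically from a listing and a journal of writes that supports the backward-track step during execution, as an added example that is not the paper's own code. The listing, its addresses and the tiny instruction subset are constructed for the demonstration.

```python
# Added example, not the paper's code; the listing and its addresses are constructed.
from collections import defaultdict

BRANCHES = {"jmp", "jnz", "jz"}
LISTING = [  # (address, mnemonic, operand): operand is (dst, imm) or a branch target
    (0x401000, "mov", ("eax", 3)),
    (0x401005, "add", (0x403000, 1)),  # [0x403000] += 1
    (0x40100A, "sub", ("eax", 1)),
    (0x40100D, "jnz", 0x401005),       # loop while eax != 0
    (0x40100F, "ret", None),
]

def basic_blocks(listing):
    """Return ({leader: [addrs]}, {leader: [successor leaders]})."""
    addrs = [a for a, _, _ in listing]
    leaders = {addrs[0]}
    for i, (_, op, arg) in enumerate(listing):
        if op in BRANCHES:  # branch target and fall-through each start a block
            leaders.update([arg] + addrs[i + 1:i + 2])
    blocks, edges, cur = {}, defaultdict(list), None
    for i, (a, op, arg) in enumerate(listing):
        if a in leaders:
            cur, blocks[a] = a, []
        blocks[cur].append(a)
        nxt = addrs[i + 1] if i + 1 < len(listing) else None
        if op in BRANCHES:
            edges[cur] += [arg] + ([nxt] if op != "jmp" and nxt else [])
        elif op != "ret" and nxt in leaders:
            edges[cur].append(nxt)
    return blocks, dict(edges)

def execute(listing, max_steps=100):
    """Run the listing; every register/memory write is journaled as (pc, dst, old)."""
    idx = {a: i for i, (a, _, _) in enumerate(listing)}
    state, journal, i, zf = defaultdict(int), [], 0, False
    for _ in range(max_steps):  # step cap guards against a non-terminating listing
        pc, op, arg = listing[i]
        if op == "ret":
            break
        if op in ("mov", "add", "sub"):
            dst, imm = arg
            journal.append((pc, dst, state[dst]))  # old value, saved before the write
            state[dst] = imm if op == "mov" else state[dst] + (imm if op == "add" else -imm)
            zf = state[dst] == 0
        taken = op == "jmp" or (op == "jnz" and not zf) or (op == "jz" and zf)
        i = idx[arg] if taken else i + 1
    return dict(state), journal

def rewind(state, journal, steps):  # backward track: undo the last `steps` writes
    return {**state, **{d: old for _, d, old in reversed(journal[len(journal) - steps:])}}
```

`basic_blocks` yields the three-node CFG (entry, loop body, exit) that an analyst would select from, and `rewind` restores the state as it was before the last N journaled writes.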

Original language: English
Pages (from-to): 11-22
Number of pages: 12
Journal: Journal of Theoretical and Applied Information Technology
Volume: 52
Issue number: 1
Publication status: Published - 2013

Keywords

  • Dynamic analysis
  • Malware analysis
  • Malware visualization debugger
  • Static analysis

ASJC Scopus subject areas

  • Computer Science(all)
  • Theoretical Computer Science

Cite this

Architecture of malware tracker visualization for malware analysis. / Yee, Chan Lee; Ismail, Mahamod; Zainal, Nasharuddin; Chuan, Lee Ling.

In: Journal of Theoretical and Applied Information Technology, Vol. 52, No. 1, 2013, p. 11-22.

@article{6ddee41ac6374939bb9dc6dca073e58d,
title = "Architecture of malware tracker visualization for malware analysis",
abstract = "Malware is a man-made malicious code designed for computer destructive purposes. The early destructive programs were developed either for pranks or experimental purposes. However, in this day and age, malware are created mainly for financial gain. Since years ago, the use of malware attack tools, such as keylogger, screen capture software, and trojan were rapidly used to commit cybercrimes. The figures are expected to increase significantly and the attack tools are becoming more sophisticated in order to evade the detection of current security tools. The malware debugger analysis process is an essential part of analyzing and comprehending the purpose and the destructive part of the malware. It is an exhausting and time consuming task; moreover, in-depth computer knowledge is required. With the popularity and variety of malware attacks over the Internet, the number of virus needed to be analyzed by computer security experts are rapidly increasing and has bottlenecked the effectiveness of the analysis process. In this paper, we present a method to visually explore the reverse engineering of a binary executable flow over time to aid in the identification and detection of malicious program on x86-32 platform. We first achieve the pre-execution analysis for a sketch of a program's behavior by combining static analysis and graphical visualization to construct a control flow graph (CFG) as an interface for the analyzed code. Each node in the CFG graph which represents a basic block allows analysts to be selective in the components they monitor. All nodes in the CFG express the complex relationships and causalities of the analyzed code. As the binary executes, those codes that are dynamically generated will be monitored and captured; thus, a fuller understanding of the execution's behavior will be provided. 
The backward track approach which allows analysts to restudy the changes of the executed instructions' memory during dynamic analysis provides a chance for analysts to restudy the execution behavior of the executed instructions. The overall architecture of the visualization debugger, both statically and dynamically will be explained in this paper. To the end of the paper, we analyze a malware test case; W32/NGVCK.dr.gen virus with our malware tracker visualization toolkit and the analysis results proves that our visualization malware tracker tool can simplify the analysis process by displaying the analyzed code in basic block approach. This work is a substantial step towards providing high-quality tool support for effective and efficient visualization malware analysis.",
keywords = "Dynamic analysis, Malware analysis, Malware visualization debugger, Static analysis",
author = "Yee, {Chan Lee} and Mahamod Ismail and Nasharuddin Zainal and Chuan, {Lee Ling}",
year = "2013",
language = "English",
volume = "52",
pages = "11--22",
journal = "Journal of Theoretical and Applied Information Technology",
issn = "1992-8645",
publisher = "Asian Research Publishing Network (ARPN)",
number = "1",

}
