Metaware - An extensible malware detection and removal toolkit

Chan Lee Yee, Lee Ling Chuan, Mahamod Ismail, Kasmiran Jumari

Research output: Chapter in Book/Report/Conference proceeding: Conference contribution

1 Citation (Scopus)

Abstract

Malicious code is a threat to computer security globally. The threat is evolving and leaves security specialists with the challenge of improving detection accuracy. Hence, it is imperative to optimize the traditional manual analysis method with an automatic malicious code analysis system. Automatic protocol reverse-engineering is important for many security applications, including the verification of objects and the detection of malware. In this paper, we propose a new approach to computer security via automated malware analysis. This project uses a combination of auto-unpacking, heuristic, disassembler and emulator techniques to find and block malicious programs before the malicious software executes locally. The auto-unpacker contains self-decryption algorithms, where the script codes help quickly decipher script bodies for further analysis. Heuristic analysis is designed to analyze the disassembled code contained within a suspicious program. The disassembled code of the suspicious file is compared with a known virus signature database. If the disassembled code matches the code of a database signature, the file is flagged. The emulator is designed to scan code, imitate the way it executes, and monitor its actions, preventing any actual damage from being dealt to the computer system or user data. Verdicts on whether or not a program poses a threat are issued based on the results of the behaviour analysis. The emulator makes it possible to find malicious code that is intentionally masked to prevent detection using encryption and obfuscated code. Overall, we present our motivation for designing the system and give an overview of the system architecture.
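The abstract describes the heuristic stage as comparing disassembled code against a signature database and flagging the file on a match. The following is an added illustration of that step, not code from the paper or the Metaware toolkit: it normalises each instruction to a mnemonic plus operand classes (register, memory, immediate), so a signature written against one sample still matches a variant that swaps registers or constants, and supports a single-instruction wildcard. The signature database, signature name and sample disassembly are all constructed for the example.

```python
"""Toy signature scanner over disassembled code.

Added illustration of the "compare disassembled code with a signature
database" step; the signature format, database and samples are assumptions
constructed for this example and are not the paper's own.
"""
import re
from typing import List, Tuple

# Constructed, hypothetical signature database. A signature is an ordered
# list of normalised instruction patterns; "*" matches any one instruction.
SIGNATURE_DB = {
    "Hypothetical.XorLoop": [
        "mov reg, imm",   # load a counter
        "xor mem, reg",   # decode one byte in place
        "*",              # any pointer-advance instruction
        "dec reg",        # count down
        "jnz imm",        # loop back
    ],
}

# Constructed sample disassembly lines (text only, nothing is executed).
SAMPLE_SUSPICIOUS = [
    "mov ecx, 0x10",
    "xor [edi], al",
    "inc edi",
    "dec ecx",
    "jnz 0x401000",
]
SAMPLE_VARIANT = [          # same shape, different registers/constants
    "mov edx, 0x20",
    "xor [esi], bl",
    "add esi, 1",
    "dec edx",
    "jnz 0x401234",
]
SAMPLE_BENIGN = ["push ebp", "mov ebp, esp", "sub esp, 0x20", "ret"]

_REG = re.compile(r"[re]?[abcd]x|[abcd][lh]|[re]?[sd]i|[re]?[sb]p|r\d+[dwb]?")
_IMM = re.compile(r"(0x[0-9a-f]+|\d+)h?")


def classify_operand(op: str) -> str:
    """Map a concrete x86 operand to a coarse class used by signatures."""
    op = op.strip().lower()
    if _REG.fullmatch(op):
        return "reg"
    if op.startswith("["):
        return "mem"
    if _IMM.fullmatch(op):
        return "imm"
    return op  # labels or anything unrecognised are kept literally


def normalise(instr: str) -> str:
    """'mov ecx, 0x10' -> 'mov reg, imm'; 'ret' -> 'ret'."""
    parts = instr.strip().split(None, 1)
    if len(parts) == 1:
        return parts[0].lower()
    mnemonic, operands = parts
    classes = [classify_operand(o) for o in operands.split(",")]
    return f"{mnemonic.lower()} {', '.join(classes)}"


def _match_at(normed: List[str], pattern: List[str], start: int) -> bool:
    return all(pat == "*" or normed[start + i] == pat
               for i, pat in enumerate(pattern))


def scan(disassembly: List[str]) -> List[Tuple[str, int]]:
    """Return (signature name, offset) for each signature found in order."""
    normed = [normalise(line) for line in disassembly]
    hits = []
    for name, pattern in SIGNATURE_DB.items():
        for start in range(len(normed) - len(pattern) + 1):
            if _match_at(normed, pattern, start):
                hits.append((name, start))
                break  # one hit per signature is enough to flag the file
    return hits


if __name__ == "__main__":
    for label, sample in [("suspicious", SAMPLE_SUSPICIOUS),
                          ("variant", SAMPLE_VARIANT),
                          ("benign", SAMPLE_BENIGN)]:
        print(label, "->", scan(sample) or "clean")
```

Operand normalisation is what gives the heuristic stage some tolerance to trivial recompilation or register renaming, but it still only recognises code shapes already in the database; that limit is why the abstract pairs it with an emulator that judges a program by its observed behaviour rather than by its bytes.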

Original language: English
Title of host publication: International Conference on Advanced Communication Technology, ICACT
Pages: 996-1000
Number of pages: 5
Publication status: Published - 2011
Event: 13th International Conference on Advanced Communication Technology: Smart Service Innovation through Mobile Interactivity, ICACT 2011 - Gangwon-Do
Duration: 13 Feb 2011 - 16 Feb 2011

Other

Other: 13th International Conference on Advanced Communication Technology: Smart Service Innovation through Mobile Interactivity, ICACT 2011
City: Gangwon-Do
Period: 13/2/11 - 16/2/11

Fingerprint

Security of data
Reverse engineering
Viruses
Cryptography
Computer systems
Network protocols
Monitoring
Malware

Keywords

  • Computer System Security
  • Disassembler
  • Emulator
  • Malware Reverse Engineering
  • Virus Detection

ASJC Scopus subject areas

  • Electrical and Electronic Engineering

Cite this

Yee, C. L., Chuan, L. L., Ismail, M., & Jumari, K. (2011). Metaware - An extensible malware detection and removal toolkit. In International Conference on Advanced Communication Technology, ICACT (pp. 996-1000)

@inproceedings{72cd3f9b89f14c73a67edf5a0e84940f,
title = "Metaware - An extensible malware detection and removal toolkit",
abstract = "Malicious code is a threat to computer security globally. The threat is evolving and leaving challenges for security specialists to improve the detection accuracy. Hence, it is imperative to optimize the traditional manual analysis method by automatic malicious code analysis system. Automatic protocol reverse-engineering is important for many security applications, including the verification of objects and detections of malware. In this paper, we propose a new approach to computer security via automating malware analysis. This project uses combination of auto-unpacked, heuristic, disassembler and emulator techniques to find and block malicious program before the malicious software executed locally. Auto-unpacked contains self-decryption algorithms, where the script codes help quickly decipher script bodies for further analysis. Heuristic analysis is designed to analyze disassemble code contain within a suspicious program. The disassemble code of the suspicious file is compared with a known virus signature database. If the disassemble code matches with the code of the database signature, the file is flagged. The emulator is design to scans code, imitates the way they are executing, and monitoring their actions, preventing any actual damage from being dealt to the computer system or user data. Verdicts on whether or not a program poses a threat are issued based on the results of behaviour analyses. The emulator makes it possible to find malicious code that are intentionally masked to prevent detection using encryption and obfuscated code. Overall, we present our motivation for designing the system and give an overview of the system architecture.",
keywords = "Computer System Security, Disassembler, Emulator, Malware Reverse Engineering, Virus Detection",
author = "Yee, {Chan Lee} and Chuan, {Lee Ling} and Mahamod Ismail and Kasmiran Jumari",
year = "2011",
language = "English",
isbn = "9788955191554",
pages = "996--1000",
booktitle = "International Conference on Advanced Communication Technology, ICACT",

}

Scopus record: http://www.scopus.com/inward/record.url?scp=79955682598&partnerID=8YFLogxK

Scopus cited-by: http://www.scopus.com/inward/citedby.url?scp=79955682598&partnerID=8YFLogxK