Abstract

One of the challenges in malware analysis has been finding out the dormant functionality of the malware. The need for manual analysis, together with code obfuscation and encryption, rules out static analysis, as it is neither effective nor scalable in the face of the continuously rising number of malware samples produced daily. Dynamic analysis, on the other hand, relies on the behavior the malware exhibits, which may not reveal its true functionality, since malware may sense the analysis environment or behave differently under different circumstances (user interaction, logic bombs, a specific target, etc.). Finding out the complete functionality of a malware sample becomes imperative in the case of an Advanced Persistent Threat (APT), in order to know the potential target of the APT and the techniques being used by the malware authors, so that an appropriate defense can be mounted proactively. Various approaches have been used to extract the dormant functionality of malware, such as multiple runs and multipath or forced execution, but they have not been effective because of the rigorous and exponential increase in the number of paths that must be analyzed, and thus they do not scale. They are costly in terms of processing and are significantly constrained when analyzing the large numbers of malware samples found daily. Structural attributes of the disassembled code may be analyzed to predict dormant behavior, but the same functionality may be implemented using different structures, in which case this approach is not effective. Semantics-based formal techniques have the potential to identify and classify both hidden and exhibited malware behavior, as they refer to a high-level view of the malware's attributes and behavior, do not depend on signature-based models, and can analyze new and unseen malware effectively. This paper presents a review of all efforts at adopting semantics-based models for automated malware analysis and defines future directions for the research.

Full Text
Published version (Free)
