Abstract

Malware is one of the most serious threats to the security of computer systems. Many approaches have been proposed and various systems have been designed to detect intrusions from anomalous sequences of system calls, which form the interface between a process and the operating system. Although these techniques look quite effective, a key element seems to be missing: the inclusion and use of the system call arguments to build a richer, more valuable signature and to analyze the behavior of malware more accurately. To address this problem, this paper presents APICapture, a tool that monitors the behavior of malware on top of a whole-system emulator, without modifying the system kernel, and automatically records the system call arguments together with other important attributes, such as return values and error status. Experimental results show that APICapture achieves good transparency and accuracy. Transparency means the monitoring is invisible to the target process, which makes it harder for malware to detect; accuracy means the information obtained describes the functionality of the malware completely and precisely.
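The point the abstract makes, that a sequence of system call names alone is a weak signature while arguments, return values and error status give a much richer one, as an added illustration. This is example code written for this page, not APICapture's code or the paper's method: APICapture records these attributes from inside a whole-system emulator, whereas the script below only post-processes trace records. The strace-like line format, the three traces, the paths, flag names and the documentation-range address 203.0.113.7 are all constructed for the example.

```python
"""Added example: name-only vs argument-aware system-call signatures.

Three constructed traces share the same system-call sequence
(openat, read, close, socket, connect).  A signature built from call
names only cannot tell them apart; one that keeps arguments and the
success/error status of each call can.
"""
import hashlib
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class SyscallRecord:
    name: str
    args: Tuple[str, ...]
    ret: int
    err: Optional[str]  # errno symbol when the call failed, else None


# Constructed line format:  name(arg1, arg2, ...) = ret [ERRNO (text)]
LINE_RE = re.compile(r"^(\w+)\((.*)\)\s*=\s*(-?\d+)(?:\s+(E[A-Z]+))?")
NUM_RE = re.compile(r"^-?\d+$")


def split_args(s: str) -> Tuple[str, ...]:
    """Split on top-level commas only, so quoted strings may contain commas."""
    out, cur, quoted = [], [], False
    for ch in s:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            out.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    out.append("".join(cur).strip())
    return tuple(a for a in out if a)


def parse_trace(text: str) -> List[SyscallRecord]:
    """Parse one trace (constructed format above) into SyscallRecords."""
    recs = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparseable trace line: {line!r}")
        name, argstr, ret, err = m.groups()
        recs.append(SyscallRecord(name, split_args(argstr), int(ret), err))
    return recs


def normalize(arg: str) -> str:
    """Abstract away values that vary between runs but carry no intent."""
    if NUM_RE.match(arg):
        return "<int>"   # descriptors, sizes, pointers
    if arg == "...":
        return "<buf>"   # elided buffer contents
    return arg           # paths, flag names, addresses: kept verbatim


def name_only_signature(recs: List[SyscallRecord]) -> str:
    """The weak signature: just the sequence of system-call names."""
    return hashlib.sha256("|".join(r.name for r in recs).encode()).hexdigest()


def argument_features(recs: List[SyscallRecord]) -> Tuple[str, ...]:
    """Per-call feature: name, normalized arguments and success/error status."""
    feats = []
    for r in recs:
        status = "ok" if r.ret >= 0 else f"fail:{r.err or 'unknown'}"
        feats.append(f"{r.name}({','.join(normalize(a) for a in r.args)})={status}")
    return tuple(feats)


def argument_signature(recs: List[SyscallRecord]) -> str:
    """The richer signature: hash over the argument-aware feature sequence."""
    return hashlib.sha256("|".join(argument_features(recs)).encode()).hexdigest()


# Constructed traces: identical call sequence, different behaviour.
BENIGN = """
openat(AT_FDCWD, "/home/user/notes.txt", O_RDONLY) = 3
read(3, ..., 4096) = 120
close(3) = 0
socket(AF_INET, SOCK_STREAM, 0) = 4
connect(4, "203.0.113.7:443", 16) = 0
"""

STEALER = """
openat(AT_FDCWD, "/etc/shadow", O_RDONLY) = 3
read(3, ..., 4096) = 1024
close(3) = 0
socket(AF_INET, SOCK_STREAM, 0) = 4
connect(4, "203.0.113.7:4444", 16) = 0
"""

# Same stealer run without privileges: the open fails, so the error status,
# not the arguments, is what distinguishes attempted from successful access.
STEALER_UNPRIV = """
openat(AT_FDCWD, "/etc/shadow", O_RDONLY) = -1 EACCES (Permission denied)
read(3, ..., 4096) = -1 EBADF (Bad file descriptor)
close(3) = -1 EBADF (Bad file descriptor)
socket(AF_INET, SOCK_STREAM, 0) = 4
connect(4, "203.0.113.7:4444", 16) = 0
"""

if __name__ == "__main__":
    for label, trace in (("benign", BENIGN), ("stealer", STEALER),
                         ("stealer-unpriv", STEALER_UNPRIV)):
        recs = parse_trace(trace)
        print(f"{label:15} names={name_only_signature(recs)[:12]} "
              f"args={argument_signature(recs)[:12]}")
```

Running the script prints the same name-only signature for all three traces and three different argument-aware signatures. The normalization step matters in practice: file descriptors, buffer sizes and pointers change from run to run and would make the signature brittle, while paths, flag names, destination addresses and the errno of a failed call are exactly the attributes that describe what the sample tried to do.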
