Abstract

Malware continues to be a major threat to information security. To avoid being detected and analyzed, modern malware is continuously improving its stealthiness. The high number of unique malware samples detected daily suggests a high degree of code reuse and of obfuscation intended to avoid detection. Traditional malware detection techniques relying on binary code signatures are greatly hindered by encryption, packing, code polymorphism, and other similar obfuscation techniques. Although obfuscation greatly changes a malware's binary, its functionality remains intact. We propose to study malware's network behavior during its execution, in order to understand the malware's functionality. While malware may transform its code to evade analysis, we contend that its key network behaviors must endure through the transformations to achieve the malware's ultimate purpose, such as sending victim information, scanning for vulnerable hosts, etc. While live malware analysis is risky, we leverage the Fantasm platform on the DeterLab testbed to perform it safely and effectively. Based on the observed network traffic we propose an encoding of malware samples. This encoding can help us classify malware flows and samples, identify code reuse and genealogy, and develop behavioral signatures for malware defense. We apply our approach to more than 8,000 diverse samples from the Georgia Tech Apiary project. We find that over 60% of malware is multi-purposed (e.g. downloading a new payload and uploading user data). We also illustrate how our encoding and malware flow clustering can be used to identify behavioral signatures for malware defense.

Keywords: Malware, Network, Polymorphic, Genealogy
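As an added illustration, not the paper's own encoding (which the abstract does not specify), the following Python sketches what a flow-level behavioral encoding of sandboxed malware traffic can look like: each observed flow is mapped to a behavior token using assumed byte-asymmetry and failed-connect heuristics, a sample becomes the sorted set of behaviors seen across its flows, samples with identical encodings are grouped as candidate behavioral signatures, and a sample with more than one behavior class is counted as multi-purposed. All behavior classes, thresholds, sample names and traffic records are constructed assumptions, not data from the paper.

```python
"""Illustrative flow-behavior encoding for sandboxed malware traffic.

Added example, not the paper's encoding: the behavior classes and
thresholds below are assumptions chosen to demonstrate the idea.
"""
from collections import defaultdict
from dataclasses import dataclass

# Assumed thresholds (not from the paper).
BULK_BYTES = 20_000      # a transfer this large in one direction counts as bulk
ASYMMETRY = 10           # ratio between directions that marks a one-way transfer
SCAN_MIN_HOSTS = 5       # failed connects to this many hosts on one port = scan


@dataclass(frozen=True)
class Flow:
    """One observed connection attempt from the infected host (constructed record)."""
    dst_ip: str
    dst_port: int
    bytes_out: int      # bytes sent by the infected host
    bytes_in: int       # bytes received by the infected host
    connected: bool     # whether the TCP handshake completed


def encode_flow(flow: Flow) -> str:
    """Map a single flow to a behavior token based on its byte profile."""
    if not flow.connected:
        return "PROBE"                      # aggregated into SCAN across flows
    if flow.bytes_in >= BULK_BYTES and flow.bytes_in > ASYMMETRY * flow.bytes_out:
        return "DOWNLOAD"                   # e.g. fetching a new payload
    if flow.bytes_out >= BULK_BYTES and flow.bytes_out > ASYMMETRY * flow.bytes_in:
        return "UPLOAD"                     # e.g. exfiltrating victim data
    if flow.bytes_in < BULK_BYTES and flow.bytes_out < BULK_BYTES:
        return "BEACON"                     # small, roughly symmetric exchange
    return "BULK"                           # large in both directions


def encode_sample(flows: list[Flow]) -> tuple[str, ...]:
    """Encode a sample as the sorted set of behaviors seen across its flows.

    Probes are only meaningful in aggregate: many failed connects to distinct
    hosts on the same port become one SCAN:<port> behavior.
    """
    behaviors: set[str] = set()
    probed_hosts: dict[int, set[str]] = defaultdict(set)
    for flow in flows:
        token = encode_flow(flow)
        if token == "PROBE":
            probed_hosts[flow.dst_port].add(flow.dst_ip)
        else:
            behaviors.add(token)
    for port, hosts in probed_hosts.items():
        if len(hosts) >= SCAN_MIN_HOSTS:
            behaviors.add(f"SCAN:{port}")
    return tuple(sorted(behaviors))


def is_multi_purpose(signature: tuple[str, ...]) -> bool:
    """A sample showing more than one distinct behavior class is multi-purposed."""
    return len(signature) > 1


def cluster_by_signature(samples: dict[str, list[Flow]]) -> dict[tuple[str, ...], list[str]]:
    """Group samples with identical encodings; each key is a candidate behavioral signature."""
    clusters: dict[tuple[str, ...], list[str]] = defaultdict(list)
    for name, flows in samples.items():
        clusters[encode_sample(flows)].append(name)
    return dict(clusters)


def multi_purpose_fraction(samples: dict[str, list[Flow]]) -> float:
    """Share of samples exhibiting more than one behavior class."""
    flagged = sum(is_multi_purpose(encode_sample(f)) for f in samples.values())
    return flagged / len(samples)


# Constructed traffic for four hypothetical samples (RFC 5737 documentation addresses).
SAMPLES: dict[str, list[Flow]] = {
    "sample_a": [Flow("203.0.113.10", 80, 1_200, 480_000, True),     # payload download
                 Flow("198.51.100.5", 443, 150_000, 2_000, True)],   # data upload
    "sample_b": [Flow(f"192.0.2.{i}", 445, 0, 0, False) for i in range(1, 9)],  # SMB sweep
    "sample_c": [Flow("203.0.113.77", 8080, 900, 300_000, True),
                 Flow("198.51.100.9", 443, 60_000, 1_500, True)],    # same behaviors as sample_a
    "sample_d": [Flow("203.0.113.20", 443, 300, 250, True) for _ in range(3)],  # periodic beacons
}


if __name__ == "__main__":
    for signature, members in cluster_by_signature(SAMPLES).items():
        print(signature, "->", members)
    print(f"multi-purposed: {multi_purpose_fraction(SAMPLES):.0%}")
```

The encoding is deliberately independent of payload bytes and destination addresses, so two samples whose binaries differ (here sample_a and sample_c, which contact different hosts) still land in the same cluster; that is the property the abstract relies on when it argues that network behavior survives code transformation. Scanning is detected only in aggregate, since a single failed connect says little, which is why probe tokens are folded into a per-port SCAN behavior instead of being kept as flow-level labels.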
