Hypervisor-assisted dynamic malware analysis

Cybersecurity, 2021, Vol 4 (1)
Author(s): Roee S. Leon, Michael Kiperberg, Anat Anatey Leon Zabag, Nezer Jacob Zaidenberg

Abstract: Malware analysis is a task of utmost importance in cyber-security. Two approaches exist for malware analysis: static and dynamic. Modern malware uses an abundance of techniques to evade both dynamic and static analysis tools. Current dynamic analysis solutions either make modifications to the running malware or use a higher privilege component that does the actual analysis. The former can be easily detected by sophisticated malware while the latter often induces a significant performance overhead. We propose a method that performs malware analysis within the context of the OS itself. Furthermore, the analysis component is camouflaged by a hypervisor, which makes it completely transparent to the running OS and its applications. The evaluation of the system's efficiency suggests that the induced performance overhead is negligible.

2020, Vol 18 (1), pp. 1
Author(s): Hendro Wijayanto, Abdul Haris Muhammad, Dedy Hariyadi

Penetration of internet usage in Indonesia has increased by 10.12% from 2017 to 2018. This has led to very rapid technological growth, such as the growth of online loan services or Financial Technology (Fintech). This condition has led to the emergence of illegal fintech services built by certain groups to reap profits. Illegal fintech service providers build applications that request a lot of personal data at registration, ranging from personal, family and work data up to banking data, accompanied by photo evidence and contact numbers. Hybrid analysis is needed to see the extent to which a fintech application treats customer data. This technique combines static analysis and dynamic analysis. Static analysis is used to see the extent to which the fintech application runs on Smartphone devices with the required data and other policies. Dynamic analysis is used to view the activity of tiles and permissions of fintech applications from source code, malware analysis, and permission analysis. Hybrid analysis results show that all fintech applications have a huge potential for misuse of customers' personal data. This is indicated by the existence of a data collection URL that can be accessed by the public, the presence of malware activities, and the READ_PHONE_STATE and READ_CONTACTS permissions, through which fintech application providers can freely monitor all contact activity and locations on the customer's Smartphone. The results of the analysis can be used to recommend that fintech service users be careful of fintech applications. Moreover, they can be used as a reference for building illegal fintech detection frameworks.


2018, Vol 2018, pp. 1-16
Author(s): Huanran Wang, Hui He, Weizhe Zhang

Smartphone usage has been continuously increasing in recent years. In addition, Android devices are widely used in our daily life, making them the most attractive target for hackers. Therefore, malware analysis for the Android platform is in urgent demand. Static analysis and dynamic analysis methods are the two classical approaches. However, they also have some drawbacks. Motivated by this, we present Demadroid, a framework to implement the detection of Android malware. We obtain dynamic information to build an Object Reference Graph and propose the λ-VF2 algorithm for graph matching. Extensive experiments show that Demadroid can efficiently identify the malicious features of malware. Furthermore, the system can effectively resist obfuscation attacks and variants of known malware, meeting the demands of actual use.


2020
Author(s): Luis Fernando Antonioli, Ricardo Pannain, Rodolfo Azevedo

Modern applications rely heavily on dynamically loaded shared libraries, so the static analysis tools used to debug and understand applications are no longer sufficient. As a consequence, dynamic analysis tools are being adopted and integrated into the development and study of modern applications. Building tools that manipulate and instrument binary code at runtime is difficult and error-prone. Because of that, Dynamic Binary Instrumentation (DBI) frameworks have become increasingly popular. Those frameworks provide a means of building dynamic binary analysis tools with low effort. Among them, Pin 2 has been by far the most popular and easiest to use. However, since the release of the Linux kernel 4 series it has become unsupported, and Pin 3 broke backward compatibility. In this work we focus on studying the challenges faced when building a new DBI (DrPin) that seeks to be compatible with the Pin 2 API, without the restrictions of Pin 3, that also runs on multiple architectures (x86-64, x86, Arm, Aarch64) and on modern Linux systems.


2008, Vol XXVIII (1), pp. 76-82
Author(s): R Krishnan, Margaret Nadworny, Nishil Bharill

Computing, 2018, Vol 101 (2), pp. 161-185
Author(s): Paulo Nunes, Ibéria Medeiros, José Fonseca, Nuno Neves, Miguel Correia, ...
