Hi,
I am performing malware analysis and classification of internet of things malware, I have done static malware analysis.
For dynamic malware analysis, some people suggest that because its a slow and time taking process, so they suggested not to go for that.
But my question is does it really worth to analyse malware dynamically?
What kind of information I may get from dynamic analysis which I can miss in static analysis?
Any improvements which you think may benefit me a lot in terms of malware analysis in terms of IoT?
Regards
Dear Syed,
- There are many reasons for dynamic malware analytics, depending on the project goal. For instance, static malware analysis is proper for detection, yet dynamic malware analysis provides more detail info for classification/identification purposes, or provides behavioral data for the malware, which can itself branched into various types of R&D in malware such as anti-malware, malware sandboxes, malware monitoring systems, understanding of the system changes for detection of unknown objects, among others.
- On the other hand, complexities and architectures of new malware create the cause for further pushing the dynamic analysis forward.
Best,
J.
https://link.springer.com/chapter/10.1007/978-3-642-22424-9_8
Dynamic or Behavioral analysis is performed by observing the behavior of the malware while it is actually running on a host system. This form of analysis is often performed in a sandbox environment to prevent the malware from actually infecting production systems; many such sandboxes are virtual systems that can easily be rolled back to a clean state after the analysis is complete. The malware may also be debugged while running using a debugger such as GDB or WinDbg to watch the behavior and effects on the host system of the malware step by step while its instructions are being processed. Modern malware can exhibit a wide variety of evasive techniques designed to defeat dynamic analysis including testing for virtual environments or active debuggers, delaying execution of malicious payloads, or requiring some form of interactive user input.
In compare to static analysis, dynamic analysis is happened with the execution of application i.e. it covers all the path of executed trap.
http://ieeexplore.ieee.org/document/7976989/
http://www.sciencedirect.com/science/article/pii/S1877050916001071
you are right sir , dynamic analysis is slow as it need to install application first in system .After installation its behavior can be recorded . for dynamic analysis you can monitor what network traffic they are sending and receiving. with what kind of URL or server they are communicating . you can also check that after installation app is doing what means try to reboot or if it is try to change some internal file format or trying to run some privilege instruction.
please read paper : http://dl.acm.org/citation.cfm?id=3007763
Dear All,
Thanks a lot for clarifying about this and giving me opportunity to learn more.
Regards
Hi Guys,
I have another question related to dynamic malware analysis. I have malware samples in ELF format (Linux executable), could anyone please suggest any Sandbox to execute these malware and extract features into a CSV file?
Regards
Moving from syntax based analysis of malware to its Semantics thereby giving its impact is the requirement to understand the various Malware morphisims like - Polymorphism type of behaviours etc.
See cuckoo Dynamic analysis open source tool, documentation.
The tool has many has many add on possibilities like volatity add on for memeory forensics, Mc. learning addon etc. lot of devlopment acroos this tool is happening and is a useful tool.
How do you intend to cater for heterogeneity of systems architecture , device heterogeneity in your static analysis, say Mal-ware for X86 , ArM etc....
....
- Badges
- Science topic