Automated Analyses of Malicious Code

Abstract

Sophisticated software with malicious intentions (malware) that can easily and aggressively spread to a large set of hosts is located all over the Internet. Such software struggles to avoid malware analysts to continue its malicious actions without interruption. It is difficult for analysts to find the locations of machines infected with unknown and alien malware. Likewise, it is hard to estimate the prevalence of the outbreak of the malware. Currently, the processes are done using resource demanding manual work, or simply rough guessing. Automating these tasks is one possible way to reduce the necessary resources. This thesis presents an in-depth study of which properties such a system should have. A system design is made based on the findings, and an implementation is carried out as a proof of concept system. The final system runs (malicious) software, and at the same time observes network traffic originating from the software. A signature for intrusion detection systems (IDSes) is generated using data from the observations. When loaded in an IDS, the signature localises hosts that are infected with the same malware type, making network administrators able to find and repair the hosts. The thesis also covers a deep introductory study of the malware problem and possible countermeasures, focusing on a malware analyst's point of view.