Published on

Published in: Technology
  • Be the first to comment

  • Be the first to like this


  1. 1. International Journal of Computer Engineering and Technology (IJCET), ISSN 0976-6367(Print), INTERNATIONAL JOURNAL OF COMPUTER ENGINEERING & ISSN 0976 - 6375(Online), Volume 4, Issue 6, November - December (2013), © IAEME TECHNOLOGY (IJCET) ISSN 0976 – 6367(Print) ISSN 0976 – 6375(Online) Volume 4, Issue 6, November - December (2013), pp. 110-120 © IAEME: www.iaeme.com/ijcet.asp Journal Impact Factor (2013): 6.1302 (Calculated by GISI) www.jifactor.com IJCET ©IAEME MALWARES, VULNERABILITIES AND ITS ANALYSIS AND MITIGATION Pratik Karnik Department of Information Technology, K.J Somaiya College of Engineering, Vidyavihar (E) Mumbai India ABSTRACT Malwares and exploitation of vulnerabilities is on the rise. The number of malwares are exponentially increasing and the harm that they can cause is also exponentially increasing. A malware can exploit a system’s vulnerability and can cause damage to the system or make it perform illegitimate actions. In this paper various static and dynamic analysis for detection of malwares is put forth and how we can mitigate it. Along with it how attackers reinforce and improvise their malwares and malicious programs to prevent such detection is also put forth in the paper. A small insight into Android Malware Analysis is also stated. Keywords: Malware, Malware Analysis, Polymorphism, Obfuscation, Reverse Engineering. 1. INTRODUCTION Malicious Software or Malware refers to any unwanted software and executable code that is used to perform an unauthorized, often harmful action on a computing device. It is an umbrella-term for various types of harmful software, including viruses, worms, Trojans, rootkits and botnets. [1] Self - Spreading Non Spreading MEANS OF DISTRIBUTION Requires Host Virus Root – kit Trojan Horse Runs Independently Worm Dialer Spyware Keylogger In computer security domain, an internet vulnerability is a fallacy which allows an attacker or any external agent to jeopardize a system’s information and system’s working. Vulnerability is 110
  2. 2. International Journal of Computer Engineering and Technology (IJCET), ISSN 0976-6367(Print), ISSN 0976 - 6375(Online), Volume 4, Issue 6, November - December (2013), © IAEME basically convergence of three elements: a flaw in the system, how accessible is the flaw to the attacker and the ability of the attacker to harness the flaw. To effectively exploit the vulnerability the attacker uses an application, some tool or technique to take advantage of the system’s weakness and to cause malicious damage to the system. Malware Threat Attacker Protection ----------------> Firewall Counter Measure Resources ---------------> Vulnerability System Figure 1 . A system may have two or more vulnerabilities which can be used for its benefit by threats, attack or attackers. CIA which means Confidentiality, Integrity and Availability is the triad which is the foundation of Internet Security. When a vulnerability is exploited the confidentiality, integrity and availability of system is compromised. Once attacker gets to know about system’s vulnerability it can take advantage of the same and attack the system. An attack can be an active attack wherein the attacker maliciously changes the operations of system for his own benefit or it can be a passive attack wherein the attacker doesn’t alter anything just quietly snoops data.[2] As malwares and threats are on rise, efficient and effective detection and analysis of such malwares is essential. The main purpose of this paper is to highlight various detection and analysis techniques to prevent and detect malwares and also to give the other side of the story i.e how attackers improvise to make malwares stronger. In section 2 basic information regarding various malwares and primitive analysis technique is given. In section 2.1 various static analysis techniques are put forth for detection of malwares as well as how attackers can prevent such detection. In section 2.2 various dynamic analysis techniques are put forth for detection of malwares as well as how attackers can prevent such detection. In section 2.3 a new concept of system centric analysis and detection is put forth. In section 2.4 basic android malware analysis and detection is given. 2. MITIGATION FOR THREATS, VIRUSES, WORMS AND VULNERABILITIES Initially worms like Morris Worm etc. were just created to show off one’s coding skills and not to cause any harm. Sequence of bytes were used for representing viruses. So viruses could be detected at a high rate because of this. Common technique used for the same is signature based detection. Hash Functions to uniquely represent Virus. Viruses were first written in C then in Macro and other scripting languages. Signature based detection has database of signatures (regular expressions, byte patterns, hash functions, byte patterns) without raising too many false positive alarms. Program is scanned before execution, so if an patterns or sequences are found which match to those in the virus database then execution can be aborted thereby reducing the impact of the vulnerability exploited.[2] 2.1 STATIC ANALYSIS Reverse Engineering manually was done manually to detect viruses and thereby reduce chances of vulnerabilities getting exploited. 111
  3. 3. International Journal of Computer Engineering and Technology (IJCET), ISSN 0976-6367(Print), ISSN 0976 - 6375(Online), Volume 4, Issue 6, November - December (2013), © IAEME 2.1.1 REVERSE ENGINEERING It’s about extracting the properties of program by doing inverse process of assembling i.e dissemble a program. Disassembly means taking a binary blob, setting code and data apart and translating machine code to mnemonics instructions. With disassembled program we identify functions, jumps, local variables thus we get to know program behaviour without running it. As viruses or any threats can maliciously enter a system or a program under execution by SQL, OS or LDAP Injection and can trick the compiler to execute unwanted or malicious commands we need to do reverse engineering. For reverse engineering we make use of a Linear Algorithm i.e Linear Sweep[3] The Linear Sweep algorithm locates instructions where one instruction begins and the other ends. It assumes that everything in the section marked as code actually represents machine instructions. The algorithm starts disassembling from the first byte in the code section in a linear way thereby giving a complete cover of program. The algorithm basically tries to interpret everything as code and disassembles it. It interprets data also as code so data shouldn’t be mixed with code. As viruses and attack agents can maliciously change the control flow of execution of a program it is very important to scan and analyse the control flow. For this Recursive Traversal Algorithm. A flow of a program includes sequential flows which means flow of control to the instruction that follows, conditional branching which means if condition is true branch is taken otherwise flow of execution continues in a linear fashion or unconditional branching means the branch is taken without any condition. Basically this algorithm goes with the normal flow of execution and unlike Linear Sweep this algorithm distinguishes between code and data and thereby helps in further static analysis. Also CFG or control flow graphs can be used. A CFG is a representation of flow of execution of the program which includes all program statements as well as predicates. CFG helps us to perform sophisticated program analysis like Optimization (constant propagation, dead code elimination through reachability analysis) , Slicing which helps to determine what instructions operate on sensitive data thereby helping us provide more security and attention to such operands. CFG can also be used to compare structure of malware or viruses. So if CFG of the present program has a similar structure so by rough comparison of it was possible to detect viruses. So Reverse Engineering as a whole it breaks down the program or statement into various components and each component is analysed for malicious or unwanted behaviour so as to prevent damage to the system. For reverse engineering and specifically for recursive traversal algorithm there is a software IDA Pro (Interactive Disassembler Professional)[3]. Though specific to recursive traversal it gives a very detailed preliminary analysis and hence can be used in generic cases as well. This is provided the program isn’t heavily obfuscated to find function boundaries, library calls and argument types. It builds control flow graph as well as call graph for static analysis. It also adds code and data cross references and know if any other part of code is referencing this good. This helps to know if a person is in a loop or entry point of a block. It can even patch a binary so as to illegally write a CD and let it go undetected. 2.1.2 POLYMORPHISM To prevent malwares and viruses from being detected, attackers and hackers have started creating variances of their malware i.e malwares perform the same original work but are syntactically different. 112
  4. 4. International Journal of Computer Engineering and Technology (IJCET), ISSN 0976-6367(Print), ISSN 0976 - 6375(Online), Volume 4, Issue 6, November - December (2013), © IAEME For polymorphism the attackers encrypt the pay load or the real malicious component of the virus with a key which is generated independently in each infection cycle. This encryption makes static analysis and reverse engineering very difficult as we have a blob of code and no way to disassemble it. So to do static analysis one has to find a decryption routine and execute it and then later on perform static analysis. There be a single or multiple encryption routines. In polymorphism there is a decryptor and an encryptor routine and then there is a payload which is encrypted so only the payload changes. So it is easy for an antivirus to create a signature and later use it for detecting this virus. However in metamorphism the whole virus changes, all instructions are replaced with equivalent instructions of different syntax so it is difficult to create a unique instruction for the same. Besides encryption one can use code Obfuscation to make process of reverse engineering harder.[4] Obfuscation refers to techniques that preserve program’s semantics and functionality while at the same time making it difficult for an analyst to comprehend or extract information about program and its structure. One way to hamper static analysis is to insert junk bytes into the program. If junk bytes are not complete but just partial instructions then when assembling the program it shouldn’t report an error. However x86 architecture has a property that it self-repairs itself after a certain number of steps. So while inserting junk bytes it should be inserted so as to create maximum confusion which is intended. The junk bytes which are inserted must be partial instructions and must be unreachable at run time by inserting a conditional jumps that skip over the partial instructions otherwise there might be an error reported by the CPU. This technique helps get rid of linear sweep algorithm but not recursive traversal algorithm as recursive traversal follows flow of execution. One technique to fool recursive traversal algorithm is to use branch functions whose work is to camouflage original conditional jumps. In this the original branch function is replaced by a dummy function that encodes the logic to change the return address of the callee. So basically the recursive traversal algorithm will also not hit the partial instructions and will keep disassembling different parts of the program as due to branch functions algorithm is referenced to it. We can also use Opaque functions. Opaque functions are basically functions which go in only one direction which means they are either completely true or completely false. However it is difficult to determine that at static time. So program gets executed along both its branches thereby increasing program complexity. Branching Function can be as follows Given a finite map λ= {a1 -> b1, …. ,an->bn} a branch function fλis a function such that a1 : jump b1 a2 : jump b2 an : jump bn a1: call fλ ……… is replaced by ----------------------> a2 : call fλ ………. an : call fλ Example of fλ : F : push1 %eax mov 8(%esp), %eax add %eax, 4(%esp) pop %eax ret #1 : save original eax into the stack and get disp to target b_i #2 : add disp to ret-addr #3 : restore original eax #4 : jump to the target 113 ……… ……….
  5. 5. International Journal of Computer Engineering and Technology (IJCET), ISSN 0976-6367(Print), ISSN 0976 - 6375(Online), Volume 4, Issue 6, November - December (2013), © IAEME When execution of a stops it jumps to b, however recursive traversal algorithm cannot see this as it can only see the function fλand so it will disassemble that part and also disassemble whatever follows it and not that of b as it cannot see or understand whats there a b. 2.2 DYNAMIC ANALYSIS Since Signature based detection is insufficient, packing is now considered to unpack malware and detect it. Packing can be considered to be an evolution of polymorphism. Polymorphism was mainly related to encrypting payload of the malware or the malicious software. With packing we can add several layers, one or more compression and encryption layers and decryption and decompression is performed at run time. Thus packing aims at hampering any attempts for reverse engineering. One way to unpack a packed malware is to follow algorithmic unpacking. In this we implement a routine semantically equivalent to a packing routine but we reverse the order of operation. Using this we can even recover original code. However to know algorithmic unpacking it is essential to study packing techniques so to avoid all this more dynamic analysis techniques evolved. However once unpacking of program or blocks of code is done if it is malicious the block mutates itself by polymorphism or metamorphism. For this the malware analyses its own code, then it splits the code in blocks and then each block is mutated separately. And each mutation of the block uses semantically different replacements so as to give an impression that they are different mutants whereas they perform same task. The need for dynamic analysis came as static analysis wasn’t sufficient for protection against threats and attackers. So for this we use Algorithmic-Agnostic Unpacking Techniques which rely on concept of exploiting virtual memory in subsystems work. OmniUnpack is one the generic algorithmic agnostic unpacking technique[5]. OmniUnpack works such that when malware is loaded on system, all pages in memory of malware are erased with all permissions so every page has no permission at all. So if malware tried do to do any malicious activity there is a trap which can be further analysed. Execution trace of Malware x(i) represents execution of page i in memory w(i) represents write to page i in memory si represents system call {x(0),w(2),s0,w(1),x(1),s1,x(2),s2,…} TABLE 1. PAGE NUMBER ACCESS W 0 1 2 WX @ @ @ @ s1 is OpenFile , s2 is OpenKey and s3 is DeleteFile Using OmniUnpack Algorithm we analyse the system calls. As s1 and s2 are considered benign no action is taken according to the algorithm. However as s3 raises flag an analysis is done to check if the executed and written pages have codes or patterns which represent a malware 114
  6. 6. International Journal of Computer Engineering and Technology (IJCET), ISSN 0976-6367(Print), ISSN 0976 - 6375(Online), Volume 4, Issue 6, November - December (2013), © IAEME Some softwares available which automatically emulate itself and mutate into a different form on unpacking. This isn’t done for malicious purposes. It can also be done by authors of code protecting privacy of their code against reverse engineering Best solution is to combine signature based detection and dynamic analysis for holistic comprehension and detection of threats and malwares. Signature based detection and static analysis techniques are easy to defeat so we there was a complete shift towards dynamic analysis and behaviour based analysis techniques. One of the most promising and effective technique to check if a vulnerability has been exploited is to monitor the execution of system call as system call is the only way process can interact with the operating system and can cause various actions[6]. It can also cause malicious actions like deleting a file, opening socket to connect to internet and on mobile platform it can be illegitimately sending SMS, placing calls etc. We can collect data on system calls as well as its parameters and compute statistical models on the same to infer behaviour of the program. Also we can detect high level malwares through their behaviour as all of them share a same behaviour of stealing sensitive information etc. Thus if a specific behaviour can be tagged as threatening and any statement or program showing that behaviour can be detected and eliminated to protect the system. Thus for dynamic analysis program needs to be executed and monitored by studying its interaction with the environment and OS (system calls etc.) Dynamic analysis thus enables to monitor code and data flow as it is executed and thus we can perform a more deep analysis as well have contextual information about it as well. It also helps in finding bugs in the code as program is executed or to enrich the program by instrumenting its code to enforce policies like taint tracking. Taint Tracking is used to detect integrity and confidentiality violations[7]. In taint tracking along with monitoring of system calls we can track how information flows throughout system and to check whether sensitive information is being transported or no. For eg. Detecting sending information out on the internet as it can be a sign of information leaks. Taint source is the interesting data source which we want to track. Taint sinks are the points where we want to check where data flows or where to enforce policies. Propagation rules is how data propagates throughout the system. A few Propagation Rules are as below 1. Explicit (data) flows x=y; 2. Control dependent (data) flows if(x==value) { expression;} 3. Implicit flows ( w gets same value of y ) x=0; z=0 if (y==1) x=1; else z=1; if (x==0) w=0; if(z==0) w=1; Implicit flow is basically letting a variable have a value of a tainted variable without actually propagating tainted information as propagation is done by unexecuted or hidden paths and as we are doing dynamic analysis we cannot see these paths. 115
  7. 7. International Journal of Computer Engineering and Technology (IJCET), ISSN 0976-6367(Print), ISSN 0976 - 6375(Online), Volume 4, Issue 6, November - December (2013), © IAEME Thus many authors of malwares and attacks use implicit flow as it can get difficult to track them by taint analysis We can analyse the various processes in the system and what they do. With this analysis we can find out if any process is communicating with a remote system etc. In Linux we use netstat command for the same or Profile system which gives us detailed information about network traffic etc. We can monitor sequence of system calls or sequence of dynamic library functions. Ltrace on linux intercepts and records dynamic library calls which are called by the executed process and the signals which are received by that process. Thus basically monitoring of system calls can be used for anomaly based detection as in this program is executed and its behaviour is inferred and for other instances where the same program is executed, the behaviour is seen if it deviates from the initial non-malicious behaviour to detect malware. Strace is a system call tracer in linux which intercepts and records system calls which are called by a process and the signals which are received by the process. Strace tool helps to trace system call parameters as well as its child processes and also processes attached to one process. So by tracing we come to know if program is writing an file or opening any file which can be analysed for subsequent execution. Debugging is a way we can monitor single process execution. In debugging breakpoints can be set up to stop a program whenever a particular point in program is reached or it can set up watchpoints to stop a program whenever the value of a particular variable or expression changes or it can even set up catchpoints to stop the program whenever a particular event occurs to analyse CPU environment like the memory, registers etc. On linuxgdb is the most known debugger and on Windows we have ImmuntityDebugger. In Linux to set up a breakpoint a software interrupt is used. So when CPU transfers control routine associated. So then debuggers analyse memory and registers. Breakpoint is usually done by instruction int3. After breakpoint pointer is referenced to instruction following breakpoint. In linux we have another tool ptrace to trace one process (the tracing process) to control another (traced process). The ptrace() system call provides a means by which a parent process may observe and control execution of another process and examine and change its core image and registers. It is primarily used to implement breakpoint debugging and system call tracing. Ptrace can also be used to patch program to bypass checkpoints. Syntax of ptrace is #include<sys/ptrace.h> longptrace(enum __ptrace_request request, pid_tpid, void *addr, void *data); request : determines action to be performed pid: pid of process to debug addr: depends on the request data: depends on request Whenever an event is hit, a system call is reached, tracer is invoked and the process is traced and we can analyse what action traced process is about to perform. However during software interrupt if a void handler is put, the interrupt will not be executed or if a checksum is applied, any malicious addition of code would be detected. In ltrace in linux, when it runs it retrieves all dynamic functions and it substitutes the entry points of each function with an int3 instruction so as to know that process being traced is about to execute a function call. 116
  8. 8. International Journal of Computer Engineering and Technology (IJCET), ISSN 0976-6367(Print), ISSN 0976 - 6375(Online), Volume 4, Issue 6, November - December (2013), © IAEME To avoid being traced malware authors write the program with a ptrace as if a program is already getting traced and we use ptrace we get an error and so that is an indication that malicious activity is being traced and so should be terminated. In linux as libraries are dynamically loaded we can overwrite this library and we can fool the system to believe that it is not tracing anyone. We can redefine a ptrace function and the function is compiled to be contained as a dynamic object that would be loaded as the process executes and then this newly shared object is loaded. SO while executing it return zero. So when actually ptrace is invoked we don’t get a minus 1 (-1) or error as actually we aren’t executing ptrace but the newly formed object that returns zero and so the actual check to see if process is getting traced or no is bypassed. This analysis is done within the environment where malware is executed or is present and hence is also known as inbox analysis. Sometimes a sandbox environment is designed and virtual machines or CPU emulators are used where all analysis is carried out and information is collected and malware is run in this contained environment. Usually malware is run in guest OS and we use emulators to mimic this physical environment and collect information. So all analysis happens out of box. Emulators need to implement one more step which includes implementing VM (Virtual Machine) Introspection. So CPU emulators must field sematic gates to recreate high level flow events like list of processes or accessed resources. Examples of sandboxes are Anubis, CWSandbox, Cuckoo Box,BitBlaze etc. Once we monitor and collect information while malware is under examination a generalized behavioural profile models are created to identify suspicious behaviours like clustering etc. 2.2.1 DRAWBACKS Behaviours associated only with taken paths are considered in dynamic analysis. Hidden or untaken paths are never analysed. It is necessary to force multipath exploration to overcome the drawback[8]. For this an assumption is made that behaviour of program depends only on output of system call it executes. Then dependencies between system call outputs and program variables are formed and then untaken paths are detected and execution is forced through these paths by computing new program states that satisfy those path conditions. Figure 2 Malware exploits single execution path limitation of dynamic analysis by employing trigger based behaviours such as time bombs, logic bombs, bot command inputs and testing presence of analysers to hide its intended malicious behaviour In conditional code obfuscation certain conditions are replaced with hash functions and malicious body is encrypted with a specific key and malware is compiled at right time. 117
  9. 9. International Journal of Computer Engineering and Technology (IJCET), ISSN 0976-6367(Print), ISSN 0976 - 6375(Online), Volume 4, Issue 6, November - December (2013), © IAEME Original Code Obfuscated Code If (x==c) { B } BE = Encr (B,c) if (Hash(x)==Hash(c)) { Decr (BE,X) BE } The dynamic analysis is not possible if hash functions are used to substitute original code as this means inversion of hash functions is needed which is a non-practical performance Figure 3 The system above as seen in Figure 3 depends on LLVM so instead of doing manual transformation system builds up automated program transformation analysis to automatically identify and change trigger based conditions. Here is the analysis of how code obfuscation has been able to successfully prevent detection of malware and not force multi path exploration Malware Slapper worm (p2p Engine) Slapper worm (Backdoor) BotNET (IRC Botnet Server) Password rootkit Login rootkit Top rootkit Chsh rootkit M. Triggers 28 Strong - 1 Table 2. Medium Weak None 28 - - 1 - - - 52 52 - - - 2 3 2 4 2 2 2 - 2 1 2 - To increase chances of code obfuscation analysers may be equipped with decryptor to reduce search space of keys by taking input domain into account. Eg. If we know condition checks for input and input is of specific length and domain of characters is limited one can perform brute force and disclose encrypted malicious page 118
  10. 10. International Journal of Computer Engineering and Technology (IJCET), ISSN 0976-6367(Print), ISSN 0976 - 6375(Online), Volume 4, Issue 6, November - December (2013), © IAEME 2.3 ACCESS MINER – SYSTEM CENTRIC MODELS Main idea behind Access Miner is instead of focusing on program centric models for threat protection, a system centric model so as to look for interaction made by the application with the OS trying to understand whether there are common patterns or patterns likely to be suspicious or threats. [9] In program centric approach monitoring of programs is done and inferences about its behaviour are drawn from the same mainly by system calls and its parameters as well as information from the stack. During monitoring if a program or a system call is executed which wasn’t executed during training phase or testing phase then an alarm is raised about this. It might not always be malicious, it might also mean sufficient inputs haven’t been given and tested. During analysis models do not just track and compare sequences and patterns of system calls. They are arranged in a specific order and compared and a distinct behavioural profile is created for the same. Goal of Access is to detect an end-host detection of illegitimate behaviour. While most detectors follow program centric approach access miner follows system centric approach. Program centric approach lacks context and they just look at system calls now how resources are accessed. Access Miner first creates a large data set of benign applications and malicious applications so that monitoring of interaction with the system and cross referencing can be done to see if there are any differences. System centric approach proposes an Access Activity Model. Benign programs always follow a certain way in which they access OS resources. There is no erratic pattern of accessing and writing to random resources. Malware program on the other hand will do such an erratic behaviour. To capture normal interactions with filesystem and Windows registry access activity models are proposed by access miner. Access activity model specifies a set of labels for OS resources like registry or files. A label L is a set of access tokens {t0,t1,t2,..,tn} Each token t is a pair <a,op> where first component represent and second component represents type of access. So we can monitor whether application has written to any file or directory. It is found that the detection rate of malicious activity is very high almost overall 90% with zero false positives. Initially malicious programs show false positives however it was seen that a lot of threat agents didn’t go till doing malicious activity but were terminated before itself by themselves so by filtering out those agents we get the final column as our result. 2.4 ANDROID MALWARE DYNAMIC ANALYSIS Manifest file in Android contains a lot of information like number of permissions etc. Java is easy to decompile so static analysis can be done on decompiled java byte code to understand the system. For unified dynamic analysis we use CopperDroid. It is a technique used to characterize the behaviour of android malware. It automatically reconstructs behaviour of android malware by dynamically executing malware in contained environment. All behaviours eventually happen through system calls only. By collecting system call information and analysing binder protocol reconstruction of whole behaviour of android malware can be done. CopperDroid instruments QEMU to intercept every time something is written to special register cpr and is also an indication of transition between kerneland user space. In out of box analysis information about system being analysed, system code is collected and associated with processes and resources. Binder protocol is core of Android IPC/RPC. Intents are carriers though binders, interactions with the system go through the binder and the binder driver enforces some permission policies. For example applications cannot send SMSs on their own, but must invoke (RPC) the proper system service to do it. 119
  11. 11. International Journal of Computer Engineering and Technology (IJCET), ISSN 0976-6367(Print), ISSN 0976 - 6375(Online), Volume 4, Issue 6, November - December (2013), © IAEME CopperDroid deeply inspects the Binder protocol intercepting a subset of ioctls issued by Userspace Applications. Thus Copper Droid is just a VM based dynamic analysis system to automatically reconstruct behaviour of android malware. In this unified analysis is used to avoid having multi layer virtual machine introspection and this allows easily be ported on different android versions. CopperDroid also dynamically stimulates applications to disclose additional behaviour CONCLUSION The paper gives a comprehensive idea about how malwares can be detected and how an attacker can improvise and make malwares stronger and more resilient to detection. Access Miner having shown really good results for detection with giving false positives it stands out as a very good method as it uses system centric models. In the future more work can be done on Android Malware Mitigation as Android being one of the fastest growing OS, the number of malwares and attempts to exploit it as on the rise as well. ACKNOWLEDGEMENTS I would like to thank Prof.IrfanSiddavatam from Department of Information Technology, K.J Somaiya College of Engineering for his guidance in writing of this paper. REFERENCES [1] [2] [3] [4] Information Security Theory and Practice – Lorenzo Cavallaro , Dieter Gollmann Information Security Principles and Practice, Wiley Publications – Deven N. Shah IDA Pro Book – Chris Eagle Obfuscation of executable code to improve resistance to static disassembly - C. Linn and S. Debray ACM CCS 2003. [5] Omniunpack: Fast, Generic and safe unpacking of malware – L. Martignoni, M.Christodorescu and S. Jha ACSAC 2007 [6] Anomalous system call detection – D. Mutz, F.Valeur, G.Vigna and C.Kruegel ACM TISSEC,2006 [7] Taint enhanced policy enforcement – a practical approach to defeat wide range of attacks – W. Xu and S. Bhatkar and R. Sekar, USENIX Security Symposium, 2006 [8] Exploring multiple paths for malware analysis – A. Moser, C.Kruegel and E.Kirda IEEE Security and Privacy 2007 [9] Accessminer – A. Lanzi, D.Balzarotti, C.Kruegel, M.Christodorescu and E.Kirda ACM CCS, 2010 [10] Droidscope : seamlessly reconstructing the OS and dalvik semantic views for dynamic android malware analysis – L.K Yan and H.Yin USENIX Security Symposium, 2012. [11] K.Sangeetha and Dr.K.Ravikumar, “A Framework for Practical Vulnerabilities of the Tor (The Onion Routing) Anonymity Network”, International Journal of Computer Engineering & Technology (IJCET), Volume 3, Issue 3, 2012, pp. 112 - 120, ISSN Print: 0976 – 6367, ISSN Online: 0976 – 6375. [12] A.Edwinrobert and Dr.M.Hemalatha, “Behavioral and Performance Analysis Model for Malware Detection Techniques”, International Journal of Computer Engineering & Technology (IJCET), Volume 4, Issue 1, 2013, pp. 141 - 151, ISSN Print: 0976 – 6367, ISSN Online: 0976 – 6375. 120