This document summarizes techniques for malware analysis and mitigation. It discusses both static and dynamic analysis methods. For static analysis, it describes reverse engineering techniques like disassembly and control flow graph analysis. It also discusses how attackers use obfuscation and polymorphism to evade static analysis. For dynamic analysis, it discusses algorithmic unpacking and behavior-based analysis using system call monitoring. The document recommends using both signature-based and behavior-based detection methods to comprehensively analyze malware.

1. International Journal of Computer Engineering and Technology (IJCET), ISSN 0976-6367(Print),
INTERNATIONAL JOURNAL OF COMPUTER ENGINEERING &
ISSN 0976 - 6375(Online), Volume 4, Issue 6, November - December (2013), © IAEME
TECHNOLOGY (IJCET)
ISSN 0976 – 6367(Print)
ISSN 0976 – 6375(Online)
Volume 4, Issue 6, November - December (2013), pp. 110-120
© IAEME: www.iaeme.com/ijcet.asp
Journal Impact Factor (2013): 6.1302 (Calculated by GISI)
www.jifactor.com
IJCET
©IAEME
MALWARES, VULNERABILITIES AND ITS ANALYSIS AND MITIGATION
Pratik Karnik
Department of Information Technology, K.J Somaiya College of Engineering, Vidyavihar (E)
Mumbai India
ABSTRACT
Malwares and exploitation of vulnerabilities is on the rise. The number of malwares are
exponentially increasing and the harm that they can cause is also exponentially increasing. A
malware can exploit a system’s vulnerability and can cause damage to the system or make it perform
illegitimate actions.
In this paper various static and dynamic analysis for detection of malwares is put forth and
how we can mitigate it. Along with it how attackers reinforce and improvise their malwares and
malicious programs to prevent such detection is also put forth in the paper. A small insight into
Android Malware Analysis is also stated.
Keywords: Malware, Malware Analysis, Polymorphism, Obfuscation, Reverse Engineering.
1. INTRODUCTION
Malicious Software or Malware refers to any unwanted software and executable code that is
used to perform an unauthorized, often harmful action on a computing device. It is an umbrella-term
for various types of harmful software, including viruses, worms, Trojans, rootkits and botnets. [1]
Self - Spreading
Non Spreading
MEANS OF DISTRIBUTION
Requires Host
Virus
Root – kit
Trojan Horse
Runs Independently
Worm
Dialer
Spyware
Keylogger
In computer security domain, an internet vulnerability is a fallacy which allows an attacker or
any external agent to jeopardize a system’s information and system’s working. Vulnerability is
110

2. International Journal of Computer Engineering and Technology (IJCET), ISSN 0976-6367(Print),
ISSN 0976 - 6375(Online), Volume 4, Issue 6, November - December (2013), © IAEME
basically convergence of three elements: a flaw in the system, how accessible is the flaw to the
attacker and the ability of the attacker to harness the flaw. To effectively exploit the vulnerability the
attacker uses an application, some tool or technique to take advantage of the system’s weakness and
to cause malicious damage to the system.
Malware
Threat
Attacker
Protection
---------------->
Firewall
Counter Measure
Resources
--------------->
Vulnerability
System
Figure 1 .
A system may have two or more vulnerabilities which can be used for its benefit by threats,
attack or attackers. CIA which means Confidentiality, Integrity and Availability is the triad which is
the foundation of Internet Security. When a vulnerability is exploited the confidentiality, integrity
and availability of system is compromised.
Once attacker gets to know about system’s vulnerability it can take advantage of the same
and attack the system. An attack can be an active attack wherein the attacker maliciously changes the
operations of system for his own benefit or it can be a passive attack wherein the attacker doesn’t
alter anything just quietly snoops data.[2]
As malwares and threats are on rise, efficient and effective detection and analysis of such
malwares is essential. The main purpose of this paper is to highlight various detection and analysis
techniques to prevent and detect malwares and also to give the other side of the story i.e how
attackers improvise to make malwares stronger.
In section 2 basic information regarding various malwares and primitive analysis technique is
given. In section 2.1 various static analysis techniques are put forth for detection of malwares as well
as how attackers can prevent such detection. In section 2.2 various dynamic analysis techniques are
put forth for detection of malwares as well as how attackers can prevent such detection. In section
2.3 a new concept of system centric analysis and detection is put forth. In section 2.4 basic android
malware analysis and detection is given.
2. MITIGATION FOR THREATS, VIRUSES, WORMS AND VULNERABILITIES
Initially worms like Morris Worm etc. were just created to show off one’s coding skills and
not to cause any harm.
Sequence of bytes were used for representing viruses. So viruses could be detected at a high
rate because of this. Common technique used for the same is signature based detection. Hash
Functions to uniquely represent Virus.
Viruses were first written in C then in Macro and other scripting languages.
Signature based detection has database of signatures (regular expressions, byte patterns, hash
functions, byte patterns) without raising too many false positive alarms. Program is scanned before
execution, so if an patterns or sequences are found which match to those in the virus database then
execution can be aborted thereby reducing the impact of the vulnerability exploited.[2]
2.1 STATIC ANALYSIS
Reverse Engineering manually was done manually to detect viruses and thereby reduce
chances of vulnerabilities getting exploited.
111

3. International Journal of Computer Engineering and Technology (IJCET), ISSN 0976-6367(Print),
ISSN 0976 - 6375(Online), Volume 4, Issue 6, November - December (2013), © IAEME
2.1.1 REVERSE ENGINEERING
It’s about extracting the properties of program by doing inverse process of assembling i.e
dissemble a program.
Disassembly means taking a binary blob, setting code and data apart and translating machine
code to mnemonics instructions. With disassembled program we identify functions, jumps, local
variables thus we get to know program behaviour without running it.
As viruses or any threats can maliciously enter a system or a program under execution by
SQL, OS or LDAP Injection and can trick the compiler to execute unwanted or malicious commands
we need to do reverse engineering.
For reverse engineering we make use of a Linear Algorithm i.e Linear Sweep[3]
The Linear Sweep algorithm locates instructions where one instruction begins and the other
ends. It assumes that everything in the section marked as code actually represents machine
instructions. The algorithm starts disassembling from the first byte in the code section in a linear way
thereby giving a complete cover of program. The algorithm basically tries to interpret everything as
code and disassembles it. It interprets data also as code so data shouldn’t be mixed with code.
As viruses and attack agents can maliciously change the control flow of execution of a
program it is very important to scan and analyse the control flow. For this Recursive Traversal
Algorithm. A flow of a program includes sequential flows which means flow of control to the
instruction that follows, conditional branching which means if condition is true branch is taken
otherwise flow of execution continues in a linear fashion or unconditional branching means the
branch is taken without any condition. Basically this algorithm goes with the normal flow of
execution and unlike Linear Sweep this algorithm distinguishes between code and data and thereby
helps in further static analysis.
Also CFG or control flow graphs can be used. A CFG is a representation of flow of execution
of the program which includes all program statements as well as predicates. CFG helps us to perform
sophisticated program analysis like Optimization (constant propagation, dead code elimination
through reachability analysis) , Slicing which helps to determine what instructions operate on
sensitive data thereby helping us provide more security and attention to such operands. CFG can also
be used to compare structure of malware or viruses. So if CFG of the present program has a similar
structure so by rough comparison of it was possible to detect viruses.
So Reverse Engineering as a whole it breaks down the program or statement into various
components and each component is analysed for malicious or unwanted behaviour so as to prevent
damage to the system.
For reverse engineering and specifically for recursive traversal algorithm there is a software
IDA Pro (Interactive Disassembler Professional)[3]. Though specific to recursive traversal it gives a
very detailed preliminary analysis and hence can be used in generic cases as well. This is provided
the program isn’t heavily obfuscated to find function boundaries, library calls and argument types. It
builds control flow graph as well as call graph for static analysis. It also adds code and data cross
references and know if any other part of code is referencing this good. This helps to know if a person
is in a loop or entry point of a block. It can even patch a binary so as to illegally write a CD and let it
go undetected.
2.1.2 POLYMORPHISM
To prevent malwares and viruses from being detected, attackers and hackers have started
creating variances of their malware i.e malwares perform the same original work but are
syntactically different.
112

4. International Journal of Computer Engineering and Technology (IJCET), ISSN 0976-6367(Print),
ISSN 0976 - 6375(Online), Volume 4, Issue 6, November - December (2013), © IAEME
For polymorphism the attackers encrypt the pay load or the real malicious component of the
virus with a key which is generated independently in each infection cycle. This encryption makes
static analysis and reverse engineering very difficult as we have a blob of code and no way to
disassemble it. So to do static analysis one has to find a decryption routine and execute it and then
later on perform static analysis. There be a single or multiple encryption routines. In polymorphism
there is a decryptor and an encryptor routine and then there is a payload which is encrypted so only
the payload changes. So it is easy for an antivirus to create a signature and later use it for detecting
this virus. However in metamorphism the whole virus changes, all instructions are replaced with
equivalent instructions of different syntax so it is difficult to create a unique instruction for the same.
Besides encryption one can use code Obfuscation to make process of reverse engineering harder.[4]
Obfuscation refers to techniques that preserve program’s semantics and functionality while at the
same time making it difficult for an analyst to comprehend or extract information about program and
its structure.
One way to hamper static analysis is to insert junk bytes into the program. If junk bytes are
not complete but just partial instructions then when assembling the program it shouldn’t report an
error. However x86 architecture has a property that it self-repairs itself after a certain number of
steps. So while inserting junk bytes it should be inserted so as to create maximum confusion which is
intended.
The junk bytes which are inserted must be partial instructions and must be unreachable at run
time by inserting a conditional jumps that skip over the partial instructions otherwise there might be
an error reported by the CPU. This technique helps get rid of linear sweep algorithm but not
recursive traversal algorithm as recursive traversal follows flow of execution.
One technique to fool recursive traversal algorithm is to use branch functions whose work is
to camouflage original conditional jumps. In this the original branch function is replaced by a
dummy function that encodes the logic to change the return address of the callee. So basically the
recursive traversal algorithm will also not hit the partial instructions and will keep disassembling
different parts of the program as due to branch functions algorithm is referenced to it.
We can also use Opaque functions. Opaque functions are basically functions which go in
only one direction which means they are either completely true or completely false. However it is
difficult to determine that at static time. So program gets executed along both its branches thereby
increasing program complexity.
Branching Function can be as follows
Given a finite map λ= {a1 -> b1, …. ,an->bn} a branch function fλis a function such that
a1 : jump b1
a2 : jump b2
an : jump bn
a1: call fλ
………
is replaced by
---------------------->
a2 : call fλ
……….
an : call fλ
Example of fλ :
F : push1 %eax
mov 8(%esp), %eax
add %eax, 4(%esp)
pop %eax
ret
#1 : save original eax into the stack
and get disp to target b_i
#2 : add disp to ret-addr
#3 : restore original eax
#4 : jump to the target
113
………
……….

5. International Journal of Computer Engineering and Technology (IJCET), ISSN 0976-6367(Print),
ISSN 0976 - 6375(Online), Volume 4, Issue 6, November - December (2013), © IAEME
When execution of a stops it jumps to b, however recursive traversal algorithm cannot see
this as it can only see the function fλand so it will disassemble that part and also disassemble
whatever follows it and not that of b as it cannot see or understand whats there a b.
2.2 DYNAMIC ANALYSIS
Since Signature based detection is insufficient, packing is now considered to unpack malware
and detect it. Packing can be considered to be an evolution of polymorphism. Polymorphism was
mainly related to encrypting payload of the malware or the malicious software. With packing we can
add several layers, one or more compression and encryption layers and decryption and
decompression is performed at run time. Thus packing aims at hampering any attempts for reverse
engineering.
One way to unpack a packed malware is to follow algorithmic unpacking. In this we
implement a routine semantically equivalent to a packing routine but we reverse the order of
operation. Using this we can even recover original code. However to know algorithmic unpacking it
is essential to study packing techniques so to avoid all this more dynamic analysis techniques
evolved.
However once unpacking of program or blocks of code is done if it is malicious the block
mutates itself by polymorphism or metamorphism. For this the malware analyses its own code, then
it splits the code in blocks and then each block is mutated separately. And each mutation of the block
uses semantically different replacements so as to give an impression that they are different mutants
whereas they perform same task.
The need for dynamic analysis came as static analysis wasn’t sufficient for protection against
threats and attackers. So for this we use Algorithmic-Agnostic Unpacking Techniques which rely on
concept of exploiting virtual memory in subsystems work.
OmniUnpack is one the generic algorithmic agnostic unpacking technique[5]. OmniUnpack
works such that when malware is loaded on system, all pages in memory of malware are erased with
all permissions so every page has no permission at all. So if malware tried do to do any malicious
activity there is a trap which can be further analysed.
Execution trace of Malware
x(i) represents execution of page i in memory
w(i) represents write to page i in memory
si represents system call
{x(0),w(2),s0,w(1),x(1),s1,x(2),s2,…}
TABLE 1.
PAGE NUMBER
ACCESS
W
0
1
2
WX
@
@
@
@
s1 is OpenFile , s2 is OpenKey and s3 is DeleteFile
Using OmniUnpack Algorithm we analyse the system calls. As s1 and s2 are considered
benign no action is taken according to the algorithm. However as s3 raises flag an analysis is done to
check if the executed and written pages have codes or patterns which represent a malware
114

6. International Journal of Computer Engineering and Technology (IJCET), ISSN 0976-6367(Print),
ISSN 0976 - 6375(Online), Volume 4, Issue 6, November - December (2013), © IAEME
Some softwares available which automatically emulate itself and mutate into a different form
on unpacking. This isn’t done for malicious purposes. It can also be done by authors of code
protecting privacy of their code against reverse engineering
Best solution is to combine signature based detection and dynamic analysis for holistic
comprehension and detection of threats and malwares.
Signature based detection and static analysis techniques are easy to defeat so we there was a
complete shift towards dynamic analysis and behaviour based analysis techniques.
One of the most promising and effective technique to check if a vulnerability has been
exploited is to monitor the execution of system call as system call is the only way process can
interact with the operating system and can cause various actions[6]. It can also cause malicious
actions like deleting a file, opening socket to connect to internet and on mobile platform it can be
illegitimately sending SMS, placing calls etc. We can collect data on system calls as well as its
parameters and compute statistical models on the same to infer behaviour of the program. Also we
can detect high level malwares through their behaviour as all of them share a same behaviour of
stealing sensitive information etc. Thus if a specific behaviour can be tagged as threatening and any
statement or program showing that behaviour can be detected and eliminated to protect the system.
Thus for dynamic analysis program needs to be executed and monitored by studying its interaction
with the environment and OS (system calls etc.)
Dynamic analysis thus enables to monitor code and data flow as it is executed and thus we
can perform a more deep analysis as well have contextual information about it as well. It also helps
in finding bugs in the code as program is executed or to enrich the program by instrumenting its code
to enforce policies like taint tracking.
Taint Tracking is used to detect integrity and confidentiality violations[7]. In taint tracking
along with monitoring of system calls we can track how information flows throughout system and to
check whether sensitive information is being transported or no. For eg. Detecting sending
information out on the internet as it can be a sign of information leaks. Taint source is the interesting
data source which we want to track. Taint sinks are the points where we want to check where data
flows or where to enforce policies. Propagation rules is how data propagates throughout the system.
A few Propagation Rules are as below
1. Explicit (data) flows
x=y;
2. Control dependent (data) flows
if(x==value) { expression;}
3. Implicit flows ( w gets same value of y )
x=0; z=0
if (y==1)
x=1;
else
z=1;
if (x==0)
w=0;
if(z==0)
w=1;
Implicit flow is basically letting a variable have a value of a tainted variable without
actually propagating tainted information as propagation is done by unexecuted or hidden
paths and as we are doing dynamic analysis we cannot see these paths.
115

7. International Journal of Computer Engineering and Technology (IJCET), ISSN 0976-6367(Print),
ISSN 0976 - 6375(Online), Volume 4, Issue 6, November - December (2013), © IAEME
Thus many authors of malwares and attacks use implicit flow as it can get difficult to track
them by taint analysis
We can analyse the various processes in the system and what they do. With this analysis we
can find out if any process is communicating with a remote system etc. In Linux we use netstat
command for the same or Profile system which gives us detailed information about network traffic
etc.
We can monitor sequence of system calls or sequence of dynamic library functions. Ltrace on
linux intercepts and records dynamic library calls which are called by the executed process and the
signals which are received by that process.
Thus basically monitoring of system calls can be used for anomaly based detection as in this
program is executed and its behaviour is inferred and for other instances where the same program is
executed, the behaviour is seen if it deviates from the initial non-malicious behaviour to detect
malware.
Strace is a system call tracer in linux which intercepts and records system calls which are
called by a process and the signals which are received by the process. Strace tool helps to trace
system call parameters as well as its child processes and also processes attached to one process. So
by tracing we come to know if program is writing an file or opening any file which can be analysed
for subsequent execution.
Debugging is a way we can monitor single process execution. In debugging breakpoints can
be set up to stop a program whenever a particular point in program is reached or it can set up
watchpoints to stop a program whenever the value of a particular variable or expression changes or it
can even set up catchpoints to stop the program whenever a particular event occurs to analyse CPU
environment like the memory, registers etc. On linuxgdb is the most known debugger and on
Windows we have ImmuntityDebugger.
In Linux to set up a breakpoint a software interrupt is used. So when CPU transfers control
routine associated. So then debuggers analyse memory and registers. Breakpoint is usually done by
instruction int3. After breakpoint pointer is referenced to instruction following breakpoint.
In linux we have another tool ptrace to trace one process (the tracing process) to control
another (traced process). The ptrace() system call provides a means by which a parent process may
observe and control execution of another process and examine and change its core image and
registers. It is primarily used to implement breakpoint debugging and system call tracing. Ptrace can
also be used to patch program to bypass checkpoints.
Syntax of ptrace is
#include<sys/ptrace.h>
longptrace(enum __ptrace_request request, pid_tpid, void *addr, void *data);
request : determines action to be performed
pid: pid of process to debug
addr: depends on the request
data: depends on request
Whenever an event is hit, a system call is reached, tracer is invoked and the process is traced
and we can analyse what action traced process is about to perform.
However during software interrupt if a void handler is put, the interrupt will not be executed
or if a checksum is applied, any malicious addition of code would be detected.
In ltrace in linux, when it runs it retrieves all dynamic functions and it substitutes the entry
points of each function with an int3 instruction so as to know that process being traced is about to
execute a function call.
116

8. International Journal of Computer Engineering and Technology (IJCET), ISSN 0976-6367(Print),
ISSN 0976 - 6375(Online), Volume 4, Issue 6, November - December (2013), © IAEME
To avoid being traced malware authors write the program with a ptrace as if a program is
already getting traced and we use ptrace we get an error and so that is an indication that malicious
activity is being traced and so should be terminated. In linux as libraries are dynamically loaded we
can overwrite this library and we can fool the system to believe that it is not tracing anyone.
We can redefine a ptrace function and the function is compiled to be contained as a dynamic
object that would be loaded as the process executes and then this newly shared object is loaded. SO
while executing it return zero. So when actually ptrace is invoked we don’t get a minus 1 (-1) or
error as actually we aren’t executing ptrace but the newly formed object that returns zero and so the
actual check to see if process is getting traced or no is bypassed.
This analysis is done within the environment where malware is executed or is present and
hence is also known as inbox analysis.
Sometimes a sandbox environment is designed and virtual machines or CPU emulators are
used where all analysis is carried out and information is collected and malware is run in this
contained environment. Usually malware is run in guest OS and we use emulators to mimic this
physical environment and collect information. So all analysis happens out of box. Emulators need to
implement one more step which includes implementing VM (Virtual Machine) Introspection. So
CPU emulators must field sematic gates to recreate high level flow events like list of processes or
accessed resources. Examples of sandboxes are Anubis, CWSandbox, Cuckoo Box,BitBlaze etc.
Once we monitor and collect information while malware is under examination a generalized
behavioural profile models are created to identify suspicious behaviours like clustering etc.
2.2.1 DRAWBACKS
Behaviours associated only with taken paths are considered in dynamic analysis. Hidden or
untaken paths are never analysed. It is necessary to force multipath exploration to overcome the
drawback[8]. For this an assumption is made that behaviour of program depends only on output of
system call it executes. Then dependencies between system call outputs and program variables are
formed and then untaken paths are detected and execution is forced through these paths by
computing new program states that satisfy those path conditions.
Figure 2
Malware exploits single execution path limitation of dynamic analysis by employing trigger
based behaviours such as time bombs, logic bombs, bot command inputs and testing presence of
analysers to hide its intended malicious behaviour
In conditional code obfuscation certain conditions are replaced with hash functions and
malicious body is encrypted with a specific key and malware is compiled at right time.
117

9. International Journal of Computer Engineering and Technology (IJCET), ISSN 0976-6367(Print),
ISSN 0976 - 6375(Online), Volume 4, Issue 6, November - December (2013), © IAEME
Original Code
Obfuscated Code
If (x==c)
{
B
}
BE = Encr (B,c)
if (Hash(x)==Hash(c))
{
Decr (BE,X)
BE }
The dynamic analysis is not possible if hash functions are used to substitute original code as
this means inversion of hash functions is needed which is a non-practical performance
Figure 3
The system above as seen in Figure 3 depends on LLVM so instead of doing manual
transformation system builds up automated program transformation analysis to automatically identify
and change trigger based conditions.
Here is the analysis of how code obfuscation has been able to successfully prevent detection
of malware and not force multi path exploration
Malware
Slapper worm
(p2p Engine)
Slapper worm
(Backdoor)
BotNET (IRC
Botnet Server)
Password rootkit
Login rootkit
Top rootkit
Chsh rootkit
M.
Triggers
28
Strong
-
1
Table 2.
Medium
Weak
None
28
-
-
1
-
-
-
52
52
-
-
-
2
3
2
4
2
2
2
-
2
1
2
-
To increase chances of code obfuscation analysers may be equipped with decryptor to reduce
search space of keys by taking input domain into account. Eg. If we know condition checks for input
and input is of specific length and domain of characters is limited one can perform brute force and
disclose encrypted malicious page
118

10. International Journal of Computer Engineering and Technology (IJCET), ISSN 0976-6367(Print),
ISSN 0976 - 6375(Online), Volume 4, Issue 6, November - December (2013), © IAEME
2.3 ACCESS MINER – SYSTEM CENTRIC MODELS
Main idea behind Access Miner is instead of focusing on program centric models for threat
protection, a system centric model so as to look for interaction made by the application with the OS
trying to understand whether there are common patterns or patterns likely to be suspicious or threats.
[9]
In program centric approach monitoring of programs is done and inferences about its
behaviour are drawn from the same mainly by system calls and its parameters as well as information
from the stack. During monitoring if a program or a system call is executed which wasn’t executed
during training phase or testing phase then an alarm is raised about this. It might not always be
malicious, it might also mean sufficient inputs haven’t been given and tested. During analysis models
do not just track and compare sequences and patterns of system calls. They are arranged in a specific
order and compared and a distinct behavioural profile is created for the same. Goal of Access is to
detect an end-host detection of illegitimate behaviour. While most detectors follow program centric
approach access miner follows system centric approach. Program centric approach lacks context and
they just look at system calls now how resources are accessed.
Access Miner first creates a large data set of benign applications and malicious applications
so that monitoring of interaction with the system and cross referencing can be done to see if there are
any differences.
System centric approach proposes an Access Activity Model. Benign programs always follow
a certain way in which they access OS resources. There is no erratic pattern of accessing and writing
to random resources. Malware program on the other hand will do such an erratic behaviour. To
capture normal interactions with filesystem and Windows registry access activity models are
proposed by access miner.
Access activity model specifies a set of labels for OS resources like registry or files.
A label L is a set of access tokens {t0,t1,t2,..,tn}
Each token t is a pair <a,op> where first component represent and second component
represents type of access. So we can monitor whether application has written to any file or directory.
It is found that the detection rate of malicious activity is very high almost overall 90% with
zero false positives. Initially malicious programs show false positives however it was seen that a lot
of threat agents didn’t go till doing malicious activity but were terminated before itself by themselves
so by filtering out those agents we get the final column as our result.
2.4 ANDROID MALWARE DYNAMIC ANALYSIS
Manifest file in Android contains a lot of information like number of permissions etc. Java is
easy to decompile so static analysis can be done on decompiled java byte code to understand the
system.
For unified dynamic analysis we use CopperDroid. It is a technique used to characterize the
behaviour of android malware. It automatically reconstructs behaviour of android malware by
dynamically executing malware in contained environment. All behaviours eventually happen through
system calls only. By collecting system call information and analysing binder protocol reconstruction
of whole behaviour of android malware can be done.
CopperDroid instruments QEMU to intercept every time something is written to special
register cpr and is also an indication of transition between kerneland user space.
In out of box analysis information about system being analysed, system code is collected and
associated with processes and resources.
Binder protocol is core of Android IPC/RPC. Intents are carriers though binders, interactions
with the system go through the binder and the binder driver enforces some permission policies. For
example applications cannot send SMSs on their own, but must invoke (RPC) the proper system
service to do it.
119

11. International Journal of Computer Engineering and Technology (IJCET), ISSN 0976-6367(Print),
ISSN 0976 - 6375(Online), Volume 4, Issue 6, November - December (2013), © IAEME
CopperDroid deeply inspects the Binder protocol intercepting a subset of ioctls issued by
Userspace Applications.
Thus Copper Droid is just a VM based dynamic analysis system to automatically reconstruct
behaviour of android malware. In this unified analysis is used to avoid having multi layer virtual
machine introspection and this allows easily be ported on different android versions. CopperDroid
also dynamically stimulates applications to disclose additional behaviour
CONCLUSION
The paper gives a comprehensive idea about how malwares can be detected and how an
attacker can improvise and make malwares stronger and more resilient to detection. Access Miner
having shown really good results for detection with giving false positives it stands out as a very good
method as it uses system centric models.
In the future more work can be done on Android Malware Mitigation as Android being one of
the fastest growing OS, the number of malwares and attempts to exploit it as on the rise as well.
ACKNOWLEDGEMENTS
I would like to thank Prof.IrfanSiddavatam from Department of Information Technology,
K.J Somaiya College of Engineering for his guidance in writing of this paper.
REFERENCES
[1]
[2]
[3]
[4]
Information Security Theory and Practice – Lorenzo Cavallaro , Dieter Gollmann
Information Security Principles and Practice, Wiley Publications – Deven N. Shah
IDA Pro Book – Chris Eagle
Obfuscation of executable code to improve resistance to static disassembly - C. Linn and S.
Debray ACM CCS 2003.
[5] Omniunpack: Fast, Generic and safe unpacking of malware – L. Martignoni,
M.Christodorescu and S. Jha ACSAC 2007
[6] Anomalous system call detection – D. Mutz, F.Valeur, G.Vigna and C.Kruegel ACM
TISSEC,2006
[7] Taint enhanced policy enforcement – a practical approach to defeat wide range of attacks –
W. Xu and S. Bhatkar and R. Sekar, USENIX Security Symposium, 2006
[8] Exploring multiple paths for malware analysis – A. Moser, C.Kruegel and E.Kirda IEEE
Security and Privacy 2007
[9] Accessminer – A. Lanzi, D.Balzarotti, C.Kruegel, M.Christodorescu and E.Kirda ACM CCS,
2010
[10] Droidscope : seamlessly reconstructing the OS and dalvik semantic views for dynamic
android malware analysis – L.K Yan and H.Yin USENIX Security Symposium, 2012.
[11] K.Sangeetha and Dr.K.Ravikumar, “A Framework for Practical Vulnerabilities of the Tor
(The Onion Routing) Anonymity Network”, International Journal of Computer Engineering
& Technology (IJCET), Volume 3, Issue 3, 2012, pp. 112 - 120, ISSN Print: 0976 – 6367,
ISSN Online: 0976 – 6375.
[12] A.Edwinrobert and Dr.M.Hemalatha, “Behavioral and Performance Analysis Model for
Malware Detection Techniques”, International Journal of Computer Engineering &
Technology (IJCET), Volume 4, Issue 1, 2013, pp. 141 - 151, ISSN Print: 0976 – 6367,
ISSN Online: 0976 – 6375.
120