VX Heaven


Dynamic Analysis .. What is it and how to defeat it?!

Valhalla #2
February 2012


Dynamic analysis is an important issue today because the number of malware samples grows every year. For example, in 2008 Symantec received more than 4,000 new unknown samples per day, and McAfee about 12,300 per day. This emphasizes the need for automated tools that can scan submitted samples and try to detect the malicious software among them.

In this article I’ll try to discuss some of the most frequently used techniques of dynamic analysis with emphasis on how to overcome them.

Before I talk about dynamic analysis, let me first define static analysis. Static analysis means analyzing the malware without executing it: the sample is not run, but its structure is examined and searched for known signatures. However, static analysis is very weak against obfuscated or packed malware. Unless the packing routine is well known, the analysis component cannot unpack the target malware for analysis. Static analysis can also be defeated using indirect jumps and self-modifying code.

The following are some of the dynamic analysis methods mainly used by AV products and/or sandboxes:

Here is a table that summarizes all the above:

AV technique                             | Malware fight-back
-----------------------------------------|--------------------------------------------------
API hook in user mode                    | Run in kernel mode
API hook in kernel mode                  | Use rootkit techniques
Direct data and address taint analysis   | Use control-flow statements for information flow
Instruction trace                        | Use anti-debugging techniques
CPU & memory emulation                   | Anti-emulation techniques
                                         | Use data from the internet
                                         | Logic-bomb behaviour
                                         | Delayed execution
Network simulation                       | Get data or files from the internet

Dynamic analysis techniques are diverse and advanced. In this article I have tried to shed some light on how they work at different levels and how a malware writer can fight back against them. I hope to write a more detailed article soon about sandboxes, which are widely used by AV companies to classify new unknown samples.

M0SA, February 13, 2012

