Summary:

This thesis describes the design and implementation of a framework, PowerScan, which provides the ability to combine multiple tools in the analysis of a malware sample. The framework utilizes XML configuration in order to provide extendability, so that new tools can be added post-compilation without significant effort. The framework deals with three major types of malware analysis:

1. Surface scan of a sample with multiple on-demand anti-virus engines.
2. Execution of the malware sample with real-time (on-access) anti-virus engines running in the background.
3. Execution of the malware sample with different dynamic analysis solutions running. These tools may monitor the file system, registry, network or other aspects of the operating system during execution.

The reasoning behind each of these phases is:

1. Using multiple scanners increases the probability that at least one of the vendors has created a detection signature for the given malware.
2. Executing the sample ensures that the malware code sooner or later will be written to disk or memory. This should greatly enhance the detection rate for samples obfuscated using packers with encryption or other techniques, as the code at some point must be deobfuscated before execution. Additionally, on-access scanners might use more advanced (and resource-consuming) techniques when monitoring files executed on the system. As for surface scanning, the odds of correctly identifying the malware also increase when using more scanners.
3. Although several good sandbox analysis tools exist, the solution presented here allows the malware analyst to choose which analysis tools to use, and even to use different tools for analyzing the same aspect of the execution.

A thorough description of design, implementation and testing is given in the report. In addition to the implementation of the PowerScan framework described above, the theory behind all involved components is presented. This includes a description of the Microsoft Windows platform (which is used for executing malware in PowerScan, and definitely the platform most targeted by malware at the time of writing), virtualization (which is used in the virtual machines), anti-virus technology, malware hiding techniques and more. Surveys of the usability of different anti-virus engines and dynamic analysis tools in the framework have been conducted and are presented in the appendices, together with a comprehensive user guide.
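As an added illustration of the XML-driven extensibility and the multi-engine surface scan (phase 1) described in the summary, the following Python is example code written for this page, not PowerScan's own code: the element and attribute names of the XML schema, the engine names, their command lines and their output formats are all constructed assumptions. It loads scanner definitions from XML, runs each engine against a sample with the path substituted only after the command template has been split into arguments (so a sample path with spaces or shell metacharacters cannot alter the command line), records a missing or hung engine without aborting the remaining scans, and aggregates the per-engine results into a single verdict.

```python
"""XML-driven multi-engine surface scan (hypothetical example; not PowerScan's code)."""
import re
import shlex
import subprocess
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed configuration. The schema (tool/command/detect elements and their
# attributes) and the engine command lines are assumptions for this example.
TOOLS_XML = r"""<tools>
  <tool name="EngineA" timeout="60">
    <command>engine-a-cli --scan {sample}</command>
    <detect pattern="Infected: (?P&lt;sig&gt;\S+)"/>
  </tool>
  <tool name="EngineB" timeout="120">
    <command>engineb /quiet {sample}</command>
    <detect pattern="FOUND \[(?P&lt;sig&gt;[^\]]+)\]"/>
  </tool>
</tools>"""


@dataclass(frozen=True)
class ScannerTool:
    name: str
    command: str         # command template; {sample} is replaced at scan time
    detect: re.Pattern   # a match in the engine output means "detected";
                         # the named group 'sig' carries the signature name
    timeout: int


def load_tools(xml_text: str) -> List[ScannerTool]:
    """Parse <tool> elements; adding an engine means adding an element, not recompiling."""
    tools: List[ScannerTool] = []
    for el in ET.fromstring(xml_text).findall("tool"):
        name, cmd, det = el.get("name"), el.findtext("command"), el.find("detect")
        if not name or not cmd or det is None or not det.get("pattern"):
            raise ValueError("tool element needs name, <command> and <detect pattern>")
        tools.append(ScannerTool(name, cmd.strip(), re.compile(det.get("pattern")),
                                 int(el.get("timeout", "60"))))
    return tools


@dataclass(frozen=True)
class ScanResult:
    tool: str
    detected: bool
    signature: Optional[str]
    error: Optional[str] = None


Runner = Callable[[List[str], int], str]


def run_subprocess(argv: List[str], timeout: int) -> str:
    """Default runner: execute the engine without a shell and return its combined output."""
    proc = subprocess.run(argv, capture_output=True, text=True, timeout=timeout)
    return proc.stdout + proc.stderr


def scan_sample(sample_path: str, tools: List[ScannerTool],
                runner: Runner = run_subprocess) -> List[ScanResult]:
    """Phase 1: run every configured on-demand engine over one sample."""
    results: List[ScanResult] = []
    for tool in tools:
        # Split the template first, then substitute, so a sample path containing
        # spaces or shell metacharacters stays a single argument.
        argv = [arg.replace("{sample}", sample_path) for arg in shlex.split(tool.command)]
        try:
            output = runner(argv, tool.timeout)
        except (OSError, subprocess.TimeoutExpired) as exc:
            # A missing or hung engine is recorded, not allowed to abort the other scans.
            results.append(ScanResult(tool.name, False, None, error=type(exc).__name__))
            continue
        match = tool.detect.search(output)
        results.append(ScanResult(tool.name, match is not None,
                                  match.group("sig") if match else None))
    return results


def verdict(results: List[ScanResult]) -> Dict[str, object]:
    """Aggregate: the sample counts as detected if any engine matched."""
    hits = {r.tool: r.signature for r in results if r.detected}
    return {"detected": bool(hits), "engines_run": len(results), "hits": hits}


# Constructed engine output used in place of real scanners so the example runs offline.
CONSTRUCTED_OUTPUT = {
    "engine-a-cli": "Scanning sample.exe ... Infected: Trojan.Generic.1234\n",
    "engineb": "1 file scanned, 0 threats.\n",
}


def stub_runner(argv: List[str], timeout: int) -> str:
    if argv[0] not in CONSTRUCTED_OUTPUT:
        raise FileNotFoundError(argv[0])   # behaves like an engine that is not installed
    return CONSTRUCTED_OUTPUT[argv[0]]


if __name__ == "__main__":
    print(verdict(scan_sample("/tmp/sample name.exe", load_tools(TOOLS_XML), stub_runner)))
```

The runner is injectable so the same pipeline can be exercised with the constructed stub above or with the real subprocess runner; with real engines, the regex in each `<detect>` element is the only per-engine knowledge the framework needs, which is what lets a new scanner be added by editing the XML alone.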