Mining Network Behavior Specifications
of Malware Based on Binary Analysis
Peidai Xie, Yongjun Wang, Huabiao Lu, Meijian Li, and Jinshu Su
1 College of Computer, National University of Defense Technology, Changsha Hunan, China
peidaixie@gmail.com
Abstract. Nowadays malware, especially botnet malware, relies heavily on network
communication to accomplish its predefined malicious functionalities, and the
network behavior of malware has attracted the attention of researchers. However,
the network traffic used for network-based signature generation and botnet
detection is captured passively from an execution environment, which has several
limitations. In this paper we present a network behavior mining approach based on
binary analysis, named NBSBA. Our goal is to understand the network behavior of
malware accurately and in detail, to capture the packets launched by the malware
sample under analysis as early as possible, and to extract the network behavior of
the malware as completely as possible. We first give a network behavior
specification and then describe NBSBA. We implement a prototype system to evaluate
NBSBA, and the experiment demonstrates that our approach is efficient.
Keywords: Network Behavior, Binary Analysis, Malware.
1 Introduction
Malware is a generic term for all kinds of unwanted software that fulfills the
deliberately harmful intent of attackers, such as computer viruses, worms, Trojan
horses, bots, etc. Attackers use malware to attack network infrastructure, steal
sensitive information and send spam email, which makes it the main security threat
to the Internet [1]. Nowadays, malware relies heavily on network communication to
accomplish its predefined functionalities [2].
Remote control is a dominant characteristic of malware. A representative sequence
of network attack activity performed by a malware sample such as a bot is as
follows. First, DNS request packets are sent to resolve IP addresses, such as the
IP address of a C&C server, a server that provides updates of the malicious
executable, a spam email server, other bot agents used for malicious purposes,
etc., and connections to those IP addresses are then launched using predefined
protocols. Second, the malware sample attacks a target according to the commands
received from the C&C server. The attacking activities include collecting
information about the victim, scanning the hosts in the victim's local area
network, launching DDoS attacks, pulling a spam template, etc. Finally, the malware
sample may kill itself if the attacker asks it to. Most of the malicious
functionalities of a