Component Similarity Based Methods for Automatic Analysis of Malicious Executables.pdfVIP

Component Similarity Based Methods for Automatic Analysis of Malicious Executables Zhiyin Liang, Tao Wei, Yu Chen, Xinhui Han, Jianwei Zhuge, Wei Zou(Corresponding Author) Institute of Computer Science and Technology, Peking University, 100871 Phone: 8610 Fax: 8610 {Liangzhiyin, weitao, chenyu, hanxinhui, zhugejianwei, zouwei}@ Abstract. In recent years with the popularity of source code sharing, the number of types of malware increases sharply; furthermore, malwares are also getting more and more sophisticated. These developments together propose a tremendous challenge to traditional ways of analyzing malware. One way to handle such challenge is to develop tools to automate the analyzing task, and in this paper we describe one such method for static analysis of malware. Inspired by the observation that a malicious executable usually consists of several components, each performing certain tasks, and that these components are often reused by others, our method employs techniques from reverse engineering and data clustering to component decomposing of an executable. For each component obtained, we then match it against a library of known malware components to identify it. For malicious programs, we further utilize the match result to classify them. We have built a prototype system called CompSim, and have applied it to analyze bot-like malicious executables. Initial results show that our approach has outperformed classical signature-based detection method in terms of false negative ra