Automated analysis of system-wide malware propagation

In contrast to most benign applications, malware infects its host system. It does so via system-wide execution by injecting code into otherwise benign applications, executing via code-reuse attacks, dynamically generating code and much more. These unconventional, albeit perfectly valid, execution paradigms are used for evasion and obfuscation tactics and pose significant problems to automatic malware analysis environments.

In this thesis, we investigate the problem of system-wide malware execution. We focus on building general and precise techniques to analyse malware that executes throughout the entire system. To demonstrate our techniques, we implement them as part of a malware analysis system called Minerva. We use Minerva to perform extensive empirical studies based on synthetic benchmarks that explore corner-case behaviours as well as real-world malware samples collected from the wild.

The core idea behind our techniques is to analyse system-wide malware execution with a bottom-up approach. To this end, we develop a fundamental technique for capturing the system-wide execution trace of a given malware sample that is independent of the techniques malware uses to propagate through the system. We then incrementally build abstractions upon this trace to identify code injections, malware droppers, code-reuse attacks, packed malware and more.

In the final part of the thesis, we extend Minerva with several capabilities to perform large-scale studies. We use these features to characterise system-wide malware propagation at large and extract many interesting high-level views on malware based on our precise and general analysis.

Bibliographic Details
Main Author: Korczynski, D
Other Authors: Roscoe, B; O’Halloran, C
Format: Thesis
Published: 2019
Institution: University of Oxford
Collection: OXFORD
Identifier: oxford-uuid:ef3faf5e-7733-4460-bba4-9e18893dec1e
Deposit: ORA Deposit
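The abstract describes a bottom-up approach: first capture a flat, system-wide execution trace, then layer abstractions on it to recognise code injection, unpacked code and the like. The following is an added illustration of that idea and is not code from the thesis or from Minerva. The trace format (three event kinds: a memory mapping, a cross-process write, and an executed instruction address), the sample trace and the process identifiers are all constructed for the example; a real tracer would produce these events from a hypervisor or emulator, and Minerva's actual representation is not described on this page.

```python
"""Bottom-up analysis of a constructed system-wide execution trace.

Two abstractions are derived from the raw event stream:
  1. non-image execution: an instruction fetched from memory that no loaded
     image backs (typical of unpacked or dynamically generated code);
  2. code injection: a process executing bytes that a *different* process
     wrote into it earlier in the trace.
Injection edges are then chained into a propagation set for the initial
sample process. Event names and trace layout are assumptions of this example.
"""
from collections import defaultdict, deque
from typing import Dict, List, Optional, Set, Tuple

# ("map",   pid, start, size, image_name_or_None)  image_name None = anonymous memory
# ("write", src_pid, dst_pid, start, size)         memory written across processes
# ("exec",  pid, addr)                             instruction executed at addr
Event = tuple


def _region(regions: List[Tuple[int, int, Optional[str]]], addr: int):
    """Return the (start, size, image) mapping containing addr, or None."""
    for start, size, image in regions:
        if start <= addr < start + size:
            return (start, size, image)
    return None


def analyse(trace: List[Event]) -> Dict[str, set]:
    """Replay the trace in order and derive the two abstractions."""
    maps: Dict[int, List[Tuple[int, int, Optional[str]]]] = defaultdict(list)
    # dst pid -> list of (start, size, src pid) writes seen so far
    writes: Dict[int, List[Tuple[int, int, int]]] = defaultdict(list)
    non_image_exec: Set[Tuple[int, int]] = set()
    injections: Set[Tuple[int, int]] = set()  # (injector pid, victim pid)

    for ev in trace:
        kind = ev[0]
        if kind == "map":
            _, pid, start, size, image = ev
            maps[pid].append((start, size, image))
        elif kind == "write":
            _, src, dst, start, size = ev
            # A process writing its own memory is ordinary self-modifying or
            # unpacking code, not an injection; only remote writes are recorded.
            if src != dst:
                writes[dst].append((start, size, src))
        elif kind == "exec":
            _, pid, addr = ev
            region = _region(maps[pid], addr)
            if region is None or region[2] is None:
                non_image_exec.add((pid, addr))
            # Order matters: only writes that precede this exec can explain it.
            for start, size, src in writes[pid]:
                if start <= addr < start + size:
                    injections.add((src, pid))
        else:
            raise ValueError(f"unknown event kind: {kind!r}")

    return {"non_image_exec": non_image_exec, "injections": injections}


def propagation(injections: Set[Tuple[int, int]], root: int) -> Set[int]:
    """Processes the sample's code reaches by following injection edges from root."""
    edges: Dict[int, Set[int]] = defaultdict(set)
    for src, dst in injections:
        edges[src].add(dst)
    seen, queue = {root}, deque([root])
    while queue:
        for nxt in edges[queue.popleft()]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


# Constructed sample trace: pid 100 is the malware sample, 200/300 are benign
# hosts it propagates into, 400 is an unrelated process that never gets touched.
TRACE: List[Event] = [
    ("map", 100, 0x400000, 0x10000, "sample.exe"),
    ("map", 100, 0x20000, 0x1000, None),          # unpacker's scratch buffer
    ("exec", 100, 0x401000),                       # normal image execution
    ("exec", 100, 0x20010),                        # unpacked code runs
    ("map", 200, 0x7FF00000, 0x20000, "explorer.exe"),
    ("map", 200, 0x300000, 0x1000, None),
    ("exec", 200, 0x300050),                       # before any remote write: not attributable
    ("write", 100, 200, 0x300000, 0x200),          # sample writes into explorer
    ("exec", 200, 0x7FF01000),                     # explorer's own code
    ("exec", 200, 0x300040),                       # injected payload executes
    ("map", 300, 0x600000, 0x10000, "svchost.exe"),
    ("map", 300, 0x500000, 0x1000, None),
    ("write", 200, 300, 0x500000, 0x100),          # second hop: explorer -> svchost
    ("exec", 300, 0x500010),
    ("map", 400, 0x700000, 0x10000, "notepad.exe"),
    ("write", 400, 400, 0x700000, 0x10),           # self-write, ignored
    ("exec", 400, 0x700008),
]

if __name__ == "__main__":
    result = analyse(TRACE)
    print("non-image execution:", sorted(result["non_image_exec"]))
    print("injection edges:", sorted(result["injections"]))
    print("reached from sample:", sorted(propagation(result["injections"], 100)))
```

Two details carry the point of the abstract. The trace itself knows nothing about injection techniques; any mechanism that ends with a remote write followed by execution in the target yields the same edge, so the abstraction is independent of how the malware propagates. And the analysis is order-sensitive: execution at 0x300050 in pid 200 before the remote write is flagged as non-image execution but not attributed to pid 100, which avoids blaming the sample for code it did not place.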