Computing the Behavior of Malware

摘要

As the quantity and sophistication of malicious code continues to grow, automation support for analysis becomes more important to keep pace with the scope and scale of the problem. To help address this need, CERT has been conducting research and development on Function Extraction (FX) technology for automated computation of software behavior, including malware behavior. Intruders often obfuscate malware packages to make analysis more difficult by inserting massive amounts of arbitrary jumps in code that thwart control flow tracing, and by adding blocks of no-op code that have no functional effect but must nevertheless be analyzed. A specialization of FX technology in the Function Extraction for Malicious Code (FX/MC) system is designed to address these obfuscation problems.