Evaluating tool based automated malware analysis through persistence mechanism detection

Webb, Matthew S.

January 1900

Master of Science / Department of Computer Science / Eugene Vasserman / Since 2014 there have been over 120 million new malicious programs registered every year. Due to the amount of new malware appearing every year, analysts have automated large sections of the malware reverse engineering process. Many automated analysis systems are created by re-implementing analysis techniques rather than automating existing tools that utilize the same techniques. New implementations take longer to create and do not have the same proven quality as a tool that evolved alongside malware for many years. The goal of this study is to assess the efficiency and effectiveness of using existing tools for the application of automated malware analysis. This study focuses on the problem of discovering how malware persists on an infected system. Six tools are chosen based on their usefulness in manual analysis for revealing different persistence techniques employed by malware. The functions of these tools are automated in a fashion that emulates how they can be manually utilized, resulting in information about a tested sample. These six tools are tested against a collection of actual malware samples, pulled from malware families that are known for employing various persistence techniques. The findings are then scanned for indicators of persistence. The results of these tests are used to determine the smallest tool subset that discovers the largest range of persistence mechanisms. For each tool, implementation difficulty is compared to the number of indicators discovered to reveal the effectiveness of similar tools for future analysis applications. The conclusion is that while the tools covered a wide range of persistence mechanisms, the standalone tools that were designed with scripting in mind were more effective than those with multiple system requirements or those with only a graphical interface. It was also discovered that the automation process limits functionality of some tools, as they are designed for analyst interaction. Regaining the tools’ functionality lost from automation to use them for other reverse engineering applications could be cumbersome and could require necessary implementation overhauls. Finally, the more successful tools were able to detect a broader range of techniques, while some less successful tools could only detect a portion of the same techniques. This study concludes that while an analysis system can be created by automating existing tools, the characteristics of the tools chosen impact the workload required to automate them. A well-documented tool that is controllable through a command line interface that offers many configuration options will require less work for an analyst to automate than a tool with little documentation that can only be controlled through a graphical interface.

Malware analysis

Automated analysis

Tool evaluation

Malware persistence

Evaluation And Selection Of Case Tools:a Methodology And A Case Study

Oksar, Koray

01 February 2010

Today&rsquo / s Computer Aided Software Engineering (CASE) technology covers nearly all activities in software development ranging from requirement analysis to deployment.Organizations are evaluating CASE tool solutions to automate or ease their processes. While reducing human errors, these tools also increase control, visibility and auditability of the processes. However, to achieve these benefits, the right tool or tools should be selected for usage in the intended processes. This is not an easy task when the vast number of tools in the market is considered. Failure to select the right tool may impede project&rsquo / s progress besides causing economic loss. In this thesis study, a methodology is proposed for CASE tool evaluation and selection among various candidates and the points that separate this work from similar studies in the literature are explained. Moreover, the methodology is performed on a case study.

QA Computer Software 76.75-76.765

On Applying a Method for Developing Context Dependent CASE-tool Evaluation Frameworks

Rehbinder, Adam

January 2000

<p>This dissertation concerns the application of a method for developing context dependent CASE-tool evaluation frameworks. Evaluation of CASE-tools prior to adoption is an important but complex issue; there are a number of reports in the literature of the unsuccessful adoption of CASE-tools. The reason for this is that the tools have often failed in meeting contextual expectations. The genuine interest and willingness among organisational stakeholder to participate in the study indicate that evaluation of CASE-tools is indeed a relevant problem, for which method support is scarce.</p><p>To overcome these problems, a systematic approach to pre-evaluation has been suggested, in which contextual demands and expectations are elucidated before evaluating technology support.</p><p>The proposed method has been successfully applied in a field study. This dissertation contains a report and reflections on its use in a specific organisational context. The application process rendered an evaluation framework, which accounts for demands and expectations covering the entire information systems development life cycle relevant to the given context.</p><p>The method user found that method transfer was indeed feasible, both from method description to the analyst and further from the analyst to the organisational context. Also, since the span of the evaluation framework and the organisation to which the method was applied is considered to be large, this indicates that the method scales appropriately for large organisations.</p>

Evaluation frameworks

method support

CASE-tool

CASE-tool evaluation

Computer and systems science

Data- och systemvetenskap

Development of an Adventure Game : An Evaluation of Tools, Development, and Story Writing

Heinemark, Erik, Persson, Johan

January 2003

This master thesis discusses three different parts of adventure game development. The first part is about the usage of existing development environments; which one we selected and how we selected it. The second part discusses the development of the game using the selected development environment from the first part. The third and last part discusses the benefits from using skilled story writers when developing an adventure game. In this work the story writers were students from the English Department at Blekinge Institute of Technology.

adventure games

game development

tool evaluation

story writing

Software Engineering

Programvaruteknik

On Applying a Method for Developing Context Dependent CASE-tool Evaluation Frameworks

Rehbinder, Adam

January 2000

This dissertation concerns the application of a method for developing context dependent CASE-tool evaluation frameworks. Evaluation of CASE-tools prior to adoption is an important but complex issue; there are a number of reports in the literature of the unsuccessful adoption of CASE-tools. The reason for this is that the tools have often failed in meeting contextual expectations. The genuine interest and willingness among organisational stakeholder to participate in the study indicate that evaluation of CASE-tools is indeed a relevant problem, for which method support is scarce. To overcome these problems, a systematic approach to pre-evaluation has been suggested, in which contextual demands and expectations are elucidated before evaluating technology support. The proposed method has been successfully applied in a field study. This dissertation contains a report and reflections on its use in a specific organisational context. The application process rendered an evaluation framework, which accounts for demands and expectations covering the entire information systems development life cycle relevant to the given context. The method user found that method transfer was indeed feasible, both from method description to the analyst and further from the analyst to the organisational context. Also, since the span of the evaluation framework and the organisation to which the method was applied is considered to be large, this indicates that the method scales appropriately for large organisations.

Evaluation frameworks

method support

CASE-tool

CASE-tool evaluation

Information Systems