A Bit Vector Based Binary Code Comparison Method for Static Malware Analysis

  • Kim K

Abstract

As variants of malicious code have made it difficult and complicated to detect possible threats on the Internet, analyzing malware correctly and in a timely manner is one of the most important challenges. It has also been observed that we need static analysis as well as dynamic analysis to detect malware correctly. In this paper, we define a bit vector to characterize a binary code, and utilize it for static malware analysis. Since each bit of a bit vector is organized to indicate the existence of a certain function or code block, we can replace a comparison operation on binary codes with simple logical operations. Common features of a group of binary codes can also be captured by bit vectors, which are used to determine whether another binary code is similar to those of the group or not. Experimental results show that the bit vector can be effectively utilized for static malware analysis, and that the group bit vectors can help classify malware into their appropriate groups.
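The sketch below is an added illustration of the idea in the abstract, not code from the paper: each bit marks the presence of one feature, pairwise comparison is AND/OR plus a bit count, and a group vector is the AND of its members. The feature catalogue, the sample sets, the group labels, the Jaccard and coverage scores and the 0.75 threshold are all assumptions made for the example.

```python
from functools import reduce

# Constructed feature catalogue (assumption): bit i marks presence of FEATURES[i].
FEATURES = ["CreateRemoteThread", "WriteProcessMemory", "RegSetValueExA",
            "InternetOpenUrlA", "CryptEncrypt", "FindFirstFileA",
            "DeleteFileA", "GetTickCount"]
BIT = {name: 1 << i for i, name in enumerate(FEATURES)}

def popcount(v):
    return bin(v).count("1")

def to_bitvector(present):
    """Set one bit per catalogue feature found in a binary; unknown names are ignored."""
    return reduce(lambda v, n: v | BIT.get(n, 0), present, 0)

def similarity(a, b):
    """Jaccard score from two logical operations (assumed measure, not the paper's)."""
    union = a | b
    return popcount(a & b) / popcount(union) if union else 0.0

def group_vector(members):
    """AND of all member vectors: the features every sample in the group shares."""
    if not members:
        raise ValueError("a group needs at least one member")
    return reduce(lambda g, m: g & m, members)

def coverage(group, candidate):
    """Fraction of the group's common features that the candidate also has."""
    return popcount(group & candidate) / popcount(group) if group else 0.0

def classify(candidate, groups, threshold=0.75):
    """Name of the best-covered group, or None when no group reaches the threshold."""
    best = max(groups, key=lambda g: coverage(groups[g], candidate), default=None)
    if best is None or coverage(groups[best], candidate) < threshold:
        return None
    return best

# Constructed samples: feature sets as a disassembler or import parser might report them.
INJ_A = to_bitvector({"CreateRemoteThread", "WriteProcessMemory", "InternetOpenUrlA", "GetTickCount"})
INJ_B = to_bitvector({"CreateRemoteThread", "WriteProcessMemory", "InternetOpenUrlA", "RegSetValueExA"})
LOCK_A = to_bitvector({"CryptEncrypt", "FindFirstFileA", "DeleteFileA", "GetTickCount"})
LOCK_B = to_bitvector({"CryptEncrypt", "FindFirstFileA", "DeleteFileA", "RegSetValueExA"})
GROUPS = {"injector": group_vector([INJ_A, INJ_B]), "locker": group_vector([LOCK_A, LOCK_B])}
UNKNOWN = to_bitvector({"CryptEncrypt", "FindFirstFileA", "DeleteFileA", "InternetOpenUrlA"})
BENIGN = to_bitvector({"GetTickCount", "FindFirstFileA"})
```

Because the group vector keeps only bits set in every member, adding a sample that lacks a feature clears that bit for the whole group, so group membership should be curated before the vector is rebuilt.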

Cite

Kim, K.-S. (2018). A Bit Vector Based Binary Code Comparison Method for Static Malware Analysis. Journal of Computers, 545–554. https://doi.org/10.17706/jcp.13.5.545-554
