Técnicas para Análise Dinâmica de Malware

  • Fernandes Filho D
  • Afonso V
  • Martins V
  • et al.

Abstract

The threat posed by malware to systems security led to the development of analysis mechanisms that operate in a dynamic and controlled manner. These mechanisms (dynamic analysis systems) use a variety of techniques to obtain the behavior exhibited by malware samples during execution. The complexity of those techniques varies from monitoring events on user-level interfaces, to deobfuscation of malicious Web code, to hooking operating system (OS) kernel structures. In this book chapter, we present the main techniques used to perform dynamic malware analysis, either at the operating system level or at the Web application level. These techniques are used in the main publicly available analysis systems. We also show some tools used to capture information about the execution of malware samples and how to build a simple system to analyze malware using open-source and free tools. Finally, we describe in detail a case study on the analysis of a malware sample that starts its attack from the browser and then compromises the OS.

Summary

The threat posed by malicious code and programs to the security of computer systems has led to the emergence of many systems whose purpose is to analyze such programs dynamically and in a controlled manner. These systems use a variety of techniques to obtain the behavior exhibited by malware samples during their execution. The complexity of these techniques ranges from monitoring events through interfaces at the user privilege level, through the deobfuscation of malicious programs written in languages typical of the Web, to the insertion of code into structures of the kernel of the

Citation (APA)

Fernandes Filho, D., Afonso, V., Martins, V., Grégio, A., Geus, P., Jino, M., & Santos, R. (2011). Técnicas para Análise Dinâmica de Malware. In Minicursos do XI Simpósio Brasileiro de Segurança da Informação e de Sistemas Computacionais (pp. 104–144). SBC. https://doi.org/10.5753/sbc.9559.1.3
