Work being done in the field of malware detection can be broadly classified into static analysis and dynamic analysis, as stated in (Mas'ud, 2014). Detection based on static analysis examines the executable code without executing the malware; it can therefore detect and block a malicious application before it is installed. As mentioned in (Moser, 2007), malware authors, being mindful of these static analysis techniques, added anti-static-analysis functionality to their malware, such as code obfuscation, binary encryption and packing of code. In dynamic detection, the detection is done by monitoring execution at runtime. The runtime behavior is collected in the form of the process's interactions with the operating system through system calls: file and memory modifications, registry modifications, network access, and so on.
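The following is an added example, not code from the paper or from any of the works it cites, showing the defender's side of the dynamic approach just described: a monitored call trace (file, registry, memory and network activity) is reduced to a behavior profile and scored with simple rules. The trace lines, the `api|argument` format, the category table and the scoring thresholds are all constructed here for illustration; a real sandbox would produce its own trace format and a far richer feature set.

```python
"""Toy behavior-based detector over a monitored API-call trace (illustrative only)."""
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample trace, one monitored call per line as "api|argument".
# These lines are invented for this example; they are not output of any real tool.
SAMPLE_TRACE = """\
CreateFileW|C:\\Users\\demo\\AppData\\Local\\Temp\\upd.exe
WriteFile|C:\\Users\\demo\\AppData\\Local\\Temp\\upd.exe
RegSetValueExW|HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd
connect|198.51.100.23:443
send|198.51.100.23:443
VirtualAllocEx|pid=1234
WriteProcessMemory|pid=1234
"""

# Map each API/native call name to one of the behaviour categories named in
# the text (files, registry, memory, network). Assumed mapping for the example.
CATEGORIES = {
    "CreateFileW": "file", "WriteFile": "file", "DeleteFileW": "file",
    "RegSetValueExW": "registry", "RegCreateKeyExW": "registry",
    "connect": "network", "send": "network", "recv": "network",
    "VirtualAllocEx": "memory", "WriteProcessMemory": "memory",
}

# Registry paths whose modification counts as a persistence indicator.
PERSISTENCE_KEYS = ("\\CurrentVersion\\Run",)


def parse_trace(text: str) -> List[Tuple[str, str]]:
    """Split a trace into (api, argument) pairs, skipping malformed lines."""
    calls = []
    for line in text.splitlines():
        line = line.strip()
        if not line or "|" not in line:
            continue
        api, arg = line.split("|", 1)
        calls.append((api, arg))
    return calls


def behavior_profile(calls: List[Tuple[str, str]]) -> Dict[str, int]:
    """Count calls per category; also count writes to autorun registry keys."""
    profile: Counter = Counter()
    for api, arg in calls:
        category = CATEGORIES.get(api)
        if category:
            profile[category] += 1
        if api.startswith("RegSetValue") and any(
            key.lower() in arg.lower() for key in PERSISTENCE_KEYS
        ):
            profile["persistence"] += 1
    return dict(profile)


def score_profile(profile: Dict[str, int]) -> Tuple[int, List[str]]:
    """Apply illustrative rules; thresholds are assumptions for the example."""
    score, reasons = 0, []
    if profile.get("persistence", 0) >= 1:
        score += 3
        reasons.append("modifies an autorun registry key")
    if profile.get("memory", 0) >= 2:
        score += 3
        reasons.append("allocates and writes memory in another process")
    if profile.get("network", 0) >= 1 and profile.get("file", 0) >= 1:
        score += 2
        reasons.append("writes a file and communicates over the network")
    return score, reasons


def classify(trace_text: str) -> Tuple[str, int, List[str]]:
    """Return (verdict, score, reasons); 'suspicious' at score 4 or above."""
    profile = behavior_profile(parse_trace(trace_text))
    score, reasons = score_profile(profile)
    return ("suspicious" if score >= 4 else "benign"), score, reasons


if __name__ == "__main__":
    verdict, total, why = classify(SAMPLE_TRACE)
    print(verdict, total)
    for reason in why:
        print(" -", reason)
```

The point of the example is the pipeline shape, not the rules: the monitored calls are normalised into a profile first, and the verdict is derived only from that profile, so the same scoring (or a trained model, as some of the surveyed techniques use) can be applied to traces from any monitor that emits these categories.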
Multiple behavior-based, dynamic analysis techniques have been proposed for malware detection, as discussed in (Choudhary, 2015). Some of the important techniques include binary hooking, API call hooking, running in a sandbox or virtual machine, using machine learning, multiple path execution, instruction tracing and data flow analysis. A few of them are discussed in this section.
(Bayer, 2006) presented a method in which the binary is run in the open source PC emulator Qemu and its security-relevant activities are monitored by analyzing Windows native calls and API calls. It does not modify the binary, which avoids detection by the malware, and instead uses hooks and breakpoints implanted in the relevant API and native libraries.