The term “malware” is short for malicious software and is used to refer to any software designed to infiltrate or damage a computer system without the owner's informed consent. Malware can include viruses, worms, trojan horses, rootkits, adware, spyware and any other malicious and unwanted software. Many computer devices, such as desktop personal computers (PCs), laptops, personal data assistants (PDAs) and mobile phones can be at risk from malware.
Computer users will typically run antivirus (AV) and/or internet security (IS) software applications, for example F-Secure's™ Internet Security applications, to detect malware and protect against malware attacks on their computer system. Detecting malware is challenging, as malware is usually designed to be difficult to detect, often employing technologies that deliberately hide the presence and processes of malware on a system. Consequently, anti-virus and internet security applications will use a large number of techniques in order to detect malware most effectively, and reduce the risk of any malware going undetected.
Because current Windows™ malware uses extensive encryption and compression techniques to hide its functionality, analysing it typically requires reverse engineering a raw memory dump of the malicious code, taken at the stage where the malware has already decrypted itself in memory.
A critical part of malware analysis is figuring out which Microsoft Windows™ application programming interfaces (APIs) are called by the malicious code. Without this information the functionality of the malware cannot be established. Windows APIs are the core set of application programming interfaces (APIs) available in the Microsoft Windows™ operating systems. Currently, determining the API targets for a memory dump requires that the process from which the dump was created is still active. In fact, even rebooting the relevant computer is enough to render the memory dump useless, because the load addresses of the DLLs that hold the API call targets change due to address space layout randomization (ASLR). ASLR is a computer security technique involved in protection from buffer overflow attacks. In order to prevent an attacker from reliably jumping to, for example, a particular exploited function in memory, ASLR randomly arranges the address space positions of key data areas of a process, including the base of the executable and the positions of the stack, heap and libraries.
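The dependence on the live process described above can be made concrete with a small resolver. This is an added example, not code from the page or from F-Secure: the module bases, image sizes and export RVAs are constructed values, not real kernel32 or ws2_32 layouts. It maps absolute call targets recovered from a dump back to `dll!Export` names using the module map of the session the dump was taken in, and then shows that the same addresses resolve to nothing once ASLR has relocated the DLLs after a reboot.

```python
"""Resolving absolute API call targets found in a memory dump.

Added example (not code from the page or from F-Secure): all module bases,
sizes and export RVAs below are constructed values, not real kernel32/ws2_32
layouts. It shows why a dump only resolves against the module map of the
session it was taken in: after a reboot ASLR relocates the DLLs and the
same absolute addresses no longer point at any known export.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Module:
    """A loaded DLL as seen in the dumped process (hypothetical values)."""
    name: str
    base: int                # load address chosen by the loader / ASLR
    size: int                # size of the mapped image
    exports: Dict[int, str]  # RVA -> exported function name


def find_module(addr: int, modules: List[Module]) -> Optional[Module]:
    """Return the module whose mapped range contains addr, if any."""
    for m in modules:
        if m.base <= addr < m.base + m.size:
            return m
    return None


def resolve_address(addr: int, modules: List[Module]) -> Optional[str]:
    """Map an absolute VA to 'dll!Export' using the given module map.

    The address is only meaningful relative to the base it was computed
    from, so the RVA is derived and looked up in that module's export
    table. Anything not landing exactly on an export stays unresolved.
    """
    m = find_module(addr, modules)
    if m is None:
        return None
    rva = addr - m.base
    name = m.exports.get(rva)
    return f"{m.name}!{name}" if name else None


def resolve_dump(targets: List[int], modules: List[Module]) -> List[Optional[str]]:
    """Resolve every call target recovered from the dump."""
    return [resolve_address(t, modules) for t in targets]


# Constructed export tables: the RVAs are invented for this example.
KERNEL32_EXPORTS = {0x1A2B0: "CreateFileW", 0x2C4D0: "VirtualAlloc", 0x31F00: "WriteFile"}
WS2_32_EXPORTS = {0x0A110: "connect", 0x0B220: "send"}


def session_modules(kernel32_base: int, ws2_32_base: int) -> List[Module]:
    """Module map for one boot session; only the bases differ between boots."""
    return [
        Module("kernel32.dll", kernel32_base, 0x100000, KERNEL32_EXPORTS),
        Module("ws2_32.dll", ws2_32_base, 0x40000, WS2_32_EXPORTS),
    ]


# Boot session in which the dump was taken (constructed ASLR bases).
BOOT_AT_DUMP = session_modules(0x7FFE10000000, 0x7FFE23000000)

# Absolute call targets as the malware's resolved import table would hold them.
DUMP_TARGETS = [
    0x7FFE10000000 + 0x1A2B0,  # kernel32!CreateFileW
    0x7FFE10000000 + 0x2C4D0,  # kernel32!VirtualAlloc
    0x7FFE23000000 + 0x0A110,  # ws2_32!connect
]

# Same machine after a reboot: ASLR picked new bases (constructed values).
BOOT_AFTER_REBOOT = session_modules(0x7FFE45000000, 0x7FFE0B000000)


if __name__ == "__main__":
    print("live session :", resolve_dump(DUMP_TARGETS, BOOT_AT_DUMP))
    print("after reboot :", resolve_dump(DUMP_TARGETS, BOOT_AFTER_REBOOT))
```

The second call returns only `None` entries: the absolute addresses in the dump fall outside every module range of the new session, which is exactly the situation in which the dump has become useless without the original process's module map.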
Determining import targets can be especially difficult with advanced threats that resolve all of their APIs manually instead of relying on the operating system to perform that task. In such cases there is even less information available than normal in the memory dump for determining API call targets, because the usual import-related data structures are not present. Another difficult example is malware that does not even contain the names of the APIs it calls, but only checksums of those names, which are then used to fetch the addresses of the respective APIs. Forensic examination is often time sensitive, so any significant speed-up in the analysis of memory dumps would be valuable.
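The checksum case above is usually handled on the analysis side by precomputing the checksum of every known export name and matching the values found in the dump against that table. This is an added example, not code from the page or from F-Secure: the checksum routine is a constructed 32-bit rolling hash chosen for the illustration (real families each use their own, so the table has to be rebuilt with the family's routine), and the export lists are short constructed samples rather than complete DLL export tables.

```python
"""Matching API-name checksums recovered from a dump against export names.

Added example (not code from the page or from F-Secure). The checksum
function is a constructed 32-bit rolling hash chosen for this example;
real malware families each use their own, so in practice the table is
rebuilt with the family's routine. Export lists are short constructed
samples, not complete DLL export tables.
"""
from typing import Dict, Iterable, List


def name_checksum(name: str) -> int:
    """Constructed 32-bit checksum over an ASCII export name."""
    h = 5381
    for ch in name.encode("ascii"):
        h = ((h << 5) + h + ch) & 0xFFFFFFFF
    return h


def build_checksum_table(exports_by_dll: Dict[str, Iterable[str]]) -> Dict[int, List[str]]:
    """Precompute checksum -> ['dll!Name', ...] for every known export.

    A list is kept per checksum so that collisions (two names hashing to
    the same value) are reported rather than silently overwritten.
    """
    table: Dict[int, List[str]] = {}
    for dll, names in exports_by_dll.items():
        for name in names:
            table.setdefault(name_checksum(name), []).append(f"{dll}!{name}")
    return table


def resolve_checksums(found: Iterable[int], table: Dict[int, List[str]]) -> List[List[str]]:
    """For each checksum found in the dump, list the candidate exports.

    An empty candidate list means the value matched no known export: either
    the DLL is not in the table or the checksum routine is a different one.
    """
    return [table.get(c, []) for c in found]


# Constructed export samples.
SAMPLE_EXPORTS = {
    "kernel32.dll": ["CreateFileW", "VirtualAlloc", "WriteFile", "LoadLibraryA", "GetProcAddress"],
    "ws2_32.dll": ["connect", "send", "recv", "WSAStartup"],
}

CHECKSUM_TABLE = build_checksum_table(SAMPLE_EXPORTS)

# What the dump offers: only the checksums, no names (constructed by hashing
# a few of the sample names, plus one value that matches nothing).
DUMP_CHECKSUMS = [
    name_checksum("LoadLibraryA"),
    name_checksum("GetProcAddress"),
    name_checksum("WSAStartup"),
    0xDEADBEEF,
]


if __name__ == "__main__":
    for value, candidates in zip(DUMP_CHECKSUMS, resolve_checksums(DUMP_CHECKSUMS, CHECKSUM_TABLE)):
        print(f"0x{value:08X} -> {candidates or 'unresolved'}")
```

Keeping a list per checksum matters once the table covers thousands of exports across many DLLs: a 32-bit value can collide, and an analyst wants to see both candidates rather than a single wrong name.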
As already mentioned, AV and IS applications utilise a number of detection methods when scanning for malware. There is of course always a need to add further detection methods, and in particular methods that can help to determine the APIs used by malware even if only a raw memory dump of the malicious memory area exists and no information about the APIs is available other than their absolute virtual addresses.