An Optimal and Transparent Framework for Automatic Analysis of Malware

Malware is the most important security threat in cyberspace. Some statistics show that over 315,000 malware are released, every day. Certainly, it is not possible to analyze all of these malware, manually. That's why the security vendors are obliged to use software capable of analyzing suspicious executable files. These software determine behavior of suspicious files automatically. Several tools such as Anubis and Cuckoo are produced in this area. The problem of these tools is lack of transparency. Some malware use this sort of weaknesses to recon analysis environments. To resolve this problem some solutions using hardware-assisted virtualization is presented. However, these solutions impose a great run time overhead on the program execution. In this paper an automated malware analysis framework is presented that is both transparent and optimal. This framework in addition to being resistant to malware with split personality features, may also be used to analyze the large amount of malware released every day without adding extra hardware resources. This framework uses dynamic analysis approaches with hardware assisted virtualization technology to analyze suspicious code. The dynamic analysis approaches used in this framework include sandboxing and system calls sequence analysis. Analysis based on hardware-assisted virtualization technology is applied to provide transparent analysis environment.