Journal of Information Processing
Online ISSN : 1882-6652
ISSN-L : 1882-6652
API Chaser: Taint-Assisted Sandbox for Evasive Malware Analysis
Yuhei Kawakoya, Eitaro Shioji, Makoto Iwamura, Jun Miyoshi

2019 Volume 27 Pages 297-314

Abstract

We propose a design and implementation for an Application Programming Interface (API) monitoring system called API Chaser, which is resistant to evasion-type anti-analysis techniques, e.g., stolen code and code injection. The core technique in API Chaser is code tainting, which enables us to identify precisely the execution of monitored instructions by propagating three types of taint tags attached to the code of API, malware, and benign executables, respectively. Additionally, we introduce taint-based control transfer interception, a technique for precisely capturing API calls invoked from evasive malware. We evaluate API Chaser on several real-world and synthetic malware samples to demonstrate the accuracy of our API hooking technique. We also perform a large-scale malware experiment by analyzing 8,897 malware samples to show the practical capability of API Chaser. These experimental results show that 701 out of 8,897 malware samples employ hook evasion techniques to hide specific API calls, while 344 samples use target evasion techniques to hide the source of API calls.
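As an added illustration (not API Chaser's implementation; the memory layout, tag names, toy instruction set and scenarios are all constructed for this example), the following Python models the idea behind code tainting and taint-based control transfer interception described in the abstract. Every cell of a simulated address space carries a tag saying which kind of code it originated from, the tag travels with the bytes when they are copied, and a call is recognised as an API call by the tag of the code it transfers into, with the caller attributed by the tag of the transferring instruction. The same trace is also scored by a conventional address-based hook so the two stolen-code and code-injection cases show where address-based monitoring loses the call or misattributes its source.

```python
"""Toy model of code tainting for API-call attribution (constructed example)."""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple


class Tag(Enum):
    """Origin of a piece of code: the three taint types named in the abstract."""
    API = "api"
    MALWARE = "malware"
    BENIGN = "benign"
    NONE = "none"


@dataclass
class Cell:
    op: str              # "nop", "call", "ret" or "halt" (toy instruction set)
    arg: Optional[int]   # call target for "call", otherwise None
    tag: Tag             # taint tag carried by this code cell


class Memory:
    def __init__(self, size: int) -> None:
        self.cells = [Cell("nop", None, Tag.NONE) for _ in range(size)]

    def load(self, base: int, code: List[Tuple[str, Optional[int]]], tag: Tag) -> None:
        """Map a routine at `base` and tag every cell with its origin."""
        for i, (op, arg) in enumerate(code):
            self.cells[base + i] = Cell(op, arg, tag)

    def copy(self, src: int, dst: int, n: int) -> None:
        """Byte copy: the taint tag propagates together with the copied code."""
        for i in range(n):
            c = self.cells[src + i]
            self.cells[dst + i] = Cell(c.op, c.arg, c.tag)


# Constructed address layout: one region per kind of code.
API_BASE, MALWARE_BASE, BENIGN_BASE = 0, 100, 200
API_ADDRS = {API_BASE}                  # what an address-based hook watches
API_ROUTINE = [("nop", None), ("ret", None)]


def region_of(addr: int) -> str:
    """Address-range attribution, as an address-based monitor would do it."""
    if addr < MALWARE_BASE:
        return "api"
    if addr < BENIGN_BASE:
        return "malware"
    return "benign"


def run(mem: Memory, entry: int, max_steps: int = 100):
    """Execute from `entry`; return (taint-based log, address-based log).

    Each log entry is (attributed caller, call target address).
    """
    taint_log, addr_log = [], []
    stack: List[int] = []
    pc = entry
    for _ in range(max_steps):
        cell = mem.cells[pc]
        if cell.op == "halt":
            break
        if cell.op == "call":
            target = mem.cells[cell.arg]
            # Taint-based interception: the transfer lands in API-tagged code,
            # and the source is the tag of the instruction making the transfer.
            if target.tag == Tag.API:
                taint_log.append((cell.tag.value, cell.arg))
            # Address-based hook: only a known API address counts, and the
            # source is whichever region the calling address falls in.
            if cell.arg in API_ADDRS:
                addr_log.append((region_of(pc), cell.arg))
            stack.append(pc + 1)
            pc = cell.arg
            continue
        if cell.op == "ret":
            pc = stack.pop()
            continue
        pc += 1
    return taint_log, addr_log


def build() -> Memory:
    mem = Memory(300)
    mem.load(API_BASE, API_ROUTINE, Tag.API)
    return mem


def scenario_direct_call():
    """Malware calls the API at its real address: both monitors agree."""
    mem = build()
    mem.load(MALWARE_BASE, [("call", API_BASE), ("halt", None)], Tag.MALWARE)
    return run(mem, MALWARE_BASE)


def scenario_stolen_code():
    """Malware copies the API's code into its own region and calls the copy."""
    mem = build()
    stolen = MALWARE_BASE + 10
    mem.copy(API_BASE, stolen, len(API_ROUTINE))   # API tag travels with the bytes
    mem.load(MALWARE_BASE, [("call", stolen), ("halt", None)], Tag.MALWARE)
    return run(mem, MALWARE_BASE)


def scenario_code_injection():
    """Malware's routine is copied into the benign region and runs from there."""
    mem = build()
    mem.load(MALWARE_BASE, [("call", API_BASE), ("halt", None)], Tag.MALWARE)
    mem.copy(MALWARE_BASE, BENIGN_BASE, 2)          # malware tag travels with the bytes
    return run(mem, BENIGN_BASE)


if __name__ == "__main__":
    for name, fn in [("direct", scenario_direct_call),
                     ("stolen code", scenario_stolen_code),
                     ("code injection", scenario_code_injection)]:
        taint, addr = fn()
        print(f"{name:15} taint-based={taint} address-based={addr}")
```

In the stolen-code scenario the address-based log is empty because the copied routine no longer sits at a watched address, while the taint-based log still records the call because the copied cells keep their API tag. In the code-injection scenario both monitors see the call, but the address-based one attributes it to the benign region whereas the taint-based one attributes it to malware, since the injected cells kept the malware tag when they were copied.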

© 2019 by the Information Processing Society of Japan