Architecture of Malware Tracker Visualization for Malware Analysis

Malware is a man-made malicious code designed for computer destructive purposes. The early destructive programs were developed either for pranks or experimental purposes. However, in this day and age, malware are created mainly for financial gain. Since years ago, the use of malware attack tools, such as keylogger, screen capture software, and trojan were rapidly used to commit cybercrimes. The figures are expected to increase significantly and the attack tools are becoming more sophisticated in order to evade the detection of current security tools. The malware debugger analysis process is an essential part of analyzing and comprehending the purpose and the destructive part of the malware. It is an exhausting and time consuming task; moreover, in-depth computer knowledge is required. With the popularity and variety of malware attacks over the Internet, the number of virus needed to be analyzed by computer security experts are rapidly increasing and has bottlenecked the effectiveness of the analysis process. In this paper, we present a method to visually explore the reverse engineering of a binary executable flow over time to aid in the identification and detection of malicious program on x86-32 platform. We first achieve the preexecution analysis for a sketch of a program’s behavior by combining static analysis and graphical visualization to construct a control flow graph (CFG) as an interface for the analyzed code. Each node in the CFG graph which represents a basic block allows analysts to be selective in the components they monitor. All nodes in the CFG express the complex relationships and causalities of the analyzed code. As the binary executes, those codes that are dynamically generated will be monitored and captured; thus, a fuller understanding of the execution’s behavior will be provided. The backward track approach which allows analysts to restudy the changes of the executed instructions’ memory during dynamic analysis provides a chance for analysts to restudy the execution behavior of the executed instructions. The overall architecture of the visualization debugger, both statically and dynamically will be explained in this paper. To the end of the paper, we analyze a malware test case; W32/NGVCK.dr.gen virus with our malware tracker visualization toolkit and the analysis results proves that our visualization malware tracker tool can simplify the analysis process by displaying the analyzed code in basic block approach. This work is a substantial step towards providing high-quality tool support for effective and efficient visualization malware analysis.