Whole-system Fine-grained Taint Analysis for Automatic Malware Detection and Analysis

As malware is becoming increasingly sophisticated and stealthy, effective techniques for malware detection and analysis are imperative. Previous detection mechanisms are insufficient. Signature-based detection cannot detect new malware, and watch-point based behavioral detection can be evaded by stealthier design. Most previous analysis mechanisms are too coarse-grained to capture malware behavior and fail to address kernel-level attacks. We propose whole-system fine-grained taint analysis for automatic malware detection and analysis, and build a prototype called TaintQemu. By tainting data from hardware inputs and monitoring its propagation, TaintQemu generate taint graphs. The taint graph represents how information propagates during the system execution. We demonstrate that such whole-system fine-grained taint analysis can capture the intrinsic properties of many different classes of malware and thus offer effective methods for automatic malware detection and analysis. Our evaluation using a wide spectrum of real-world malware demonstrates that our system is effective in detecting many different classes of malware including keyloggers, backdoor, etc., and offer indispensable assistance to system administrators and analyzers for better understanding of the behavior and consequences of malware. also used to automatically detect a wide spectrum of malware, by checking the violations from the normal patterns in taint graph.