DocumentCode
3136305
Title
A toolkit for detecting and analyzing malicious software
Author
Weber, Michael ; Schmid, Matthew ; Schatz, Michael ; Geyer, David
Author_Institution
Cigital Inc., Dulles, VA, USA
fYear
2002
fDate
2002
Firstpage
423
Lastpage
431
Abstract
We present PEAT: the Portable Executable Analysis Toolkit. It is a software prototype designed to provide a selection of tools that an analyst may use in order to examine structural aspects of a Windows Portable Executable (PE) file, with the goal of determining whether malicious code has been inserted into an application after compilation. These tools rely on structural features of executables that are likely to indicate the presence of inserted malicious code. The underlying premise is that typical application programs are compiled into one binary, homogeneous from beginning to end with respect to certain structural features; any disruption of this homogeneity is a strong indicator that the binary has been tampered with. For example, it could now harbor a virus or a Trojan horse program. We present our investigation into structural feature analysis, the development of these ideas into the PEAT prototype, and results that illustrate PEAT's practical effectiveness.
Keywords
operating systems (computers); program verification; security of data; software portability; software tools; PEAT; Portable Executable Analysis Toolkit; Trojan horse; Windows Portable Executable file; computer virus; executables; malicious software detection toolkit; software prototype; structural feature analysis; Application software; Information systems; Invasive software; Programming profession; Prototypes; Software design; Software prototyping; Software tools; Space technology; Viruses (medical);
fLanguage
English
Publisher
ieee
Conference_Titel
Computer Security Applications Conference, 2002. Proceedings. 18th Annual
ISSN
1063-9527
Print_ISBN
0-7695-1828-1
Type
conf
DOI
10.1109/CSAC.2002.1176314
Filename
1176314