A forum for reverse engineering, OS internals and malware analysis 

 #6101  by utsav.0202
 Sat Apr 30, 2011 8:16 am
Hi,
I am trying to detect a malware process on the basis of its behaviour.
For example, a process creates a file that has the same name as a Microsoft .exe, or
it loads modules into the address space of other processes, or
it opens various ports,
and so on.

I don't know what the possible behaviours of a malware process are.
How do I differentiate it from a "white process"?

Thanks and Regards
 #6103  by Buster_BSA
 Sat Apr 30, 2011 10:14 am
I coded a malware behaviour analyzer (Buster Sandbox Analyzer) so I know what you mean.

In my experience you cannot generically tell that a program has malware behaviour and be 100% sure. You can only show the user the most representative actions that look like malware behaviour and let the user decide whether they look suspicious or not. Why? Because many times the "suspiciousness" depends on the program you are analyzing.
 #6105  by Buster_BSA
 Sat Apr 30, 2011 11:56 am
utsav.0202 wrote:
    ....actions that look like malware behaviour......
    what actions exactly??

Modify certain registry keys/values.
Drop certain types of files like EXE, DLL, SYS.
...

Those actions can be performed by trusted software too; that's why only the user can decide whether they are suspicious or not. Just one example:

When you install the software for your webcam, a driver will be dropped to disk and the registry will be modified so that Windows loads the driver when it starts.

Is that ok? For sure.

Now imagine a keygen does the same actions. Is that ok? For sure it's not.

Conclusion: the same actions can be ok and wrong.
 #6108  by utsav.0202
 Sat Apr 30, 2011 2:23 pm
But there are antiviruses that kill processes on the basis of their behaviour without any user interaction.
 #6114  by Buster_BSA
 Sat Apr 30, 2011 6:55 pm
utsav.0202 wrote:
    But there are antiviruses that kill processes on the basis of their behaviour without any user interaction.

And I guess they have white/trusted lists, because it's not possible to know which process is malware and which process is not.
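The point made across this thread (the same dropped driver and service key are fine for a webcam installer and not for a keygen, so a behaviour scorer alone cannot decide and a trusted list has to break the tie) can be shown in code. The example below is added here and is not Buster Sandbox Analyzer's code or anything posted in the thread. The event log, process names, the signer "Contoso Camera GmbH", the rule weights and the threshold are all constructed for illustration; real sandbox output would carry more fields, and the weights would need tuning against real samples.

```python
"""Toy behaviour scorer over a sandbox-style event log (constructed example)."""
import re
from collections import defaultdict

# Weighted heuristics. No single action is conclusive, so each rule adds points
# to a per-process score instead of producing a verdict on its own.
DROPPED_BINARY_EXT = (".exe", ".dll", ".sys")
AUTOSTART_KEYS = re.compile(r"(\\Services\\|\\CurrentVersion\\Run|\\Winlogon\\)",
                            re.IGNORECASE)
# Dropping a file named like a well-known Windows binary outside the system
# directories is a classic masquerading trick (the "Microsoft.exe" case above).
WINDOWS_BINARY_NAMES = {"svchost.exe", "lsass.exe", "explorer.exe", "csrss.exe"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
SUSPICIOUS_THRESHOLD = 5  # assumed value, not from the thread

# Constructed event log. The webcam installer and the keygen perform exactly the
# same two actions; the only difference is the (hypothetical) code signer.
TRUSTED_SIGNERS = {"Contoso Camera GmbH"}
EVENTS = [
    {"process": "camsetup.exe", "signer": "Contoso Camera GmbH", "action": "file_create",
     "target": r"C:\Windows\System32\drivers\cam.sys"},
    {"process": "camsetup.exe", "signer": "Contoso Camera GmbH", "action": "registry_set",
     "target": r"HKLM\SYSTEM\CurrentControlSet\Services\cam\ImagePath"},
    {"process": "keygen.exe", "signer": None, "action": "file_create",
     "target": r"C:\Windows\System32\drivers\cam.sys"},
    {"process": "keygen.exe", "signer": None, "action": "registry_set",
     "target": r"HKLM\SYSTEM\CurrentControlSet\Services\cam\ImagePath"},
    {"process": "dropper.exe", "signer": None, "action": "file_create",
     "target": r"C:\Users\bob\AppData\Roaming\svchost.exe"},
    {"process": "dropper.exe", "signer": None, "action": "process_inject",
     "target": "explorer.exe"},
    {"process": "notepad.exe", "signer": "Microsoft Windows", "action": "file_create",
     "target": r"C:\Users\bob\notes.txt"},
]


def score_event(ev):
    """Return (points, reason) for one event, or (0, None) if it looks benign."""
    action, target = ev["action"], ev.get("target", "")
    low = target.lower()
    if action == "file_create":
        name = low.rsplit("\\", 1)[-1]
        if name in WINDOWS_BINARY_NAMES and not low.startswith(SYSTEM_DIRS):
            return 4, "drops a file named like a Windows binary outside the system dir: " + target
        if low.endswith(DROPPED_BINARY_EXT):
            return 2, "drops an executable artefact (EXE/DLL/SYS): " + target
    elif action == "registry_set" and AUTOSTART_KEYS.search(target):
        return 3, "modifies an autostart/service key: " + target
    elif action == "process_inject":
        return 5, "writes into the address space of another process: " + target
    elif action == "socket_listen":
        return 2, "opens a listening port: " + target
    return 0, None


def score_processes(events):
    """Aggregate per-process scores and keep the reasons so a user can judge them."""
    scores, reasons = defaultdict(int), defaultdict(list)
    for ev in events:
        points, why = score_event(ev)
        if points:
            scores[ev["process"]] += points
            reasons[ev["process"]].append(why)
    return dict(scores), dict(reasons)


def classify(events, trusted_signers, threshold=SUSPICIOUS_THRESHOLD):
    """Map process -> 'trusted' | 'suspicious' | 'benign'.

    The trusted list is consulted first: identical behaviour scores are
    resolved by who the program is, which is the only thing the heuristics
    cannot see. All events of one process are assumed to carry the same signer.
    """
    scores, _ = score_processes(events)
    signer_of = {ev["process"]: ev.get("signer") for ev in events}
    verdicts = {}
    for proc, signer in signer_of.items():
        if signer in trusted_signers:
            verdicts[proc] = "trusted"
        elif scores.get(proc, 0) >= threshold:
            verdicts[proc] = "suspicious"
        else:
            verdicts[proc] = "benign"
    return verdicts


if __name__ == "__main__":
    scores, reasons = score_processes(EVENTS)
    verdicts = classify(EVENTS, TRUSTED_SIGNERS)
    for proc in sorted(verdicts):
        print(f"{proc:14} score={scores.get(proc, 0):2} verdict={verdicts[proc]}")
        for why in reasons.get(proc, []):
            print("    -", why)
```

Running it shows camsetup.exe and keygen.exe with the same score (the heuristics genuinely cannot separate them), with only the signer whitelist turning one into "trusted" and the other into "suspicious"; dropper.exe is flagged on the masquerading file name plus injection, and notepad.exe scores nothing. The reasons list is what an analyzer should surface to the user, since, as the thread says, the score by itself is not a verdict.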