Behavior-driven development in malware analysis

A daily task of malware analysts is the extraction of behaviors from malicious binaries. Such behaviors include domain generation algorithms, cryptographic algorithms or deinstallation routines. Ideally, this tedious task would be automated. So far, scientific solutions have not gotten beyond proof-of-concepts. Malware analysts continue to reimplement behaviors of interest manually. However, they often merely translate the malicious binary's assembler code to a higher-level language. This yields poorly readable and undocumented code whose correctness is not ensured. In this paper, we aim at overcoming these shortcomings by integrating Behavior-Driven Development into the malware analysis process. We explain in detail how this integration can be done. In a case study on the highly obfuscated malware Nymaim, we show the feasibility of our approach.
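As an added illustration of the workflow the abstract describes (this code is not from the paper; the toy DGA and the "observed" domains are constructed for the example and are not Nymaim's), the snippet pairs a reimplemented behavior with an executable Given/When/Then specification, so the analyst's plain-language description of the behavior is also the test that checks the reimplementation against sandbox observations.

```python
"""Minimal Behavior-Driven Development loop around a reimplemented malware
behavior. Constructed example: the DGA and the observed domains are made up."""
from datetime import date


def toy_dga(seed: date, count: int) -> list[str]:
    """Hypothetical reimplementation of a date-seeded DGA (constructed)."""
    s = seed.year + seed.month + seed.day
    domains = []
    for i in range(count):
        x = (s + i) % 26
        name = ""
        for _ in range(8):
            x = (x * 5 + 3) % 26          # toy LCG step, one letter per round
            name += chr(ord("a") + x)
        domains.append(name + ".com")
    return domains


# Executable specification in Given/When/Then form. The step texts are the
# documentation; the attached data makes them checkable.
SCENARIO = {
    "feature": "Domain generation of the analysed sample (constructed)",
    "given": "the sandbox observed these DNS lookups on 2024-01-01 (constructed)",
    "observed": {"tuzytuzy.com", "ytuzytuz.com"},
    "when": "the reimplemented DGA runs with that date as seed",
    "seed": date(2024, 1, 1),
    "then": "every observed domain is among the first 2 generated domains",
    "count": 2,
}


def run_scenario(scenario: dict, implementation) -> dict:
    """Execute one scenario against an implementation; return a small report."""
    generated = set(implementation(scenario["seed"], scenario["count"]))
    missing = scenario["observed"] - generated
    return {
        "feature": scenario["feature"],
        "passed": not missing,            # a mistranslated routine fails here
        "missing": sorted(missing),
        "generated": sorted(generated),
    }


if __name__ == "__main__":
    for step in ("given", "when", "then"):
        print(f"{step.capitalize()} {SCENARIO[step]}")
    print(run_scenario(SCENARIO, toy_dga))
```

A reimplementation that drifts from the binary's behavior (for example a wrong constant in the letter mapping) produces a failing scenario with the missing domains listed, which is the feedback loop BDD adds over a plain translation of the assembler code.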

Thomas Barabosch
Malware Analyst @ Fraunhofer FKIE