Semantic Exploration of Binaries
Attacks with malicious software are an imminent risk. Malware developers not only constantly unveil new techniques in response to current detection schemes but also tend to re-code and modify existing malware versions with regard to their behaviour and functionality. Such malware variants may share functionality yet differ substantially in their syntactic representation. In this regard, calls to the Windows Application Programming Interface (API) can serve as guidance for determining a specimen's functionality and its interaction with the operating system.
This work proposes an approach to automate the exploration of malicious Windows binaries. A set of semantic patterns, each represented by a typically employed Windows API call sequence, is matched against a program's control flow graph in order to derive the presence of malicious functionality and behaviour patterns. The publication is accompanied by the release of an IDA Pro plugin.