Improving the efficiency of dynamic malware analysis

Bayer, Ulrich; Kirda, Engin; Kruegel, Christopher
SAC 2010, 25th ACM Symposium On Applied Computing, March 22-26, 2010, Sierre, Switzerland

Each day, security companies are confronted with thousands of new malware programs. To cope with these large quantities, researchers and practitioners alike have developed dynamic malware analysis systems. These systems automatically execute a program in a controlled environment and produce a report describing the program's behavior. During the last three years, the number of malware programs appearing each day has increased by a factor of ten, and this number is expected to continue to grow. To keep pace with these developments without incurring even higher hardware costs for operating dynamic analysis systems, we have developed a technique that drastically reduces the overall analysis time. Our solution is based on the insight that the huge number of new malicious files is due to mutations of only a few malware programs. To save analysis time, we propose a technique that avoids performing a full analysis of the same polymorphic file multiple times. In an experiment conducted on a set of 10,922 randomly chosen executable files, our prototype implementation was able to avoid a full dynamic analysis in 25.25 percent of the cases.


DOI: http://dx.doi.org/10.1145/1774088.1774484
Type: Conference
City: Sierre
Date: 2010-03-22
Department: Digital Security
Eurecom Ref: 3018
Copyright: © ACM, 2010. This is the author's version of the work. It is posted here by permission of ACM for your personal use. Not for redistribution. The definitive version was published in SAC 2010, 25th ACM Symposium On Applied Computing, March 22-26, 2010, Sierre, Switzerland, http://dx.doi.org/10.1145/1774088.1774484

PERMALINK : https://www.eurecom.fr/publication/3018