Académique Documents
Professionnel Documents
Culture Documents
available at www.sciencedirect.com
abstract
Keywords: In this paper, we present Capture, a tool for behavioral analysis of applications for the
Security Win32 operating system family. Capture is able to monitor the state of a system during
Forensics the execution of applications and processing of documents, which provides the analyst
Behavioral analysis with insights on how the software operates even if no source code is available. Capture dif-
Application analysis fers from existing behavioral analysis tools in its ability to monitor state changes on a low
Document analysis kernel level and its ability to be easily used across operating systems, various versions and
configurations. Capture provides a powerful mechanism to exclude event noise that natu-
rally occurs on an idle system or when using a specific application. This mechanism is fine-
grained and allows an analyst to take into account the process that causes the various state
changes. As a result, this mechanism even allows Capture to analyze the behavior of doc-
uments that execute within the context of an application. We demonstrate Capture’s capa-
bilities by analyzing a malicious Microsoft Word document.
ª 2007 DFRWS. Published by Elsevier Ltd. All rights reserved.
* Corresponding author.
E-mail addresses: christian.seifert@mcs.vuw.ac.nz (C. Seifert), ramon.steenson@mcs.vuw.ac.nz (R. Steenson), ian.welch@mcs.
vuw.ac.nz (I. Welch), peter.komisarczuk@mcs.vuw.ac.nz (P. Komisarczuk), endicott@u.washington.edu (B. Endicott-Popovsky).
1742-2876/$ – see front matter ª 2007 DFRWS. Published by Elsevier Ltd. All rights reserved.
doi:10.1016/j.diin.2007.06.003
S24 digital investigation 4S (2007) S23–S30
2. Problem
3.1.3. Kernel callbacks can also function as a behavioral analysis tool for software
Instead of patching the kernel with kernel level API hooking, running on the Win32 family of operating systems (Microsoft
Microsoft encourages the usage of callback functions (Field, Corporation, 1993) including the latest version of Windows
2006). Callback functions are publicly supported interfaces Vista. In this section, we describe the functionality of Capture
on the kernel level that notify an application about state followed by a description of the technical aspects of the tool.
changes on the system. These callbacks are designed with re-
liability and long-term supportability in mind allowing a mon- 4.1. Functional description
itoring application to run on various versions of the Microsoft
Windows operation system without modification. Similarly to the other existing tools, Capture analyzes the
state of the operating system and applications that execute
on the system by monitoring the file system, the registry,
3.2. Portability
and process monitor and generating reports for any events re-
ceived by the three monitors. The three monitors are de-
Second, we review implementation options around portability.
scribed below:
included in the list, the event is dropped; otherwise, it is out- documents, creation of document history, etc. The corre-
put to the final report that Capture generates. sponding exclusion lists are shown in Fig. 6 (the Microsoft
Windows XP SP2 exclusion list has been omitted because of
space limitations). With these exclusion lists, no events will
5. Results be reported when opening or closing an existing benign
Word document.
To demonstrate the capabilities of Capture, we expose Cap- With this configuration, we proceed to open the malicious
ture to a malicious Microsoft Word document that exploits Word document a1.do by double clicking on the document
vulnerability MS06-027 (Microsoft Corporation, 2006b). We from Windows Explorer. As expected, Word starts and at-
have chosen to analyze an Office document because it repre- tempts to open the document, but shortly after our action,
sents a more complex case in application analysis than the Word crashes. After 30 s, we proceed to inspect the report pro-
mere analysis of a stand-alone executable. The Word docu- duced by Capture. The formatted report is shown in Fig. 7. The
ment will be executed within a legitimate application and report shows that 14 unique unauthorized state changes oc-
the analysis tool, as a result, is tasked to differentiate between curred. First, we observe that Microsoft Word writes a file
legitimate actions of the application and actions performed by C:\WIN\sys\.exe and then proceeds to execute this newly writ-
the malware document. This situation allows us to show the ten out file. This newly created file and process are likely to be
power of Capture’s exclusion list and its system wide monitor- the payload of the malicious Word document. From this point
ing mechanism. forward, the Microsoft Word application is not involved in fur-
The analysis is performed on a virtualized environment ther state changes, but rather the .exe payload takes over to
that runs an unpatched Microsoft Windows XP SP2 installa- modify the registry and write additional files to the system.
tion with Microsoft Word 2003. Capture has been installed Note that the information about the process that cause the
on this machine and configured to exclude state changes state change is helpful to follow the events that occurred.
that occur during idle operation of the system, such as addi- Line 5 shows the malicious document we originally opened
tion to log files, as well as during the legitimate operation of is being written to a temporary file as well as a process called
the Microsoft Word application. These excluded events are WINWORD.exe as shown on line 6. WINWORD.exe is opened
events that revolve around keeping backup copies of in line 11 and proceeds to further modify the registry and
S28 digital investigation 4S (2007) S23–S30
file system. It is expected that WINWORD.exe inserts itself analysis, but with the information provided in the report,
whenever the Microsoft Word application is executed, allow- a good foundation has been laid for a speedy and comprehen-
ing the malware to execute without raising suspicion. sive offline analysis.
Whether it exhibits viral behavior and replicates itself via
newly created documents or whether it exhibits spyware
qualities to collect information about the user and system re- 6. Conclusion
mains to be determined in further analysis, which is beyond
the scope of this paper. In this paper, we have presented Capture, an open-source tool
As shown, Capture has successfully been used to deter- for behavioral analysis of software. We have presented the
mine the behavior of a malicious document. While further functionality and technical details of this tool that fulfill the
manual analysis remains to be undertaken, the tool allowed needs of the analyst: (1) system state monitoring with high
us to quickly assess whether the document was indeed mali- confidence in the generated reports, (2) portability with a fu-
cious. Such analysis could be done in an automated fashion ture proof state monitoring technique and portable exclusion
across a set of applications and documents. Capture also con- lists, and (3) transparency through an open-source approach.
veyed information about the state changes that occurred on We presented a powerful portable exclusion list mechanism
the system. Because the system is now contaminated with that allows to omit noise that occurs naturally on a system.
malware, an analyst would have to proceed to an offline With the power of regular expressions, the analysis is able
digital investigation 4S (2007) S23–S30 S29
to exclude groups of events on one line of the exclusion lists. This current version of Capture can easily be detected by
In addition, the mechanism is fine-grained allowing the ana- software that might be running on the system. We are not
lyst to exclude events on a process level. For example, we planning to introduce stealth capabilities to Capture, because
have illustrated that it is possible to report on write events it would place Capture into the rootkit family necessitating
to a browser cache by any application but the browser itself. implementation techniques that are not portable, namely ker-
In Section 5, we have presented the feasibility of using Cap- nel level API hooking. However, we are intending to imple-
ture as a tool to analyze the behavior of a document executing ment capabilities that allow Capture to assess whether any
within the context of an application. We have opened a mali- software attempts to determine Capture’s existence. If no
cious Microsoft Word file and observed its behavior on the sys- such attempts were made, one can be assured that the behav-
tem. This example shows the power of the exclusion list that ior of the application was not altered because of the presence
assists in the analysis. While we opened a document with the of the Capture tool.
client application, Microsoft Word, we were not overwhelmed The Capture tool is open-source and available from our
by thousands of normal system events that occur upon such web site at: http://www.nz-honeynet.org/capture-standalone.
action. Instead, the exclusion list allowed us to concentrate html.
on examining the behavior of the malicious document.
In future versions of the tool, we are planning to add addi-
tional capabilities around the level of information captured.
Currently, Capture only obtains identifying event information, Acknowledgements
such as the name of the underlying object and the action that
was taken on the object. We are planning to capture the con- We would like to thank Manuel Fries from Rising Antivirus,
tent of the state change itself, such as the registry key value Ltd. in providing us with a malware sample that we used in
before and after the modification, and store it for later com- our sample analysis.
parison. In addition, we are planning to extend the tool
around system state monitoring, such as monitoring of net- references
work connections, that the tool currently does not support.
Capture relies on the kernel callback functions for its infor-
mation. There is the possibility for a malicious application to Blanchon B. Winpooch watchdog. Available from: <http://
modify the kernel and change the functionality of these call- winpooch.free.fr>; 2004 [accessed 15.03.07].
backs. We do not want to put the burden on Capture to deter- Bassov A. Hooking the kernel directly. Available from: <http://
mine whether the kernel is intact, because existing tools www.codeproject.com/system/soviet_direct_hooking.asp>;
already allow such an assessment. However, Capture should 2006 [accessed 10.11.06].
Forrest S, Hofmeyr SA, Somayaji A, Longstaff TA. A sense of self
have the capability to determine whether the kernel was
for Unix processes. In: 1996 IEEE symposium on security and
modified during the operation of the software that one would
privacy. Oakland: IEEE; 1996. p. 120–8.
like to analyze. A kernel integrity monitor would provide Field S. An introduction to kernel patch protection. Available
such functionality and is a top priority for the next version of from: <http://blogs.msdn.com/windowsvistasecurity/archive/
the tool. 2006/08/11/695993.aspx>; 2006 [accessed 15.03.07].
S30 digital investigation 4S (2007) S23–S30
Ivanov I. API hooking revealed. Available from: <http://www. Ramon Steenson is a software engineer working as a research as-
codeproject.com/system/hooksys.asp>; 2002 [accessed 13. sistant at the University of Victoria in Wellington, New Zealand.
03.06]. He has a Bachelor of Information Technology from that Univer-
Microsoft Corporation. Windows Sysinternals. Available from: sity. His interests include honeypot technologies, computer secu-
<http://www.microsoft.com/technet/sysinternals/default. rity, and kernel development.
mspx>; 2006 [accessed 15.03.07].
Microsoft Corporation. Windows (32bit) home page; 1993. Ian Welch is currently a lecturer in the School of Mathematics,
Microsoft Corporation. Microsoft security bulletin MS06-027: Statistics and Computer Science at the University of Victoria
vulnerability in Microsoft Word could allow remote code at Wellington, New Zealand. He has a PhD from the University of-
execution. Available from: <http://www.microsoft.com/ Newcastle upon Tyne (UK). His research interests include
technet/security/bulletin/ms06-027.mspx>; 2006 [accessed 05. intrusion detection, privacy-preserving auctions, community
04.07]. informatics and the preservation of New Zealand-developed
Symantec. Understanding heuristics: symantec’s bloodhound computer games.
technology. Available from: <http://www.symantec.com/
avcenter/reference/heuristc.pdf>; 1997 [accessed 25.06.06]. Peter Komisarczuk received his PhD from the University of Surrey
Sunbelt Software USA. Sunbelt CWSandbox. Available from: (UK) and is a senior lecturer at the University of Victoria in Wel-
<http://www.sunbelt-software.com/Developer/Sunbelt- lington New Zealand. He teaches Networking, Internet Technol-
CWSandbox/>; 2006 [accessed 15.03.07]. ogy, Computer Architecture and coordinates student work
Steenson R, Seifert C. Capture – honeypot client. Available from: experience. His research interests include next generation net-
<http://www.nz-honeynet.org/capture.html>; 2006 [accessed works, Internet architecture, grid computing and crosslayer and
22.02.07]. location aided techniques in wireless networking.
Willems C, Holz T, Freiling F. Toward automated dynamic malware
analysis using CWSandbox. IEEE Secur Priv 2007;5(2):32–9.
Barbara Endicott-Popovsky has an MS in Information Systems En-
gineering and an MBA. She is completing her PhD in computer sci-
Christian Seifert is a PhD candidate at Victoria University of ence, focused on computer security/computer forensics, at the
Wellington, New Zealand. He also leads the New Zealand Hon- University of Idaho’s NSA Center for Academic Excellence in In-
eynet Alliance, member organization of the internationally oper- formation Assurance. As Director for the CIAC, an emerging Cen-
ating Honeynet Research Alliance that uses honeypots to attract, ter for Academic Excellence in Information Assurance, she is
track and study current and emerging security threats across responsible for guiding the research direction and developing an
the Internet. Christian has an MS in Software Engineering with information assurance curriculum. She has a joint faculty ap-
a focus on computer security from Seattle University, WA. His pointment with the Information School and the Computer Science
research interests include network security, honeypot technol- Department at the University of Washington at Tacoma. Her re-
ogy, in particular client honeypot technology, and malware search interests include forensic-ready networks and integrating
analysis. secure coding practices.