Thursday, December 18, 2008

what are dynamic heuristics?

dynamic heuristics are a branch of heuristic techniques that try to determine if a suspect program is malicious by running the program in a simulated environment and trying to detect the active (dynamic) malicious behaviour(s)...

there are a number of ways to accomplish this, whether it be emulating the program until it reveals the de-obfuscated (and, ideally, previously known) version of itself, or running it in some sort of sandbox to catalog a broader range of its behaviours looking for signs of malicious intent...

one of dynamic heuristics' strengths lies in being able to bypass many of the obfuscatory techniques that malware writers use to stymie static heuristic analysis, since obfuscation has traditionally needed to be undone at run-time for the malware to operate... unfortunately a number of tricks have been developed by malware writers to try to combat these techniques, and they generally exploit a more natural and general weakness: for any non-trivial program there are multiple paths that execution can take, but any single invocation of the program will follow only one of those paths... program execution can take different paths (and thus produce different behaviours) depending on any number of conditions present at run-time, so the malicious behaviour a dynamic heuristic engine is looking for may not show up (either by chance or by design) during analysis...
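to make the single-path weakness concrete, here is an added toy example (not code from this blog or from any real product): a tiny "program" is a list of behaviours and branches on run-time conditions, a single sandbox run only sees the path those conditions select, and a brute-force multi-path engine re-runs it under every combination of conditions so a conditionally triggered behaviour cannot stay hidden... all program, condition and behaviour names are constructed for illustration.

```python
from itertools import product

# Constructed toy program: a list of steps. A step is ("do", behaviour) or
# ("if", condition_name, nested_steps). All names here are illustrative only.
SAMPLE_PROGRAM = [
    ("do", "unpack_self"),
    ("if", "clock_past_trigger_date", [("do", "modify_startup_entries")]),
    ("if", "no_debugger_present", [("do", "contact_remote_host")]),
    ("do", "exit"),
]

# Behaviours the toy heuristic engine treats as signs of malicious intent.
SUSPICIOUS = {"modify_startup_entries", "contact_remote_host"}


def run_once(program, env):
    """Follow the single path selected by env (condition -> bool); return behaviours seen."""
    seen = []
    for step in program:
        if step[0] == "do":
            seen.append(step[1])
        else:  # ("if", cond, body): only the branch actually taken is observed
            _, cond, body = step
            if env.get(cond, False):
                seen.extend(run_once(body, env))
    return seen


def conditions_of(program):
    """Collect every run-time condition the program branches on (recursively)."""
    conds = set()
    for step in program:
        if step[0] == "if":
            conds.add(step[1])
            conds |= conditions_of(step[2])
    return conds


def single_run_verdict(program, env):
    """Classic dynamic heuristic: one execution, flag if anything suspicious shows up."""
    return bool(SUSPICIOUS & set(run_once(program, env)))


def multipath_verdict(program):
    """Force every combination of conditions (2**n runs) so no path stays hidden.
    Returns (flagged, env) where env is the first environment that exposed it."""
    conds = sorted(conditions_of(program))
    for values in product([False, True], repeat=len(conds)):
        env = dict(zip(conds, values))
        if single_run_verdict(program, env):
            return True, env
    return False, None
```

the brute-force 2**n enumeration is only workable for a toy; real engines have to prune or steer paths, which is exactly the gap the run-time tricks exploit.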
