5.2.1 Dynamic Behavioral Data Collection
To conduct the dynamic analysis, the executable files were launched manually on a Dell OptiPlex 755 computer with a clean installation of 32-bit Windows 7 Ultimate. The objective of the dynamic analysis was to collect behavior-based features (i.e., power consumption, network traffic, and system logs) while running different malware and non-malicious applications on a general-purpose computer.
Chapter 5. Experimental Set-up & Data Collection 59
The instrumentation used in our experiments to collect the power consumption data was a DAQ, Model Number USB-1608G Series [20]. The DAQ was attached to the experimental machine through a 24-pin ATX extender cable: the 24-pin male connector of the extender was plugged into the motherboard, while its 24-pin female connector was attached to the PSU. Eight DC power channels were monitored, four voltage channels and the four corresponding current channels, covering the +3.3V, +5V and +12V rails on the motherboard and the +12V rail feeding the CPU. To collect precise power measurements, we developed a program that directly accessed the DAQ to read the power consumption data and stored it on a separate machine used as the data repository. A detailed description of the hardware configuration used to collect the power consumption data can be found in Chapter 4 and in our technical report [172].
We also used Wireshark [42], running on the data repository machine, to collect the network traffic data. For the system logs, several software applications were evaluated, namely Event Viewer [208], RegFsNotify [112], Logstash [37], and CaptureBAT.
Event Viewer [208] is a tool that allows the user to monitor the events that occur in the system. It maintains logs of application, security, and system events on the computer, and can be used to view and manage those logs and to gather specific information (e.g., about hardware and software problems) [208]. Because the recorded events did not include milliseconds in their timestamps, this tool was discarded. Note that precise timestamps are essential, since we are interested in correlating the system logs with the power consumption and network traffic data.
Similarly, RegFsNotify [112] detects changes to the Windows Registry and file system in real time, but it was discarded because no timestamp was recorded for the collected events. Logstash [37] (an open source server-side tool for managing events and logs) was also discarded: because of its client-server architecture, additional software must run in the background of the operating system (OS), which adds noise to the power consumption data. Finally, we evaluated CaptureBAT [263, 32], a lightweight open source tool that logs the changes that occur in the OS while an application is running. It records changes in the file system, the Registry, and system processes. The file system monitor captures when an event occurs, the type of event (i.e., read or write), and the name of the process that triggered it. The Registry monitor reports the time with millisecond resolution, the process that triggered the Registry event, the path of the key where the action occurred, and the type of action performed on the key (i.e., created or deleted). The process monitor tracks the creation and termination of processes but does not report on already running processes; it captures the time, whether the process was created or terminated, and the file name that represents that process. This tool was chosen over the others because it has an exclusion list mechanism that allows noise occurring naturally in the system to be omitted. Moreover, it has been recommended for conducting dynamic malware analysis [143] and has been used in previous works for rootkit detection [273] and for malware analysis in memory forensics [284].
To account for the randomness of different Windows OS background processes, each malware and non-malicious software application was executed three times, and each run lasted thirty minutes. Other works that used behavioral characteristics for malware detection have executed the malware in a controlled sandbox environment for one and a half minutes [178], two minutes [251], five minutes [95, 77, 303, 99], and twenty minutes [114]. We decided to run our malware samples for thirty minutes because, for these specific samples, this was sufficient time for them to perform their malicious actions. Note that each thirty-minute run yields one .csv file with the power consumption data, one .pcap file with the network traffic data, and one text file (.txt) with the system log data.
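The reason millisecond timestamps were required of the log tool becomes concrete once the per-run artifacts are joined: the power CSV is sampled many times per second, so a log event has to be placed on that timeline to within a few samples. The following Python example is added here and is not the thesis's own collection code. It synthesizes a DAQ-style CSV (constructed: one row per sample, a voltage and a current column per rail, total power taken as the sum of V times I over the four rails), parses a simplified log whose fields are the ones the text attributes to the process, Registry and file monitors (constructed format, not CaptureBAT's real output), and for each process-creation event compares mean power in a short window before and after the event. It then repeats the correlation with the timestamps truncated to whole seconds, which is the Event Viewer limitation described above, to show how the activity burst is lost.

```python
import csv
import io
import datetime as dt
from statistics import fmean

# Constructed sample data. Column names and the log layout are assumptions for this
# example, simplified to the fields the text lists; they are not the real DAQ or
# CaptureBAT formats.
RAILS = ("3v3", "5v", "12v_mb", "12v_cpu")   # the four monitored DC rails
TS_FMT = "%Y-%m-%d %H:%M:%S.%f"               # millisecond-resolution timestamps
SAMPLE_START = dt.datetime(2015, 3, 10, 12, 0, 0)

SAMPLE_LOG = r"""
2015-03-10 12:00:00.500,process,created,C:\samples\sample.exe,
2015-03-10 12:00:00.620,registry,created,C:\samples\sample.exe,HKCU\Software\Microsoft\Windows\CurrentVersion\Run\sample
2015-03-10 12:00:00.900,file,write,C:\samples\sample.exe,C:\Users\lab\out.dat
"""

def make_power_csv(start, samples=100, step_ms=10, spike_at_ms=500):
    """Synthesize a DAQ-style CSV, one row per sample with V and A per rail.
    The CPU rail draws extra current from `spike_at_ms` on (a constructed activity burst)."""
    out = io.StringIO()
    w = csv.writer(out)
    w.writerow(["timestamp"] + [f"{r}_{u}" for r in RAILS for u in ("V", "A")])
    for i in range(samples):
        t = start + dt.timedelta(milliseconds=i * step_ms)
        cpu_a = 2.5 if i * step_ms >= spike_at_ms else 1.0
        w.writerow([t.strftime(TS_FMT)[:-3], 3.3, 1.0, 5.0, 2.0, 12.0, 0.5, 12.0, cpu_a])
    return out.getvalue()

def load_power(csv_text):
    """Return [(timestamp, total_watts)]; total power is the sum of V*I over the four rails."""
    rows = []
    for r in csv.DictReader(io.StringIO(csv_text)):
        t = dt.datetime.strptime(r["timestamp"], TS_FMT)
        watts = sum(float(r[f"{rail}_V"]) * float(r[f"{rail}_A"]) for rail in RAILS)
        rows.append((t, watts))
    return rows

def load_events(log_text):
    """Return [(timestamp, monitor, action, process, path)] from the simplified log format."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, monitor, action, proc, path = line.split(",", 4)
        events.append((dt.datetime.strptime(ts, TS_FMT), monitor, action, proc, path))
    return events

def power_around(power, t, before_ms=200, after_ms=200):
    """Mean power in [t-before, t) and [t, t+after); None when a window holds no samples."""
    lo = t - dt.timedelta(milliseconds=before_ms)
    hi = t + dt.timedelta(milliseconds=after_ms)
    pre = [w for ts, w in power if lo <= ts < t]
    post = [w for ts, w in power if t <= ts < hi]
    return (fmean(pre) if pre else None), (fmean(post) if post else None)

def correlate(power, events, monitor="process", action="created", **win):
    """Pair every matching log event with the mean power just before and just after it."""
    out = []
    for t, mon, act, proc, _path in events:
        if mon == monitor and act == action:
            pre, post = power_around(power, t, **win)
            out.append({"time": t, "process": proc, "pre_w": pre, "post_w": post})
    return out

def truncate_to_seconds(events):
    """Simulate a logger that records whole seconds only (the Event Viewer limitation)."""
    return [(t.replace(microsecond=0), *rest) for t, *rest in events]

def demo():
    """Run the correlation with millisecond and with second-resolution timestamps."""
    power = load_power(make_power_csv(SAMPLE_START))
    events = load_events(SAMPLE_LOG)
    return correlate(power, events), correlate(power, truncate_to_seconds(events))

if __name__ == "__main__":
    precise, truncated = demo()
    for row in precise:
        print("ms timestamps:     ", row)
    for row in truncated:
        print("second timestamps: ", row)
```

With millisecond timestamps the process-creation event at 12:00:00.500 sits exactly on the step from the baseline to the burst, so the pre-window mean is the baseline and the post-window mean is the elevated value. With the timestamp truncated to 12:00:00 the pre-window is empty and the post-window sees only baseline samples, so the same event appears to have had no effect on power at all. The same windowing applies to the .pcap stream once packet timestamps are parsed.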
5.2.2 Code-based Static Data Collection
Static data can be collected without executing the portable executable (PE) file. Specifically, the PE file first has to be disassembled; disassembler and memory dumper tools can be used for this on Windows executables. Some examples of tools commonly used to inspect and disassemble Windows executables are IDA Pro [35], OllyDbg [38], ExifTool [152], and PE Explorer [51]. From these tools, we used PE Explorer [51], an integrated collection of tools that provide a framework for working with several executable formats that run on 32-bit Windows platforms. After unpacking the executable file, information such as the headers, the data directories, and the dynamic-link library (DLL) dependencies was collected from each malicious and non-malicious software application.
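The static features listed above (headers, data directories, DLL dependencies) can be read directly from the PE structure without a disassembler. The following Python example is added here and is neither the thesis's own extraction code nor PE Explorer's: it builds a constructed, non-runnable PE32 image in memory (so the example runs offline; the DLL and function names in it are made up) and then parses it the way a static feature extractor would, walking the COFF and optional headers, the data directories, the section table and the import descriptors. One caveat that the text's "after unpacking" implies: on a packed sample the import table describes the packer stub, usually little more than LoadLibrary and GetProcAddress, so these features only reflect the real program once the image has been unpacked.

```python
import struct

# Constants from the PE/COFF specification (standard names and values).
OPT_FMT = "<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6   # PE32 optional header, 96 bytes
MACHINES = {0x14C: "i386", 0x8664: "amd64", 0x1C0: "arm", 0xAA64: "arm64"}
DIR_NAMES = ["Export", "Import", "Resource", "Exception", "Security", "BaseReloc", "Debug",
             "Architecture", "GlobalPtr", "TLS", "LoadConfig", "BoundImport", "IAT",
             "DelayImport", "CLR", "Reserved"]
DLL_CHARS = {0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
             0x0100: "NX_COMPAT", 0x0400: "NO_SEH", 0x4000: "GUARD_CF",
             0x8000: "TERMINAL_SERVER_AWARE"}

def parse_pe(data):
    """Extract headers, data directories, sections and import dependencies from a PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]                      # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    opt_off = pe_off + 24
    if struct.unpack_from("<H", data, opt_off)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    opt = struct.unpack_from(OPT_FMT, data, opt_off)
    n_dirs = opt[29]                                                      # NumberOfRvaAndSizes
    dirs = [struct.unpack_from("<II", data, opt_off + 96 + 8 * i) for i in range(n_dirs)]
    sections = [struct.unpack_from("<8sIIIIIIHHI", data, opt_off + opt_size + 40 * i)
                for i in range(nsect)]

    def rva_to_off(rva):  # map a relative virtual address to a file offset via the section table
        for _name, vsize, va, rawsize, rawptr, *_ in sections:
            if va <= rva < va + max(vsize, rawsize):
                return rva - va + rawptr
        raise ValueError(f"RVA {rva:#x} is not backed by any section")

    def cstr(off):
        return data[off:data.index(b"\0", off)].decode("ascii", "replace")

    imports = {}
    imp_rva = dirs[1][0] if n_dirs > 1 else 0
    if imp_rva:
        d = rva_to_off(imp_rva)
        while True:  # IMAGE_IMPORT_DESCRIPTOR array, terminated by an all-zero entry
            int_rva, _, _, name_rva, iat_rva = struct.unpack_from("<IIIII", data, d)
            if name_rva == 0:
                break
            funcs, t = [], rva_to_off(int_rva or iat_rva)
            while True:  # thunk array, terminated by zero; high bit marks an import by ordinal
                thunk = struct.unpack_from("<I", data, t)[0]
                if thunk == 0:
                    break
                funcs.append(f"ordinal#{thunk & 0xFFFF}" if thunk & 0x80000000
                             else cstr(rva_to_off(thunk) + 2))            # skip the 2-byte hint
                t += 4
            imports[cstr(rva_to_off(name_rva))] = funcs
            d += 20
    return {
        "machine": MACHINES.get(machine, hex(machine)),
        "entry_point": opt[6], "image_base": opt[9], "subsystem": opt[22],
        "dll_characteristics": [n for bit, n in DLL_CHARS.items() if opt[23] & bit],
        "data_directories": {DIR_NAMES[i]: (rva, sz) for i, (rva, sz) in enumerate(dirs) if rva},
        "sections": [n.rstrip(b"\0").decode() for n, *_ in sections],
        "imports": imports,
    }

def build_sample_pe():
    """Constructed sample input: a minimal, non-runnable PE32 image with one .rdata section
    holding an import table for two made-up dependencies."""
    sec_rva, sec_off, align = 0x1000, 0x200, 0x200
    blob = bytearray(b"\0" * 60)            # room for 2 import descriptors + terminator
    def put(b):                             # append to the section, return the RVA of the data
        rva = sec_rva + len(blob)
        blob.extend(b)
        return rva
    imports = [(b"KERNEL32.dll", [b"CreateProcessA", b"WriteFile"]), (b"WS2_32.dll", [b"connect"])]
    for i, (dll, funcs) in enumerate(imports):
        name_rva = put(dll + b"\0")
        hints = [put(struct.pack("<H", 0) + f + b"\0") for f in funcs]    # hint/name entries
        thunks = b"".join(struct.pack("<I", r) for r in hints) + b"\0" * 4
        int_rva, iat_rva = put(thunks), put(thunks)                        # INT and IAT
        struct.pack_into("<IIIII", blob, 20 * i, int_rva, 0, 0, name_rva, iat_rva)
    dirs = [(0, 0)] * 16
    dirs[1] = (sec_rva, 60)                                                # import directory
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                     # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)         # i386, 1 section, EXE|32BIT
    opt = struct.pack(OPT_FMT, 0x10B, 14, 0,
                      0, align, 0, sec_rva, sec_rva, sec_rva,              # sizes, entry point, code/data base
                      0x400000, 0x1000, align,                             # ImageBase, section/file alignment
                      6, 0, 0, 0, 6, 0,                                    # OS/image/subsystem versions
                      0, 0x2000, sec_off, 0,                               # Win32Version, SizeOfImage, SizeOfHeaders, CheckSum
                      3, 0x8140,                                           # console; DYNAMIC_BASE|NX_COMPAT|TS_AWARE
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)           # stack/heap, LoaderFlags, 16 data dirs
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    sect = struct.pack("<8sIIIIIIHHI", b".rdata", len(blob), sec_rva, align, sec_off,
                       0, 0, 0, 0, 0x40000040)                             # INITIALIZED_DATA | MEM_READ
    return (dos + b"PE\0\0" + coff + opt + sect).ljust(sec_off, b"\0") + bytes(blob).ljust(align, b"\0")

if __name__ == "__main__":
    import json
    print(json.dumps(parse_pe(build_sample_pe()), indent=2))
```

The parser is intentionally limited to PE32, matching the 32-bit platform used in the experiments; a PE32+ image (magic 0x20B) has a 112-byte optional header without BaseOfData and 64-bit thunks, and the mapping from RVA to file offset through the section table is the step that most hand-written extractors get wrong on real samples, which is why it is isolated in `rva_to_off` and raises on an RVA that no section backs.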