MWS 2012 - anti Malware engineering WorkShop 2012

October 30th - November 1st, 2012
KUNIBIKI MESSE; Shimane Prefectual Convention Center, Shimane, Japan

Photo story of MWS 2012, Manuscripts and Slides

These manuscripts have been published without reviewing and editing as received from the authors: posting the manuscript to MWS 2012 does not prevent future submissions to any journals or conferences with proceedings.
Awared Ceremony
MWS 2012 Best Paper Award
Tracing Malicious Code with Taint Propagation
Yuhei Kawakoyay, Eitaro Shiojiy, Makoto Iwamuray and Takeo Hariu (NTT Secure Platform Laboratories)
MWS 2011 Best Student Paper Award
Evaluating features of payload for malware detection
Yusuke Otsuki, Masatsugu Ichino(The University of Electro-Communications), Kenji Kawamoto(Waseda University), Mitsuhiro Hatada(NTT Communications Corporation) and Hiroshi Yoshiura(The University of Electro-Communications)
MWS Cup 2012 Award Winner
Team "GOTO Love"
MWS Cup 2012 Award Winner with Technical Component
MWS Cup 2012 Award Winner with Artistic Component
Team "Zlab 2012"

1A1: MWS(Static Analysis) - Chair: Takashi Manabe

1A1-1: Tracing Malicious Code with Taint Propagation
Yuhei Kawakoyay, Eitaro Shiojiy, Makoto Iwamuray and Takeo Hariu (NTT Secure Platform Laboratories)

Dynamic malware analysis environments commonly distinguish their target code from benign code based on its process ID or thread ID. However, the distinction based on these IDs does not correctly handle? malware which has anti-analysis functions. To solve this problem, we propose an approach for identifying the to-be-analyzed code based on taint tags. To prove the effectiveness of our proposal, we have conducted experiments with a set of test code which behaves like malware and also with CCC Dataset2012. The results of these experiments indicated that our approach is effective against various anti-analysis functions, and that it is applicable to real malware. Our proposal will allow existing malware analysis environments and antimalware research to be more precise and effective.

[ Manuscript (PDF) | Slide (PDF) ]

1A1-2: Function Estimation Method for Malwares based on part of Binary Code
Ryo Okubo, Masakatu Morii(Kobe University), Ryoichi Isawa, Daisuke Inoue and Koji Nakao(National Institute of Information and Communications Technology)

Because malware analysis using similarities between malwares needs to make a lot of comparison, calculation amount is an important factor. Existing methods use LCS(Longest Common Strings) or n-gram to calculate similarity. The calculation amount of them is O(m×n). This calculation amount is not appropriate for making a lot of comparison. We propose a fast method for calculating similarity between malwares. We focus on distribution of byte code. To calculate a similarity between the two of malwares, we apply Zero-mean Normalized Cross-Correlation. Once we get the distribution of byte code, the calculation amount is O(1). Because this method does not influenced by file size, we can calculate similarity at short times in any case. Moreover we estimate function by adding point to each function according to similarity

[ Manuscript (PDF) | Slide (PDF) ]

1A1-3: Code Capture from Self-Modifying Malwares
Noriaki Nakamuray, Masakatu Morii(Kobe University), Ryoichi Isawa, Daisuke Inoue and Koji Nakao(National Institute of Information and Communications Technology)

Most malwares are packed or encrypted. In order to analyze such malwares, we have to unpack them and extract the original codes from them. There are many techniques of packing. It is difficult to extract original codes from malwares packed with multi-stage packers because their decryption algorithms is complicated. In this paper, we present our preliminary efforts toward generic binary unpacking against the three multi-stage packers, which are tElock, PESpin, and yoda’s Crypter. We find out that the thee packers has a common part of their algorithms. The packers finally reveal the original code of a malware to a specific section named‘.text section.’ That is, we set a break point in the section and can get the original codes of any malwares packed with the three packers.

[ Manuscript (PDF) | Slide (PDF) ]

1A2: MWS(Dynamic Analysis) - Chair: Katsunari Yoshioka

1A2-1: Malware Analysis Report 2012 using Malware Analyzer Alkanet
Yuto Otsuki, Hiroaki Wakabayashi, Eiji Takimoto(Ritsumeikan University), Shoichi Saito(Nagoya Institute of Technology) and Koichi Mouri(Ritsumeikan University)

Recently, malware has become a major security threat to computers. Responding to threats from malware requires malware analysis and understanding malware behavior. However, malware analyst cannot spend the time required to analyze each instance of malware because unique variants of malware emerge by the thousands every day. We are developing Alkanet, a malware analyzer that uses a virtual machine monitor based on BitVisor. We analyzed real malware samples using Alkanet. The samples are actual instances of malware recorded in CCC DATAset 2012. In this paper, we describe the analysis reports.

[ Manuscript (PDF) | Slide (PDF) ]

1A2-2: Design and Implementation of Malware Analysis using Network Emulator GINE
Yasuaki Mitsueda, Kunio Goto and Hiroyuki Kawano(Nanzan University)

Dynamic Analysis is effective for Malware. Although most malwares try to connect to the internet, Malware sample should be executed in disconnected the internet environment. For malware, not connecting the internet, malwares do not trigger their malicious behaviors. In this paper, we present design and implementation of malware traffic analysis using virtual network. We provide some fake services such as HTTP, IRC, DNS,SMTP and FTP in the virtual network. We analyze malware’s traffic.

[ Manuscript (PDF) ]

1A2-3: Malware Detection by Signature Matching in a Hypervisor
Yoshihiro Oyama and Yudai Kawasaki(The University of Electro-Communications)

We report the result of experiments in which we detected malware in the MWS 2012 malware dataset by using BVMD, a hypervisor that provides a malware detection mechanism. BVMD is implemented by extending a parapass-through hypervisor BitVisor. BVMD applies signature matching against data blocks that are transmitted between the guest OS and devices such as hard disks.

[ Manuscript (PDF) ]

2A1: MWS(Drive-by Download Analysis) - Chair: Takahiro Matsuki

2A1-1: A Malware Analysis Support System Combining Visualization and Dynamic Analysis
Takayuki Yoshinori, Takuya Ban, Hitoshi Miyazaki, Takuya Matsui, Ryo Sato, Ryosuke Okazaki, Akihito Shinoda(Nagoya Institute of Technology), Masanori Hirotomo(Saga University), Masami Mohri(Gifu University), Masaki Kamizono(SecureBrain Corp.) and Yoshiaki Shiraishi(Nagoya Institute of Technology)

Recently, the Drive-by-Download (DBD) attack increases threats which make users lead to the web sites distributing malwares. As countermeasure for this attack, we detect malicious web sites from the traffic data collected by crawling the web sites by client honeypots. However, it is infeasible to analyze each malicious code in huge traffic data. In this paper, we propose a system for supporting the analysis of the DBD attacks. The proposed system consists of two novel subsystems. The first subsystem is an interface which visualizes the traffic to focus on the attack flow. The second one is an analysis environment which automates dynamic analysis of the focused malicious codes.

[ Slide (PDF) ]

2A1-2: Classification of Hostile Javascript based on Encoding Abstract Syntax Tree
Takuma Johnishi(Kobe University), Masaki Kamizonoz, Masata Nishida(Securebrain Corporation) and Masakatu Morii(Kobe University)

In the recent years, the number of malware written in obfuscated Javascript has been increasing. Abstract syntax tree(AST) is used as a measure of classifying these malware to counter these malware. In previous research, it is proposed to use an AST based on structural analysis of polymorphic Javascript. However, Classi cation of Javascript has not been performed in the research. In this paper, we propose a method which enable to classifying Javascript by further abstracting AST and by encoding AST. Furthermore experimental results with the malware samples provided by MWS DATAset show that our proposed method can exactly classify and summarize hostile Javascript that is obfuscated in a similar way

[ Manuscript (PDF) | Slide (PDF) ]

2A1-3: Feasibility study of Observable Expression for Cyber Attack Countermeasure
Masato Terada, Kazuki Iwamoto, Motoi Endo, Nozomi Matsuzaka and Hideaki Kobayashi(Information-technology Promotion Agency)

Malware activities are progressing and changing for long term and short term, especially for the aspects of the function and implementation. For these progressing and changing, we should track them and keep up-to-date and reviewing for our information system security. In this paper, firstly we will describe implementation transition of email worm. Secondly, we will introduce our tracking approach for the aspects of the functional and implementation changing of outbound traffic of malware.

[ Manuscript (PDF) | Slide (PDF) ]

2A2: MWS(Special Session) - Chair:Mitsuhiro Hatada

2A2-1: Bakuei Matsukawa - Trend Micro Inc.

[ Slide (PDF) ]

2A2-2: Norihiko Maeda - Kaspersky Labs Japan

[ Slide (PDF) ]

2A2-3: Ryoji Kanai - Fourteenforty Research Institute, Inc.

2A2-4: Hiroshi Kawaguchi - LAC Co., Ltd.

[ Slide (PDF) ]

2A3: MWS(Special Session) - Chair:Mitsuhiro Hatada

2A3-1: Mamoru Saito - Internet Initiaive Japan Inc.

[ Slide (PDF) ]

2A3-2: Shinsuke Honjo - McAfee, Inc.

2A3-3: Masakazu Takahashi - Microsoft Corporation

[ Slide (PDF) ]

2A4: MWS(Special Session) - Chair: Mitsuhiro Hatada

2A4-1: Ikuo Takahashi - BLT Legal Chambers

[ Slide (PDF) ]

2A4-2: Panel Discussion
 Bakuei Matsukawa - Trend Micro Inc.
 Norihiko Maeda - Kaspersky Labs Japan
 Shinsuke Honjo - McAfee, Inc.
 Ryoji Kanai - Fourteenforty Research Institute, Inc.
 Hiroshi Kawaguchi - LAC Co., Ltd.
 Mamoru Saito - Internet Initiaive Japan Inc.
 Masakazu Takahashi - Microsoft Corporation
 Ikuo Takahashi - BLT Legal Chambers
 Mitsuhiro Hatada - NTT Communications Corporation

3A1: MWS(Traffic Analysis) - Chair: Daisuke Inoue

3A1-1: Development and Evaluation of the System to Detect C&C Server in Botnet Using Accumulated Data from CCC
Nobuhiro Nakamura and Ryoichi Sasaki(Tokyo Denki University)

Recently,the damage caused by the botnet has been increasing. There exists a problem that the other bot PCs can be produced, even if one bot PC could be specified and removed. Therefore, we proposed the Multi Stage Trace Back system on a proxy server program named Squid. We also evaluation second stage trace back method which consists of black list and Quantification methods No. 2 with CCCDataSet2009,2010,2011 and new parameters. This paper reports at first the system implemented for the 2nd Stage Trace Back, and then the results of functional experiment and performance experiment.
3A1-2: Evaluating features of payload for malware detection
Yusuke Otsuki, Masatsugu Ichino(The University of Electro-Communications), Kenji Kawamoto(Waseda University), Mitsuhiro Hatada(NTT Communications Corporation) and Hiroshi Yoshiura(The University of Electro-Communications)

We evaluated features used in related works based on traffic data since effectiveness of using these features in malware detection is not evaluated sufficiently. In the evaluation, CCCDATAset and D3M2012 are used as anomaly traffic data infected with malware, and traffic data captured in some Intranet are used as normal traffic data. We evaluated the features by comparing the distances between normal/anomaly codebooks made by vector quantization and input data. In this paper, we show and discuss the evaluation results of payload features in each type of malware.

[ Manuscript (PDF) ]

3A1-3: A study of malware communication detection method that postulate the implemented to the IPS
Sachio Ohnishi and Naoki Tsunematsu(MC Security Co., Ltd.)

Because of the malware to perform software downloads and malicious attacks, such as remote control, damage report of unending information leakage. Also, anti-malware techniques have diversified accordingly. However, in order to take measures to malware that is increasing every day, there is a limit in the static defense techniques such as pattern matching. The results were analyzed CCC DATA set 2012 data set for research, we focus on the behavior of the communication that occurs of malware, in this paper, we propose a new method for dynamic defense IPS.

[ Manuscript (PDF) | Slide (PDF) ]

3A1-4: A Malware Detection Infrastructure System based on Stream Processing System
Masahiro Ohke, Hideyuki Kawashima and Hiroyuki Kitagawa(University of Tsukuba)

This paper proposes a malware detection infrastructure system based on stream processing system. The proposed system models packets as relational streams to solve the efficiency problem and generates results as relational streams to solve operation problem. We realize the proposed system based on SS* which we have developed, and we implement conventional methods.

[ Manuscript (PDF) | Slide (PDF) ]


Team "GOTO Love
Team "Young IT Keys@NAIST"
Team "TDU-ISL"
Team "mochigoma"
Team "Retry=++1"
Team "Mr.Ng"
Team "Zlab 2012"
Team "NWU12"
Team "24Droid"
Team "tessy"

MWS Hands-on

Static Analysis 101 (JPCERT/CC)

Incident Response (IIJ)



MWS2011 MWS2010 MWS2009 MWS2008

MWS 2012 Datasets
provided by



   Telecom-ISAC Japan



NTT Communications



Trend Micro

  Hitachi Incident Response Team



  Digital Arts