Extracting WinAPI Call Graphs for Inferring Malicious Behaviours

  • Date: October 18, 2016
  • Hour: 11 am
  • Room: Room B
  • Speaker: Ricardo J. Rodríguez (University of Zaragoza)


The number of incidents related to cyber-attacks has increased rapidly in recent years, according to numerous software security vendors. In particular, malicious software specially crafted to proliferate on PC platforms is growing exponentially, not only in quantity but also in complexity: for instance, Kaspersky reported analysing 350000 malware samples per day in 2013. Many software security vendors offer products to fight these threats (mainly known as anti-virus software) that rely on signature-based rather than behaviour-based analysis. Thus a small modification to a malware sample may cause a false negative detection and hence the infection of devices, to the benefit of the cyber-criminals. In this talk we present an approach for dynamically extracting the malicious behaviour of a program binary, based on extracting its call graphs. In particular, we focus on malware that targets Windows platforms. The call graph is useful for clustering samples with similar behaviour and for detecting malicious behavioural patterns, which may then be used to build new defence tools. We will also discuss the advantages and disadvantages of this approach, as well as the possibilities for collaboration. To illustrate the approach, the case study during the talk will be malware specially crafted to target Point-of-Sale systems.
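As an added illustration of the idea in the abstract (this is not the speaker's tool, and the traces, API names and thresholds below are constructed for the example), the following Python builds a call graph per sample from a dynamically recorded sequence of WinAPI calls, compares samples by the Jaccard similarity of their edge sets, groups similar samples by single-linkage clustering, and extracts the edges shared by a whole cluster as a candidate behavioural pattern. The graph representation assumed here, with one directed edge for each pair of consecutive API calls in the trace, is one common choice; the talk's own representation may differ.

```python
"""Build WinAPI call-transition graphs from dynamic traces and cluster samples
by graph similarity.  Added example: not the speaker's code.  Everything below
(sample names, traces, threshold values) is constructed for illustration."""
from itertools import combinations

# Constructed dynamic traces: the ordered WinAPI calls observed per sample.
# sample_b is sample_a with one extra call appended (a byte-level change that
# would defeat a static signature while leaving the behaviour almost unchanged).
TRACES = {
    "sample_a": ["CreateFileW", "ReadFile", "CryptEncrypt", "WriteFile", "CloseHandle"],
    "sample_b": ["CreateFileW", "ReadFile", "CryptEncrypt", "WriteFile", "CloseHandle",
                 "DeleteFileW"],
    "sample_c": ["InternetOpenA", "InternetConnectA", "HttpSendRequestA",
                 "InternetCloseHandle"],
    "sample_d": ["InternetOpenA", "InternetConnectA", "HttpSendRequestA", "WriteFile",
                 "InternetCloseHandle"],
}


def build_call_graph(trace):
    """Return the directed edge set (api_i -> api_i+1) of a call trace."""
    return {(trace[i], trace[i + 1]) for i in range(len(trace) - 1)}


def graphs_from_traces(traces):
    """Map every sample name to its call graph (edge set)."""
    return {name: build_call_graph(trace) for name, trace in traces.items()}


def jaccard(edges_a, edges_b):
    """Jaccard similarity of two edge sets in [0, 1]; empty graphs count as identical."""
    if not edges_a and not edges_b:
        return 1.0
    return len(edges_a & edges_b) / len(edges_a | edges_b)


def cluster(graphs, threshold):
    """Single-linkage clustering with union-find: two samples end up in the same
    cluster if a chain of pairwise similarities >= threshold connects them.
    Returns a sorted list of sorted member lists so results are deterministic."""
    parent = {name: name for name in graphs}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for x, y in combinations(graphs, 2):
        if jaccard(graphs[x], graphs[y]) >= threshold:
            parent[find(x)] = find(y)

    groups = {}
    for name in graphs:
        groups.setdefault(find(name), []).append(name)
    return sorted(sorted(members) for members in groups.values())


def shared_pattern(graphs, members):
    """Edges present in every member of a cluster: a candidate behavioural
    signature that a detection tool could look for in new traces."""
    common = set.intersection(*(graphs[m] for m in members))
    return sorted(common)


def matches_pattern(graph, pattern):
    """True if a (new) sample's call graph contains every edge of the pattern."""
    return set(pattern) <= graph


if __name__ == "__main__":
    graphs = graphs_from_traces(TRACES)
    for threshold in (0.3, 0.5):
        print(f"threshold {threshold}: {cluster(graphs, threshold)}")
    for members in cluster(graphs, 0.3):
        print(members, "share", shared_pattern(graphs, members))
```

With the constructed traces, sample_a and sample_b share four of five edges (similarity 0.8), so they cluster together at either threshold, while sample_c and sample_d only join at the looser threshold; the pattern shared by each cluster is what a behaviour-based detector would key on rather than the bytes of any one sample.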