Mathematics and Information Science Directorate, 2011
"... Unlimited distribution subject to the copyright. ..."
Function Extraction Technology: Computing the Behavior of Malware
Abstract
Current methods of malware analysis are increasingly challenged by the scope and sophistication of attacks. Recent advances in software behavior computation illuminate an opportunity to compute the behavior of malware at machine speeds, to aid in understanding intruder methods and developing countermeasures. The behavior computation process helps eliminate certain forms of malware obfuscation and computes the net effects of the remaining functional code. This paper describes behavior computation technology and provides an example of its use in malware analysis.

1. A malware vulnerability

Malware often exhibits a fundamental vulnerability that can be exploited by defenders. No matter how a malware package is obfuscated, and no matter what attack strategy it implements, it must ultimately execute on a target machine to achieve its objectives. That is, the intended behavior of a malware package must be realized through ordinary execution of instructions and manipulation of memory, just as must the intended behavior of legitimate software. A potential Achilles heel of malware is literally its functional behavior, which must achieve a purpose intended by the attacker.

This paper describes application of software behavior computation to help eliminate certain forms of obfuscation in malware and derive the net behavior of the remaining functional code. This malware vulnerability is being exploited through research and development carried out by the