Impact Analysis of Malware Based on Call Network API With Heuristic Detection Method

ABSTRACT


INTRODUCTION
In the current era of globalization, technology and the internet are developing very rapidly. The internet plays an important role in every field of society, from economics to government. With this rapid development, however, the security of internet and PC users must be improved further. One threat to that security is cybercrime. Cybercrime covers a variety of illegal or prohibited acts carried out by an individual or group against computer devices, information networks and technology, or against an individual in the online world [1]. The US Department of Justice divides cybercrime into three categories: crimes in which a computer device is the main target, crimes in which a computer is used as a weapon (for example, denial-of-service (DoS) attacks), and crimes in which a computer is used as an accessory (for example, to store illegal data). The most common cybercrime attacks use malware. Malware, or malicious software, is software that is harmful to a computer system. Malware generally takes the form of worms, viruses, trojans, spyware, adware and rootkits.
At present, malware spreads through various channels on the internet, such as drive-by downloads, social engineering and exploitation of network services, so that users are incited and deceived into using these services. The main purpose of an attacker is to make money from a compromised computer by selling stolen data, sending spam emails and extortion [2]. Anti-virus companies such as Symantec report 4300 malware samples every day, while McAfee reports 12300 malware samples every day [3]. According to a survey by FireEye in June 2013, the proportion of organizations that experienced a malware security incident or network breach in the past year reached 47% [4].
The growth of malware creates a need for malware analysis. Malware analysis techniques help in understanding the risk and severity of the danger posed by a piece of malware. The results of the analysis can be used to take preventive steps against future malware threats. Malware analysis is useful for seeing how malware works and what its nature is. In this study, the malware analysis used is a static method with heuristic detection techniques. The advantage of a static method is that it is faster and safer, because it collects the structure of the malware from the program code itself [5]. Malware analysis with heuristic detection uses information from API calls [13,14]. An API call is a procedure, protocol and tool for building an application. Information from API calls is used to determine the activity of the malware, and that information is then used to classify the malware using heuristic detection techniques. Heuristic detection is a technique that detects malware by searching for commands or instructions that should not exist in an application, which makes it easier to detect types of malware that have not been discovered or known before [5]. The purposes of malware analysis also include knowing the characteristics of the malware and the targets it attacks [6].
Based on these data, to classify types of malware the authors conducted research on malware analysis and classification by running simulations on virtual machines using heuristic detection techniques. The results of this study are therefore an analysis and classification of malware with heuristic detection techniques.

STUDY OF LITERATURE

2.1 Definition of Malware
Malware is a program that has a negative effect on a computer system and runs without the user's permission [7]. Malware is usually developed by irresponsible people such as fraudsters, extortionists, vandals or other criminals whose main goal is to obtain money illegally [8]. Actions usually carried out by malware once it has been installed on or entered a system include [8]:
1. Flooding the computer system or web browser with advertisements.
2. Replicating itself and attacking other files or systems.
3. Installing applications that trigger malware to run without the user's knowledge, which affects computer performance.
4. Locking files or the operating system so that they cannot be used, and forcing the user to make a payment in order to access the files or operating system again.
Different types of malware require different steps or actions to remove them. Avoiding suspicious links and unsafe websites is one way to prevent a computer from being infected with malware.

Malware Classification
According to [4,14-20], malware can be divided into several types:

Backdoor
Malware that installs itself in order to attack computer devices. A backdoor works by entering the system and accessing files illegally. This malware lets users connect to the system and then attacks network traffic to obtain a password [21-24].

Botnet
Almost like a backdoor, but all computers accessed by the attacker receive the same commands, which are managed remotely. The attacker tries to compromise many computers that act as bots and can carry out a large number of spam attacks.

Rootkit
Malware that hides dangerous program code. It is commonly used to hide worms, bots and other malware. Rootkits can delete logs and hide the processes of malware. A rootkit is planted at the kernel level and core level of the operating system, which makes it difficult to detect.

Trojan-Horse
Malware disguised as legitimate software, commonly used by hackers to gain access to user systems.

Worm or virus
Malware that can reproduce itself and infect a user's computer. A virus spreads through programs that have previously been infected and is only active when the program is run, whereas a worm is a stand-alone program that runs without relying on other programs.

Spyware
Malware that is installed on a computer device without the user's knowledge. Spyware causes a reduction in processor speed and network connection speed.

Adware
Adware is an application program that displays advertisements while the program is running, such as pop-up windows and banners.

Malware Analysis
Malware analysis is an investigation of malware that aims to find out the specifics of a piece of malware so that security can be built to protect devices [9]. Heuristic detection is a malware analysis technique that works by searching for commands or instructions, which enables the discovery of new types of malware [10]. The advantages and disadvantages of heuristic detection are as follows [11]:
a. Advantages of heuristic detection:
1. It can observe the behavior of malware to be executed.
2. It has the potential to find unknown malware on the system.
3. It gives an understanding of what may be unexpected in the future.
4. It can be used simultaneously with other analytical techniques.
b. Disadvantages of heuristic detection:
1. It can give false warnings (false positives) to the system because of its more detailed detection.
2. It requires sufficient knowledge to perform the analysis.
3. The analysis process is done manually, so it requires more time.

Application Program Interface (API)
According to Vangie Beal, an API is a procedure, protocol and tool for building an application that determines how software interacts. The advantage of using the Windows API is that it can save time in analysis, but the drawback is a lack of tolerance for errors [12].
Malware generally attacks network functions in running its programs, because in the Windows API the most common communication in an application is through the network [4]. Based on this statement, this research focuses on the network API for analysis. The network API allows an application to communicate with other applications, but it can also be used to access a shared resource [12]. The network API works by looping, so that the network resources of an operating system become full and the computer's performance becomes slower.

RESEARCH METHOD
In this study the method used is explained by means of a conceptual model. A conceptual model identifies the data in the research process so that solutions to the existing problems can be formulated. With the conceptual model, the researchers can explain how a piece of malware is analyzed with heuristic detection techniques so that commands or instructions that have the potential to be malware can be found.
The problem addressed in this research is the growth of malware types on the internet, which makes the operating system of a computer more vulnerable. From this problem, an opportunity arises to reduce vulnerabilities in a computer's operating system by analyzing a program or file that is suspected to be malicious. From the problem and opportunity in this research, an artifact can be produced, namely a malware analysis using heuristic detection techniques.
To perform malware analysis with heuristic detection techniques, concepts and methods are needed that support the analysis. The concepts used include the theory of static analysis, heuristic detection theory and API call theory, while the methods used are literature study and malware analysis. The result is a simulation of malware analysis based on network API calls using the heuristic detection method.

TEST RESULTS AND ANALYSIS

4.1. Testing Using Cuckoo Sandbox
Cuckoo Sandbox is a malware analysis tool that is installed on localhost. The data taken from Cuckoo Sandbox are the network API calls. Figure 1 shows the result of testing one of the malware samples. It can be seen that there is some information on the network APIs used. One of them is the InternetCrackUrlA network API, which handles a link targeted by the malware. The link is a trap so that users access it and hackers can enter the user's computer system.
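As an added illustration (not the paper's own code, nor part of Cuckoo Sandbox), the Python below summarizes the API calls in a Cuckoo-style behavior report the way this section and the network API section describe: it groups calls by the resource they touch (network, registry, file), pulls the URL handed to network APIs such as InternetCrackUrlA, and applies a simple heuristic rule. The report shape, the API grouping table and the rule are assumptions constructed for the example.

```python
import json
from collections import Counter

# Windows APIs grouped by the resource they touch; a small table constructed
# for this example, not taken from the paper or from Cuckoo.
API_GROUPS = {
    "network": {"InternetCrackUrlA", "InternetOpenA", "InternetOpenUrlA",
                "URLDownloadToFileW", "HttpSendRequestA", "connect", "send"},
    "registry": {"RegOpenKeyExA", "RegCreateKeyExA", "RegSetValueExA"},
    "file": {"CreateFileW", "WriteFile", "DeleteFileW", "MoveFileW"},
}

# Constructed sample in the (simplified, assumed) shape of a Cuckoo "behavior"
# section: a list of processes, each with the API calls it made.
SAMPLE_REPORT = json.dumps({"behavior": {"processes": [{
    "process_name": "sample.exe",
    "calls": [
        {"api": "InternetOpenA", "arguments": {"agent": "Mozilla/5.0"}},
        {"api": "InternetCrackUrlA",
         "arguments": {"url": "http://example.invalid/dl/setup.exe"}},
        {"api": "URLDownloadToFileW",
         "arguments": {"url": "http://example.invalid/dl/setup.exe",
                       "filepath": "C:\\Users\\Public\\setup.exe"}},
        {"api": "RegSetValueExA",
         "arguments": {"regkey": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
                       "value": "setup"}},
        {"api": "CreateFileW",
         "arguments": {"filepath": "C:\\Users\\Public\\setup.exe"}},
    ]}]}})

def summarize(report_json):
    """Count calls per resource group and collect URLs passed to network APIs."""
    report = json.loads(report_json)
    counts, urls = Counter(), set()
    for proc in report["behavior"]["processes"]:
        for call in proc["calls"]:
            api, args = call["api"], call.get("arguments", {})
            for group, names in API_GROUPS.items():
                if api in names:
                    counts[group] += 1
            if api in API_GROUPS["network"] and "url" in args:
                urls.add(args["url"])
    return counts, sorted(urls)

def heuristic_verdict(counts):
    """Assumed rule for the example (not the paper's): network activity
    combined with registry or file changes is flagged as suspicious."""
    if counts["network"] and (counts["registry"] or counts["file"]):
        return "suspicious"
    return "network-only" if counts["network"] else "benign"
```

On the constructed sample, the three network calls together with the Run-key write and the dropped file yield the verdict "suspicious", and the extracted URL is the one passed to InternetCrackUrlA and URLDownloadToFileW.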

Testing Using Malwarebytes
Malwarebytes is an antimalware tool for scanning a program. It removes malicious programs before they interfere with user activity.

Testing Using ShowString
ShowString is a tool for viewing the strings contained in a file. The strings can describe how a file performs its job.

Results of Analysis with the Heuristic Detection Method
The analysis using the heuristic detection method is based on the test results detected by Malwarebytes. A graph of the test results follows.
1. PUP.Optional.InstallCore is a bundler that installs adware. Its impact is the display of pop-up advertisements that disturb the user.
2. PUP.Optional.WinYahoo changes the browser's default page. This results in an extension that is automatically installed in the browser and can direct the browser to open a site the user does not want.
3. PUP.Optional.DriverPack is a PUP that automatically installs drivers on a computer system. This can trigger the entry of spyware.
Based on these data, malware that uses the network API has a pattern of behavior such as making changes to the browser, installing unauthorized drivers and displaying pop-ups of unwanted advertisements. Of the three behaviors, spyware activity is the most numerous, so malware that uses the network API tends towards the entry of spyware. The PUPs that are not dominantly detected are:
1. PUP.Optional.DriverToolkit downloads the Driver Toolkit application automatically when a user accesses an insecure website. Users are directed to perform an installation that aims to improve the user's computer operating system.
2. PUP.Optional.ChinAd is adware that displays marketplace sites originating from China. The impact of this malware is browser hijacking, and it can make users misclick while using the browser.
3. PUP.Optional.YouXun is a PUP that downloads a file infected with malware, which leads to malware entering the user's computer device and affects the performance of the device.
PUP.Optional.DriverToolkit and PUP.Optional.YouXun have the same pattern of behavior, which is downloading a file. Both PUPs download automatically without the user's knowledge, but the installation is still done manually, so the user can still prevent the malware programs from being installed on the computer. PUP.Optional.ChinAd is detected only a little, because the adware that usually attacks computer devices is broad: it can display advertisements in the form of pop-ups or new browser tabs that can come from anywhere. Adware that attacks computer devices can also be a gaming site that the user does not want. Figure 5 shows that the places or locations most widely used as malware targets are:
1. Registry key and registry value. If malware attacks these two registry components directly, there will be changes in the operating system, because malware can change the configuration contained in them; for example, the computer cannot shut down, cannot open files that have been hidden, and cannot access some of the applications on the user's computer.
2. Registry data. The impact when the registry data is infected with malware is almost the same as for the registry key and registry value, because the registry data is the actual configuration stored inside the registry value.
3. Files. When a file is infected by malware, the file may not open, or it can be turned into another virus, lost or hidden by the malware that infects it.
Based on the analysis results, all of the detected PUPs can lead to malware, but some PUPs require user action first to run the malware. PUP.Optional.DriverToolkit and PUP.Optional.YouXun are PUPs that require user action first: they only download files automatically without the user's knowledge, but installation requires user approval. The other four PUPs enter the operating system directly and infect it with malware. The biggest impact of malware that uses the network API is the emergence of spyware.

Recommended Analysis Results
Based on the results of the analysis in point 4, the following recommendations for each PUP are obtained. Precautions that can be taken are not accessing insecure websites, using antivirus and antimalware software, and not installing additional applications bundled with the application to be installed.

CONCLUSION
Based on the research on the Impact Analysis of Malware Based on Network API Calls with the Heuristic Detection Method, it can be concluded that:
1. Malware testing can use several environments that function as sandboxes. In this study the Windows operating system is run on VMware, which functions as a sandbox so that the main operating system is not infected. The Windows operating system is used as the target in the analysis using Cuckoo Sandbox.
2. The research results are based on test results from Malwarebytes, which can detect programs that cause malware with the heuristic detection method, and on viewing the malware strings with ShowString.
3. Malware with a network API attacks the operating system's registry keys and carries a program that can cause spyware or adware, which interferes with user activity on the computer device.
4. Recommendations for protecting computer systems: use antivirus or antimalware software, do not install unauthorized applications, do not access insecure websites, and do not install unneeded additional applications when installing an application.