Research area: Analysis
Conference: International Conference on Computer Applications in Industry and Engineering
There has been an increasing number of malicious open-source packages in recent years. A recent backdoor attack on the Linux xz utility has highlighted the importance of security checks on open-source packages, especially popular ones. While major security scanners focus on identifying vulnerabilities (CVEs) in open-source packages, there are very few studies on malware analysis techniques for them. As with traditional malware analysis, there are two types of analysis for open-source packages: static and dynamic. Static analysis techniques mainly analyze the source code of a package, whereas dynamic analysis techniques execute the code in an isolated environment. Dynamic analysis seems more promising than static analysis, as it can expose a package's behavior at runtime. However, current dynamic analysis tools (e.g., package-analysis) make minimal effort to provide insight into the behaviors of open-source packages. In this paper, we analyze the dynamic behaviors of open-source packages on popular package repositories, including npm, PyPI, RubyGems, Packagist, and crates.io. We also analyze the discrepancies in runtime behavior between benign and malicious packages, which is helpful in building rules for malware detection. Our study finds that malicious packages perform a significantly higher number of domain communications and command executions. Malicious packages rely on simple techniques for their malicious operations, such as base64 or curl.
| Publication year | 2024 |
|---|---|
| Citations | 0 |
| Publication country | Vietnam, Andorra |
| Site | Springer |
| Likes | 0 |