Windows malware cataloged by API calls
A newly launched project aims to catalog Windows malware samples based on the APIs the malicious code relies upon.
MalAPI.io, was created by a security researcher with the handle mr.d0x to offer a different perspective on malicious code by cataloging malware through how it works, instead of through a process of reverse engineering.
The researcher is trawling through malware source code written in C/C++ that utilizes WinAPIs and categorizing them.
The aim is to create a resource that mr.d0x said will be useful to both security researchers and pen testers.
“This project can be helpful for ones developing (for legal purposes) or reverse-engineering malware,” mr.d0x told The Daily Swig.
“You can turn mapping mode on which allows you to highlight the APIs used, and when you’re done simply click ‘export table’ to download an image of the table.”
“With this approach, people are able to discover what the Windows APIs do from a security perspective. There’s no real place out there that shows what Windows APIs can be used for from this perspective,” according to mr.d0x.
The MalAPI.io project launched on October 31, to positive initial responses from other security researchers on Twitter.
In the same way that projects including the Mitre ATT&CK Framework can be used to map a network-based assault, MalAPI.io might lend itself to charting attacks based on malicious code.
For now, the project is still only in its early stage and far from complete. Its creator is currently seeking to engage other members of the infosec community to get involved in the project.
“I am looking to get the community involved in this because there's tons of APIs out there, some that I may not even know about,” mr.d0x explained. “With people contributing we can make this [MalAPI.io] a centralized place where everyone can go for knowledge about Windows APIs.”
The security researcher expressed the hope that the project might lead onto the development of better security defences.
“I see it as being beneficial to almost everyone in the infosec community, whether you simply want to learn or if you're doing security-related work,” mr.d0x said.
“For example, pen testers or red teamers can use this to find APIs to use during an engagement if they're building a binary.
“Security researchers working at AV/EDR [antivirus/ end-point detection and response] companies can use the list of APIs to create better detection rules. I think the possibilities for use are numerous.”