I just read about the tool Malheur designed for malware analysis. It looks interesting, I don’t know what other tools like this one are out there (if you know some of them, please leave a comment) but it is worth some minutes to read through their page.

After thinking some minutes about their approach using the MIST (malware instruction set) would the software still detect the malicious behaviour if instead of calling a function inside the software itself to create a new process with the according parameters.

instead of collecting all sensitive data and transferring it to the dropzone and triggering the alarm bell separating these two functions by calling :

malware.exe -collect >output.txt
malware -drop output.txt

I implemented it like that inside the SkypeTrojan.

Malheur is a tool for automatic analysis of program behavior recorded from malware. It has been designed to support the regular analysis of malicious software and the development of detection and defense measures.

Malheur allows for identifying novel classes of malware with similar behavior and assigning unknown malware to discovered classes.

Malheur builds on the concept of dynamic analysis: Malware binaries are collected in the wild and executed in a sandbox, where their behavior is monitored during run-time. The execution of each malware binary results in a report of recorded behavior. Malheur analyzes these reports for discovery and discrimination of malware classes using machine learning techniques.

Malheur can be applied to recorded behavior of various format, as long as monitored events are separated by delimiter symbols, for example as in reports generated by the popular malware sandboxes CWSandbox, Anubis, Norman Sandbox and Joebox.