Malware detection with Neptune
In this video recorded at Black Hat USA 2010, Rami Kawach, a software architect at Qualys, talks about Neptune – a project to build an automatic malware analysis engine and deliver it as a free tool.
Neptune intercepts key method invocations inside Internet Explorer's Trident rendering engine and reverse engineers Trident's internal data structures in order to trace JavaScript execution. It also hooks the relevant operating-system entry points so that it can monitor the browser process's activity and its network traffic. Together, these hooks let it detect malicious behavior of the browser while a page is being rendered and peel apart obfuscated JavaScript one layer at a time, recording each decoded stage before it runs. The hooking relies heavily on Detours, the Microsoft library for intercepting arbitrary Win32 binary functions on x86 machines.