A Systematical and longitudinal study of evasive behaviors in windows malware

Galloro, Nicola; Polino, Mario; Carminati, Michele; Continella, Andrea; Zanero, Stefano

doi:10.1016/j.cose.2021.102550

Cited by 31 publications

(46 citation statements)

References 23 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Anti-debugging and anti-virtualization techniques used in early malware [10] employ numerous evasion methods to hide or reduce malicious activities. These anti-detection methods are analyzed comprehensively in the recent study by Galloro et al [32] where over 92 classes of evasive techniques executed by modern malware.…”

Section: Related Workmentioning

confidence: 99%

HyperDbg: Reinventing Hardware-Assisted Debugging

Karvandi¹,

Gholamrezaei²,

Monfared³

et al. 2022

Preprint

View full text Add to dashboard Cite

Software analysis, debugging, and reverse engineering have a crucial impact in today’s software industry. Efficient and stealthy debuggers are especially relevant for malware analysis. However, existing debugging platforms fail to address a transparent, effective, and high-performance low-level debugger due to their detectable fingerprints, complexity, and implementation restrictions. In this paper, we present HyperDbg, a new hypervisor-assisted debugger for high-performance and stealthy debugging of user and kernel applications. To accomplish this, HyperDbg relies on state-of-the-art hardware features available in today’s CPUs, such as VT-x and extended page tables. In contrast to other widely used existing debuggers, we design HyperDbg using a custom hypervisor, making it independent of OS functionality or API. We propose hardware-based instruction-level emulation and OS-level API hooking via extended page tables to increase the stealthiness. Our results of the dynamic analysis of 10,853 malware samples show that HyperDbg’s stealthiness allows debugging on average 22% and 26% more samples than WinDbg and x64dbg, respectively. Moreover, in contrast to existing debuggers, HyperDbg is not detected by any of the 13 tested packers and protectors. We improve the performance over other debuggers by deploying a VMX-compatible script engine, eliminating unnecessary context switches. Our experiment on three concrete debugging scenarios shows that compared to WinDbg as the only kernel debugger, HyperDbg performs step-in, conditional breaks, and syscall recording, 2.98x, 1319x, and 2018x faster, respectively. We finally show real-world applications, such as a 0-day analysis, structure reconstruction for reverse engineering, software performance analysis, and code-coverage analysis.

show abstract

Section: Related Workmentioning

confidence: 99%

HyperDbg: Reinventing Hardware-Assisted Debugging

Karvandi¹,

Gholamrezaei²,

Monfared³

et al. 2022

Preprint

View full text Add to dashboard Cite

show abstract

“…If malware detects that it is being analyzed, it can cease execution, execute misleading behavior and hide its malicious intent. This delays classi cation of new malware, allowing it more time to in ict damage or extort more ransoms 18,19 . Evasive malware is widespread and uses varied obfuscation and anti-analysis techniques to defeat widely used static and dynamic analysis tools 10,[19][20][21] .…”

Section: Introductionmentioning

confidence: 99%

“…This delays classi cation of new malware, allowing it more time to in ict damage or extort more ransoms 18,19 . Evasive malware is widespread and uses varied obfuscation and anti-analysis techniques to defeat widely used static and dynamic analysis tools 10,[19][20][21] . Obfuscation is a technique used by malware authors to conceal the true intent and functionality of malicious code and involves modifying the malware using packing, encoding, metamorphism and polymorphism, which are all widely used and severely limit static analysis 3,11,22,23 .…”

Section: Introductionmentioning

confidence: 99%

“…Evasive malware is ubiquitous, Galloro, et al 19 and Sharma, et al 26 found that anti-analysis techniques were present in 80% and 99.36% of the malware samples they examined, respectively. Additionally, Ma a, et al 23 demonstrated that 68% of the malware samples they analyzed employed various forms of obfuscation, signi cantly limiting static analysis to the extent that it is not a viable option for malware analysis.…”

Section: Introductionmentioning

confidence: 99%

“…Dynamic analysis tools that include DBI, debuggers and sandboxes execute the malware or benign software in a controlled environment and are summarized in SupplementaryTable 1 30,31 . The anti-analysis techniques that target dynamic analysis tools are numerous and if the malware makes a determination it is under analysis it can hide it malicious intent, execute misleading behavior or cease execution 19,30 . Malware can probe its environment using Application Programming Interface (API) calls that interact with the user space of the Operating System (OS) and System calls that interact with the kernel, that is the core, of the OS.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Defeating Evasive Malware with Peekaboo: Extracting Authentic Malware Behavior with Dynamic Binary Instrumentation

Gaber,

Ahmed,

Janicke

2024

Preprint

View full text Add to dashboard Cite

The accuracy of Artificial Intelligence (AI) in malware detection is dependent on the features it is trained with, where the quality and authenticity of these features is dependent on the dataset and the analysis tool. Evasive malware, that alters its behavior in analysis environments, is challenging to extract authentic features from where widely used static and dynamic analysis tools have several limitations. However, Dynamic Binary Instrumentation (DBI) allows deep and precise control of the malware sample, thereby facilitating the extraction of authentic behavior from evasive malware. Considering the limitations of malware analysis for use with AI, this research had two primary objectives: investigation of the evasive techniques used by modern malware and the creation of Peekaboo, a DBI tool to extract authentic data from live malware samples. Peekaboo instruments and defeats evasive techniques that target analysis tools and virtual environments. A dataset of 20,500 samples was assembled and each sample was run for up to 15 minutes to observe not only the anti-analysis techniques used but also its complete behavior. Peekaboo outperforms other tools on several fronts, it is the only tool to measure start and completion rates, capture the executed Assembly (ASM) instructions, record all network traffic and implements the largest coverage against evasive techniques.

show abstract

A Research on Countering Virtual Machine Evasion Techniques of Malware in Dynamic Analysis

Nep

Cam²

2022

Intelligent Computing &Amp; Optimization

View full text Add to dashboard Cite

A Systematical and longitudinal study of evasive behaviors in windows malware

Cited by 31 publications

References 23 publications

HyperDbg: Reinventing Hardware-Assisted Debugging

HyperDbg: Reinventing Hardware-Assisted Debugging

Defeating Evasive Malware with Peekaboo: Extracting Authentic Malware Behavior with Dynamic Binary Instrumentation

A Research on Countering Virtual Machine Evasion Techniques of Malware in Dynamic Analysis

Contact Info

Product

Resources

About