API Chaser: Anti-analysis Resistant Malware Analyzer

Self Cite

We propose a design and implementation for an Application Programming Interface (API) monitoring system called API Chaser, which is resistant to evasion-type anti-analysis techniques, e.g., stolen code and code injection. The core technique in API Chaser is code tainting, which enables us to identify precisely the execution of monitored instructions by propagating three types of taint tags added to the codes of API, malware, and benign executables, respectively. Additionally, we introduce taint-based control transfer interception, which is a technique to capture precisely API calls invoked from evasive malware. We evaluate API Chaser based on several real-world and synthetic malware to demonstrate the accuracy of our API hooking technique. We also perform a large-scale malware experiment by analyzing 8,897 malware samples to show the practical capability of API Chaser. These experimental results show that 701 out of 8,897 malware samples employ hook evasion techniques to hide specific API calls, while 344 malware ones use target evasion techniques to hide the source of API calls.

Section: Synthetic Malware Experimentsmentioning

confidence: 99%

“…The first version of this paper was published in 2013 [25]. We have mainly two advances with this paper, compared to the first one.…”

Section: Introductionmentioning

confidence: 97%

API Chaser: Taint-Assisted Sandbox for Evasive Malware Analysis

Kawakoya¹,

Shioji²,

Miyoshi³

2019

Self Cite

“…To overcome stolen code, as shown in Fig. 1 (c), Kawakoya et al [9] proposed a technique of tracking the movement of API code with taint analysis. Their technique sets taint tags on API code and tracks them by propagating the tags to identify the position of copied instructions.…”

Section: Api De-obfuscationmentioning

confidence: 99%

“…API Chaser [9] relates code with the API name before starting an analysis by setting taint tags containing the API name on the code. It then keeps track of its relationship by propagating the tags during its analysis.…”

Section: Other De-obfuscation Techniquesmentioning

confidence: 99%

Stealth Loader: Trace-free Program Loading for Analysis Evasion

Kawakoya¹,

Shioji²,

Otsuki³

et al. 2018

Self Cite

Understanding how application programming interfaces (APIs) are used in a program plays an important role in malware analysis. This, however, has resulted in an endless battle between malware authors and malware analysts around the development of API [de]obfuscation techniques over the last few decades. Our goal in this paper is to show the limit of existing API de-obfuscation techniques. To do that, we first analyzed existing API [de]obfuscation techniques and clarified that an attack vector commonly exists in these techniques; then, we present Stealth Loader, which is a program loader to bypass all existing API de-obfuscation techniques. The core idea of Stealth Loader is to load a dynamic link library (DLL) and resolve its dependency without leaving any traces on memory to be detected. We demonstrated the effectiveness of Stealth Loader by analyzing a set of Windows executables and malware protected with Stealth Loader using major dynamic and static analysis tools. The results indicate that among other obfuscation tools, only Stealth Loader is able to successfully bypass all analysis tools.

“…API Chaser [14] is a malware analysis system that provides anti-analysis resistant API monitoring. This system incorporates numerous techniques to prevent malware from evading analysis.…”

Section: Related Workmentioning

confidence: 99%

Checkpointing an Operating System Using a Parapass-through Hypervisor

Oyama

Kawasaki

Takahashi

2015

Abstract:Many dynamic malware analysis systems based on hypervisors have been proposed. Although they support malware analysis effectively, many of them have a shortcoming that permits the malware to easily recognize the virtualized hardware and change its execution to prevent analysis. We contend that this drawback can be mitigated using a hypervisor that virtualizes the minimum number of hardware accesses. This paper proposes a hypervisor-based mechanism that can function as a building block for dynamic malware analysis systems. The mechanism provides the facility for checkpointing and restoring a guest OS. It is designed for a parapass-through hypervisor, that is, a hypervisor that runs directly on the hardware and does not execute a host OS or an administrative guest OS. The advantage of using a parapass-through hypervisor is that it provides a virtual machine whose hardware configuration and behavior is similar to the underlying physical machine, and hence, it can be stealthier than other hypervisors. We extend the parapassthrough hypervisor BitVisor with the proposed mechanism, and demonstrate that the resulting system can successfully checkpoint and restore the states of Linux and Windows OSes. We confirm that hypervisor detectors running on the system cannot identify the virtualized hardware, and determine that they are executing on a physical machine. We also confirm that the system imposes minimal overhead on the execution times of the benchmark programs.