Cobra: fine-grained malware analysis using stealth localized-executions

Vasudevan, Amit; Yerraballi, Ramesh

doi:10.1109/sp.2006.9

Cited by 67 publications

(40 citation statements)

References 24 publications

(23 reference statements)

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Vasudevan and Yerraballi proposed Cobra [58], which is a first dynamic analysis system focused on countering antianalysis techniques. Dinaburg et al proposed Ether [24], a transparent sandbox using hardware virtualization extensions such as Intel VT. Those systems focus on how to conceal the existence of analysis mechanisms from malware.…”

Section: Transparent/bare-metal Sandboxesmentioning

confidence: 99%

Evasive Malware via Identifier Implanting

Tanabe

Ueno

Ishii

et al. 2018

Detection of Intrusions and Malware, and Vulnerability Assessment

View full text Add to dashboard Cite

Abstract.To cope with the increasing number of malware attacks that organizations face, anti-malware appliances and sandboxes have become an integral security defense. In particular, appliances have become the de facto standard in the fight against targeted attacks. Yet recent incidents have demonstrated that malware can effectively detect and thus evade sandboxes, resulting in an ongoing arms race between sandbox developers and malware authors.We show how attackers can escape this arms race with what we call customized malware, i.e., malware that only exposes its malicious behavior on a targeted system. We present a web-based reconnaissance strategy, where an actor leaves marks on the target system such that the customized malware can recognize this particular system in a later stage, and only then exposes its malicious behavior. We propose to implant identifiers into the target system, such as unique entries in the browser history, cache, cookies, or the DNS stub resolver cache. We then prototype a customized malware that searches for these implants on the executing environment and denies execution if implants do not exist as expected. This way, sandboxes can be evaded without the need to detect artifacts that witness the existence of sandboxes or a real system environment. Our results show that this prototype remains undetected on commercial malware security appliances, while only exposing its real behavior on the targeted system. To defend against this novel attack, we discuss countermeasures and a responsible disclosure process to allow appliances vendors to prepare for such attacks.

show abstract

Section: Transparent/bare-metal Sandboxesmentioning

confidence: 99%

Evasive Malware via Identifier Implanting

Tanabe

Ueno

Ishii

et al. 2018

Detection of Intrusions and Malware, and Vulnerability Assessment

View full text Add to dashboard Cite

show abstract

“…Cobra, a framework by Vasudevan and Yerraballi [43], is known to be one of the first malware dynamic analysis frameworks with an explicit emphasis on stealth as a design goal, also providing support for self-modifying, self-checking code, and any form of code obfuscation. A somewhat stronger solution was proposed by Dinaburg et al [8].…”

Section: Related Workmentioning

confidence: 99%

CloudIDEA: A Malware Defense Architecture for Cloud Data Centers

Fischer

Kittel

Kolosnjaji

et al. 2015

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. Due to the proliferation of cloud computing, cloud-based systems are becoming an increasingly attractive target for malware. In an Infrastructure-as-a-Service (IaaS) cloud, malware located in a customer's virtual machine (VM) affects not only this customer, but may also attack the cloud infrastructure and other co-hosted customers directly. This paper presents CloudIDEA, an architecture that provides a security service for malware defense in cloud environments. It combines lightweight intrusion monitoring with on-demand isolation, evidence collection, and in-depth analysis of VMs on dedicated analysis hosts. A dynamic decision engine makes on-demand decisions on how to handle suspicious events considering cost-efficiency and quality-of-service constraints.

show abstract

“…A sandbox consists of a virtual machine and a simulated environment which are used to run suspicious executables for a limited time span. Depending on the sequence of actions, the simulated program is classified as malicious or benign [8], [9], [10], [11]. Sandbox-based systems suffer from the same restrictions as HIDS, but additionally monitor a program only over a short timeframe, making them blind towards malware that does not execute its payload right away.…”

Section: Related Workmentioning

confidence: 99%

Proactive Detection of Computer Worms Using Model Checking

Kinder

Katzenbeisser

Schallhart

et al. 2010

IEEE Trans. Dependable and Secure Comput.

View full text Add to dashboard Cite

Abstract-Although recent estimates are speaking of 200,000 different viruses, worms, and Trojan horses, the majority of them are variants of previously existing malware. As these variants mostly differ in their binary representation rather than their functionality, they can be recognized by analyzing the program behavior, even though they are not covered by the signature databases of current antivirus tools. Proactive malware detectors mitigate this risk by detection procedures which use a single signature to detect whole classes of functionally related malware without signature updates. It is evident that the quality of proactive detection procedures depends on their ability to analyze the semantics of the binary. In this paper, we propose the use of model checking-a well established software verification technique-for proactive malware detection. We describe a tool which extracts an annotated control flow graph from the binary and automatically verifies it against a formal malware specification. To this end, we introduce the new specification language CTPL, which balances the high expressive power needed for malware signatures with efficient model checking algorithms. Our experiments demonstrate that our technique indeed is able to recognize variants of existing malware with a low risk of false positives.

show abstract

Cobra: fine-grained malware analysis using stealth localized-executions

Cited by 67 publications

References 24 publications

Evasive Malware via Identifier Implanting

Evasive Malware via Identifier Implanting

CloudIDEA: A Malware Defense Architecture for Cloud Data Centers

Proactive Detection of Computer Worms Using Model Checking

Contact Info

Product

Resources

About