Does Every Second Count? Time-based Evolution of Malware Behavior in Sandboxes

Alexander, Küchler,; Mantovani, Alessandro; Han, Yufei; Bilge, Leyla; Balzarotti, Davide

doi:10.14722/ndss.2021.24475

Cited by 29 publications

(17 citation statements)

References 84 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…If we consider the most evasive families (>95%) and we assume that those samples were misclassified by our framework, our framework lost evasion techniques for at least 121 samples. Although, accordingly with Küchler et al [35], most malware samples execute within 2 minutes timeframe. This implies that the execution time should not have a significant effect on our results.…”

Section: Limitationsmentioning

confidence: 91%

“…As done in the previous work [18], we let each sample run for up to 5 minutes, a reasonable time to trigger most of the evasive behaviors that our tool can detect. In fact, a recent study [35] showed that most of the behaviors manifested by malicious samples in a sandbox (and 98% of the executed basic blocks) are observed during the first two minutes of execution. Finally, following the best practices for malware experiments [36], we allowed the samples to communicate with their control servers and denied any potentially harmful traffic (e.g., spam) during the experiments.…”

Section: Datasets and Setupmentioning

confidence: 99%

See 1 more Smart Citation

A Systematical and longitudinal study of evasive behaviors in windows malware

Galloro

Polino

Carminati

et al. 2022

Computers & Security

View full text Add to dashboard Cite

Malware is one of the prevalent security threats. Sandboxes and, more generally, instrumented environments play a crucial role in dynamically analyzing malware samples, providing key threat intelligence results and critical information to update detection mechanisms.In this paper, we study the evasive behaviors employed by malware authors to hide the malicious activity of samples and hinder security analysis. First, we collect and systematize 92 evasive techniques leveraged by Windows malware to detect and thwart instrumented environments (e.g., debuggers and virtual machines). Then, we implement a framework for evasion analysis of x86 binaries and analyze 45,375 malware samples observed in the wild between 2010 and 2019; we compare this analysis against popular, legitimate Windows programs to study the intrinsic characteristics of such evasive behaviors.Based on the results of our experiments, we present statistics about the adoption of evasive techniques and their evolution over time. We show that over the past 10 years, the prevalence of evasive malware samples had a slight increase (12%). Moreover, the employed techniques shifted significantly over time. We also identify techniques that are specific to malware, as opposed to being employed by both malicious and legitimate software. Finally, we study how the security community reacts to the deployment of new evasive techniques. Overall, our results empirically address open research questions and provide insights and directions for future research. Y ea r T a x o n o m y Dynamic-Static Analysis Longit. Malware vs # Evasive # Samples Analysis Goodware Techniques (# Families) Chen et al. [26] 2006 8 6,222 () Lindorfer et al. [14] 2011 14 1,500 (175) Branco et al. [27] 2012 51 4M () Barbosa et al. [28] 2014 51 12M( )

show abstract

Section: Limitationsmentioning

confidence: 91%

Section: Datasets and Setupmentioning

confidence: 99%

A Systematical and longitudinal study of evasive behaviors in windows malware

Galloro

Polino

Carminati

et al. 2022

Computers & Security

View full text Add to dashboard Cite

show abstract

“…We then discarded those samples that less than ten AV flagged as malicious. This choice is conservative compared to previous works (e.g., [43], [28] considered five detections as an indicator of maliciousness), assuring that the dataset is unlikely to contain false positives. We also ensured that no particular malware family was over-represented by limiting each strain to at most 5% of each year's total.…”

Section: A Datasetmentioning

confidence: 99%

“…A recent study by Kuechler et al [43] shows the amount of code executed by malware samples tends to plateau after only two minutes, and very little additional information can be gained by running samples for more extended periods of time. Therefore, we configured our sandbox to execute each sample for five minutes to err on the side of caution.…”

Section: B Analysis Environmentmentioning

confidence: 99%

“…This section presents the analysis results we performed over a dataset of 183, 340 Windows PE samples. In this analysis, we consider that a sample has started if it invoked at least one native API, while we consider it active if it executed at least 50 native API invocations -we adopted the same threshold of Kuechler et al [43]. Before presenting our results, we discuss how False Positives (FP) and Negatives (FN) could affect our measurement.…”

Section: Measurementsmentioning

confidence: 99%

See 1 more Smart Citation

Longitudinal Study of the Prevalence of Malware Evasive Techniques

Maffia¹,

Nisi²,

Kotzias³

et al. 2021

Preprint

Self Cite

View full text Add to dashboard Cite

By their very nature, malware samples employ a variety of techniques to conceal their malicious behavior and hide it from analysis tools. To mitigate the problem, a large number of different evasion techniques have been documented over the years, and PoC implementations have been collected in public frameworks, like the popular Al-Khaser. As malware authors tend to reuse existing approaches, it is common to observe the same evasive techniques in malware samples of different families. However, no measurement study has been conducted to date to assess the adoption and prevalence of evasion techniques.In this paper, we present a large-scale study, conducted by dynamically analyzing more than 180K Windows malware samples, on the evolution of evasive techniques over the years. To perform the experiments, we developed a custom Pin-based Evasive Program Profiler (Pepper), a tool capable of both detecting and circumventing 53 anti-dynamic-analysis techniques of different categories, ranging from anti-debug to virtual machine detection.To observe the phenomenon of evasion from different points of view, we employed four different datasets, including benign files, advanced persistent threat (APTs), malware samples collected over a period of five years, and a recent collection of different families submitted to VirusTotal over a one-month period.

show abstract

Uncovering security vulnerabilities through multiplatform malware analysis

Mohammadi,

Hosseini,

Bahrami

2024

Security and Privacy

View full text Add to dashboard Cite

Cybercriminals, keen on staying anonymous, focus on creating secure connections to hide their activities. This has fueled the rise of malware, especially remote access trojans (RATs), designed to protect themselves for long‐term use and profit. This research investigates how multiplatform malware analysis can expose security weaknesses across Windows, Linux, and macOS systems. We designed and analyzed custom malware to uncover vulnerabilities that attackers could exploit to establish persistent, hidden access. The malware was programmed to bypass detection while performing actions like stealing sensitive data, launching denial‐of‐service attacks, and generating fake website traffic. Controlled lab experiments and real‐world simulations confirmed the malware's ability to operate stealthily on various platforms, highlighting critical security gaps. By uncovering these vulnerabilities, this study provides valuable insights for strengthening cybersecurity defenses.

show abstract

Does Every Second Count? Time-based Evolution of Malware Behavior in Sandboxes

Cited by 29 publications

References 84 publications

A Systematical and longitudinal study of evasive behaviors in windows malware

A Systematical and longitudinal study of evasive behaviors in windows malware

Longitudinal Study of the Prevalence of Malware Evasive Techniques

Uncovering security vulnerabilities through multiplatform malware analysis

Contact Info

Product

Resources

About