Dynamic Malware Analysis in the Modern Era—A State of the Art Survey

Or-Meir, Ori; Nissim, Nir; Elovici, Yuval; Rokach, Lior

doi:10.1145/3329786

Cited by 216 publications

(128 citation statements)

References 72 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Whilst seemingly trivial, these evasion techniques are increasingly used to determine whether the environment is a genuine target (i.e., a real system with a real user). Common evasion techniques may include system artefact checks, including the use of registry edits and virtual environment processes ( [2,4,[19][20][21][22][23][24][25][26]), trigger-based behaviour ( [4,19,20,[26][27][28]) and checks for human interaction ( [4,19,20,26,[29][30][31]).…”

Section: Evasion and Anti-evasion Methodsmentioning

confidence: 99%

“…Malware analysis aims to study the traits and characteristics of malicious software, so that those tasked with defending computer systems can better understand the nature of an intended malicious attack and defend against future attacks. Common techniques include static analysis that examines software source code and dynamic analysis that observes system behaviours when the malware executes [1,2]. Moser et al discussed the limits to adopting static analysis methods [3] such as code obfuscation techniques and it has long been recognised that dynamic analysis allows for greater understanding of how malware behaves in a given environment.…”

Section: Introductionmentioning

confidence: 99%

“…Moser et al discussed the limits to adopting static analysis methods [3] such as code obfuscation techniques and it has long been recognised that dynamic analysis allows for greater understanding of how malware behaves in a given environment. Virtual Machines (VMs) are widely used as sandbox environments for dynamic malware analysis [2], so that activity can be safely contained in a virtual environment during malware execution so as to not cause damage to genuine production systems or users. All the while, malware development has become more sophisticated with greater measures being taken by malware developers to check the authenticity of the operating environment before executing an attack, often described as context-aware malware or sandbox evasion.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Investigating Anti-Evasion Malware Triggers Using Automated Sandbox Reconfiguration Techniques

Mills¹,

Legg²

2020

Preprint

View full text Add to dashboard Cite

Malware analysis is fundamental for defending against prevalent cyber security threats, and requires a means to deploy and study behavioural software traits as more sophisticated malware is developed. Traditionally, virtual machines are used to provide an environment that is isolated from production systems so as to not cause any adverse impact on existing infrastructure. Malware developers are fully aware of this and so will often develop evasion techniques to avoid detection within sandbox environments. In this paper, we conduct an investigation into anti-evasion malware triggers for uncovering malware behaviours that may act benign when they detect a traditional sandbox environment. To facilitate our investigation, we developed a dynamic sandbox reconfiguration tool called MORRIGU that couples together both automated and human-driven analysis for anti-evasion configuration testing, along with a visual analytics view for examining system behaviours and performing comparative analysis. Our study reveals a variety of anti-evasion traits that are shared amongst different malware families, such as sandbox `wear-and-tear’, and Reverse Turing Tests (RTT), as well as more sophisticated malware samples that require multiple anti-evasion checks to be deployed. Using a systematic testing approach such as MORRIGU enables test coverage of anti-evasion methods, whilst also offering flexibility for further human-driven analysis of additional evasion methods. We also perform a comparative study against automated analysis using Cuckoo sandbox to show that automated scoring alone can not reliably inform on the presence of evasive malware, hence requiring a more sophisticated anti-evasive testing approach. With a greater understanding of anti-evasion malware triggers and with appropriate tools to explore these in an effective and efficient manner, this study helps to advance research on how evasive malware is being utilised to evade analysis so that we can better defend against future attacks.

show abstract

Section: Evasion and Anti-evasion Methodsmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Investigating Anti-Evasion Malware Triggers Using Automated Sandbox Reconfiguration Techniques

Mills¹,

Legg²

2020

Preprint

View full text Add to dashboard Cite

show abstract

“…There are various spyware and trojans that can either eavesdrop and modify users' messages, both on smartphones like Android [10], such as Trojan-Spy.SymbOS.Flexispy [11] and others; and on computers, like sniffers [12]. Such malware, running on promiscuous mode, commonly sniffs every packet received and sent by all Network Interface Cards (NICs) of the infected device, being able to read their payloads if they are transmitted in clear text.…”

Section: Problem Statementmentioning

confidence: 99%

Securing Instant Messages With Hardware-Based Cryptography and Authentication in Browser Extension

et al. 2020

View full text Add to dashboard Cite

Instant Messaging (IM) provides near-real-time communication between users, which has shown to be a valuable tool for internal communication in companies and for general-purpose interaction among people. IM systems and supporting protocols, however, must consider security aspects to guarantee the messages' authenticity, confidentiality, and integrity. In this paper, we present a solution for integrating hardware-based public key cryptography into Converse.js, an open-source IM client for browsers enabled with the Extensible Messaging and Presence Protocol (XMPP). The proposal is developed as a plugin for Converse.js, thus overriding the original functions of the client; and a browser extension that is triggered by the plugin and is responsible for calling the encryption and decryption services for each sent and received message. This integrated artifact allowed the experimental validation of the proposal providing authenticity of IM users with digital certificates and protection of IM messages with hardware-based cryptography. Results also shows the proposed systems is resistent to adversarial attacks against confidentiality and integrity and it is secure when considering cryptrographic tests like the Hamming distance and the NIST SP800-22.

show abstract

“…The aim is to look for changes in the infected machine where it is running, network traffic and potential external communications with command and control servers. It can be done manually in a virtual or physical environment using different tools that collect the data of its interaction with the machine infected or automatically by "Sandbox" toolset [17].…”

Section: Introductionmentioning

confidence: 99%

Systematic Approach to Malware Analysis (SAMA)

et al. 2020

View full text Add to dashboard Cite

Featured Application: The systematic and methodological process of analysis described in this document will provide a complete understanding of the life cycle of a malware specimen in terms of its behavior, operation, interaction with the environment, methods of concealment and obfuscation, system updates, and communications.Abstract: Malware threats pose new challenges to analytic and reverse engineering tasks. It is needed for a systematic approach to that analysis, in an attempt to fully uncover their underlying attack vectors and techniques and find commonalities between them. In this paper, a method of malware analysis is described, together with a report of its application to the case of Flame and Red October. The method has also been used by different analysts to analyze other malware threats like 'Stuxnet', 'Dark Comet', 'Poison Ivy', 'Locky', 'Careto', and 'Sofacy Carberp'. The method presented in this work is a systematic and methodological process of analysis, whose main objective is the acquisition of knowledge as well as to gain a full understanding of a particular malware. Using the proposed method to analyze two well-known malware as 'Flame' and 'Red October' will help to understand the added value of the method.

show abstract

Dynamic Malware Analysis in the Modern Era—A State of the Art Survey

Cited by 216 publications

References 72 publications

Investigating Anti-Evasion Malware Triggers Using Automated Sandbox Reconfiguration Techniques

Investigating Anti-Evasion Malware Triggers Using Automated Sandbox Reconfiguration Techniques

Securing Instant Messages With Hardware-Based Cryptography and Authentication in Browser Extension

Systematic Approach to Malware Analysis (SAMA)

Contact Info

Product

Resources

About