Evasive Malware via Identifier Implanting

Tanabe, Rui; Ueno, Wataru; Ishii, Kou; Yoshioka, Katsunari; Matsumoto, Tsutomu; Kasama, Takahiro; Inoue, Daisuke; Rossow, Christian

doi:10.1007/978-3-319-93411-2_8

Cited by 9 publications

(4 citation statements)

References 28 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Unfortunately, the behavior-based methods can be evaded by mimicry attacks, when the malicious code is embedded in a program that behaves properly. Furthermore, advanced malware is able to detect the presence of the sandbox and will try to avoid detection by limiting its activity [106].…”

Section: B Behavior-based Methodsmentioning

confidence: 99%

Tight Arms Race: Overview of Current Malware Threats and Trends in Their Detection

Caviglione

Choraś

Corona³

et al. 2021

IEEE Access

View full text Add to dashboard Cite

Section: B Behavior-based Methodsmentioning

confidence: 99%

Tight Arms Race: Overview of Current Malware Threats and Trends in Their Detection

Caviglione

Choraś

Corona³

et al. 2021

IEEE Access

View full text Add to dashboard Cite

“…There is a significant body of research [81,23,72,25,48,38,71] focusing on both designing novel evasion techniques for malware and also providing mechanisms to detect them. We next discuss the most relevant works related to ours.…”

Section: Related Workmentioning

confidence: 99%

POW-HOW: An enduring timing side-channel to evade online malware sandboxes

Nappa¹,

Papadopoulos²,

Varvello³

et al. 2021

Preprint

View full text Add to dashboard Cite

Online malware scanners are one of the best weapons in the arsenal of cybersecurity companies and researchers. A fundamental part of such systems is the sandbox that provides an instrumented and isolated environment (virtualized or emulated) for any user to upload and run unknown artifacts and identify potentially malicious behaviors. The provided API and the wealth of information in the reports produced by these services have also helped attackers test the efficacy of numerous techniques to make malware hard to detect. The most common technique used by malware for evading the analysis system is to monitor the execution environment, detect the presence of any debugging artifacts, and hide its malicious behavior if needed. This is usually achieved by looking for signals suggesting that the execution environment does not belong to a the native machine, such as specific memory patterns or behavioral traits of certain CPU instructions. In this paper, we show how an attacker can evade detection on such online services by incorporating a Proof-of-Work (PoW) algorithm into a malware sample. Specifically, we leverage the asymptotic behavior of the computational cost of PoW algorithms when they run on some classes of hardware platforms to effectively detect a non bare-metal environment of the malware sandbox analyzer. To prove the validity of this intuition, we design and implement the POW-HOW framework, a tool to automatically implement sandbox detection strategies and embed a test evasion program into an arbitrary malware sample. Our empirical evaluation shows that the proposed evasion technique is durable, hard to fingerprint, and reduces existing malware detection rate by a factor of 10. Moreover, we show how bare-metal environments cannot scale with actual malware submissions rates for consumer services.

show abstract

“…For example, if a sample is executed under both VMWare [67] and VirtualBox [47], and the VMWare instance does not exhibit malicious behavior, one can conclude that the sample detects VMWare-specific artifacts (e.g., [49]). Many techniques, from machine learning [50] to symbolic execution and traces [26] to hybrid dynamic analyses [40], among others, have been proposed to tackle this problem of environment-aware malware-even as new black hat approaches for more insidious stealthy evasion (e.g., [45], [65]) are proposed as well.…”

Section: Introductionmentioning

confidence: 99%

MIMOSA: Reducing Malware Analysis Overhead with Coverings

Ahmadi,

Leach,

Dougherty

et al. 2021

Preprint

View full text Add to dashboard Cite

There is a growing body of malware samples that evade automated analysis and detection tools. Malware may measure fingerprints ("artifacts") of the underlying analysis tool or environment, and change their behavior when artifacts are detected. While analysis tools can mitigate artifacts to reduce exposure, such concealment is expensive. However, not every sample checks for every type of artifact-analysis efficiency can be improved by mitigating only those artifacts most likely to be used by a sample. Using that insight, we propose MIMOSA, a system which identifies a small set of "covering" tool configurations that collectively defeat most malware samples with increased efficiency. MIMOSA identifies a set of tool configurations which maximize analysis throughput and detection accuracy while minimizing manual effort, enabling scalable automation for analyzing stealthy malware. We evaluate our approach against a benchmark of 1535 labeled stealthy malware samples. Our approach increases analysis throughput over the state of the art on over 95% of these samples. We also investigate cost-benefit tradeoffs between the fraction of successfully-analyzed samples and computing resources required. MIMOSA provides a practical, tunable method for efficiently deploying analysis resources.

show abstract

Evasive Malware via Identifier Implanting

Cited by 9 publications

References 28 publications

Tight Arms Race: Overview of Current Malware Threats and Trends in Their Detection

Tight Arms Race: Overview of Current Malware Threats and Trends in Their Detection

POW-HOW: An enduring timing side-channel to evade online malware sandboxes

MIMOSA: Reducing Malware Analysis Overhead with Coverings

Contact Info

Product

Resources

About