Malware Sandbox Analysis for Secure Observation of Vulnerability Exploitation

Yoshioka, Katsunari; Inoue, Daisuke; Eto, Masashi; Yuji, Hoshizawa; Nogawa, Hiroki; Nakao, Koji

doi:10.1587/transinf.e92.d.955

Cited by 5 publications

(4 citation statements)

References 6 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In this case, the focus of the work is on the design of the sandbox itself. Examples in this category are papers that describe new network-oriented sandboxes [44], [45], [108], [109] or those describing the use of hypervisor techniques [56]. Overall, we believe that for these papers the short execution time was not critical for the overall contribution.…”

Section: B Impact On Prior Workmentioning

confidence: 99%

“…Some were explicitly designed to improve or propose new sandbox techniques, while others simply relied on sandboxes to collect data to perform other experiments -such as modeling the behavior of samples, extracting new detection signatures, train a classifier, or report on the internals of certain malware characteristics (such as packing, use of encryption, etc.). [44]- [46], [94], [109] 1 2 [56], [108] 2 14 [21], [26], [35], [40], [43], [52], [70], [85], [91], [95], [100], [101], [105], [110] 3 7 [15], [65]- [67], [71], [81], [93] 4 1 [58] 5 13 [12], [13], [23], [29], [38], [50], [51], [69], [78], [88], [92], [102], [106] 8 2 [20], [89] 10 7 [24], [25], [36], [41], …”

Section: A Research Experimentsmentioning

confidence: 99%

See 1 more Smart Citation

Does Every Second Count? Time-based Evolution of Malware Behavior in Sandboxes

Alexander¹,

Mantovani²,

Han

et al. 2021

Proceedings 2021 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

The amount of time in which a sample is executed is one of the key parameters of a malware analysis sandbox. Setting the threshold too high hinders the scalability and reduces the number of samples that can be analyzed in a day; too low and the samples may not have the time to show their malicious behavior, thus reducing the amount and quality of the collected data. Therefore, an analyst needs to find the 'sweet spot' that allows to collect only the minimum amount of information required to properly classify each sample. Anything more is wasting resources, anything less is jeopardizing the experiments. Despite its importance, there are no clear guidelines on how to choose this parameter, nor experiments that can help companies to assess the pros and cons of a choice over another. To fill this gap, in this paper we provide the first large-scale study of the impact that the execution time has on both the amount and the quality of the collected events. We measure the evolution of system calls and code coverage, to draw a precise picture of the fraction of runtime behavior we can expect to observe in a sandbox. Finally, we implemented a machine learning based malware detection method, and applied it to the data collected in different time windows, to also report on the relevance of the events observed at different points in time. Our results show that most samples run for either less than two minutes or for more than ten. However, most of the behavior (and 98% of the executed basic blocks) are observed during the first two minutes of execution, which is also the time windows that result in a higher accuracy of our ML classifier. We believe this information can help future researchers and industrial sandboxes to better tune their analysis systems.

show abstract

Section: B Impact On Prior Workmentioning

confidence: 99%

Section: A Research Experimentsmentioning

confidence: 99%

Does Every Second Count? Time-based Evolution of Malware Behavior in Sandboxes

Alexander¹,

Mantovani²,

Han

et al. 2021

Proceedings 2021 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

show abstract

“…However, it attacks with an implemented pre-defined window APIs in the emulator that will return a result inconsequent compared to the executed results outside the emulator [20]. For example, usually opening an unreal URL will return 'true', but it would return an error in multi-processor function, the main purpose behind this work is to highlight the gap between the emulator of the sand box and the APIs implementation of a fully operating system and use these vulnerabilities to evade the detection [21].…”

Section: Literature Reviewmentioning

confidence: 99%

A Malware Obfuscation AI Technique to Evade Antivirus Detection in Counter Forensic Domain

Mawgoud

Rady

Tawfik

2020

Enabling AI Applications in Data Science

View full text Add to dashboard Cite

“…However, the 32-bit Windows executable file output by our system disguises the name of the executable file, as does the application software that would open the document file. Their tool might be able to analyze the 32-bit Windows executable file output by our system, even though we expect that the output executable file would be analyzed via the environment proposed by Inoue and Yoshioka [11]- [13].…”

Section: Shellcode Analysismentioning

confidence: 99%

A Method for Shellcode Extractionfrom Malicious Document Files Using Entropy and Emulation

Iwamoto¹,

Wasaki²

2016

IJET

View full text Add to dashboard Cite

Abstract-We propose a method for the dynamic analysis of malicious documents that can exploit various types of vulnerability in applications. Static analysis of a document can be used to identify the type of vulnerability involved. However, it can be difficult to identify unknown vulnerabilities, and the application may not be available even if we could identify the vulnerability. In fact, malicious code that is executed after the exploitation may not have a relationship with the type of vulnerability in many cases. In this paper, we propose a method that extracts and executes "shellcode" to analyze malicious documents without requiring identification of the vulnerability or the application. Our system extracts shellcode by executing byte sequences to observe the features of a document file in a priority order decided on the basis of entropy.Our system was used to analyze 88 malware samples and was able to extract shellcode from 74 samples. of these, 51 extracted shellcodes behaved as malicious software according to dynamic analysis.Index Terms-Malware, shellcode, entropy, dynamic analysis, vulnerability. I. INTRODUCTIONAt the start of a typical attack aimed at stealing information from a targeted organization, a piece of malware is supplied by targeted email [1]. An email is sent to a specific person, and often has an attached document file containing malicious code. The victim may then open the document file and execute the malicious code without knowing that it was created for attacking purposes. As a part of measures to deal with targeted attacks, we would like to analyze the behavior of malicious code via dynamic analysis.It is often not possible to use dynamic analysis directly, because we cannot reproduce an appropriate vulnerable environment. The reason for this is that the vulnerability usually depends on the environment of the operating system (OS) or the application software. However, versatile malicious code (or "shellcode"), which often does not depend on a specific OS or application software, can be executed. Therefore, our system extracts shellcode from the document file to analyze the malicious document. It then outputs an executable file containing shellcode to enable dynamic analysis.Before building our system, we conducted a preliminary survey of malware samples that we had already analyzed. In this preliminary survey, we determined parameter values for Manuscript received September 24, 2014; revised November 20, 2014. Kazuki Iwamoto is with Advanced Research Laboratory at SecureBrain Corporation, Kojimachi RK Building 4F 2-6-7 Kojimachi, Chiyoda-ku Tokyo, Japan (e-mail: kazuki_iwamoto@securebrain.co.jp).Katsumi Wasaki is with Interdisciplinary Graduate School of Science and Technology, Shinshu University, 4-17-1 Wakazato, Nagano-shi, Japan (e-mail: wasaki@cs.shinshu-u.ac.jp).calculating the entropy, an algorithm for shellcode priority and byte sequences to be excluded from the document file. Our system executes those byte sequences that are shellcode candidates and observes their behavior to ...

show abstract

Malware Sandbox Analysis for Secure Observation of Vulnerability Exploitation

Cited by 5 publications

References 6 publications

Does Every Second Count? Time-based Evolution of Malware Behavior in Sandboxes

Does Every Second Count? Time-based Evolution of Malware Behavior in Sandboxes

A Malware Obfuscation AI Technique to Evade Antivirus Detection in Counter Forensic Domain

A Method for Shellcode Extractionfrom Malicious Document Files Using Entropy and Emulation

Contact Info

Product

Resources

About