Measuring and Defeating Anti-Instrumentation-Equipped Malware

Polino, Mario; Continella, Andrea; Mariani, Sebastiano; D’Alessio, Stefano; Fontana, Lorenzo; Gritti, Fabio; Zanero, Stefano

doi:10.1007/978-3-319-60876-1_4

Cited by 43 publications

(83 citation statements)

References 30 publications

(37 reference statements)

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…(7) else if all the adjacent nodes of block are visited then (8) Pop block from stack_dfs, mark all adjacent nodes as non-visited. 9else (10) Get the adjacent node that is not visited, and push it into stack_dfs. (11) Check and mark the loops in the traversed nodes.…”

Section: Intercepting All Memory Reads and Writesmentioning

confidence: 99%

“…(8) Insert curr_ins and extra analysis code to buf. (9) curr_ins ⟵ target_ins (10) break (11) else if the transfer target cannot be directly determined then (12) Switch the context, execute instructions of buf and perform analysis. (13) Get the jump target address target_ins.…”

Section: Intercepting Only Memory Writes Except the Stackmentioning

confidence: 99%

“…At the same time, there are additional modules and code related to the instrumentation tool in the process space of target program when it is running. ese salient features may make binary instrumentation easier to be detected and attacked [10]. ere are other automated analysis methods that are mainly implemented as plug-ins.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

BAHK: Flexible Automated Binary Analysis Method with the Assistance of Hardware and System Kernel

Pan

Zhuang

Sun

2020

Security and Communication Networks

View full text Add to dashboard Cite

To protect core functions, applications often utilize the countermeasure techniques such as antidebugging to avoid analysis by outsiders, especially the malware. Dynamic binary instrumentation is commonly used in the analysis of binary programs. However, it can be easily detected and has stability and applicability problems as it involves program rewriting and just-in-time compilation. This paper proposes a new lightweight analysis method for binary programs with the assistance of hardware features and the operating system kernel, named BAHK, which can automatically analyze the target program by stealth and has wide applicability. With the support of underlying infrastructures, this paper designs several optimization strategies and specific analysis approaches at instruction level to reduce the impact of fine-grained analysis on the performance of target program so that it can be well applied in practice. The experimental results show that the proposed method has good stealthiness, low memory consumption, and positive user experience. In some cases, it shows better analysis performance than the traditional dynamic binary instrumentation method. Finally, the real case studies further show its feasibility and effectiveness.

show abstract

Section: Intercepting All Memory Reads and Writesmentioning

confidence: 99%

Section: Intercepting Only Memory Writes Except the Stackmentioning

confidence: 99%

See 1 more Smart Citation

BAHK: Flexible Automated Binary Analysis Method with the Assistance of Hardware and System Kernel

Pan

Zhuang

Sun

2020

Security and Communication Networks

View full text Add to dashboard Cite

show abstract

“…Arancino [71] is capable of detecting when a malware tries to detect the presence of binary instrumentation and applying the needed countermeasure. As research on malware analysis progresses, so does the sophistication of malware authors.…”

Section: :27mentioning

confidence: 99%

Untitled

Mademlis¹,

Messina²,

Wagner³

et al. 2019

CSUR

View full text Add to dashboard Cite

ORI OR-MEIR, NIR NISSIM, YUVAL ELOVICI, and LIOR ROKACH, Ben-Gurion University of the Negev, Beer-Sheva, IsraelAlthough malicious software (malware) has been around since the early days of computers, the sophistication and innovation of malware has increased over the years. In particular, the latest crop of ransomware has drawn attention to the dangers of malicious software, which can cause harm to private users as well as corporations, public services (hospitals and transportation systems), governments, and security institutions. To protect these institutions and the public from malware attacks, malicious activity must be detected as early as possible, preferably before it conducts its harmful acts. However, it is not always easy to know what to look for-especially when dealing with new and unknown malware that has never been seen. Analyzing a suspicious file by static or dynamic analysis methods can provide relevant and valuable information regarding a file's impact on the hosting system and help determine whether the file is malicious or not, based on the method's predefined rules. While various techniques (e.g., code obfuscation, dynamic code loading, encryption, and packing) can be used by malware writers to evade static analysis (including signature-based antivirus tools), dynamic analysis is robust to these techniques and can provide greater understanding regarding the analyzed file and consequently can lead to better detection capabilities. Although dynamic analysis is more robust than static analysis, existing dynamic analysis tools and techniques are imperfect, and there is no single tool that can cover all aspects of malware behavior. The most recent comprehensive survey performed in this area was published in 2012. Since that time, the computing environment has changed dramatically with new types of malware (ransomware, cryptominers), new analysis methods (volatile memory forensics, side-channel analysis), new computing environments (cloud computing, IoT devices), new machine-learning algorithms, and more. The goal of this survey is to provide a comprehensive and up-to-date overview of existing methods used to dynamically analyze malware, which includes a description of each method, its strengths and weaknesses, and its resilience against malware evasion techniques. In addition, we include an overview of prominent studies presenting the usage of machine-learning methods to enhance dynamic malware analysis capabilities aimed at detection, classification, and categorization.

show abstract

“…And, seventh, it is reproducible: we describe it in detail and have released its source code [34]. Moreover, since we released AVCLASS in July 2016, it has became a popular tool, and has been used by multiple research groups [35][36][37][38][39][40][41][42][43][44][45][46]. Among these works, Lever et al [47], further demonstrated the scalability of AVCLASS by applying it 23.9M samples.…”

Section: Pup and Malware Labelingmentioning

confidence: 99%

Tools for the Detection and Analysis of Potentially Unwanted Programs

Guevara¹

View full text Add to dashboard Cite

In this thesis we study potentially unwanted programs (PUP), a category of undesirable software that, while not outright malicious, contains behaviors that may alter the security state or the privacy of the system on which they are installed. PUP often comes bundled with freeware, i.e., proprietary software that can be used free of charge. A popular vector for distributing freeware are download portals, i.e., websites that index, categorize, and host programs. Download portals can be abused to distribute PUP. Freeware is often distributed as an installer, i.e., an auxiliary program in charge of performing all installation steps for the target program. During installation, besides the target program desired by the user, the installer may install PUP as well. PUP may be difficult to uninstall and may persist installed in the system after the user tries to uninstall it. Current malware analysis systems are not able to detect and analyze characteristic behaviors of PUP. For example, current malware analysis systems operate on a single program execution, while detecting incomplete PUP uninstallations requires analyzing together two program executions: the installation and the uninstallation.This thesis presents novel tools to detect and analyze potentially unwanted programs. More concretely, it describes three main contributions. First, it presents a measurement study of PUP prevalence in download portals, exposing the abusive behaviors that authors of malicious software use to distribute their applications through download portals. Second, it proposes a system especially designed to dynamically detect and analyze PUP behaviors during program installation and uninstallation. Third, it describes AVCLASS, an automatic labeling tool that given the AV labels for a potentially massive number of samples, outputs the most likely family for each sample.To analyze the distribution of PUP through download portals, we build a platform to crawl download portals and apply it to download 191K Windows freeware installers from 20 download portals. We analyze the collected installers measuring an overall ratio of PUP and malware between 8% (conservative estimate) and 26% (lax estimate). In 18 of the 20 download portals examined the amount of PUP and malware is below 9%. But, we also find two download portals exclusively used to distribute PPI i downloaders. We also detail different abusive behaviors that authors of undesirable programs use to distribute their programs through download portals.We present a platform to perform dynamic behavioral analysis of an input installer. Our platform executes the installer, navigates it to complete a successful installation, analyzes the installation to identify PUP behaviors, identifies the list of installed programs regardless of the installation location, checks whether each installed program has a corresponding uninstaller, executes the uninstallers, analyzes the uninstallation to identify PUP behaviors, and correlates the installation and uninstallation executions to determine if all installe...

show abstract

Measuring and Defeating Anti-Instrumentation-Equipped Malware

Cited by 43 publications

References 30 publications

BAHK: Flexible Automated Binary Analysis Method with the Assistance of Hardware and System Kernel

BAHK: Flexible Automated Binary Analysis Method with the Assistance of Hardware and System Kernel

Untitled

Tools for the Detection and Analysis of Potentially Unwanted Programs

Contact Info

Product

Resources

About