Modern Blue Pills and Red Pills

Algawi, Asaf; Kiperberg, Michael; Leon, Roee; Resh, Amit; Zaidenberg, Nezer Jacob

doi:10.4018/978-1-5225-9715-5.ch078

Cited by 2 publications

(2 citation statements)

References 3 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…However, this approach can be easily bypassed by disabling the acceleration option of guest machines. These limitations are unsuitable for detecting virtual machines [8], [31].…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Large-Scale Analysis on Anti-Analysis Techniques in Real-World Malware

Kim

Cho

2022

IEEE Access

View full text Add to dashboard Cite

To dynamically identify malicious behaviors of millions of Windows malware, anti-virus vendors have widely been using sandbox-based analyzers. However, the sandbox-based analysis has a critical limitation that anti-analysis techniques (i.e., Anti-sandbox and Anti-VM techniques) can easily detect analyzers and evade from being analyzed. In this work, we study on anti-analysis techniques used in real-world malware. First off, to measure how many Windows malware exhibits anti-analysis techniques, we collect anti-analysis techniques used in malware. We, then, design and implement an automated system, named EvDetector, that detects malware which employ anti-analysis techniques. EvDetector finds if malware uses an anti-analysis technique and monitors whether the malware changes its execution paths based on the result of the anti-analysis technique. By using EvDetector, we analyzed 763,985 real-world malware that emerged from 2017 to 2020. Our evaluation results show that 16.21% of malware use antianalysis techniques on average. Also, we check the effectiveness of the analysis result by comparing EvDetector and static analysis. EvDetector analyzes up to 49.88% of malware detected by static analysis did not use anti-analysis techniques. In addition, we analyze that only up to 3.75% of the packed malware used anti-analysis techniques. Finally, we analyze the evasive malware trend through familial analysis and behavioral analysis. Our work implies that the research community needs to put more effort on defeating such anti-analysis techniques to automatically analyze emerging malware and respond with them.

show abstract

“…However, this approach can be easily bypassed by disabling the acceleration option of guest machines. These limitations are unsuitable for detecting virtual machines [8], [31].…”

Section: Introductionmentioning

confidence: 99%

“…However, there are limitations in detecting APIs that can reduce detection accuracy or instructions that are not valid in modern environments. [8].…”

Section: Introductionmentioning

confidence: 99%