On the Dissection of Evasive Malware

D’Elia, Daniele Cono; Coppa, Emilio; Palmaro, Federico; Cavallaro, Lorenzo

doi:10.1109/tifs.2020.2976559

Cited by 31 publications

(36 citation statements)

References 46 publications

(72 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…However, this method does not intercept low-level system interactions, such as system calls and x86 instruction, because the bare-metal setup can only reason about raw disk content. A more recent solution is to execute the malicious samples inside a Dynamic Binary Instrumentation (DBI) framework that hides the presence of the analysis environment, identifying anti-instrumentation techniques [18,19,20].…”

Section: Introductionmentioning

confidence: 99%

A Systematical and longitudinal study of evasive behaviors in windows malware

Galloro

Polino

Carminati

et al. 2022

Computers & Security

View full text Add to dashboard Cite

Malware is one of the prevalent security threats. Sandboxes and, more generally, instrumented environments play a crucial role in dynamically analyzing malware samples, providing key threat intelligence results and critical information to update detection mechanisms.In this paper, we study the evasive behaviors employed by malware authors to hide the malicious activity of samples and hinder security analysis. First, we collect and systematize 92 evasive techniques leveraged by Windows malware to detect and thwart instrumented environments (e.g., debuggers and virtual machines). Then, we implement a framework for evasion analysis of x86 binaries and analyze 45,375 malware samples observed in the wild between 2010 and 2019; we compare this analysis against popular, legitimate Windows programs to study the intrinsic characteristics of such evasive behaviors.Based on the results of our experiments, we present statistics about the adoption of evasive techniques and their evolution over time. We show that over the past 10 years, the prevalence of evasive malware samples had a slight increase (12%). Moreover, the employed techniques shifted significantly over time. We also identify techniques that are specific to malware, as opposed to being employed by both malicious and legitimate software. Finally, we study how the security community reacts to the deployment of new evasive techniques. Overall, our results empirically address open research questions and provide insights and directions for future research. Y ea r T a x o n o m y Dynamic-Static Analysis Longit. Malware vs # Evasive # Samples Analysis Goodware Techniques (# Families) Chen et al. [26] 2006 8 6,222 () Lindorfer et al. [14] 2011 14 1,500 (175) Branco et al. [27] 2012 51 4M () Barbosa et al. [28] 2014 51 12M( )

show abstract

Section: Introductionmentioning

confidence: 99%

A Systematical and longitudinal study of evasive behaviors in windows malware

Galloro

Polino

Carminati

et al. 2022

Computers & Security

View full text Add to dashboard Cite

show abstract

“…In this paper, we propose an anti-anti-VM study to complement the limitations of the technique suggested by Cheng, Binlin, et al Therefore, if the above study were to consider the results of this paper, analysis may be conducted in a safer environment. D'Elia, Daniele Cono, et al [13] proposed Bluepill, a human-centered dynamic analysis system to facilitate malware analysis. Bluepill is based on DBI tool, and the authors of the above mentioned study configured a rule set for automatic bypass by analyzing known anti-analysis techniques.…”

Section: Related Workmentioning

confidence: 99%

Bypassing Anti-Analysis of Commercial Protector Methods Using DBI Tools

2021

View full text Add to dashboard Cite

“…response [9], [10]. Network forensics collects and analyzes data related to computer networks [11], which mainly refers to digital forensics that analyzes and monitors network connection information or packets.…”

Section: Introductionmentioning

confidence: 99%

Forensics and Anti-Forensics of a NAND Flash Memory: From a Copy-Back Program Perspective

Ahn

Lee

2021

IEEE Access

View full text Add to dashboard Cite

This paper proposes a safe copy-back program operation in a NAND flash memory, which is targeting digital forensics for a variety of reasons. Due to the background management operation of the NAND flash memory, the original data is highly likely to remain without truly being deleted. We have carefully investigated the possibility of data exposure due to a copy-back program operation, among, frequently used management operations as such data exposure increases the possibility of privacy invasion. We propose a safe copy-back program operation that lowers the possibility of privacy invasion. And we additionally introduce various techniques for solving the reliability problem of adjacent cells caused by the proposed copy-back program operation. For example, when deleting the original data in a copy-back program operation, overwriting is performed to minimize program disturbance. Also, after acquiring the victim cell information of the adjacent cell before proceeding with overwriting, program prohibition is determined on each page buffer based on the victim cell information. Our research results are meaningful for forensics and anti-forensics issues to be raised regarding NAND flash memories. We look forward to the development of NAND flash memories that guarantee privacy in subsequent studies.

show abstract

On the Dissection of Evasive Malware

Cited by 31 publications

References 46 publications

A Systematical and longitudinal study of evasive behaviors in windows malware

A Systematical and longitudinal study of evasive behaviors in windows malware

Bypassing Anti-Analysis of Commercial Protector Methods Using DBI Tools

Forensics and Anti-Forensics of a NAND Flash Memory: From a Copy-Back Program Perspective

Contact Info

Product

Resources

About