Evasive Malware via Identifier Implanting

Malware analysis is fundamental for defending against prevalent cyber security threats and requires a means to deploy and study behavioural software traits as more sophisticated malware is developed. Traditionally, virtual machines are used to provide an environment that is isolated from production systems so as to not cause any adverse impact on existing infrastructure. Malware developers are fully aware of this and so will often develop evasion techniques to avoid detection within sandbox environments. In this paper, we conduct an investigation of anti-evasion malware triggers for uncovering malware that may attempt to conceal itself when deployed in a traditional sandbox environment. To facilitate our investigation, we developed a tool called MORRIGU that couples together both automated and human-driven analysis for systematic testing of anti-evasion methods using dynamic sandbox reconfiguration techniques. This is further supported by visualisation methods for performing comparative analysis of system activity when malware is deployed under different sandbox configurations. Our study reveals a variety of anti-evasion traits that are shared amongst different malware families, such as sandbox “wear-and-tear”, and Reverse Turing Tests (RTT), as well as more sophisticated malware samples that require multiple anti-evasion checks to be deployed. We also perform a comparative study using Cuckoo sandbox to demonstrate the limitations of adopting only automated analysis tools, to justify the exploratory analysis provided by MORRIGU. By adopting a clearer systematic process for uncovering anti-evasion malware triggers, as supported by tools like MORRIGU, this study helps to further the research of evasive malware analysis so that we can better defend against such future attacks.

Download Full-text

Evasion and Countermeasures Techniques to Detect Dynamic Binary Instrumentation Frameworks

Digital Threats: Research and Practice ◽

10.1145/3480463 ◽

2021 ◽

Author(s):

Ailton Dos Santos Fh ◽

Ricardo J. Rodríguez ◽

Eduardo L. Feitosa

Keyword(s):

Future Research ◽

Malware Analysis ◽

Framework Analysis ◽

Malicious Software ◽

Binary Instrumentation ◽

Analysis Technique ◽

Dynamic Binary Instrumentation ◽

Split Personality ◽

Attack Surface ◽

Evasive Malware

Dynamic Binary Instrumentation (DBI) is a dynamic analysis technique that allows arbitrary code to be executed when a program is running. DBI frameworks have started to be used to analyze malicious applications. As a result, different approaches have merged to detect and avoid them. Commonly referred to as split personality malware or evasive malware are pieces of malicious software that incorporate snippets of code to detect when they are under DBI framework analysis and thus mimic benign behavior. Recent studies have questioned the use of DBI in malware analysis, arguing that it increases the attack surface. In this paper, we examine the anti-instrumentation techniques that abuse desktop-based DBI frameworks and existing countermeasures to determine if it is possible to reduce the exploitable attack surface introduced by these DBI frameworks. In particular, we review the related literature to identify (i) the existing set of DBI framework evasion techniques and (ii) the existing set of countermeasures to avoid them. We also analyze and compare the taxonomies introduced in the literature, and propose a new taxonomy that expands and completes previous taxonomies. We also note some relevant issues and outline ways of future research in the use of DBI frameworks for security purposes

Download Full-text

Investigating Anti-Evasion Malware Triggers Using Automated Sandbox Reconfiguration Techniques

10.20944/preprints202010.0305.v2 ◽

2020 ◽

Author(s):

Alan Mills ◽

Phil Legg

Keyword(s):

Cyber Security ◽

Virtual Machines ◽

Production Systems ◽

Automated Analysis ◽

Adverse Impact ◽

Security Threats ◽

Malware Analysis ◽

Systematic Testing ◽

Wear And Tear ◽

Evasive Malware

Malware analysis is fundamental for defending against prevalent cyber security threats, and requires a means to deploy and study behavioural software traits as more sophisticated malware is developed. Traditionally, virtual machines are used to provide an environment that is isolated from production systems so as to not cause any adverse impact on existing infrastructure. Malware developers are fully aware of this and so will often develop evasion techniques to avoid detection within sandbox environments. In this paper, we conduct an investigation of anti-evasion malware triggers for uncovering malware that may attempt to conceal itself when deployed in a traditional sandbox environment. To facilitate our investigation, we developed a tool called MORRIGU that couples together both automated and human-driven analysis for systematic testing of anti-evasion methods using dynamic sandbox reconfiguration techniques. This is further supported by visualisation methods for performing comparative analysis of system activity when malware is deployed under different sandbox configurations. Our study reveals a variety of anti-evasion traits that are shared amongst different malware families, such as sandbox `wear-and-tear', and Reverse Turing Tests (RTT), as well as more sophisticated malware samples that require multiple anti-evasion checks to be deployed. We also perform a comparative study using Cuckoo sandbox to demonstrate the limitations of adopting only automated analysis tools, to justify the exploratory analysis provided by MORRIGU. By adopting a clearer systematic process for uncovering anti-evasion malware triggers, as supported by tools like MORRIGU, this study helps to further the research of evasive malware analysis so that we can better defend against such future attacks.

Download Full-text

API Chaser: Taint-Assisted Sandbox for Evasive Malware Analysis

Journal of Information Processing ◽

10.2197/ipsjjip.27.297 ◽

2019 ◽

Vol 27 (0) ◽

pp. 297-314

Author(s):

Yuhei Kawakoya ◽

Eitaro Shioji ◽

Makoto Iwamura ◽

Jun Miyoshi

Keyword(s):

Malware Analysis ◽

Evasive Malware

Download Full-text

Scarecrow: Deactivating Evasive Malware via Its Own Evasive Logic

2020 50th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN) ◽

10.1109/dsn48063.2020.00027 ◽

2020 ◽

Author(s):

Jialong Zhang ◽

Zhongshu Gu ◽

Jiyong Jang ◽

Dhilung Kirat ◽

Marc Stoecklin ◽

...

Keyword(s):

Evasive Malware

Download Full-text

Android Adware Detection Using Machine Learning

International Journal of Cyber Research and Education ◽

10.4018/ijcre.2021070101 ◽

2021 ◽

Vol 3 (2) ◽

pp. 1-19

Author(s):

Sikha Bagui ◽

Daniel Benson

Keyword(s):

Machine Learning ◽

Feature Selection ◽

Network Traffic ◽

Information Gain ◽

Malware Detection ◽

Classification Rate ◽

The Individual ◽

Evasive Malware

Adware, an advertising-supported software, becomes a type of malware when it automatically delivers unwanted advertisements to an infected device, steals user information, and opens other vulnerabilities that allow other malware and adware to be installed. With the rise of more and complex evasive malware, specifically adware, better methods of detecting adware are required. Though a lot of work has been done on malware detection in general, very little focus has been put on the adware family. The novelty of this paper lies in analyzing the individual adware families. To date, no work has been done on analyzing the individual adware families. In this paper, using the CICAndMal2017 dataset, feature selection is performed using information gain, and classification is performed using machine learning. The best attributes for classification of each of the individual adware families using network traffic samples are presented. The results present an average classification rate that is an improvement over previous works for classification of individual adware families.

Download Full-text