Detecting Environment-Sensitive Malware

Lindorfer, Martina; Kolbitsch, Clemens; Comparetti, Paolo Milani

doi:10.1007/978-3-642-23644-0_18

Cited by 149 publications

(90 citation statements)

References 28 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In 2009, according to [2] 0.3 to 12.5 percent of the samples submitted to Anubis were able to detect the sandbox and refuse to run. In [22] it is shown that evasive malware was being actively developed and distributed in 2011. While overcoming this limitation is beyond the scope of our work, we can note that the problem of evasive malware is well mitigated by collecting data outside the malware execution scope.…”

Section: Limitations and Future Workmentioning

confidence: 99%

Jackdaw: Towards Automatic Reverse Engineering of Large Datasets of Binaries

Polino

Scorti

Maggi

et al. 2015

Lecture Notes in Computer Science

View full text Add to dashboard Cite

When analyzing an untrusted binary, reverse engineers usually rely on ad-hoc collections of interesting dynamic patterns-known as behaviors in the malware-analysis community-and static patterns-known as signatures in the antivirus community. Such patterns are often part of the skill set of the analyst, sometimes implemented in manually-created post-processing scripts. It would be desirable to be able to automatically find such behaviors, present them to analysts, and create a systematic catalog of matching rules and relevant implementations. We propose JACKDAW, a system that finds interesting dynamic patterns, and ranks them to unveil potentially interesting behaviors. Then, it annotates them with static information, capturing the distinct implementations of each across different malware families. Finally, JACKDAW associates semantic information to the behaviors, so as to create a descriptive summary that helps the analysts in querying the catalog of behaviors by type. To do this, it leverages the dynamic information and an indexed Web-based knowledge databases. We implement and demonstrate JACKDAW on the Win32 API (even if the technique can be generalized to any OS). On a dataset of 2,136 distinct binaries, including both malicious and benign libraries and executables, we compared the behaviors extracted automatically against a ground truth of 44 behaviors created manually by expert analysts. JACKDAW found 77.3% of them and was able to exclude spurious behaviors in 99.6% cases. We also discovered 466 novel behaviors, among which manual exploration and review by expert reverse engineers revealed interesting findings and confirmed the correctness of the semantic tagging.

show abstract

Section: Limitations and Future Workmentioning

confidence: 99%

Jackdaw: Towards Automatic Reverse Engineering of Large Datasets of Binaries

Polino

Scorti

Maggi

et al. 2015

Lecture Notes in Computer Science

View full text Add to dashboard Cite

show abstract

“…Instead of analyzing the program instructions, the behavior of the program under analysis is monitored and evaluated. Several applications have been developed based on dynamic analysis sandboxes to monitor botnet traffic [11], obtain unpacked and unencrypted malware samples [12], [13], automatically obtain malware mitigation procedures [14] and detect unknown evasion techniques [15]. Several such tools exist today for both, research and commercial purposes.…”

Section: B Malware Analysismentioning

confidence: 99%

Take a bite - Finding the worm in the Apple

Lindorfer

Miller

Neugschwandtner

et al. 2013

2013 9th International Conference on Information, Communications &Amp; Signal Processing

Self Cite

View full text Add to dashboard Cite

Abstract-When it comes to security risks, especially malware, Mac OS X has the questionable reputation of being inherently safe. While there is a substantial body of research and implementations dealing with malware on Windows and, more recently, Android systems, Mac OS X has received little attention so far.To amend this shortcoming, we built a Mac OS X based highinteraction honeypot and used it to evaluate over 6,000 blacklisted URLs to estimate how widespread malware for Mac OS X is today. We further built a dynamic analysis environment and analyzed 148 malicious samples to gain insight into the current state of Mac OS X malware. To the best of our knowledge, we are the first to tackle this task.

show abstract

“…Dione only requires basic disk access information that can be obtained by many types of sensors, including both physical hardware sensors and virtualizationbased sensors. It can, therefore, be used to analyze and detect malware that utilizes anti-sandbox or virtualization-evasion techniques, which have become increasingly common [3,8,19].…”

Section: Introductionmentioning

confidence: 99%

Dione: A Flexible Disk Monitoring and Analysis Framework

Mankin

Kaeli

2012

Research in Attacks, Intrusions, and Defenses

View full text Add to dashboard Cite

Abstract. The proliferation of malware in recent years has motivated the need for tools to detect, analyze, and understand intrusions. Though analysis and detection can be difficult, malware fortunately leaves artifacts of its presence on disk. In this paper, we present Dione, a flexible policy-based disk I/O monitoring and analysis infrastructure that can be used to analyze and understand malware behavior. Dione interposes between a system-under-analysis and its hard disk, intercepting disk accesses and reconstructing a high-level semantic view of the disk and all operations on it. Since Dione resides outside the host it is analyzing, it is resilient to attacks and misdirections by malware that attempts to mislead or hide from analyzers. By performing on-the-fly reconstruction of every operation, Dione maintains a ground truth of the state of the file system which is always up-to-date-even as new files are created, deleted, moved, or altered.Dione is the first disk monitoring infrastructure to provide rich, upto-date, low-level monitoring and analysis for NTFS: the notoriously complex, closed-source file system used by modern Microsoft Windows computing systems. By comparing a snapshot obtained by Dione's liveupdating capability to a static disk scan, we demonstrate that Dione provides 100% accuracy in reconstructing file system operations. Despite this powerful instrumentation capability, Dione has a minimal effect on the performance of the system. For most tests, Dione results in a performance overhead of less than 10%-in many cases less than 3%-even when processing complex sequences of file system operations.

show abstract

Detecting Environment-Sensitive Malware

Cited by 149 publications

References 28 publications

Jackdaw: Towards Automatic Reverse Engineering of Large Datasets of Binaries

Jackdaw: Towards Automatic Reverse Engineering of Large Datasets of Binaries

Take a bite - Finding the worm in the Apple

Dione: A Flexible Disk Monitoring and Analysis Framework

Contact Info

Product

Resources

About