GoldenEye: Efficiently and Effectively Unveiling Malware’s Targeted Environment

Xu, Zhaoyan; Zhang, Jialong; Gu, Guofei; Lin, Zhiqiang

doi:10.1007/978-3-319-11379-1_2

Cited by 24 publications

(14 citation statements)

References 21 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Otherwise, the malware does not do anything harmful. In most cases, it terminates [78]. The following section summarises the two techniques GoldenEye [78] and VECG [79] for detecting the targeted environment of a malware.…”

Section: B Identifying Phantom Malware's Targeted Environmentmentioning

confidence: 99%

“…In most cases, it terminates [78]. The following section summarises the two techniques GoldenEye [78] and VECG [79] for detecting the targeted environment of a malware. Further, it is discussed why these techniques failed to identify Phantom Malware's targeted environment.…”

Section: B Identifying Phantom Malware's Targeted Environmentmentioning

confidence: 99%

“…Otherwise, the next (starting from this basic block) WinAPI call representing an environmental query will be determined. Thereafter, the complete analysis process starts again [78].…”

Section: ) Goldeneyementioning

confidence: 99%

See 2 more Smart Citations

Phantom Malware: Conceal Malicious Actions From Malware Detection Techniques by Imitating User Activity

Witte

2020

IEEE Access

View full text Add to dashboard Cite

State of the art malware detection techniques only consider the interaction of programs with the operating system's API (system calls) for malware classification. This paper demonstrates that techniques like these are insufficient. A point that is overlooked by the currently existing techniques is presented in this paper: Malware is able to interact with windows providing the corresponding functionality in order to execute the desired action by mimicking user activity. In other words, harmful actions will be masked as simulated user actions. To start with, the article introduces User Imitating techniques for concealing malicious commands of the malware as impersonated user activity. Thereafter, the concept of Phantom Malware will be presented: This malware is constantly applying User Imitating to execute each of its malicious actions. A Phantom Ransomware (ransomware employs the User Imitating for every of its malicious actions) is implemented in C++ for testing anti-virus programs in Windows 10. Software of various manufacturers are applied for testing purposes. All of them failed without exception. This paper analyzes the reasons why these products failed and further, presents measures that have been developed against Phantom Malware based on the test results.

show abstract

Section: B Identifying Phantom Malware's Targeted Environmentmentioning

confidence: 99%

Section: B Identifying Phantom Malware's Targeted Environmentmentioning

confidence: 99%

See 1 more Smart Citation

Phantom Malware: Conceal Malicious Actions From Malware Detection Techniques by Imitating User Activity

Witte

2020

IEEE Access

View full text Add to dashboard Cite

show abstract

“…HARVESTER instruments the reporting mechanism for the values of interest into the slices (see line 4), making changes to the runtime environment (emulator, Android OS) unnecessary. Note that HARVESTER does not need to reconfigure or reset the actual device or emulator on which the slices are executed which is novel in comparison to other approaches that are based on symbolic or concolic execution [20], [21].…”

Section: Overall Approachmentioning

confidence: 99%

Harvesting Runtime Values in Android Applications That Feature Anti-Analysis Techniques

Rasthofer¹,

Arzt²,

Miltenberger³

et al. 2016

Proceedings 2016 Network and Distributed System Security Symposium

115

View full text Add to dashboard Cite

It is generally challenging to tell apart malware from benign applications. To make this decision, human analysts are frequently interested in runtime values: targets of reflective method calls, URLs to which data is sent, target telephone numbers of SMS messages, and many more. However, obfuscation and string encryption, used by malware as well as goodware, often not only render human inspections, but also static analyses ineffective. In addition, malware frequently tricks dynamic analyses by detecting the execution environment emulated by the analysis tool and then refraining from malicious behavior. In this work we therefore present HARVESTER, an approach to fully automatically extract runtime values from Android applications. HARVESTER is designed to extract values even from highly obfuscated state-of-the-art malware samples that obfuscate method calls using reflection, hide sensitive values in native code, load code dynamically and apply anti-analysis techniques. The approach combines program slicing with code generation and dynamic execution. Experiments on 16,799 current malware samples show that HARVESTER fully automatically extracts many sensitive values, with perfect precision. The process usually takes less than three minutes and does not require human interaction. In particular, it goes without simulating UI inputs. Two case studies further show that by integrating the extracted values back into the app, HARVESTER can increase the recall of existing static and dynamic analysis tools such as FlowDroid and TaintDroid. Permission to freely reproduce all or part of this paper for noncommercial purposes is granted provided that copies bear this notice and the full citation on the first page. Reproduction for commercial purposes is strictly prohibited without the prior written consent of the Internet Society, the first-named author (for reproduction of an entire paper only), and the author's employer if the paper was prepared within the scope of employment.

show abstract

“…There is a vast literature on the problems of detecting [21,71,77], classifying [15,31,39,85] and eradicating botnets [91]. Detection challenges [12] include multiple administrative domains, Internet heterogeneity, botnets that are purely memory-resident [86] lack of ground truth, privacy concerns.…”

Section: Related Workmentioning

confidence: 99%

Classification and prediction of matrix structured data with applications to recommendation systems, identifying anti-socials and bot-nets

Fadaee¹

View full text Add to dashboard Cite

GoldenEye: Efficiently and Effectively Unveiling Malware’s Targeted Environment

Cited by 24 publications

References 21 publications

Phantom Malware: Conceal Malicious Actions From Malware Detection Techniques by Imitating User Activity

Phantom Malware: Conceal Malicious Actions From Malware Detection Techniques by Imitating User Activity

Harvesting Runtime Values in Android Applications That Feature Anti-Analysis Techniques

Classification and prediction of matrix structured data with applications to recommendation systems, identifying anti-socials and bot-nets

Contact Info

Product

Resources

About