Malware Dynamic Analysis Evasion Techniques

Afianian, Amir; Niksefat, Salman; Sadeghiyan, Babak; Baptiste, David A.

doi:10.1145/3365001

Cited by 143 publications

(80 citation statements)

References 56 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…While seemingly trivial, these evasion techniques are increasingly used to determine whether the environment is a genuine target (i.e., a real system with a real user). Common evasion techniques may include system artefact checks, including the use of registry edits and virtual environment processes [2,4,[19][20][21][22][23][24][25][26], trigger-based behaviour [4,19,20,[26][27][28] and checks for human interaction [4,19,20,26,[29][30][31].…”

Section: Evasion and Anti-evasion Methodsmentioning

confidence: 99%

Investigating Anti-Evasion Malware Triggers Using Automated Sandbox Reconfiguration Techniques

Mills

Legg

2020

JCP

View full text Add to dashboard Cite

Malware analysis is fundamental for defending against prevalent cyber security threats and requires a means to deploy and study behavioural software traits as more sophisticated malware is developed. Traditionally, virtual machines are used to provide an environment that is isolated from production systems so as to not cause any adverse impact on existing infrastructure. Malware developers are fully aware of this and so will often develop evasion techniques to avoid detection within sandbox environments. In this paper, we conduct an investigation of anti-evasion malware triggers for uncovering malware that may attempt to conceal itself when deployed in a traditional sandbox environment. To facilitate our investigation, we developed a tool called MORRIGU that couples together both automated and human-driven analysis for systematic testing of anti-evasion methods using dynamic sandbox reconfiguration techniques. This is further supported by visualisation methods for performing comparative analysis of system activity when malware is deployed under different sandbox configurations. Our study reveals a variety of anti-evasion traits that are shared amongst different malware families, such as sandbox “wear-and-tear”, and Reverse Turing Tests (RTT), as well as more sophisticated malware samples that require multiple anti-evasion checks to be deployed. We also perform a comparative study using Cuckoo sandbox to demonstrate the limitations of adopting only automated analysis tools, to justify the exploratory analysis provided by MORRIGU. By adopting a clearer systematic process for uncovering anti-evasion malware triggers, as supported by tools like MORRIGU, this study helps to further the research of evasive malware analysis so that we can better defend against such future attacks.

show abstract

Section: Evasion and Anti-evasion Methodsmentioning

confidence: 99%

Investigating Anti-Evasion Malware Triggers Using Automated Sandbox Reconfiguration Techniques

Mills

Legg

2020

JCP

View full text Add to dashboard Cite

show abstract

“…Whilst seemingly trivial, these evasion techniques are increasingly used to determine whether the environment is a genuine target (i.e., a real system with a real user). Common evasion techniques may include system artefact checks, including the use of registry edits and virtual environment processes ( [2,4,[19][20][21][22][23][24][25][26]), trigger-based behaviour ( [4,19,20,[26][27][28]) and checks for human interaction ( [4,19,20,26,[29][30][31]).…”

Section: Evasion and Anti-evasion Methodsmentioning

confidence: 99%

Investigating Anti-Evasion Malware Triggers Using Automated Sandbox Reconfiguration Techniques

Mills¹,

Legg²

2020

Preprint

View full text Add to dashboard Cite

Malware analysis is fundamental for defending against prevalent cyber security threats, and requires a means to deploy and study behavioural software traits as more sophisticated malware is developed. Traditionally, virtual machines are used to provide an environment that is isolated from production systems so as to not cause any adverse impact on existing infrastructure. Malware developers are fully aware of this and so will often develop evasion techniques to avoid detection within sandbox environments. In this paper, we conduct an investigation into anti-evasion malware triggers for uncovering malware behaviours that may act benign when they detect a traditional sandbox environment. To facilitate our investigation, we developed a dynamic sandbox reconfiguration tool called MORRIGU that couples together both automated and human-driven analysis for anti-evasion configuration testing, along with a visual analytics view for examining system behaviours and performing comparative analysis. Our study reveals a variety of anti-evasion traits that are shared amongst different malware families, such as sandbox `wear-and-tear’, and Reverse Turing Tests (RTT), as well as more sophisticated malware samples that require multiple anti-evasion checks to be deployed. Using a systematic testing approach such as MORRIGU enables test coverage of anti-evasion methods, whilst also offering flexibility for further human-driven analysis of additional evasion methods. We also perform a comparative study against automated analysis using Cuckoo sandbox to show that automated scoring alone can not reliably inform on the presence of evasive malware, hence requiring a more sophisticated anti-evasive testing approach. With a greater understanding of anti-evasion malware triggers and with appropriate tools to explore these in an effective and efficient manner, this study helps to advance research on how evasive malware is being utilised to evade analysis so that we can better defend against future attacks.

show abstract

“…In a very recent survey dealing with dynamic malware analysis [14], the authors focused on the techniques employed by malware to prevent the analysis and isolated the most common functionalities needed to implement a malicious behavior. In the survey [18], the authors noticed that evasive functionalities are primarily used to recognize and evade sandboxes; therefore, several works propose to use fingerprinting and the reverse Turing test for recognizing a genuine human interaction. Similar considerations can be found in an earlier survey [19].…”

Section: A Surveys On Malware Analysis and Evasionmentioning

confidence: 99%

“…• limited interest in information hiding: as shown, only one recent work dealt with information hiding (specifically, in the context of mobile devices). As modern mal- [23] x x x x x [16] x x x x x [24] x x [22] x x fileless [31] x adversarial ML [17] x tools [25] x AI [14] x x x evasion, tools [34] x x x evasion [18] x x evasion [21] x x APT [28] x x cybersecurity [19] x evasion [26] x x x x [27] x x cybersecurity [36] x x x visualisation [30] x x [11] x x behavior analysis, visualisation [12] x analysis [37] x x [33] x x x evasion [29] x x x [15] x x x x x [20] x x stealth malware [32] x x x C&C communication [35] x x x OS openness [38] x x [39] x visualisation ware is increasingly exploiting some form of steganography, information hiding and obfuscation to launch attacks or exfiltrate data [42], [43], this consolidated trend should be taken into account. • lack of sufficient coverage of new threats: despite the vivacity of the topic, many works continue to focus on the "legacy" hazards, e.g., phishing.…”

Section: Contributions and Survey Architecturementioning

confidence: 99%

Tight Arms Race: Overview of Current Malware Threats and Trends in Their Detection

Caviglione

Choraś

Corona³

et al. 2021

IEEE Access

100

View full text Add to dashboard Cite

Malware Dynamic Analysis Evasion Techniques

Cited by 143 publications

References 56 publications

Investigating Anti-Evasion Malware Triggers Using Automated Sandbox Reconfiguration Techniques

Investigating Anti-Evasion Malware Triggers Using Automated Sandbox Reconfiguration Techniques

Investigating Anti-Evasion Malware Triggers Using Automated Sandbox Reconfiguration Techniques

Tight Arms Race: Overview of Current Malware Threats and Trends in Their Detection

Contact Info

Product

Resources

About