Abstract
Sandboxes are an indispensable tool in dynamic malware analysis today. However, modern malware often employs sandbox-detection methods to exhibit non-malicious behaviour within sandboxes and therefore evade automatic analysis. One category of sandbox-detection techniques is the reverse Turing test (RTT), which probes for the presence of a human operator. In order to pass these RTTs, we propose a novel approach which builds upon virtual machine introspection (VMI) to automatically reconstruct the graphical user interface, determine clickable buttons and inject human interface device events via direct control of virtualized human interface devices in a stealthy way. We extend the VMI-based open-source sandbox DRAKVUF with our approach and show that it successfully passes RTTs commonly employed by malware in the wild to detect sandboxes.
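The following is an added illustration of the pipeline the abstract outlines (reconstructed GUI, clickable-button selection, HID event injection); it is not the authors' DRAKVUF extension and makes no claim about how their VMI layer reads guest memory. The window tree is constructed by hand to stand in for what introspection would recover; the WS_VISIBLE, WS_DISABLED and BS_* values are the real Win32 style constants, while the tree layout, the occlusion rule and the relative-move mouse model (127-count steps, as a USB boundary mouse reports them) are assumptions chosen for the example.

```python
"""Added example: from a reconstructed window tree, pick buttons a human could
really click and emit the mouse events to click one.  Not the paper's code."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Real Win32 style bits (winuser.h); everything else in this file is constructed.
WS_VISIBLE = 0x10000000
WS_DISABLED = 0x08000000
BS_TYPEMASK = 0x0000000F          # low nibble of a Button's style selects its type
BS_PUSHBUTTON, BS_DEFPUSHBUTTON = 0x0, 0x1

Rect = Tuple[int, int, int, int]  # left, top, right, bottom in screen coordinates


@dataclass
class Window:
    hwnd: int
    cls: str
    text: str
    style: int
    rect: Rect
    children: List["Window"] = field(default_factory=list)  # z-order, frontmost first


def _intersect(a: Rect, b: Rect) -> Optional[Rect]:
    l, t, r, btm = max(a[0], b[0]), max(a[1], b[1]), min(a[2], b[2]), min(a[3], b[3])
    return (l, t, r, btm) if l < r and t < btm else None


def _contains(rect: Rect, pt: Tuple[int, int]) -> bool:
    return rect[0] <= pt[0] < rect[2] and rect[1] <= pt[1] < rect[3]


def clickable_buttons(root: Window) -> List[Tuple[int, str, Tuple[int, int]]]:
    """Return (hwnd, caption, click point) for every push button that is visible,
    enabled, inside its ancestors' client area and not covered by a window that is
    in front of it.  A hidden or disabled ancestor removes its whole subtree."""
    found = []

    def walk(win: Window, clip: Rect, enabled: bool, occluders: List[Rect]) -> None:
        if not win.style & WS_VISIBLE:
            return                                   # hidden: subtree is invisible too
        enabled = enabled and not (win.style & WS_DISABLED)
        rect = _intersect(win.rect, clip)
        if rect is None:
            return                                   # fully clipped: nothing to hit
        if (win.cls == "Button" and enabled
                and (win.style & BS_TYPEMASK) in (BS_PUSHBUTTON, BS_DEFPUSHBUTTON)):
            center = ((rect[0] + rect[2]) // 2, (rect[1] + rect[3]) // 2)
            if not any(_contains(o, center) for o in occluders):
                found.append((win.hwnd, win.text, center))
        in_front: List[Rect] = []                    # siblings already walked are in front
        for child in win.children:
            walk(child, rect, enabled, occluders + in_front)
            if child.style & WS_VISIBLE:
                in_front.append(child.rect)

    walk(root, root.rect, True, [])
    return found


def hid_events_for_click(target: Tuple[int, int], cursor: Tuple[int, int] = (0, 0),
                         max_step: int = 127) -> List[Tuple[str, int, int]]:
    """Relative mouse reports, each axis clamped to +/-max_step as a HID boundary
    mouse would send them, followed by a left press and release.  Moving the cursor
    in steps rather than warping it is what makes the click look human-driven."""
    x, y = cursor
    tx, ty = target
    events: List[Tuple[str, int, int]] = []
    while (x, y) != (tx, ty):
        dx = max(-max_step, min(max_step, tx - x))
        dy = max(-max_step, min(max_step, ty - y))
        x, y = x + dx, y + dy
        events.append(("move", dx, dy))
    events += [("left_down", 0, 0), ("left_up", 0, 0)]
    return events


def sample_desktop() -> Window:
    """Constructed window tree: a front window partly covering a dialog with an
    enabled OK, a disabled Cancel, a covered Help, an off-dialog button and a
    hidden child dialog whose own button must therefore be ignored."""
    dlg = Window(0x1001, "#32770", "Setup", WS_VISIBLE, (200, 200, 600, 500), [
        Window(0x1002, "Button", "OK", WS_VISIBLE | BS_DEFPUSHBUTTON, (220, 450, 320, 480)),
        Window(0x1003, "Button", "Cancel", WS_VISIBLE | WS_DISABLED, (340, 450, 440, 480)),
        Window(0x1004, "Button", "Help", WS_VISIBLE, (460, 450, 560, 480)),
        Window(0x1005, "Button", "Stray", WS_VISIBLE, (700, 450, 800, 480)),
        Window(0x1006, "#32770", "Hidden", 0, (250, 250, 550, 450), [
            Window(0x1007, "Button", "Yes", WS_VISIBLE, (260, 400, 360, 430)),
        ]),
    ])
    front = Window(0x2001, "Notepad", "Untitled", WS_VISIBLE, (450, 400, 700, 600))
    return Window(0x0001, "#32769", "Desktop", WS_VISIBLE, (0, 0, 1024, 768), [front, dlg])


if __name__ == "__main__":
    for hwnd, caption, pt in clickable_buttons(sample_desktop()):
        print(f"{hwnd:#06x} {caption!r} at {pt}")
        print(hid_events_for_click(pt))
```

Of the five buttons in the constructed tree only OK survives: Cancel is disabled, Help sits under the front window, Stray lies outside its dialog and Yes belongs to a hidden dialog. The event list for the click is then a handful of bounded relative moves plus a press and release, which is what the sandbox would hand to the virtual mouse instead of warping the cursor in one jump.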
Cite this article
Gruber, J., Freiling, F. Fighting Evasive Malware. Datenschutz Datensich 46, 284–290 (2022). https://doi.org/10.1007/s11623-022-1604-9