
Jan Gruber, Felix C. Freiling

Fighting Evasive Malware

How to Pass the Reverse Turing Test By Utilizing a VMI-Based Human Interaction Simulator

  • Articles
  • Journal: Datenschutz und Datensicherheit - DuD

Abstract

Sandboxes are an indispensable tool in dynamic malware analysis today. However, modern malware often employs sandbox-detection methods to exhibit non-malicious behaviour within sandboxes and therefore evade automatic analysis. One category of sandbox-detection techniques is the reverse Turing test (RTT), which checks for the presence of a human operator. In order to pass these RTTs, we propose a novel approach that builds upon virtual machine introspection (VMI) to automatically reconstruct the graphical user interface of the guest, determine which buttons are clickable, and inject human interface device events stealthily through direct control of the virtualized human interface devices. We extend the VMI-based open-source sandbox DRAKVUF with our approach and show that it successfully passes RTTs commonly employed by malware in the wild to detect sandboxes.
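The abstract describes two sides of the problem: a sample that runs a reverse Turing test (for example, waiting for mouse movement and a click before it does anything) and a sandbox component that answers it by reconstructing the GUI and injecting HID events. The following Python model is an added example, not the authors' DRAKVUF extension: `rtt_check` is a constructed stand-in for a minimal RTT of the "has a human moved the mouse and clicked?" kind, `RECONSTRUCTED_GUI` is a constructed stand-in for button rectangles recovered from guest memory, and `HumanInteractionSimulator` emits a jittered cursor path ending in a click inside the chosen button. All class and function names are assumptions for illustration.

```python
"""Toy model of the reverse-Turing-test (RTT) problem.

Constructed example; not the authors' DRAKVUF extension and not a
real sandbox detector. It shows why a cursor that "teleports" and clicks
fails a movement-based RTT while a stepwise path to a button passes it.
"""
from dataclasses import dataclass
import random


@dataclass(frozen=True)
class Button:
    label: str
    x: int
    y: int
    w: int
    h: int  # screen rectangle in pixels

    def center(self):
        return (self.x + self.w // 2, self.y + self.h // 2)

    def contains(self, px, py):
        return self.x <= px < self.x + self.w and self.y <= py < self.y + self.h


@dataclass(frozen=True)
class HidEvent:
    kind: str  # "move" or "click"
    x: int
    y: int


# Constructed stand-in for a GUI reconstructed from guest memory.
RECONSTRUCTED_GUI = [
    Button("OK", 300, 400, 80, 30),
    Button("Cancel", 400, 400, 80, 30),
]


def rtt_check(events, min_distinct_positions=5):
    """Model of a typical RTT: at least one click and cursor movement
    through several distinct positions. No movement at all, or a single
    teleport followed by a click, both fail."""
    positions = {(e.x, e.y) for e in events if e.kind == "move"}
    clicked = any(e.kind == "click" for e in events)
    return clicked and len(positions) >= min_distinct_positions


class HumanInteractionSimulator:
    """Stand-in for the sandbox side: picks a button from the reconstructed
    GUI and produces the HID events a virtualized mouse would receive."""

    def __init__(self, gui, start=(0, 0), seed=0):
        self.gui = gui
        self.pos = start
        self.rng = random.Random(seed)  # seeded so the run is reproducible

    def pick_target(self, preferred=("OK", "Yes", "Run", "Enable")):
        # Prefer labels that advance a dialog; fall back to the first button.
        for label in preferred:
            for b in self.gui:
                if b.label == label:
                    return b
        return self.gui[0]

    def path_to(self, target, steps=20):
        """Linear interpolation with small jitter on intermediate points;
        the final point is exact so the click lands inside the button."""
        x0, y0 = self.pos
        x1, y1 = target.center()
        pts = []
        for i in range(1, steps + 1):
            t = i / steps
            jx = self.rng.randint(-2, 2) if i < steps else 0
            jy = self.rng.randint(-2, 2) if i < steps else 0
            pts.append((round(x0 + (x1 - x0) * t) + jx,
                        round(y0 + (y1 - y0) * t) + jy))
        return pts

    def interact(self):
        """Move to the chosen button step by step, then click it."""
        target = self.pick_target()
        events = []
        for (x, y) in self.path_to(target):
            events.append(HidEvent("move", x, y))
            self.pos = (x, y)
        events.append(HidEvent("click", *self.pos))
        assert target.contains(*self.pos)  # sanity: click is inside the button
        return target, events


def run_demo():
    """Returns (clicked label, simulator passes RTT, empty event list passes RTT)."""
    sim = HumanInteractionSimulator(RECONSTRUCTED_GUI)
    target, events = sim.interact()
    return target.label, rtt_check(events), rtt_check([])


if __name__ == "__main__":
    print(run_demo())
```

The interesting comparison is between `interact()` and a naive sandbox that warps the cursor onto the button and clicks once: the latter produces one distinct position and fails `rtt_check`, which is the behaviour the abstract's stealthy event injection is designed to avoid.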



Corresponding author: Jan Gruber, M. Sc.


Cite this article

Gruber, J., Freiling, F. Fighting Evasive Malware. Datenschutz Datensich 46, 284–290 (2022). https://doi.org/10.1007/s11623-022-1604-9


  • DOI: https://doi.org/10.1007/s11623-022-1604-9
