ABSTRACT
Malware remains one of the most important security problems on the Internet today. Whenever an anti-malware solution becomes popular, malware authors typically react promptly and modify their programs to evade its defense mechanisms. Recently, for example, malware authors have increasingly created malicious code that can evade dynamic analysis.
One recent form of evasion against dynamic analysis systems is stalling code. Stalling code is typically executed before any malicious behavior. The attacker's aim is to delay the execution of the malicious activity long enough so that an automated dynamic analysis system fails to extract the interesting malicious behavior. This paper presents the first approach to detect and mitigate malicious stalling code, and to ensure forward progress within the amount of time allocated for the analysis of a sample. Experimental results show that our system, called HASTEN, works well in practice, and that it is able to detect additional malicious behavior in real-world malware samples.
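As an added illustration (not code from the paper; how HASTEN itself detects and mitigates stalling code is not described on this page), a toy progress monitor over a constructed instruction trace: a region that executes many instructions without a single system call is flagged as candidate stalling code, and fast-forwarding past it lets the analysis observe the payload's behaviour inside the same instruction budget. The trace layout, window size, budget and the side-effect-free skip are all assumptions.

```python
from collections import namedtuple

# One executed instruction of a constructed trace: its pc and whether it is a
# system call (assumption: a real analysis sandbox records this itself).
Event = namedtuple("Event", "pc is_syscall")

def build_trace():
    """Constructed sample: a setup phase, a long syscall-free loop, a payload."""
    trace = []
    for i in range(20):                      # setup: 5 instructions per syscall
        trace += [Event(0x1000 + i, False)] * 5 + [Event(0x2000, True)]
    for _ in range(5000):                    # stalling loop over 4 pcs, no syscalls
        trace += [Event(0x3000 + j, False) for j in range(4)]
    for i in range(10):                      # payload: syscalls resume
        trace += [Event(0x4000 + i, False)] * 3 + [Event(0x5000, True)]
    return trace

def find_stalling_regions(trace, window=500):
    """Detection: merge consecutive windows in which no syscall occurs into
    regions of (first_index, end_index_exclusive, pcs_executed)."""
    regions = []
    for start in range(0, len(trace), window):
        chunk = trace[start:start + window]
        if any(e.is_syscall for e in chunk):
            continue                         # progress observed, not stalling
        pcs = {e.pc for e in chunk}
        if regions and regions[-1][1] == start:
            first, _, seen = regions[-1]
            regions[-1] = (first, start + len(chunk), seen | pcs)
        else:
            regions.append((start, start + len(chunk), pcs))
    return regions

def observed_syscalls(trace, budget):
    """Syscalls the analysis sees before its instruction budget runs out."""
    return sum(e.is_syscall for e in trace[:budget])

def skip_stalling(trace, regions):
    """Mitigation: keep one pass over each stalling region's code and drop the
    rest, so execution reaches what follows within the budget (assumption:
    the skipped iterations have no side effects the payload depends on)."""
    out, pos = [], 0
    for first, end, pcs in regions:
        out += trace[pos:first]
        out += [Event(pc, False) for pc in sorted(pcs)]
        pos = end
    return out + trace[pos:]
```

With a budget of 5000 instructions the unmitigated trace yields only the 20 setup syscalls; after skipping the flagged region the 10 payload syscalls are observed as well.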
The power of procrastination: detection and mitigation of execution-stalling malicious code