Evasive Malware via Identifier Implanting

  title={Evasive Malware via Identifier Implanting},
  author={Rui Tanabe and Wataru Ueno and Kou Ishii and Katsunari Yoshioka and Tsutomu Matsumoto and Takahiro Kasama and Daisuke Inoue and Christian Rossow},
To cope with the increasing number of malware attacks that organizations face, anti-malware appliances and sandboxes have become an integral security defense. In particular, appliances have become the de facto standard in the fight against targeted attacks. Yet recent incidents have demonstrated that malware can effectively detect and thus evade sandboxes, resulting in an ongoing arms race between sandbox developers and malware authors. 
Automated Malware Identifier and Analyzer
There are anti-malware softwares and firewalls available for help, but sometimes they are not enough, that is where malware analysis comes into the picture.
Evasive Windows Malware: Impact on Antiviruses and Possible Countermeasures
This paper aims at determining the possibilities for malware to detect the antiviruses and then evaluating the efficiency of these techniques on a panel of antiviral techniques that are the most used nowadays and proposing to evaluate a countermeasure that creates false artifacts, thus forcing malware to evade.
Malware's Double Anti Analysis (DAA) Analysis Methodology
A new methodology DAA is designed to analyze malwares even when they use this predisposition to evade detection and analysis techniques, and a new open source software tool has been designed and developed.
Tight Arms Race: Overview of Current Malware Threats and Trends in Their Detection
A detailed meta-review of the existing surveys related to malware and its detection techniques, showing an arms race between these two sides of a barricade and the evolution of modern threats in the communication networks.
MIMOSA: Reducing Malware Analysis Overhead with Coverings
MIMOSA is proposed, a system which identifies a small set of ”covering” tool configurations that collectively defeat most malware samples with increased efficiency, enabling scalable automation for analyzing stealthy malware.
POW-HOW: An enduring timing side-channel to evadeonline malware sandboxes
The POW-HOW framework is designed and implemented, a tool to automatically implement sandbox detection strategies and embed a test evasion program into an arbitrary malware sample, and it is shown how bare-metal environments cannot scale with actual malware submissions rates for consumer services.


SandPrint: Fingerprinting Malware Sandboxes to Provide Intelligence for Sandbox Evasion
The strong need to automate program analysis also bears the risk that anyone that can submit programs to learn and leak the characteristics of a particular sandbox.
Impeding Automated Malware Analysis with Environment-sensitive Malware
Two obfuscation techniques are developed that make the successful execution of a malware sample dependent on the unique properties of the original host it infects and reinforces the potential for malware authors to leverage this type of analysis resistance.
Towards an understanding of anti-virtualization and anti-debugging behavior in modern malware
This work has undertaken a robust analysis of current malware and developed a detailed taxonomy of malware defender fingerprinting methods, which is used to characterize the prevalence of these avoidance methods, to generate a novel fingerprinting method that can assist malware propagation, and to create an effective new technique to protect production systems.
Mirage: Toward a Stealthier and Modular Malware Analysis Sandbox for Android
The presence of differences between real devices and Android emulators started an arms race between security researchers and malware authors, where the former want to hide these differences and the latter try to seek them out.
Spotless Sandboxes: Evading Malware Analysis Systems Using Wear-and-Tear Artifacts
A novel class of sandbox evasion techniques that exploit the "wear and tear" that inevitably occurs on real systems as a result of normal use are presented and statistical models that capture a system's age and degree of use are developed that can be used to aid sandbox operators in creating system images that exhibit a realistic wear-and-tear state.
Detecting Environment-Sensitive Malware
Novel techniques for detecting malware samples that exhibit semantically different behavior across different analysis sandboxes are proposed, compatible with any monitoring technology that can be used for dynamic analysis, and completely agnostic to the way that malware achieves evasion.
Evading android runtime analysis via sandbox detection
The large amounts of malware, and its diversity, have made it necessary for the security community to use automated dynamic analysis systems. These systems often rely on virtualization or emulation,
Ether: malware analysis via hardware virtualization extensions
Ether, a transparent and external approach to malware analysis, is proposed, which is motivated by the intuition that for a malware analyzer to be transparent, it must not induce any side-effects that are unconditionally detectable by malware.
Efficient Detection of Split Personalities in Malware
This paper presents a technique that efficiently detects when a malware program behaves differently in an emulated analysis environment and on an uninstrumented reference host, and demonstrates that one can efficiently detect malware samples that use a variety of techniques to identify emulatedAnalysis environments.
Malware Virtualization-Resistant Behavior Detection
This paper collects behavioral information from malware and uses an enhanced behavior distance algorithm to calculate the difference between real and virtual environments to distinguish if the malware has Anti-VM capability.