Corpus ID: 15898868

Impeding Automated Malware Analysis with Environment-sensitive Malware

@inproceedings{Song2012ImpedingAM,
  title={Impeding Automated Malware Analysis with Environment-sensitive Malware},
  author={Chengyu Song and Paul Royal and Wenke Lee},
  booktitle={HotSec},
  year={2012}
}
To solve the scalability problem introduced by the exponential growth of malware, numerous automated malware analysis techniques have been developed. Unfortunately, all of these approaches make previously unaddressed assumptions that manifest as weaknesses to the tenability of the automated malware analysis process. To highlight this concern, we developed two obfuscation techniques that make the successful execution of a malware sample dependent on the unique properties of the original host it… 
An Improved Method to Unveil Malware's Hidden Behavior
TLDR
This paper proposes a new hybrid dynamic analysis scheme by applying function summary based symbolic execution of malware by providing Windows APIs’ summary stub and using unicorn CPU emulator, which can effectively extract malware’s hidden behavior.
Vendor Malware: Detection Limits and Mitigation
TLDR
This work focuses on the ability of buyers and other legitimate stakeholders to detect malware inserted in computing devices by vendors and other insiders with access to the devices before they reach the buyers.
Evasive Malware via Identifier Implanting
TLDR
This research examines how anti-malware appliances and sandboxes have become the de facto standard in the fight against targeted attacks and their role in an ongoing arms race between sandbox developers and malware authors.
Assembling behavioural characteristics of malicious software
TLDR
The approach to assembling characteristics of malware, which may be useful to other researchers who face limitations of hardware and software resources during their work, is presented.
GoldenEye: Efficiently and Effectively Unveiling Malware's Targeted Environment
TLDR
This paper proposes a new dynamic analysis scheme that speculatively executes a malware sample and adaptively switches to the right environment during the analysis, and shows that it can use less memory space and achieve much higher speed than existing schemes.
Analysis of Evasion Techniques in Web-based Malware
TLDR
This dissertation focuses on the defenses against web-based malware protected by advanced evasion techniques from both defensive and offensive perspectives, and proposes a combination of obfuscation and anti-analysis techniques, targeting these limitations, which can hide existing web-based malware from state-of-the-art detectors.
Handling Anti-Virtual Machine Techniques in Malicious Software
TLDR
A detect-and-hide approach, which systematically addresses anti-VM techniques in malware by proposing cardinal pill testing – a modification of red pill testing that aims to enumerate the differences between a given VM and a physical machine, through carefully designed tests.
Handling Anti-Virtual Machine Techniques in Malicious Software
TLDR
This article proposes cardinal pill testing—a modification of red pill testing that aims to enumerate the differences between a given VM and a physical machine through carefully designed tests and proposes VM Cloak—a WinDbg plug-in which hides the presence of VMs from malware.
A Framework for Understanding Dynamic Anti-Analysis Defenses
TLDR
This paper proposes an information-flow-based framework that encompasses a wide variety of anti-analysis defenses and can provide insights into the underlying structure of various anti-analysis defenses, and thereby help devise techniques for neutralizing them.
CAMP: Content-Agnostic Malware Protection
TLDR
CAMP is a content-agnostic malware protection system based on binary reputation that is built into the browser and determines the reputation of most downloads locally, relying on server-side reputation data only when a local decision cannot be made.

References

Impeding Malware Analysis Using Conditional Code Obfuscation
TLDR
This work has implemented a compiler-level tool that takes a malware source program and automatically generates an obfuscated binary and provides insight into the strengths, weaknesses, and possible ways to strengthen current analysis approaches in order to defeat this malware obfuscation technique.
PolyUnpack: Automating the Hidden-Code Extraction of Unpack-Executing Malware
TLDR
The results from the experiments show the approach can be used to significantly reduce the time required to analyze such malware, and to improve the performance of malware detection tools.
Effective and Efficient Malware Detection at the End Host
TLDR
A novel malware detection approach is proposed that is both effective and efficient, and thus, can be used to replace or complement traditional antivirus software at the end host.
Ether: malware analysis via hardware virtualization extensions
TLDR
Ether, a transparent and external approach to malware analysis, is proposed, which is motivated by the intuition that for a malware analyzer to be transparent, it must not induce any side-effects that are unconditionally detectable by malware.
Deobfuscation of virtualization-obfuscated software: a semantics-based approach
TLDR
This paper proposes a different approach to the problem that focuses on identifying instructions that affect the observable behavior of the obfuscated code, and aims to complement existing techniques by broadening the domain of obfuscated programs eligible for automated analysis.
A fistful of red-pills: how to automatically generate procedures to detect CPU emulators
TLDR
An automatic and systematic technique to generate red-pills, specific for detecting if a program is executed through a CPU emulator, for two publicly available emulators, which are widely used for analyzing malware.
Cobra: fine-grained malware analysis using stealth localized-executions
TLDR
A powerful dynamic fine-grained malicious code analysis framework, codenamed Cobra, to combat malware that is becoming increasingly hard to analyze, and to provide a stealthy, efficient, portable and easy-to-use framework supporting multithreading, self-modifying/self-checking code and any form of code obfuscation in both user and kernel mode on commodity operating systems.
Automatic Reverse Engineering of Malware Emulators
TLDR
The first work in automatic reverse engineering of malware emulators is presented, which accurately reveals the syntax and semantics of emulated instruction sets and reconstructs execution paths of original programs from their bytecode representations.
Panorama: capturing system-wide information flow for malware detection and analysis
TLDR
This work proposes a system, Panorama, to detect and analyze malware by capturing malicious information access and processing behavior, which separates these malicious applications from benign software.
HookFinder: Identifying and Understanding Malware Hooking Behaviors
TLDR
This paper proposes a unified approach, fine-grained impact analysis, to identify malware hooking behaviors, and devise a method using semantics-aware impact dependency analysis to provide a succinct and intuitive graph representation to illustrate hooking mechanisms.