Lessons Learned from an Investigation into the Analysis Avoidance Techniques of Malicious Software

  • Murray Brand, Craig Valli, Andrew Woodward
This paper outlines a number of key lessons learned from an investigation into the techniques malicious executable software can employ to hinder digital forensic examination. Malware signature detection has been recognised by researchers to be far less than ideal. Thus, the forensic analyst may be required to manually analyse suspicious files. However, in order to hinder the forensic analyst, hide its true intent and to avoid detection, modern malware can be wrapped with packers or protectors… 
Mal-EVE: Static detection model for evasive malware
  • Charles Lim, Nicsen
  • Computer Science
    2015 10th International Conference on Communications and Networking in China (ChinaCom)
  • 2015
This research focuses on designing an effective, automated, and accurate model to detect evasive malware, and covers the evasion techniques most frequently used by malware: packing, anti-debugging, and anti-virtualization.
A Threat to Cyber Resilience : A Malware Rebirthing Botnet
This paper presents a threat to cyber resilience in the form of a conceptual model of a malware rebirthing botnet, which can be used to collect existing malware and rebirth it with new functionality and signatures that will avoid detection by AV software and hinder analysis.
Runtime Malware Detection using hardware features
The precision and efficiency are enhanced by reducing the false prediction rates of the basic methods through ensemble techniques, and the target of more than 98% accuracy is reached, up from the previous 85%.
Preliminary research is presented to forensically recover and analyse artefacts from the process of using crimeware toolkits from the file system and memory of systems that have been potentially engaged in such banking trojan authoring activities.
Malware Detection and Removal: An examination of personal anti-virus software
Examination of the quality of malware removal programs currently available on the market suggests that current anti-virus products, whilst able to detect most recently released malware, still fall short of eliminating the malware and returning the system to its original state.
Malware: Fighting Malicious Code
Real-world examples of malware attacks help you translate thought into action, and a special defender's toolbox chapter shows how to build your own inexpensive code analysis lab to investigate new malware specimens on your own.
Statistical signatures for fast filtering of instruction-substituting metamorphic malware
A method is presented for rapidly deciding whether or not an input program is likely to be a variant of a given metamorphic program, which may be useful for practical malware detection by serving as an inexpensive filter to avoid more in-depth analyses where they are unnecessary.
Windows memory forensics
  • Nicolas Ruff
  • Computer Science
    Journal in Computer Virology
  • 2007
This paper gives an overview of all known “live” memory collection techniques on a Windows system, and freely available memory analysis tools. Limitations and known anti-collection techniques will
Defining Digital Forensic Examination and Analysis Tool Using Abstraction Layers
The nature of tools in digital forensics is examined, and the definitions, properties, and error types of abstraction layers as used in digital forensic analysis tools are discussed.
Introducing Stealth Malware Taxonomy
A simple taxonomy that could be used to classify stealth malware according to how it interacts with the operating system is proposed, together with an extension of it to a new class of malware, type III malware.
A solution for the automated detection of clickjacking attacks
A novel solution for the automated and efficient detection of clickjacking attacks is proposed and the system that is designed, implemented and deployed to analyze over a million unique web pages is described, showing that the approach is feasible in practice.
Secure Deletion and the Effectiveness of Evidence Elimination Software
  • Simon Innes
  • Computer Science
    Australian Computer, Network & Information Forensics Conference
  • 2005
This paper will discuss and analyse the different methods of wiping media to make them forensically clean and the effectiveness of software that is designed to eliminate evidence from a computer.
The forensic chain-of-evidence model: Improving the process of evidence collection in incident handling procedures
This paper suggests that administrators form a new way of conceptualizing evidence collection across an intranet based on a model consisting of linked audit logs. This methodology enables the