
Impersonating a sandbox against evasive malware

Lindorin, Axel, January 2022
The steadily increasing amount of malware puts an even larger amount of work on analyzing all the gathered samples. The current methods of analyzing malware come with their downsides, such as inefficiency, as a manual analysis requires a human, or dynamic analysis that could be considered unreliable. The usage of dynamic malware analysis, where the malware is executed in a sandbox environment, is proven to be an efficient method of analyzing malware. As the techniques used to protect the system evolve, so do the attacking techniques. Some of the malware uses advanced evasion techniques to avoid detection from these sandbox analyzing environments, which causes the malware to be cleared and later executed in a real, target environment. These evasion techniques can find certain artifacts in the system which are inherent to a sandbox environment. Previous studies mention the lack of transparency between the virtual and physical host to be one of the bigger giveaways for the malware when looking for artifacts. There is also a grey area regarding how the malware acts and behaves when trying to assess and figure out if it is in a sandbox or not. This paper focused on creating a sandboxing analyzing environment within a physical machine, using all the dead giveaways by keeping the system as minimal as possible with only analyzing tools and software, in other words creating a fake sandbox environment. 12 samples of malware were analyzed in the two environments, and the results show that the malware interacts more within the physical system and uses different APIs, system calls, and DLLs compared to the virtual system. The malware samples, after their running process, resulted in similar activities on both systems, which indicated that mimicking a sandbox could be effective to deter evasive malware.

Malware Analysis Skills Taught in University Courses

Gorugantu, Swetha, 07 June 2018
No description available.

Analysis of Rank Distance for Malware Classification

Subramanian, Nandita, January 2016
No description available.

Malware Propagation Modelling in Peer-to-Peer Networks: A Review

Musa, Ahmad S., Al-Mohannadi, Hamad, Alhamar, J., 11 October 2018
The Peer-to-Peer (P2P) network has increasingly become the most important means of trading content over the last years due to the constant evolution of the cyber world. This popularity made the P2P network susceptible to the spread of malware. The detection of the cause of malware propagation is now critical to the survival of P2P networks. This paper offers a review of the current relevant mathematical propagation models that have been proposed to date to predict the propagation behavior of malware in a P2P network. We analyzed the models proposed by researchers and experts in the field by evaluating their limitations and a possible alternative for improving the analysis of the expected behavior of a malware spread.

Machine Learning for Malware Detection in Network Traffic

Omopintemi, A.H., Ghafir, Ibrahim, Eltanani, S., Kabir, Sohag, Lefoane, Moemedi, 19 December 2023
Developing advanced and efficient malware detection systems is becoming significant in light of the growing threat landscape in cybersecurity. This work aims to tackle the enduring problem of identifying malware and protecting digital assets from cyber-attacks. Conventional methods frequently prove ineffective in adjusting to the ever-evolving field of harmful activity. As such, novel approaches that improve precision while simultaneously taking into account the ever-changing landscape of modern cybersecurity problems are needed. To address this problem, this research focuses on the detection of malware in network traffic. This work proposes a machine-learning-based approach for malware detection, with particular attention to the Random Forest (RF), Support Vector Machine (SVM), and Adaboost algorithms. In this paper, the model's performance was evaluated using an assessment matrix. This included the Accuracy (AC) for overall performance, Precision (PC) for positive predicted values, Recall Score (RS) for genuine positives, and the F1 Score (SC) for a balanced viewpoint. A performance comparison has been performed, and the results reveal that the built model utilizing Adaboost has the best performance. The TPR for the three classifiers is over 97% and the FPR is < 4% for each of the classifiers. The created model in this paper has the potential to help organizations or experts anticipate and handle malware. The proposed model can be used to make forecasts and provide management solutions in the network's everyday operational activities.

Emulátor byte kódu jazyka Java vhodný pro detekci a analýzu malware / Java Byte Code Emulator Suitable for Malware Detection and Analysis

Kubernát, Tomáš, January 2013
The goal of this thesis is to create a virtual machine that emulates running programs written in the Java programming language, which would be suitable for malware analysis and detection. The emulator is able to detect the arguments of exploitable methods from Java standard classes, the order of calling these exploitable methods, and also the execution of the test application. Overall functionality was tested on appropriate examples, on which it performed its own measurements. At the end of the paper we describe the testing of the emulator, which also contains tables and graphs for better visualization of the results.

On the (in)security of behavioral-based dynamic anti-malware techniques

Ersan, Erkan, 21 April 2017
The Internet has become the primary vector for the delivery of malicious code in cyber attacks, and malware has rapidly become a pervasive critical threat. Anti-malware products offer effective protection from malware threats for servers and endpoint devices using a variety of techniques. Advanced enterprise-level anti-malware products rely on state-of-the-art behavioral-based detection algorithms, in addition to traditional signature-based mechanisms. These dynamic detection techniques have been around for more than a decade, and in response hackers have developed methods to evade them. However, currently known bypass methods require intensive manual labor. Moreover, this manual work has to be repeated whenever a parameter of the environment (such as the payload, operating system, antivirus version, etc.) changes, making these methods impractical. This may lead to the belief that dynamic techniques provide a good deterrence, and hence good protection. In this thesis we evaluate dynamic techniques. Specifically, we build tools to implement generic unhooking and funneling, and using these tools we show how dynamic techniques can be bypassed with considerably less effort than by fully manual methods. We also extend the repertoire of existing bypass methods and introduce a new malicious function call technique which exploits detection techniques that monitor a limited collection of critical system functions, as well as a method for bypassing guard-page protections. We demonstrate the effectiveness of all our techniques by conducting attacks against two enterprise antivirus products. Our results lead us to conclude that dynamic techniques do not provide sufficient protection.

Reverse Engineering of a Malware : Eyeing the Future of Computer Security

Burji, Supreeth Jagadish, 05 October 2009
No description available.

Improving detection and annotation of malware downloads and infections through deep packet inspection

Nelms, Terry Lee, 27 May 2016
Malware continues to be one of the primary tools employed by attackers. It is used in attacks ranging from click fraud to nation state espionage. Malware infects hosts over the network through drive-by downloads and social engineering. These infected hosts communicate with remote command and control (C&C) servers to perform tasks and exfiltrate data. Malware's reliance on the network provides an opportunity for the detection and annotation of malicious communication. This thesis presents four main contributions. First, we design and implement a novel incident investigation system, named WebWitness. It automatically traces back and labels the sequence of events (e.g., visited web pages) preceding malware downloads to highlight how users reach attack pages on the web, providing a better understanding of current attack trends and aiding in the development of more effective defenses. Second, we conduct the first systematic study of modern web-based social engineering malware download attacks. From this study we develop a categorization system for classifying social engineering downloads and use it to measure attack properties. From these measurements we show that it is possible to detect the majority of social engineering downloads using features from the download path. Third, we design and implement ExecScent, a novel system for mining new malware C&C domains from live networks. ExecScent automatically learns C&C traffic models that can adapt to the deployment network's traffic. This adaptive approach allows us to greatly reduce the false positives while maintaining a high number of true positives. Lastly, we develop a new packet scheduling algorithm for deep packet inspection that maximizes throughput by optimizing for cache affinity. By scheduling for cache affinity, we are able to deploy our systems on multi-gigabit networks.

Deobfuscation of Packed and Virtualization-Obfuscation Protected Binaries

Coogan, Kevin Patrick, January 2011
Code obfuscation techniques are increasingly being used in software for such reasons as protecting trade secret algorithms from competitors and deterring license tampering by those wishing to use the software for free. However, these techniques have also grown in popularity in less legitimate areas, such as protecting malware from detection and reverse engineering. This work examines two such techniques, packing and virtualization-obfuscation, and presents new behavioral approaches to analysis that may be relevant to security analysts whose job it is to defend against malicious code. These approaches are robust against variations in obfuscation algorithms, such as changing encryption keys or virtual instruction byte code.

Packing refers to the process of encrypting or compressing an executable file. This process "scrambles" the bytes of the executable so that byte-signature matching algorithms commonly used by anti-virus programs are ineffective. Standard static analysis techniques are similarly ineffective since the actual byte code of the program is hidden until after the program is executed. Dynamic analysis approaches exist, but are vulnerable to dynamic defenses. We detail a static analysis technique that starts by identifying the code used to "unpack" the executable, then uses this unpacker to generate the unpacked code in a form suitable for static analysis. Results show we are able to correctly unpack several encrypted and compressed malware, while still handling several dynamic defenses.

Virtualization-obfuscation is a technique that translates the original program into virtual instructions, then builds a customized virtual machine for these instructions. As with packing, the byte-signature of the original program is destroyed. Furthermore, static analysis of the obfuscated program reveals only the structure of the virtual machine, and dynamic analysis produces a dynamic trace where original program instructions are intermixed with, and often indistinguishable from, virtual machine instructions. We present a dynamic analysis approach whereby all instructions that affect the external behavior of the program are identified, thus building an approximation of the original program that is observationally equivalent. We achieve good results at both identifying instructions from the original program, as well as eliminating instructions known to be part of the virtual machine.
