Abstract
Malware is often designed to make analysis difficult – behaving differently if it detects that it is in an analysis environment. We propose that such anti-analysis malware can be detected by their anti-analysis behavior in terms of certain signals. Signals form semantic features of potential anti-analysis techniques and are characterized as: weak, strong, or composite. We prototype a system to show the viability of detection. Experiments on malware and also non-malware show that both malware and non-malware can exhibit signals, however, anti-analysis malware tends to have more and stronger signals. We present the malware with an environment which behaves either like an analysis environment or not – we find anti-analysis malware behave differently in both cases. Normal programs, however, do not exhibit such behavior even when they have some weak signals. Signal detection is shown to have potential of distinguishing anti-analysis malware from non-malware.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
A system call is also a Windows API but not all APIs lead to system calls.
- 2.
The API implementation reads the flag, so is not a system call.
References
https://www.fireeye.com/blog/threat-research/2011/01/the-dead-giveaways-of-vm-aware-malware.html
http://www.symantec.com/connect/blogs/does-malware-still-detect-virtual-machines
Balzarotti, D., Cova, M., Karlberger, C., Kruegel, C., Kirda, E., Vigna, G.: Efficient detection of split personalities in malware. In: NDSS (2010)
Chen, X., Andersen, J., Mao, Z.M., Bailey, M., Nazario, J.: Towards an understanding of anti-virtualization and anti-debugging behavior in modern malware. In: DSN (2008)
Deng, Z., Zhang, X., Xu, D.: SPIDER: stealthy binary program instrumentation and debugging via hardware virtualization. In: ACSAC (2013)
Johnson, N.M., Caballero, J., Chen, K.Z., McCamant, S., Poosankam, P., Reynaud, D., Song, D.: Differential slicing: identifying causal execution differences for security applications. In: S&P (2011)
Kang, M.G., Yin, H., Hanna, S., McCamant, S., Song, D.: Emulating emulation resistant malware. In: VMSec (2009)
Kirat, D., Vigna, G., Kruegel, C.: BareCloud: Bare-metal analysis-based evasive malware detection. In: USENIX Security (2014)
Luk, C.K., Cohn, R., Muth, R., Patil, H., Klauser, A., Lowney, G., Wallace, S., Reddi, V.J., Hazelwood, K.: Pin: building customized program analysis tools with dynamic instrumentation. In: PLDI (2005)
Lindorfer, M., Kolbitsch, C., Milani Comparetti, P.: Detecting environment-sensitive malware. In: Sommer, R., Balzarotti, D., Maier, G. (eds.) RAID 2011. LNCS, vol. 6961, pp. 338–357. Springer, Heidelberg (2011). doi:10.1007/978-3-642-23644-0_18
Petsas, T., Voyatzis, G., Athanasopoulos, E., Polychronakis, M., Ioannidis, S.: Rage against the virtual machine: hindering dynamic analysis of android malware. In: EUROSEC (2014)
Vishnani, K., Pais, A.R., Mohandas, R.: Detecting and defeating split personality malware. In: Secureware (2011)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2016 Springer International Publishing AG
About this paper
Cite this paper
Tan, J.W.J., Yap, R.H.C. (2016). Detecting Malware Through Anti-analysis Signals - A Preliminary Study. In: Foresti, S., Persiano, G. (eds) Cryptology and Network Security. CANS 2016. Lecture Notes in Computer Science(), vol 10052. Springer, Cham. https://doi.org/10.1007/978-3-319-48965-0_33
Download citation
DOI: https://doi.org/10.1007/978-3-319-48965-0_33
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-48964-3
Online ISBN: 978-3-319-48965-0
eBook Packages: Computer ScienceComputer Science (R0)