
Measuring and Defeating Anti-Instrumentation-Equipped Malware

  • Conference paper
  • Published in: Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA 2017)

Abstract

Malware authors constantly develop new techniques to evade analysis systems. Previous work addressed evasion based on anti-sandboxing and anti-virtualization techniques, for example by proposing to run samples on bare metal. However, state-of-the-art bare-metal tools fail to provide rich and complete analysis results. In this context, Dynamic Binary Instrumentation (DBI) tools have become popular for analyzing new malware samples because of the deep control they grant over the instrumented binary. As a consequence, malware authors developed new techniques, called anti-instrumentation, aimed at detecting whether a sample is being instrumented. We propose a practical approach to make DBI frameworks stealthier and more resilient against anti-instrumentation attacks. We studied the common techniques used by malware to detect the presence of a DBI tool, and we propose a set of countermeasures to address them. We implemented our approach in Arancino, on top of the Intel Pin framework. Armed with it, we perform the first large-scale measurement of the anti-instrumentation techniques employed by modern malware. Finally, we leveraged our tool to implement a generic unpacker, showing some case studies of the anti-instrumentation techniques used by known packers.
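As an added illustration (not code from the paper or from the Arancino project) of how a DBI-based generic unpacker can spot unpacked code, the following C++ simulation applies the write-then-execute heuristic to a constructed instruction trace. The heuristic itself is an assumption, since the abstract does not describe Arancino's algorithm, and the trace events stand in for the memory-write and instruction-fetch callbacks a Pintool would receive.

```cpp
// Added example, not code from the paper or from Arancino: a stand-alone
// simulation of the write-then-execute heuristic used by many DBI-based
// generic unpackers (assumed here; the abstract does not state Arancino's).
#include <cstdint>
#include <set>
#include <vector>

enum EventKind { EV_WRITE, EV_EXEC };
struct TraceEvent { EventKind kind; uint64_t addr; uint32_t size; };

// Under Pin these events would arrive from instrumentation callbacks on memory
// writes and instruction fetches; here they come from a constructed trace.
class UnpackTracker {
public:
    // Record a memory write of `size` bytes starting at `addr`.
    void onWrite(uint64_t addr, uint32_t size) {
        for (uint32_t i = 0; i < size; ++i) written_.insert(addr + i);
    }
    // Returns true when execution reaches a byte the program wrote itself:
    // the write-then-execute signal, i.e. a candidate unpacked-code entry (OEP).
    bool onExec(uint64_t addr) {
        if (written_.count(addr) == 0) return false;
        if (firstOep_ == 0) firstOep_ = addr;
        return true;
    }
    uint64_t firstOep() const { return firstOep_; }
private:
    std::set<uint64_t> written_;
    uint64_t firstOep_ = 0;
};

// Replays a trace and returns the first candidate OEP, or 0 if none was seen.
uint64_t findCandidateOep(const std::vector<TraceEvent>& trace) {
    UnpackTracker t;
    for (const TraceEvent& e : trace) {
        if (e.kind == EV_WRITE) t.onWrite(e.addr, e.size);
        else t.onExec(e.addr);
    }
    return t.firstOep();
}

// Constructed sample: a stub runs in .text, decrypts 16 bytes into
// 0x401000..0x40100f, then transfers control there.
std::vector<TraceEvent> sampleTrace() {
    return {{EV_EXEC, 0x400010, 0}, {EV_EXEC, 0x400015, 0},
            {EV_WRITE, 0x401000, 8}, {EV_WRITE, 0x401008, 8},
            {EV_EXEC, 0x40001a, 0}, {EV_EXEC, 0x401000, 0}, {EV_EXEC, 0x401004, 0}};
}
```

A real Pintool would additionally dump the written region once the candidate OEP is hit, and would have to cope with packers that re-pack or write code in several layers, which this simulation does not model.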



Notes

  1. https://github.com/necst/arancino


Acknowledgements

We would like to thank our reviewers and our shepherd Alexandros Kapravelos for their valuable comments and input to improve our paper. We would also like to thank Alessandro Frossi for his insightful feedback and VirusTotal for providing us access to malware samples. This work was supported in part by the MIUR FACE Project No. RBFR13AJFT. This project has also received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No 700326.

Author information

Corresponding authors: Mario Polino, Andrea Continella or Stefano Zanero.


Copyright information

© 2017 Springer International Publishing AG

About this paper

Cite this paper

Polino, M. et al. (2017). Measuring and Defeating Anti-Instrumentation-Equipped Malware. In: Polychronakis, M., Meier, M. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2017. Lecture Notes in Computer Science(), vol 10327. Springer, Cham. https://doi.org/10.1007/978-3-319-60876-1_4


  • DOI: https://doi.org/10.1007/978-3-319-60876-1_4


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-60875-4

  • Online ISBN: 978-3-319-60876-1
