Malware Dynamic Analysis Evasion Techniques: A Survey

Published: 14 November 2019

Abstract

The cyber world is plagued with ever-evolving malware that readily infiltrates defense mechanisms, operates viciously unbeknownst to the user, and surreptitiously exfiltrates sensitive data. Understanding the inner workings of such malware provides leverage to combat it effectively. This understanding is often pursued through dynamic analysis, conducted either manually or automatically. Malware authors, accordingly, have devised and refined evasion techniques to thwart or evade these analyses. In this article, we present a comprehensive survey of malware dynamic analysis evasion techniques. In addition, we propose a detailed classification of these techniques and demonstrate how their efficacy holds against different types of detection and analysis approaches.

Our observations attest that evasive behavior is mostly concerned with detecting and evading sandboxes. We argue that the primary tactic of such malware is fingerprinting, followed by a newer trend, the reverse Turing test tactic, which aims to detect human interaction. Furthermore, we posit that current defensive strategies, from reactive methods to efforts toward more transparent analysis systems, are readily foiled by zero-day fingerprinting techniques or by other evasion tactics such as stalling. Accordingly, we recommend the pursuit of more generic defensive strategies, with an emphasis on path exploration techniques, which have the potential to thwart all of these evasive tactics.
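The three tactics named above (sandbox fingerprinting, stalling, and the reverse Turing test) as they might surface in a sandbox's API-call log, with a reactive detector that flags each. This is an added example, not code from the survey or its authors: the one-call-per-line trace format, the artifact keyword list, the time budget and the poll-count threshold are all assumptions, and the trace itself is constructed.

```python
"""Flag dynamic-analysis evasion tactics in a sandbox API-call trace.

Added example, not code from the survey. Assumed trace format (one call per
line, as a generic sandbox might log it): "<ms> <api>(<args>)".
Keyword list and thresholds are illustrative assumptions.
"""
import re
from collections import Counter

# Constructed sample trace (illustrative, not a real malware sample).
SAMPLE_TRACE = """\
0 GetTickCount()
1 RegOpenKeyExA(HKLM\\SOFTWARE\\Oracle\\VirtualBox Guest Additions)
2 GetModuleHandleA(sbiedll.dll)
3 Sleep(60000)
4 Sleep(60000)
5 Sleep(60000)
6 GetTickCount()
7 GetCursorPos()
8 Sleep(500)
9 GetCursorPos()
10 Sleep(500)
11 GetCursorPos()
12 GetSystemMetrics(SM_CXSCREEN)
13 CreateFileA(C:\\payload.tmp)
"""

LINE_RE = re.compile(r"^(\d+)\s+(\w+)\((.*)\)$")

# Fingerprinting: substrings in call arguments that betray a VM or sandbox
# (assumed list; real sandboxes leak many more, including unknown ones).
VM_ARTIFACTS = ("virtualbox", "vbox", "vmware", "qemu", "xen", "sbiedll", "cuckoo")
STALL_BUDGET_MS = 120_000  # assumed analysis time budget of the sandbox
INPUT_POLL_MIN = 3         # repeated input polls suggesting a wait-for-human loop
INPUT_APIS = ("GetCursorPos", "GetLastInputInfo", "GetAsyncKeyState")


def parse_trace(text):
    """Return [(timestamp_ms, api, args)] for every well-formed line."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the analysis
        ts, api, args = m.groups()
        calls.append((int(ts), api, args))
    return calls


def classify_evasion(text):
    """Map each detected tactic to the evidence that triggered it."""
    calls = parse_trace(text)
    tactics = {}

    # 1. Fingerprinting: any argument naming a known VM/sandbox artifact.
    hits = [(api, args) for _, api, args in calls
            if any(a in args.lower() for a in VM_ARTIFACTS)]
    if hits:
        tactics["fingerprinting"] = hits

    # 2. Stalling: cumulative requested Sleep exceeds the analysis budget.
    total_sleep = sum(int(args) for _, api, args in calls
                      if api == "Sleep" and args.isdigit())
    if total_sleep >= STALL_BUDGET_MS:
        tactics["stalling"] = {"requested_sleep_ms": total_sleep}

    # 3. Reverse Turing test: repeated polling of user-input state.
    counts = Counter(api for _, api, _ in calls)
    polls = sum(counts[a] for a in INPUT_APIS)
    if polls >= INPUT_POLL_MIN:
        tactics["reverse_turing_test"] = {"input_polls": polls}

    return tactics


if __name__ == "__main__":
    for tactic, evidence in classify_evasion(SAMPLE_TRACE).items():
        print(f"{tactic}: {evidence}")
```

This is exactly the kind of reactive, signature-driven defense the survey finds wanting: it catches only artifacts already on the list, a sample that probes a previously unseen artifact passes, and a sandbox that logs these calls through hooks is itself one more artifact to fingerprint.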

  146. Ilsun You and Kangbin Yim. 2010. Malware obfuscation techniques: A brief survey. In 2010 International Conference on Broadband, Wireless Computing, Communication and Applications. IEEE, 297--300.Google ScholarGoogle ScholarDigital LibraryDigital Library
  147. Fengwei Zhang, Kevin Leach, Angelos Stavrou, and Haining Wang. 2018. Towards transparent debugging. IEEE Transactions on Dependable and Secure Computing 15, 2 (2018), 321--335.Google ScholarGoogle ScholarCross RefCross Ref
  148. Fengwei Zhang, Kevin Leach, Angelos Stavrou, Haining Wang, and Kun Sun. 2015. Using hardware features for increased debugging transparency. In 2015 IEEE Symposium on Security and Privacy (SP’15). IEEE, 55--69.Google ScholarGoogle ScholarDigital LibraryDigital Library
  149. Fengwei Zhang, Kevin Leach, Kun Sun, and Angelos Stavrou. 2013. Spectre: A dependable introspection framework via system management mode. In 2013 43rd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN’13). IEEE, 1--12.Google ScholarGoogle ScholarDigital LibraryDigital Library

      • Published in

        ACM Computing Surveys, Volume 52, Issue 6
        November 2020
        806 pages
        ISSN: 0360-0300
        EISSN: 1557-7341
        DOI: 10.1145/3368196
        • Editor: Sartaj Sahni

        Copyright © 2019 ACM

        Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from permissions@acm.org.

        Publisher

        Association for Computing Machinery

        New York, NY, United States

        Publication History

        • Published: 14 November 2019
        • Accepted: 1 September 2019
        • Revised: 1 June 2019
        • Received: 1 November 2018

        Qualifiers

        • survey
        • Research
        • Refereed