Malware Dynamic Analysis Evasion Techniques: A Survey

Abstract
The cyber world is plagued with ever-evolving malware that readily infiltrates all defense mechanisms, operates viciously without the user's knowledge, and surreptitiously exfiltrates sensitive data. Understanding the inner workings of such malware provides the leverage needed to combat it effectively. This understanding is most often pursued through dynamic analysis, conducted either manually or automatically. Malware authors, accordingly, have devised and advanced evasion techniques to thwart or evade these analyses. In this article, we present a comprehensive survey of malware dynamic analysis evasion techniques. In addition, we propose a detailed classification of these techniques and further demonstrate how their efficacy holds against different types of detection and analysis approaches.
Our observations attest that evasive behavior is mostly concerned with detecting and evading sandboxes. The primary tactic of such malware, we argue, is fingerprinting, followed by a newer trend toward reverse Turing test tactics, which aim to detect human interaction. Furthermore, we posit that the current defensive strategies, ranging from reactive methods to efforts toward more transparent analysis systems, are readily foiled by zero-day fingerprinting techniques or by other evasion tactics such as stalling. Accordingly, we recommend the pursuit of more generic defensive strategies, with an emphasis on path exploration techniques, which have the potential to thwart all of these evasive tactics.