Contributions to Proceedings:
M. Lindorfer, C. Kolbitsch, P. Milani Comparetti:
"Detecting Environment-Sensitive Malware";
in: "Proceedings of the 14th International Symposium on Recent Advances in Intrusion Detection (2011)",
The execution of malware in an instrumented sandbox is a widespread approach for the analysis of malicious code, largely because it sidesteps the difficulties involved in the static analysis of obfuscated code. As malware analysis sandboxes increase in popularity, they are faced with the problem of malicious code detecting the instrumented environment to evade analysis. In the absence of an "undetectable", fully transparent analysis sandbox, defense against sandbox evasion is mostly reactive: Sandbox developers and operators tweak their systems to thwart individual evasion techniques as they become aware of them, leading to a never-ending arms race.
The goal of this work is to automate one step of this fight: Screening malware samples for evasive behavior. Thus, we propose novel techniques for detecting malware samples that exhibit semantically different behavior across different analysis sandboxes. These techniques are compatible with any monitoring technology that can be used for dynamic analysis, and are completely agnostic to the way that malware achieves evasion. We implement the proposed techniques in a tool called Disarm, and demonstrate that it can accurately detect evasive malware, leading to the discovery of previously unknown evasion techniques.
Malware, Dynamic Analysis, Sandbox Detection, Behavior Comparison
Electronic version of the publication:
Project Head Paolo Milani Comparetti:
i-Code: Real-time Malicious Code Identification
Project Head Christian Platzer:
A European Network of Excellence in Managing Threats and Vulnerabilities in the Future Internet: Europe for the World
Project Head Gilbert Wondracek:
TRUDIE - Trust Relationships in Underground IT Economies
Created from the Publication Database of the Vienna University of Technology.