Filho, Ailton Santos; Rodríguez, Ricardo J; Feitosa, Eduardo L
Evasion and Countermeasures Techniques to Detect Dynamic Binary Instrumentation Frameworks Journal Article
In: Digital Threats: Research and Practice, vol. 3, no. 2, pp. 28, 2022.
@comment{SRF-DTRAP-22: author names are written in the unambiguous Last, First form.
  The first author is stored with surname Filho, which is exactly how the original
  First-Last form was parsed; Filho is frequently a generational suffix in
  Portuguese-language names, so confirm the intended surname split against the paper.
  The pages field holds a single value, presumably an article number rather than a
  page range (ACM DTRAP style) -- verify before citing it as a page. The date field
  carries a placeholder day (01-01); biblatex prints date in preference to year.}
@article{SRF-DTRAP-22,
  author    = {Filho, Ailton Santos and Rodríguez, Ricardo J and Feitosa, Eduardo L},
  title     = {Evasion and Countermeasures Techniques to Detect Dynamic Binary Instrumentation Frameworks},
  journal   = {Digital Threats: Research and Practice},
  year      = {2022},
  date      = {2022-01-01},
  volume    = {3},
  number    = {2},
  pages     = {28},
  doi       = {10.1145/3480463},
  url       = {http://webdiis.unizar.es/~ricardo/files/papers/SRF-DTRAP-21.pdf},
  abstract  = {Dynamic Binary Instrumentation (DBI) is a dynamic analysis technique that allows arbitrary code to be executed when a program is running. DBI frameworks have started to be used to analyze malicious applications. As a result, different approaches have merged to detect and avoid them. Commonly referred to as split personality malware or evasive malware are pieces of malicious software that incorporate snippets of code to detect when they are under DBI framework analysis and thus mimic benign behavior. Recent studies have questioned the use of DBI in malware analysis, arguing that it increases the attack surface. In this paper, we examine the anti-instrumentation techniques that abuse desktop-based DBI frameworks and existing countermeasures to determine if it is possible to reduce the exploitable attack surface introduced by these DBI frameworks. In particular, we review the related literature to identify (i) the existing set of DBI framework evasion techniques and (ii) the existing set of countermeasures to avoid them. We also analyze and compare the taxonomies introduced in the literature, and propose a new taxonomy that expands and completes the previous taxonomies. Our findings demonstrate that despite advances in DBI framework protections that make them quite suitable for system security purposes, more efforts are needed to reduce the attack surface that they add during application analysis. Only 12 of the 26 evasion techniques covered in this document have countermeasures, threatening the transparency of DBI frameworks. Furthermore, the impact in terms of performance overhead and effectiveness of these countermeasures in real-world situations is unknown. Finally, there are only proofs of concept for 9 of these 26 techniques, which makes it difficult to validate and study how they evade the analysis in order to counter them. 
We also point out some relevant issues in this context and outline ways of future research directions in the use of DBI frameworks for system security purposes.},
  keywords  = {analysis evasion, Analysis-aware malware, Dynamic binary instrumentation},
  pubstate  = {published},
  tppubtype = {article}
}
Filho, Ailton Santos; Rodríguez, Ricardo J; Feitosa, Eduardo L
Reducing the Attack Surface of Dynamic Binary Instrumentation Frameworks Proceedings Article
In: Developments and Advances in Defense and Security, pp. 3–13, Springer Singapore, Singapore, 2020, ISBN: 978-981-13-9155-2.
@comment{SRF-MICRADS-19: names in Last, First form (see the note on SRF-DTRAP-22 about
  the surname Filho). volume 152 is given without a series field, unlike
  BRMG-CISIS-17 in this file which pairs volume with series; without it a style
  cannot tell a book-series volume from a proceedings volume -- add the series name
  if it can be confirmed from the publisher record. address is the publisher city,
  not the conference venue.}
@inproceedings{SRF-MICRADS-19,
  author    = {Filho, Ailton Santos and Rodríguez, Ricardo J and Feitosa, Eduardo L},
  title     = {Reducing the Attack Surface of Dynamic Binary Instrumentation Frameworks},
  booktitle = {Developments and Advances in Defense and Security},
  year      = {2020},
  date      = {2020-01-01},
  volume    = {152},
  pages     = {3--13},
  publisher = {Springer Singapore},
  address   = {Singapore},
  doi       = {10.1007/978-981-13-9155-2_1},
  isbn      = {978-981-13-9155-2},
  url       = {http://webdiis.unizar.es/~ricardo/files/papers/SRF-MICRADS-19.pdf},
  abstract  = {Malicious applications pose as one of the most relevant issues in today's technology scenario, being considered the root of many Internet security threats. In part, this owes the ability of malware developers to promptly respond to the emergence of new security solutions by developing artifacts to detect and avoid them. In this work, we present three countermeasures to mitigate recent mechanisms used by malware to detect analysis environments. Among these techniques, this work focuses on those that enable a malware to detect dynamic binary instrumentation frameworks, thus increasing their attack surface. To ensure the effectiveness of the proposed countermeasures, proofs of concept were developed and tested in a controlled environment with a set of anti-instrumentation techniques. Finally, we evaluated the performance impact of using such countermeasures.},
  keywords  = {Analysis-aware malware, Anti-analysis, Anti-instrumentation, Dynamic binary instrumentation},
  pubstate  = {published},
  tppubtype = {inproceedings}
}
Botas, Álvaro; Rodríguez, Ricardo J; Matellan, Vicente; Garcia, Juan F; Trobajo, M T; Carriegos, Miguel V
On Fingerprinting of Public Malware Analysis Services Journal Article
In: Logic Journal of the IGPL, 2019, ISSN: 1367-0751.
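@comment{BRMGTC-IGPL-19: the surnames Matellán and García were spelled without accents
  here but with accents for the same two authors in BRMG-CISIS-17; the two spellings
  sort, label and deduplicate as different people, so they are normalised to the
  accented form used by the sibling entry (confirm against the published paper if
  the journal printed them unaccented). The entry has no volume, number or pages,
  consistent with an online-first citation; complete it once the issue is assigned.
  Names are in Last, First form.}
@article{BRMGTC-IGPL-19,
  author    = {Botas, Álvaro and Rodríguez, Ricardo J and Matellán, Vicente and García, Juan F and Trobajo, M T and Carriegos, Miguel V},
  title     = {On Fingerprinting of Public Malware Analysis Services},
  journal   = {Logic Journal of the IGPL},
  year      = {2019},
  date      = {2019-01-01},
  doi       = {10.1093/jigpal/jzz050},
  issn      = {1367-0751},
  url       = {http://webdiis.unizar.es/~ricardo/files/papers/BRMGTC-IGPL-19.pdf},
  abstract  = {Automatic Public Malware Analysis Services (PMAS, e.g. VirusTotal, Jotti, or ClamAV, to name a few) provide controlled, isolated, and virtual environments to analyse malicious software (malware) samples. Unfortunately, malware is currently incorporating techniques to recognize execution onto a virtual or sandbox environment; when an analysis environment is detected, malware behaves as a benign application or even shows no activity. In this work, we present an empirical study and characterization of automatic public malware analysis services, considering 26 different services. We also show a set of features that allow to easily fingerprint these services as analysis environments; the lower the unlikeability of these features, the easier for us (and thus for malware) to fingerprint the analysis service they belong to. Finally, we propose a method for these analysis services to counter or at least mitigate our proposal.},
  keywords  = {Analysis-aware malware, characterization, Malware analysis service, sandbox, unlikeability},
  pubstate  = {published},
  tppubtype = {article}
}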
Botas, Álvaro; Rodríguez, Ricardo J; Matellán, Vicente; García, Juan F
Empirical Study to Fingerprint Public Malware Analysis Services Proceedings Article
In: Proceedings of the International Joint Conference SOCO'17-CISIS'17-ICEUTE'17, pp. 589–599, Springer International Publishing, 2017, ISBN: 978-3-319-67180-2.
@comment{BRMG-CISIS-17: names in Last, First form. This entry pairs volume 649 with
  its series, which is the form the other Springer proceedings entry in this file
  (SRF-MICRADS-19) should follow. The booktitle contains venue acronyms; standard
  styles do not recase booktitle, so they are left unbraced.}
@inproceedings{BRMG-CISIS-17,
  author    = {Botas, Álvaro and Rodríguez, Ricardo J and Matellán, Vicente and García, Juan F},
  title     = {Empirical Study to Fingerprint Public Malware Analysis Services},
  booktitle = {Proceedings of the International Joint Conference SOCO'17-CISIS'17-ICEUTE'17},
  series    = {Advances in Intelligent Systems and Computing},
  volume    = {649},
  pages     = {589--599},
  publisher = {Springer International Publishing},
  year      = {2017},
  date      = {2017-01-01},
  doi       = {10.1007/978-3-319-67180-2_57},
  isbn      = {978-3-319-67180-2},
  url       = {http://webdiis.unizar.es/~ricardo/files/papers/BRMG-CISIS-17.pdf},
  abstract  = {The evolution of malicious software (malware) analysis tools provided controlled, isolated, and virtual environments to analyze malware samples. Several services are found on the Internet that provide to users automatic system to analyze malware samples, as VirusTotal, Jotti, or ClamAV, to name a few. Unfortunately, malware is currently incorporating techniques to recognize execution onto a virtual or sandbox environment. When analysis environment is detected, malware behave as a benign application or even show no activity. In this work, we present an empirical study and characterization of automatic public malware analysis services. In particular, we consider 26 different services. We also show a set of features that allow to easily fingerprint these services as analysis environments. Finally, we propose a method to mitigate fingerprinting.},
  keywords  = {Analysis-aware malware, characterization, Malware analysis service, sandbox},
  pubstate  = {published},
  tppubtype = {inproceedings}
}
Rodríguez, Ricardo J; Rodríguez-Gastón, Iñaki; Alonso, Javier
Towards the Detection of Isolation-Aware Malware Journal Article
In: IEEE Latin America Transactions (Revista IEEE America Latina), vol. 14, no. 2, pp. 1024–1036, 2016, ISSN: 1548-0992.
@comment{RRA-LATAM-16: names in Last, First form; the hyphenated surname
  Rodríguez-Gastón is a single token and needs no extra bracing. Both year and date
  are present; the date carries a placeholder day (01-01), so biblatex output will
  show that day unless date is dropped or corrected.}
@article{RRA-LATAM-16,
  author    = {Rodríguez, Ricardo J and Rodríguez-Gastón, Iñaki and Alonso, Javier},
  title     = {Towards the Detection of Isolation-Aware Malware},
  journal   = {IEEE Latin America Transactions (Revista IEEE America Latina)},
  year      = {2016},
  date      = {2016-01-01},
  volume    = {14},
  number    = {2},
  pages     = {1024--1036},
  doi       = {10.1109/TLA.2016.7437254},
  issn      = {1548-0992},
  url       = {http://webdiis.unizar.es/~ricardo/files/papers/RRA-LATAM-16.pdf},
  abstract  = {Malware analysis tools have evolved in the last years providing tightly controlled sandbox and virtualised environments where malware is analysed minimising potential harmful consequences. Unfortunately, malware has advanced in parallel, being currently able to recognise when is running in sandbox or virtual environments and then, behaving as a non-harmful application or even not executing at all. This kind of malware is usually called analysis-aware malware. In this paper, we propose a tool to detect the evasion techniques used by analysis-aware malware within sandbox or virtualised environments. Our tool uses Dynamic Binary Instrumentation to maintain the binary functionality while executing arbitrary code. We evaluate the tool under a set of well-known analysis-aware malware showing its current effectiveness. Finally, we discuss limitations of our proposal and future directions.},
  keywords  = {Analysis-aware malware, Dynamic binary instrumentation, program binary analysis},
  pubstate  = {published},
  tppubtype = {article}
}