Botas, Álvaro; Rodríguez, Ricardo J; Matellán, Vicente; García, Juan F; Trobajo, M T; Carriegos, Miguel V
On Fingerprinting of Public Malware Analysis Services [Journal Article]
In: Logic Journal of the IGPL, 2019, ISSN: 1367-0751.
Tags: Analysis-aware malware, characterization, Malware analysis service, sandbox, unlikeability
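@comment{
  Botas et al., Logic Journal of the IGPL, 2019.
  Empirical study and characterization of 26 automatic public malware
  analysis services. Per the abstract, it reports features that let these
  services be recognised as analysis environments and proposes a method
  for the services to counter or mitigate that fingerprinting. Relevant
  when evaluating or hardening a sandbox against analysis-aware malware.

  Record notes: author names are in "Last, First" form with accents as
  LaTeX escapes, so the entry parses the same under classic BibTeX and
  Biber. Matellan/Garcia are spelled with accents to agree with the
  companion 2017 entry. The exporter's placeholder date (2019-01-01) is
  omitted so that no day or month is implied; "year" carries the date.
  Volume, issue and pages are not given on the source page.
}
@article{BRMGTC-IGPL-19,
  author    = {Botas, {\'A}lvaro and Rodr{\'\i}guez, Ricardo J. and Matell{\'a}n, Vicente and Garc{\'\i}a, Juan F. and Trobajo, M. T. and Carriegos, Miguel V.},
  title     = {On Fingerprinting of Public Malware Analysis Services},
  journal   = {Logic Journal of the {IGPL}},
  year      = {2019},
  issn      = {1367-0751},
  doi       = {10.1093/jigpal/jzz050},
  url       = {http://webdiis.unizar.es/~ricardo/files/papers/BRMGTC-IGPL-19.pdf},
  keywords  = {Analysis-aware malware, characterization, Malware analysis service, sandbox, unlikeability},
  abstract  = {Automatic Public Malware Analysis Services (PMAS, e.g. VirusTotal, Jotti, or ClamAV, to name a few) provide controlled, isolated, and virtual environments to analyse malicious software (malware) samples. Unfortunately, malware is currently incorporating techniques to recognize execution onto a virtual or sandbox environment; when an analysis environment is detected, malware behaves as a benign application or even shows no activity. In this work, we present an empirical study and characterization of automatic public malware analysis services, considering 26 different services. We also show a set of features that allow to easily fingerprint these services as analysis environments; the lower the unlikeability of these features, the easier for us (and thus for malware) to fingerprint the analysis service they belong to. Finally, we propose a method for these analysis services to counter or at least mitigate our proposal.},
  pubstate  = {published},
  tppubtype = {article},
}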
Botas, Álvaro; Rodríguez, Ricardo J; Matellán, Vicente; García, Juan F
Empirical Study to Fingerprint Public Malware Analysis Services [Proceedings Article]
In: Proceedings of the International Joint Conference SOCO'17-CISIS'17-ICEUTE'17, pp. 589–599, Springer International Publishing, 2017, ISBN: 978-3-319-67180-2.
Tags: Analysis-aware malware, characterization, Malware analysis service, sandbox
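@comment{
  Botas et al., SOCO'17-CISIS'17-ICEUTE'17 joint conference proceedings,
  2017 (Advances in Intelligent Systems and Computing, vol. 649).
  Empirical study and characterization of 26 automatic public malware
  analysis services. Per the abstract, it shows features by which these
  services can be recognised as analysis environments and proposes a
  method to mitigate that fingerprinting.

  Record notes: author names are in "Last, First" form with accents as
  LaTeX escapes, so the entry parses the same under classic BibTeX and
  Biber. The conference acronyms in booktitle are brace-protected
  against recasing. The exporter's placeholder date (2017-01-01) is
  omitted so that no day or month is implied; "year" carries the date.
}
@inproceedings{BRMG-CISIS-17,
  author    = {Botas, {\'A}lvaro and Rodr{\'\i}guez, Ricardo J. and Matell{\'a}n, Vicente and Garc{\'\i}a, Juan F.},
  title     = {Empirical Study to Fingerprint Public Malware Analysis Services},
  booktitle = {Proceedings of the International Joint Conference {SOCO'17-CISIS'17-ICEUTE'17}},
  series    = {Advances in Intelligent Systems and Computing},
  volume    = {649},
  pages     = {589--599},
  publisher = {Springer International Publishing},
  year      = {2017},
  isbn      = {978-3-319-67180-2},
  doi       = {10.1007/978-3-319-67180-2_57},
  url       = {http://webdiis.unizar.es/~ricardo/files/papers/BRMG-CISIS-17.pdf},
  keywords  = {Analysis-aware malware, characterization, Malware analysis service, sandbox},
  abstract  = {The evolution of malicious software (malware) analysis tools provided controlled, isolated, and virtual environments to analyze malware samples. Several services are found on the Internet that provide to users automatic system to analyze malware samples, as VirusTotal, Jotti, or ClamAV, to name a few. Unfortunately, malware is currently incorporating techniques to recognize execution onto a virtual or sandbox environment. When analysis environment is detected, malware behave as a benign application or even show no activity. In this work, we present an empirical study and characterization of automatic public malware analysis services. In particular, we consider 26 different services. We also show a set of features that allow to easily fingerprint these services as analysis environments. Finally, we propose a method to mitigate fingerprinting.},
  pubstate  = {published},
  tppubtype = {inproceedings},
}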