Botas, Álvaro; Rodríguez, Ricardo J; Matellan, Vicente; Garcia, Juan F; Trobajo, M T; Carriegos, Miguel V
On Fingerprinting of Public Malware Analysis Services Journal Article
In: Logic Journal of the IGPL, 2019, ISSN: 1367-0751.
Abstract | Links | BibTeX | Tags: Analysis-aware malware, characterization, Malware analysis service, sandbox, unlikeability
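@comment{ Journal article in the Logic Journal of the IGPL (2019). Author names
  are stored in "Last, First" form so the surname split is unambiguous for
  sorting and labels (the surnames follow the rendered citation on the page).
  Volume, issue and page numbers are not given on the source page, so they are
  left unset rather than guessed; the DOI resolves to the full record. }
@article{BRMGTC-IGPL-19,
  author        = {Botas, Álvaro and Rodríguez, Ricardo J. and Matellan, Vicente and Garcia, Juan F. and Trobajo, M. T. and Carriegos, Miguel V.},
  title         = {On Fingerprinting of Public Malware Analysis Services},
  journal       = {Logic Journal of the {IGPL}},
  year          = {2019},
  issn          = {1367-0751},
  doi           = {10.1093/jigpal/jzz050},
  url           = {http://webdiis.unizar.es/~ricardo/files/papers/BRMGTC-IGPL-19.pdf},
  abstract      = {Automatic Public Malware Analysis Services (PMAS, e.g. VirusTotal, Jotti, or ClamAV, to name a few) provide controlled, isolated, and virtual environments to analyse malicious software (malware) samples. Unfortunately, malware is currently incorporating techniques to recognize execution onto a virtual or sandbox environment; when an analysis environment is detected, malware behaves as a benign application or even shows no activity. In this work, we present an empirical study and characterization of automatic public malware analysis services, considering 26 different services. We also show a set of features that allow to easily fingerprint these services as analysis environments; the lower the unlikeability of these features, the easier for us (and thus for malware) to fingerprint the analysis service they belong to. Finally, we propose a method for these analysis services to counter or at least mitigate our proposal.},
  keywords      = {Analysis-aware malware, characterization, Malware analysis service, sandbox, unlikeability},
  pubstate      = {published},
  tppubtype     = {article},
  internal-note = {Exported with both year and date; the day-precision date (2019-01-01) is not supported by the page, so only year is kept. The url field points at an author-hosted PDF; prefer the doi for citation. tppubtype and the pubstate value are teachPress-specific and ignored by standard styles.},
}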
Automatic Public Malware Analysis Services (PMAS, e.g. VirusTotal, Jotti, or ClamAV, to name a few) provide controlled, isolated, and virtual environments to analyse malicious software (malware) samples. Unfortunately, malware is currently incorporating techniques to recognize execution in a virtual or sandbox environment; when an analysis environment is detected, malware behaves as a benign application or even shows no activity. In this work, we present an empirical study and characterization of automatic public malware analysis services, considering 26 different services. We also show a set of features that make it easy to fingerprint these services as analysis environments; the lower the unlikeability of these features, the easier it is for us (and thus for malware) to fingerprint the analysis service they belong to. Finally, we propose a method for these analysis services to counter or at least mitigate our proposal.