Rodríguez, Ricardo J; Rodríguez-Gastón, Iñaki; Alonso, Javier
Towards the Detection of Isolation-Aware Malware Journal Article
In: IEEE Latin America Transactions (Revista IEEE America Latina), vol. 14, no. 2, pp. 1024–1036, 2016, ISSN: 1548-0992.
Abstract | Links | BibTeX | Tags: Analysis-aware malware, Dynamic binary instrumentation, program binary analysis
@article{RRA-LATAM-16,
title = {Towards the Detection of Isolation-Aware Malware},
author = {Ricardo J Rodríguez and Iñaki Rodríguez-Gastón and Javier Alonso},
url = {http://webdiis.unizar.es/~ricardo/files/papers/RRA-LATAM-16.pdf},
doi = {10.1109/TLA.2016.7437254},
issn = {1548-0992},
year = {2016},
date = {2016-01-01},
journal = {IEEE Latin America Transactions (Revista IEEE America Latina)},
volume = {14},
number = {2},
pages = {1024--1036},
abstract = {Malware analysis tools have evolved in the last years providing tightly controlled sandbox and virtualised environments where malware is analysed minimising potential harmful consequences. Unfortunately, malware has advanced in parallel, being currently able to recognise when is running in sandbox or virtual environments and then, behaving as a non-harmful application or even not executing at all. This kind of malware is usually called analysis-aware malware. In this paper, we propose a tool to detect the evasion techniques used by analysis-aware malware within sandbox or virtualised environments. Our tool uses Dynamic Binary Instrumentation to maintain the binary functionality while executing arbitrary code. We evaluate the tool under a set of well-known analysis-aware malware showing its current effectiveness. Finally, we discuss limitations of our proposal and future directions.},
keywords = {Analysis-aware malware, Dynamic binary instrumentation, program binary analysis},
pubstate = {published},
tppubtype = {article}
}
Malware analysis tools have evolved in the last years providing tightly controlled sandbox and virtualised environments where malware is analysed minimising potential harmful consequences. Unfortunately, malware has advanced in parallel, being currently able to recognise when is running in sandbox or virtual environments and then, behaving as a non-harmful application or even not executing at all. This kind of malware is usually called analysis-aware malware. In this paper, we propose a tool to detect the evasion techniques used by analysis-aware malware within sandbox or virtualised environments. Our tool uses Dynamic Binary Instrumentation to maintain the binary functionality while executing arbitrary code. We evaluate the tool under a set of well-known analysis-aware malware showing its current effectiveness. Finally, we discuss limitations of our proposal and future directions.