Efficient detection of split personalities in malware

Balzarotti, Davide; Cova, Marco; Karlberger, Christoph; Kruegel, Christopher; Kirda, Engin; Vigna, Giovanni
NDSS 2010, 17th Annual Network and Distributed System Security Symposium, February 28th-March 3rd, 2010, San Diego, USA

Malware is the root cause of many security threats on the Internet. To cope with the thousands of new malware samples that are discovered every day, security companies and analysts rely on automated tools to extract the runtime behavior of malicious programs. Of course, malware authors are aware of these tools and increasingly try to thwart their analysis techniques. To this end, malware code is often equipped with checks that look for evidence of emulated or virtualized analysis environments. When such evidence is found, the malware program behaves differently or crashes, thus showing a different \personality" than on a real system. Recent work has introduced transparent analysis platforms (such as Ether or Cobra) that make it significantly more dicult for malware programs to detect their presence. Others have proposed techniques to identify and bypass checks introduced by malware authors. Both approaches are often successful in exposing the runtime behavior of malware even when the malicious code attempts to thwart analysis efforts. However, these techniques induce significant performance overhead, especially for negrained analysis. Unfortunately, this makes them unsuitable for the analysis of current high-volume malware feeds. In this paper, we present a technique that efficiently detects when a malware program behaves differently in an emulated analysis environment and on an uninstrumented reference host. The basic idea is  simple: we just compare the runtime behavior of a sample in our analysis system and on a reference machine. However, obtaining a robust and efficient comparison is very dicult. In particular, our approach consists of recording the interactions of the malware with the operating system in one run and using this information to deterministically replay the program in our analysis environment. Our experiments demonstrate that, by using our approach, one can eciently detect malware samples that use a variety of techniques to identify emulated analysis environments.

San Diego
Sécurité numérique
Eurecom Ref:
© ISOC. Personal use of this material is permitted. The definitive version of this paper was published in NDSS 2010, 17th Annual Network and Distributed System Security Symposium, February 28th-March 3rd, 2010, San Diego, USA and is available at :
See also:

PERMALINK : https://www.eurecom.fr/publication/3022