Over the years, miscreants realized the lucrative business behind online services and recognized the role played by Internet as a fundamental pillar in modern economies. As a consequence, over 317 million new malware variants were discovered in 2014. These malicious software caused a significant financial loss to private citizens and companies. A rough estimation is around 400 billion dollars in 2014.
Modern malware analysis is in large part automated, and only a small subset of the collected samples are manually analyzed by reverse engineering experts. These malware samples are analyzed inside an instrumented environment (normally called a sandbox). These sandboxes are a really flexible and powerful tool for the analyst. Unfortunately, this process has several limitations that may be exploited by advanced malware. For this reason, the analysis of sophisticated malware often involves runtime information collected on the infected systems, typically in the form of a dump of the physical memory.
This dissertation proposes improvements to the modern malware and memory analysis. Although these fields have been extensively studied from different perspectives in the last years, there are still several aspects that may be significantly improved. In particular, sandboxes can be optimized to have more granular network containment techniques. In addition, researchers can monitor samples submissions to spot active malware developments on these online systems and prioritize the samples assigned for a manual analysis.
Along the same lines, memory analysis is still a young field with room for improvements. In this case, we proposed the first framework able to analyze virtual machines and hypervisors also when nested configurations are in place. Moreover, we leveraged memory analysis to cope with advanced threats that do not require code injection techniques.
