Malware Dynamic Analysis Evasion Techniques: A Survey

Published: 14 November 2019

    Abstract

    The cyber world is plagued with ever-evolving malware that readily infiltrates all defense mechanisms, operates viciously unbeknownst to the user, and surreptitiously exfiltrates sensitive data. Understanding the inner workings of such malware provides leverage to combat it effectively. This understanding is often pursued through dynamic analysis, which is conducted either manually or automatically. Malware authors, accordingly, have devised and advanced evasion techniques to thwart or evade these analyses. In this article, we present a comprehensive survey of malware dynamic analysis evasion techniques. In addition, we propose a detailed classification of these techniques and further demonstrate how their efficacy holds against different types of detection and analysis approaches.
    Our observations attest that evasive behavior is mostly concerned with detecting and evading sandboxes. The primary tactic of such malware, we argue, is fingerprinting, followed by a newer trend toward reverse Turing test tactics, which aim to detect human interaction. Furthermore, we posit that the current defensive strategies, from reactive methods to endeavors toward more transparent analysis systems, are readily foiled by zero-day fingerprinting techniques or by other evasion tactics such as stalling. Accordingly, we recommend the pursuit of more generic defensive strategies, with an emphasis on path exploration techniques, which have the potential to thwart all of these evasive tactics.



    Published In

    ACM Computing Surveys, Volume 52, Issue 6
    November 2020
    806 pages
    ISSN: 0360-0300
    EISSN: 1557-7341
    DOI: 10.1145/3368196
    Editor: Sartaj Sahni

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Publication History

    Published: 14 November 2019
    Accepted: 01 September 2019
    Revised: 01 June 2019
    Received: 01 November 2018
    Published in CSUR Volume 52, Issue 6

    Author Tags

    1. Malware
    2. anti-debugging
    3. evasion techniques
    4. sandbox evasion

    Qualifiers

    • Survey
    • Research
    • Refereed

    Funding Sources

    • APA research center at Amirkabir University of Technology, Tehran, Iran

    Article Metrics

    • Downloads (last 12 months): 718
    • Downloads (last 6 weeks): 42
    Reflects downloads up to 07 Aug 2024

    Cited By

    • (2024) JITScanner: Just-in-Time Executable Page Check in the Linux Operating System. Applied Sciences 14(5), 1912. DOI: 10.3390/app14051912. Online publication date: 26-Feb-2024.
    • (2024) Experimental Design of Intranet Penetration for Anti Anti-Virus Traffic Characterization. Proceedings of the 2024 3rd International Conference on Cryptography, Network Security and Communication Technology, 5-10. DOI: 10.1145/3673277.3673279. Online publication date: 19-Jan-2024.
    • (2024) Antibypassing Four-Stage Dynamic Behavior Modeling for Time-Efficient Evasive Malware Detection. IEEE Transactions on Industrial Informatics 20(3), 4627-4639. DOI: 10.1109/TII.2023.3327522. Online publication date: Mar-2024.
    • (2024) Redefining Malware Sandboxing: Enhancing Analysis Through Sysmon and ELK Integration. IEEE Access 12, 68624-68636. DOI: 10.1109/ACCESS.2024.3400167. Online publication date: 2024.
    • (2024) Ransomware Detection Using Machine Learning: A Review, Research Limitations and Future Directions. IEEE Access 12, 68785-68813. DOI: 10.1109/ACCESS.2024.3397921. Online publication date: 2024.
    • (2024) Assessing LLMs in malicious code deobfuscation of real-world malware campaigns. Expert Systems with Applications, 124912. DOI: 10.1016/j.eswa.2024.124912. Online publication date: Jul-2024.
    • (2024) Enhancing network intrusion detection performance using generative adversarial networks. Computers & Security 145, 104005. DOI: 10.1016/j.cose.2024.104005. Online publication date: Oct-2024.
    • (2024) MeMalDet. Computers and Security 142(C). DOI: 10.1016/j.cose.2024.103864. Online publication date: 1-Jul-2024.
    • (2024) Bon-APT. Computers and Security 142(C). DOI: 10.1016/j.cose.2024.103862. Online publication date: 1-Jul-2024.
    • (2024) SNDMI: Spyware network traffic detection method based on inducement operations. Computers & Security 140, 103806. DOI: 10.1016/j.cose.2024.103806. Online publication date: May-2024.
