On the Dissection of Evasive Malware

Daniele Cono D'Elia; Emilio Coppa; Federico Palmaro; Lorenzo Cavallaro

doi:10.1109/TIFS.2020.2976559

On the Dissection of Evasive Malware

Daniele Cono D'Elia, Emilio Coppa, Federico Palmaro, Lorenzo Cavallaro

Sapienza University of Rome

Research output: Contribution to journal › Article › peer-review

28 Citations (Scopus)

463 Downloads (Pure)

Abstract

Complex malware samples feature measures to impede automatic and manual analyses, making their investigation cumbersome. While automatic characterization of malware benefits from recently proposed designs for passive monitoring, the subsequent dissection process still sees human analysts struggling with adversarial behaviors, many of which also closely resemble those studied for automatic systems. This gap affects the day-today analysis of complex samples and researchers have not yet attempted to bridge it. We make a first step down this road by proposing a design that can reconcile transparency requirements with manipulation capabilities required for dissection.

Our open-source prototype BluePill (i) offers a customizable execution environment that remains stealthy when analysts intervene to alter instructions and data or run third-party tools, (ii) is extensible to counteract newly encountered antianalysis measures using insights from the dissection, and (iii) can accommodate program analyses that aid analysts, as we explore for taint analysis. On a set of highly evasive samples BluePill resulted as stealthy as commercial sandboxes while offering new intervention and customization capabilities for dissection.

Original language	English
Article number	9018111
Pages (from-to)	2750-2765
Number of pages	16
Journal	IEEE Transactions on Information Forensics and Security
Volume	15
Early online date	28 Feb 2020
DOIs	https://doi.org/10.1109/TIFS.2020.2976559
Publication status	Published - 2020

Keywords

Malware analysis
dissection
dynamic binary instrumentation
evasion
red pill
reverse engineering
sandbox

Access to Document

10.1109/TIFS.2020.2976559

On the Dissection of_D'ELIA_Acc11Feb2020Epub28Feb2020_GREEN AAM
© 2020 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other users, including reprinting/ republishing this material for advertising or promotional purposes, creating new collective works for resale or redistribution to servers or lists, or reuse of any copyrighted components of this work in other works.
Accepted author manuscript, 2.02 MB

Cite this

@article{913129054340419b888dc5c9c7e05dc9,

title = "On the Dissection of Evasive Malware",

abstract = "Complex malware samples feature measures to impede automatic and manual analyses, making their investigation cumbersome. While automatic characterization of malware benefits from recently proposed designs for passive monitoring, the subsequent dissection process still sees human analysts struggling with adversarial behaviors, many of which also closely resemble those studied for automatic systems. This gap affects the day-today analysis of complex samples and researchers have not yet attempted to bridge it. We make a first step down this road by proposing a design that can reconcile transparency requirements with manipulation capabilities required for dissection.Our open-source prototype BluePill (i) offers a customizable execution environment that remains stealthy when analysts intervene to alter instructions and data or run third-party tools, (ii) is extensible to counteract newly encountered antianalysis measures using insights from the dissection, and (iii) can accommodate program analyses that aid analysts, as we explore for taint analysis. On a set of highly evasive samples BluePill resulted as stealthy as commercial sandboxes while offering new intervention and customization capabilities for dissection.",

keywords = "Malware analysis, dissection, dynamic binary instrumentation, evasion, red pill, reverse engineering, sandbox",

author = "{Cono D'Elia}, Daniele and Emilio Coppa and Federico Palmaro and Lorenzo Cavallaro",

year = "2020",

doi = "10.1109/TIFS.2020.2976559",

language = "English",

volume = "15",

pages = "2750--2765",

journal = "IEEE Transactions on Information Forensics and Security",

issn = "1556-6013",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

}

TY - JOUR

T1 - On the Dissection of Evasive Malware

AU - Cono D'Elia, Daniele

AU - Coppa, Emilio

AU - Palmaro, Federico

AU - Cavallaro, Lorenzo

PY - 2020

Y1 - 2020

N2 - Complex malware samples feature measures to impede automatic and manual analyses, making their investigation cumbersome. While automatic characterization of malware benefits from recently proposed designs for passive monitoring, the subsequent dissection process still sees human analysts struggling with adversarial behaviors, many of which also closely resemble those studied for automatic systems. This gap affects the day-today analysis of complex samples and researchers have not yet attempted to bridge it. We make a first step down this road by proposing a design that can reconcile transparency requirements with manipulation capabilities required for dissection.Our open-source prototype BluePill (i) offers a customizable execution environment that remains stealthy when analysts intervene to alter instructions and data or run third-party tools, (ii) is extensible to counteract newly encountered antianalysis measures using insights from the dissection, and (iii) can accommodate program analyses that aid analysts, as we explore for taint analysis. On a set of highly evasive samples BluePill resulted as stealthy as commercial sandboxes while offering new intervention and customization capabilities for dissection.

AB - Complex malware samples feature measures to impede automatic and manual analyses, making their investigation cumbersome. While automatic characterization of malware benefits from recently proposed designs for passive monitoring, the subsequent dissection process still sees human analysts struggling with adversarial behaviors, many of which also closely resemble those studied for automatic systems. This gap affects the day-today analysis of complex samples and researchers have not yet attempted to bridge it. We make a first step down this road by proposing a design that can reconcile transparency requirements with manipulation capabilities required for dissection.Our open-source prototype BluePill (i) offers a customizable execution environment that remains stealthy when analysts intervene to alter instructions and data or run third-party tools, (ii) is extensible to counteract newly encountered antianalysis measures using insights from the dissection, and (iii) can accommodate program analyses that aid analysts, as we explore for taint analysis. On a set of highly evasive samples BluePill resulted as stealthy as commercial sandboxes while offering new intervention and customization capabilities for dissection.

KW - Malware analysis

KW - dissection

KW - dynamic binary instrumentation

KW - evasion

KW - red pill

KW - reverse engineering

KW - sandbox

UR - http://www.scopus.com/inward/record.url?scp=85082078852&partnerID=8YFLogxK

U2 - 10.1109/TIFS.2020.2976559

DO - 10.1109/TIFS.2020.2976559

M3 - Article

SN - 1556-6013

VL - 15

SP - 2750

EP - 2765

JO - IEEE Transactions on Information Forensics and Security

JF - IEEE Transactions on Information Forensics and Security

M1 - 9018111

ER -

On the Dissection of Evasive Malware

Abstract

Keywords

Access to Document

Other files and links

Fingerprint

Cite this