King's College London

Research portal

On the Dissection of Evasive Malware

Research output: Contribution to journal › Article › peer-review

Daniele Cono D'Elia, Emilio Coppa, Federico Palmaro, Lorenzo Cavallaro

Original language: English
Article number: 9018111
Pages (from-to): 2750-2765
Number of pages: 16
Journal: IEEE Transactions on Information Forensics and Security
Early online date: 28 Feb 2020
Accepted/In press: 11 Feb 2020
E-pub ahead of print: 28 Feb 2020


  • On the Dissection of_D'ELIA_Acc11Feb2020Epub28Feb2020_GREEN AAM

    tifs20.pdf, 2.02 MB, application/pdf

    Uploaded date: 30 Mar 2020

    Version: Accepted author manuscript

    © 2020 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works for resale or redistribution to servers or lists, or reuse of any copyrighted components of this work in other works.


Complex malware samples feature measures to impede automatic and manual analyses, making their investigation cumbersome. While automatic characterization of malware benefits from recently proposed designs for passive monitoring, the subsequent dissection process still sees human analysts struggling with adversarial behaviors, many of which also closely resemble those studied for automatic systems. This gap affects the day-to-day analysis of complex samples and researchers have not yet attempted to bridge it. We make a first step down this road by proposing a design that can reconcile transparency requirements with manipulation capabilities required for dissection.

Our open-source prototype BluePill (i) offers a customizable execution environment that remains stealthy when analysts intervene to alter instructions and data or run third-party tools, (ii) is extensible to counteract newly encountered anti-analysis measures using insights from the dissection, and (iii) can accommodate program analyses that aid analysts, as we explore for taint analysis. On a set of highly evasive samples, BluePill proved as stealthy as commercial sandboxes while offering new intervention and customization capabilities for dissection.
