King's College London

Research portal

On the Dissection of Evasive Malware

Research output: Contribution to journal › Article › peer-review

Standard

On the Dissection of Evasive Malware. / Cono D'Elia, Daniele; Coppa, Emilio; Palmaro, Federico; Cavallaro, Lorenzo.

In: IEEE Transactions on Information Forensics and Security, Vol. 15, 9018111, 2020, pp. 2750-2765.


Harvard

Cono D'Elia, D, Coppa, E, Palmaro, F & Cavallaro, L 2020, 'On the Dissection of Evasive Malware', IEEE Transactions on Information Forensics and Security, vol. 15, 9018111, pp. 2750-2765. https://doi.org/10.1109/TIFS.2020.2976559

APA

Cono D'Elia, D., Coppa, E., Palmaro, F., & Cavallaro, L. (2020). On the Dissection of Evasive Malware. IEEE Transactions on Information Forensics and Security, 15, 2750-2765. [9018111]. https://doi.org/10.1109/TIFS.2020.2976559

Vancouver

Cono D'Elia D, Coppa E, Palmaro F, Cavallaro L. On the Dissection of Evasive Malware. IEEE Transactions on Information Forensics and Security. 2020;15:2750-2765. 9018111. https://doi.org/10.1109/TIFS.2020.2976559

Author

Cono D'Elia, Daniele ; Coppa, Emilio ; Palmaro, Federico ; Cavallaro, Lorenzo. / On the Dissection of Evasive Malware. In: IEEE Transactions on Information Forensics and Security. 2020 ; Vol. 15. pp. 2750-2765.

BibTeX

@article{913129054340419b888dc5c9c7e05dc9,
title = "On the Dissection of Evasive Malware",
abstract = "Complex malware samples feature measures to impede automatic and manual analyses, making their investigation cumbersome. While automatic characterization of malware benefits from recently proposed designs for passive monitoring, the subsequent dissection process still sees human analysts struggling with adversarial behaviors, many of which also closely resemble those studied for automatic systems. This gap affects the day-to-day analysis of complex samples and researchers have not yet attempted to bridge it. We make a first step down this road by proposing a design that can reconcile transparency requirements with manipulation capabilities required for dissection. Our open-source prototype BluePill (i) offers a customizable execution environment that remains stealthy when analysts intervene to alter instructions and data or run third-party tools, (ii) is extensible to counteract newly encountered anti-analysis measures using insights from the dissection, and (iii) can accommodate program analyses that aid analysts, as we explore for taint analysis. On a set of highly evasive samples BluePill proved as stealthy as commercial sandboxes while offering new intervention and customization capabilities for dissection.",
keywords = "Malware analysis, dissection, dynamic binary instrumentation, evasion, red pill, reverse engineering, sandbox",
author = "{Cono D'Elia}, Daniele and Emilio Coppa and Federico Palmaro and Lorenzo Cavallaro",
year = "2020",
doi = "10.1109/TIFS.2020.2976559",
language = "English",
volume = "15",
pages = "2750--2765",
journal = "IEEE Transactions on Information Forensics and Security",
issn = "1556-6013",
publisher = "Institute of Electrical and Electronics Engineers Inc.",

}

RIS (suitable for import to EndNote)

TY - JOUR

T1 - On the Dissection of Evasive Malware

AU - Cono D'Elia, Daniele

AU - Coppa, Emilio

AU - Palmaro, Federico

AU - Cavallaro, Lorenzo

PY - 2020

Y1 - 2020

N2 - Complex malware samples feature measures to impede automatic and manual analyses, making their investigation cumbersome. While automatic characterization of malware benefits from recently proposed designs for passive monitoring, the subsequent dissection process still sees human analysts struggling with adversarial behaviors, many of which also closely resemble those studied for automatic systems. This gap affects the day-to-day analysis of complex samples and researchers have not yet attempted to bridge it. We make a first step down this road by proposing a design that can reconcile transparency requirements with manipulation capabilities required for dissection. Our open-source prototype BluePill (i) offers a customizable execution environment that remains stealthy when analysts intervene to alter instructions and data or run third-party tools, (ii) is extensible to counteract newly encountered anti-analysis measures using insights from the dissection, and (iii) can accommodate program analyses that aid analysts, as we explore for taint analysis. On a set of highly evasive samples BluePill proved as stealthy as commercial sandboxes while offering new intervention and customization capabilities for dissection.

AB - Complex malware samples feature measures to impede automatic and manual analyses, making their investigation cumbersome. While automatic characterization of malware benefits from recently proposed designs for passive monitoring, the subsequent dissection process still sees human analysts struggling with adversarial behaviors, many of which also closely resemble those studied for automatic systems. This gap affects the day-to-day analysis of complex samples and researchers have not yet attempted to bridge it. We make a first step down this road by proposing a design that can reconcile transparency requirements with manipulation capabilities required for dissection. Our open-source prototype BluePill (i) offers a customizable execution environment that remains stealthy when analysts intervene to alter instructions and data or run third-party tools, (ii) is extensible to counteract newly encountered anti-analysis measures using insights from the dissection, and (iii) can accommodate program analyses that aid analysts, as we explore for taint analysis. On a set of highly evasive samples BluePill proved as stealthy as commercial sandboxes while offering new intervention and customization capabilities for dissection.

KW - Malware analysis

KW - dissection

KW - dynamic binary instrumentation

KW - evasion

KW - red pill

KW - reverse engineering

KW - sandbox

UR - http://www.scopus.com/inward/record.url?scp=85082078852&partnerID=8YFLogxK

U2 - 10.1109/TIFS.2020.2976559

DO - 10.1109/TIFS.2020.2976559

M3 - Article

VL - 15

SP - 2750

EP - 2765

JO - IEEE Transactions on Information Forensics and Security

JF - IEEE Transactions on Information Forensics and Security

SN - 1556-6013

M1 - 9018111

ER -
