
The other guys: automated analysis of marginalized malware

  • Original Paper
Journal of Computer Virology and Hacking Techniques

Abstract

In order to thwart dynamic analysis and bypass protection mechanisms, malware has been using several file formats and evasive techniques. While publicly available dynamic malware analysis systems are one of the main sources of information for researchers, security analysts and incident response professionals, they are unable to cope with all types of threats. Therefore, it is difficult to gather information from public systems about CPL, .NET/Mono, 64-bit, or reboot-dependent malware, or malware targeting systems newer than Windows XP, which results in a lack of understanding about how current malware behaves during infections on modern operating systems. In this paper, we discuss the challenges and issues faced during the development of this type of analysis system, mainly due to security features available in NT 6.x kernel versions of Windows. We also introduce a dynamic analysis system that addresses the aforementioned types of malware and present results obtained from their analyses.


Notes

  1. As detailed in Sect. 4.4

  2. We identified 0.6, 1.1, and 7.6% of all samples from our dataset collected in 2013, 2014, and the first quarter of 2015, respectively, as .NET.

  3. Solutions like Sandboxie (http://www.sandboxie.com) are not designed for this purpose and can be detected due to their userland modules.

  4. https://www.vmray.com/technology/

  5. http://www.sandboxie.com/index.php?ContributedUtilities#BlockProcessAccess

  6. http://www.sandboxie.com/index.php?ExperimentalProtection

  7. We measure suspended processes to avoid penalties from external factors.

  8. http://anubis.iseclab.org, https://malwr.com, http://www.threatexpert.com, http://camas.comodo.com, http://www.threattracksecurity.com/resources/sandbox-malware-analysis.aspx

  9. https://github.com/a0rtega/pafish


Acknowledgements

This work was supported by the Brazilian National Counsel of Technological and Scientific Development (CNPq, Universal 14/2014, process 444487/2014-0) and the Coordination for the Improvement of Higher Education Personnel (CAPES, Project FORTE, Forensics Sciences Program 24/2014, process 23038.007604/2014-69).

Corresponding author

Correspondence to Marcus Felipe Botacin.


Cite this article

Botacin, M.F., de Geus, P.L. & Grégio, A.R.A. The other guys: automated analysis of marginalized malware. J Comput Virol Hack Tech 14, 87–98 (2018). https://doi.org/10.1007/s11416-017-0292-8
