Abstract
The evolution of malicious software (malware) analysis tools provided controlled, isolated, and virtual environments to analyze malware samples. Several services are found on the Internet that provide to users automatic system to analyze malware samples, as VirusTotal, Jotti, or ClamAV, to name a few. Unfortunately, malware is currently incorporating techniques to recognize execution onto a virtual or sandbox environment. When analysis environment is detected, malware behave as a benign application or even show no activity. In this work, we present an empirical study and characterization of automatic public malware analysis services. In particular, we consider 26 different services. We also show a set of features that allow to easily fingerprint these services as analysis environments. Finally, we propose a method to mitigate fingerprinting.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
Notes
- 1.
In this paper, we indistinguishably use PMAS as singular and plural acronym.
- 2.
Microsoft is composed by Microsoft Other, Microsoft Defender 10, Microsoft Defender 8, Microsoft Defender 7, Microsoft Vista, XP, Essentials and Others.
References
Balzarotti, D., Cova, M., Karlberger, C., Kirda, E., Kruegel, C., Vigna, G.: Efficient detection of split personalities in malware. In: NDSS 2010 (2010)
Blackthorne, J., Bulazel, A., Fasano, A., Biernat, P., Yener, B.: AVLeak: fingerprinting antivirus emulators through black-box testing. In: Proceedings of the 10th USENIX Workshop on Offensive Technologies. USENIX Association (2016)
Chen, P., Huygens, C., Desmet, L., Joosen, W.: Advanced or not? A comparative study of the use of anti-debugging and Anti-VM techniques in generic and targeted malware. In: Hoepman, J.-H., Katzenbeisser, S. (eds.) SEC 2016. IAICT, vol. 471, pp. 323–336. Springer, Cham (2016). doi:10.1007/978-3-319-33630-5_22
Chen, X., Andersen, J., Mao, Z.M., Bailey, M., Nazario, J.: Towards an understanding of anti-virtualization and anti-debugging behavior in modern malware. In: DSN 2008, pp. 177–186, June 2008
Ferrand, O.: How to detect the Cuckoo Sandbox and to strengthen it? J. Comput. Virol. Hacking Tech. 11(1), 51–58 (2015)
Garfinkel, T., Adams, K., Warfield, A., Franklin, J.: Compatibility is not transparency: VMM detection myths and realities. In: Proceedings of the 11th USENIX Workshop on Hot Topics in Operating Systems, pp. 6:1–6:6. USENIX Association (2007)
Kirat, D., Vigna, G.: MalGene: automatic extraction of malware analysis evasion signature. In: CCS 2015, pp. 769–780. ACM (2015)
Kumar, A.V., Vishnani, K., Kumar, K.V.: Split personality malware detection and defeating in popular virtual machines. In: SIN 2012, pp. 20–26. ACM (2012)
Oyama, Y.: Trends of anti-analysis operations of malwares observed in API call logs. J. Comput. Virol. Hacking Tech., 1–17 (2017). https://link.springer.com/article/10.1007/s11416-017-0290-x
Pék, G., Bencsáth, B., Buttyán, L.: nEther: in-guest detection of out-of-the-guest malware analyzers. In: EUROSEC 2011, p. 3:1–3:6. ACM (2011)
Raffetseder, T., Kruegel, C., Kirda, E.: Detecting system emulators. In: Garay, J.A., Lenstra, A.K., Mambo, M., Peralta, R. (eds.) ISC 2007. LNCS, vol. 4779, pp. 1–18. Springer, Heidelberg (2007). doi:10.1007/978-3-540-75496-1_1
Rodríguez, R.J., Rodríguez-Gastón, I., Alonso, J.: Towards the detection of isolation-aware malware. EEE Lat. Am. Trans. 14(2), 1024–1036 (2016)
Shi, H., Alwabel, A., Mirkovic, J.: Cardinal pill testing of system virtual machines. In: Proceedings of the 23rd USENIX Security Symposium, pp. 271–285 (2014)
Symantec: ISTR - Internet Security Threat Report. Technical report (2016)
Tan, J.W.J., Yap, R.H.C.: Detecting malware through anti-analysis signals - a preliminary study. In: Foresti, S., Persiano, G. (eds.) CANS 2016. LNCS, vol. 10052, pp. 542–551. Springer, Cham (2016). doi:10.1007/978-3-319-48965-0_33
Wang, G., Estrada, Z.J., Pham, C., Kalbarczyk, Z., Iyer, R.K.: Hypervisor introspection: a technique for evading passive virtual machine monitoring. In: Proceedings of the 9th USENIX Workshop on Offensive Technologies. USENIX Association (2015)
Yoshioka, K., Hosobuchi, Y., Orii, T., Matsumoto, T.: Your sandbox is blinded: impact of decoy injection to public malware analysis systems. J. Inf. Process. 19, 153–168 (2011)
Acknowledgments
The research of A. Botas, V. Matellán, and J.F. García was supported by INCIBE according to the rule 19 of the Digital Confidence Plan and by the University of León under contract X43. The research of R.J. Rodríguez was supported in part by the Spanish MINECO project CyCriSec (TIN2014-58457-R), by University of Zaragoza and Centro Universitario de la Defensa project UZCUD2016-TEC-06, and by “Ayudas para estancias de Investigadores visitantes en el CEI Triangular-E3” (hosted by University of León).
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2018 Springer International Publishing AG
About this paper
Cite this paper
Botas, Á., Rodríguez, R.J., Matellán, V., García, J.F. (2018). Empirical Study to Fingerprint Public Malware Analysis Services. In: Pérez García, H., Alfonso-Cendón, J., Sánchez González, L., Quintián, H., Corchado, E. (eds) International Joint Conference SOCO’17-CISIS’17-ICEUTE’17 León, Spain, September 6–8, 2017, Proceeding. SOCO ICEUTE CISIS 2017 2017 2017. Advances in Intelligent Systems and Computing, vol 649. Springer, Cham. https://doi.org/10.1007/978-3-319-67180-2_57
Download citation
DOI: https://doi.org/10.1007/978-3-319-67180-2_57
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-67179-6
Online ISBN: 978-3-319-67180-2
eBook Packages: EngineeringEngineering (R0)