Malware Deception with Automatic Analysis and Generation of HoneyResource

  • Zhaoyan Xu
  • Jialong Zhang
  • Zhiqiang Lin
  • Guofei Gu (email author)


Malware often contains many system-resource-sensitive condition checks, for example to avoid duplicate infection, to make sure it obtains required resources, or to infect only targeted computers. If we can extract these system resource constraints from malware binary code and manipulate the environment state as HoneyResource, we can deceive malware for defensive purposes, e.g., immunize a computer from infections, or trick malware into believing something. Towards this end, this chapter introduces our preliminary systematic study and a prototype system, AutoVac, for automatically extracting the system resource constraints from malware code and generating HoneyResource (e.g., malware vaccines) based on the system resource conditions.


Malware analysis, Malware immunization, Malware deception



An early version of this chapter appeared in ICDCS’13 [31]. This research is partially supported by NSF (Grant No. CNS-0954096), AFOSR (Grant No. FA9550-13-1-0077), and DARPA (Grant No. 12011593). All opinions, findings, and conclusions or recommendations expressed herein are those of the authors and do not necessarily reflect the views of NSF, AFOSR, or DARPA.


  1.
  2.
  3.
  4.
  5.
  6.
  7. T. Avgerinos, E. Schwartz, and D. Brumley. All you ever wanted to know about dynamic taint analysis and forward symbolic execution (but might have been afraid to ask). In Proc. of IEEE S&P 2010.
  8. A. Zeller. Isolating cause-effect chains from computer programs. In Proc. of the 10th ACM SIGSOFT symposium on Foundations of Software Engineering, 2002.
  9. U. Bayer, P. Milani, C. Hlauschek, C. Kruegel, and E. Kirda. Scalable, behavior-based malware clustering. In Proc. of NDSS’09, 2009.
  10. D. Brumley, I. Jager, T. Avgerinos, and E. J. Schwartz. BAP: A binary analysis platform. In Proceedings of Computer Aided Verification (CAV), July 2011.
  11. J. Caballero, P. Poosankam, C. Kreibich, and D. Song. Dispatcher: Enabling active botnet infiltration using automatic protocol reverse-engineering. In Proc. of ACM CCS’09, 2009.
  12. Davide Canali, Andrea Lanzi, Davide Balzarotti, Christopher Kruegel, Mihai Christodorescu, and Engin Kirda. A quantitative study of accuracy in system call-based malware detection. In Proc. of International Symposium on Software Testing and Analysis, 2012.
  13. L. Cavallaro, P. Saxena, and R. Sekar. On the limits of information flow techniques for malware analysis and containment. In DIMVA 2008.
  14. M. Costa, J. Crowcroft, M. Castro, A. Rowstron, L. Zhou, L. Zhang, and P. Barham. Vigilante: End-to-end containment of internet worms. In Proc. of SOSP’05, pages 133–147, Brighton, United Kingdom, 2005.
  15. M. Fredrikson, J. Somesh, M. Christodorescu, R. Sailer, and X. Yan. Synthesizing near-optimal malware specifications from suspicious behaviors. In Proc. of the 2010 IEEE Symposium on Security and Privacy, 2010.
  16. S. T. King and P. M. Chen. Backtracking intrusions. In Proceedings of ACM Symposium on Operating Systems Principles, October 2003.
  17. C. Kolbitsch, P. Milani Comparetti, C. Kruegel, E. Kirda, X. Zhou, and X. Wang. Effective and efficient malware detection at the end host. In Proc. of USENIX Security’09, 2009.
  18. C. Kolbitsch, T. Holz, C. Kruegel, and E. Kirda. Inspector gadget: Automated extraction of proprietary gadgets from malware binaries. In Proc. S&P’10, 2010.
  19. J. Zico Kolter and Marcus A. Maloof. Learning to detect and classify malicious executables in the wild. J. Mach. Learn. Res., 7:2721–2744, December 2006.
  20. A. Lanzi, D. Balzarotti, C. Kruegel, M. Christodorescu, and E. Kirda. Accessminer: using system-centric models for malware protection. In Proc. of the 17th ACM CCS, 2010.
  21. Z. Lin, X. Zhang, and D. Xu. Automatic reverse engineering of data structures from binary execution. In Proceedings of the 17th Annual Network and Distributed System Security Symposium (NDSS’10), San Diego, CA, February 2010.
  22. L. Martignoni, E. Stinson, M. Fredrikson, S. Jha, and J. C. Mitchell. A layered architecture for detecting malicious behaviors. In RAID 2008.
  23. A. Moser, C. Kruegel, and E. Kirda. Exploring Multiple Execution Paths for Malware Analysis. In Proc. S&P’07, 2007.
  24. M. Sharif, A. Lanzi, J. Giffin, and W. Lee. Impeding malware analysis using conditional code obfuscation. In Proc. NDSS’08, 2008.
  25. N. Johnson, J. Caballero, Z. Chen, S. McCamant, P. Poosankam, D. Reynaud, and D. Song. Differential slicing: Identifying causal execution differences for security applications. In Proceedings of the 2011 IEEE Symposium on Security and Privacy, 2011.
  26. P. Porras, H. Saidi, and V. Yegneswaran. An Analysis of Conficker’s Logic and Rendezvous Points. 2009.
  27. I. Trestian, S. Ranjan, A. Kuzmanovic, and A. Nucci. Unconstrained Endpoint Profiling (Googling the Internet). In ACM SIGCOMM’08.
  28. A. Wichmann and E. Gerhards-Padilla. Using infection markers as a vaccine against malware attacks. In Proc. of the 2nd workshop on Security of Systems and Software resiLiency, 2012.
  29. J. Wilhelm and T. Chiueh. A forced sampled execution approach to kernel rootkit identification. In Proc. of RAID’07, 2007.
  30. H. Xin, C. Tzi-cker, and S. Kang G. Large-scale malware indexing using function-call graphs. In Proc. CCS’09, 2009.
  31. Z. Xu, J. Zhang, G. Gu, and Z. Lin. Autovac: Towards automatically extracting system resource constraints and generating vaccines for malware immunization. In Proceedings of the 33rd International Conference on Distributed Computing Systems (ICDCS’13), Philadelphia, July 2013.
  32. X. Wang, Z. Li, J. Xu, M. Reiter, C. Kil, and J. Choi. Packet vaccine: black-box exploit detection and signature generation. In Proc. CCS’06, 2006.

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  • Zhaoyan Xu (1)
  • Jialong Zhang (1)
  • Zhiqiang Lin (2)
  • Guofei Gu (1, email author)
  1. Texas A&M University, College Station, USA
  2. The Ohio State University, Columbus, USA
