GoldenEye: Efficiently and Effectively Unveiling Malware’s Targeted Environment

  • Zhaoyan Xu
  • Jialong Zhang
  • Guofei Gu
  • Zhiqiang Lin
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8688)


A critical challenge when combating malware threat is how to efficiently and effectively identify the targeted victim’s environment, given an unknown malware sample. Unfortunately, existing malware analysis techniques either use a limited, fixed set of analysis environments (not effective) or employ expensive, time-consuming multi-path exploration (not efficient), making them not well-suited to solve this challenge. As such, this paper proposes a new dynamic analysis scheme to deal with this problem by applying the concept of speculative execution in this new context. Specifically, by providing multiple dynamically created, parallel, and virtual environment spaces, we speculatively execute a malware sample and adaptively switch to the right environment during the analysis. Interestingly, while our approach appears to trade space for speed, we show that it can actually use less memory space and achieve much higher speed than existing schemes. We have implemented a prototype system, GoldenEye, and evaluated it with a large real-world malware dataset. The experimental results show that GoldenEye outperforms existing solutions and can effectively and efficiently expose malware’s targeted environment, thereby speeding up the analysis in the critical battle against the emerging targeted malware threat.


Dynamic Malware Analysis Speculative Execution 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Anubis: Analyzing unknown binaries,
  2. 2.
  3. 3.
    Disassembler library for x86/amd64,
  4. 4.
  5. 5.
  6. 6.
  7. 7.
  8. 8.
  9. 9.
  10. 10.
  11. 11.
  12. 12.
  13. 13.
  14. 14.
    Symantec intelligence quarterly,
  15. 15.
    Symantec: Triage analysis of targeted attacks,
  16. 16.
    The Nitro Attacks: Stealing Secrets from the Chemical Industry,
  17. 17.
    Trends in targeted attacks,
  18. 18.
  19. 19.
  20. 20.
  21. 21.
  22. 22.
    Avgerinos, T., Schwartz, E., Brumley, D.: All you ever wanted to know about dynamic taint analysis and forward symbolic execution (but might have been afraid to ask). In: Proc. of IEEE S&P 2010 (2010)Google Scholar
  23. 23.
    Balzarotti, D., Cova, M., Karlberger, C., Kruegel, C., Kirda, E., Vigna, G.: Efficient detection of split personalities in malware. In: Proc of NDSS 2010 (2010)Google Scholar
  24. 24.
    Bilge, L., Dumitras, T.: Before we knew it: An empirical study of zero-day attacks in the real world. In: Proc. of CCS 2012 (2012)Google Scholar
  25. 25.
    Brumley, D., Hartwig, C., Liang, Z., Newsome, J., Poosankam, P., Song, D., Yin, H.: Automatically identifying trigger-based behavior in malware. In: Lee, W., Wang, C., Dagon, D. (eds.) Botnet Analysis and Defense. AIS, vol. 36, pp. 65–88. Springer, Heidelberg (2008)Google Scholar
  26. 26.
    Brumley, D., Jager, I., Avgerinos, T., Schwartz, E.J.: BAP: A binary analysis platform. In: Gopalakrishnan, G., Qadeer, S. (eds.) CAV 2011. LNCS, vol. 6806, pp. 463–469. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  27. 27.
    Royal, P., Song, C., Lee, W.: Impeding automated malware analysis with environment-sensitive malware. In: Proc. of HotSec 20 12 (2012)Google Scholar
  28. 28.
    Chen, X., Andersen, J., Mao, M., Bailey, M., Nazario, J.: Towards an Understanding of Anti-Virtualization and Anti-Debugging Behavior in Modern Malware. In: Proc. of DSN 2008 (2008)Google Scholar
  29. 29.
    Comparetti, P.M., Salvaneschi, G., Kirda, E., Kolbitsch, C., Krugel, C., Zanero, S.: Identifying dormant functionality in malware programs. In: Proc. of S&P 2010 (2010)Google Scholar
  30. 30.
    Dinaburg, A., Royal, P., Sharif, M., Lee, W.: Ether: Malware analysis via hardware virtualization extensions. In: Proc of CCS 2008 (2008)Google Scholar
  31. 31.
    Gonzlez, J., Gonzlez, A.: Speculative execution via address prediction and data prefetching. In: Proc. of ICS 1197 (1997)Google Scholar
  32. 32.
    Graziano, M., Leita, C., Balzarotti, D.: Towards network containment in malware analysis systems. In: Proc. of ACSAC 2012 (December 2012)Google Scholar
  33. 33.
    Kolbitsch, C., Milani Comparetti, P., Kruegel, C., Kirda, E., Zhou, X., Wang, X.: Effective and efficient malware detection at the end host. In: Proc. of USENIX Security 2009 (2009)Google Scholar
  34. 34.
    Kolbitsch, C., Kirda, E., Kruegel, C.: The power of procrastination: Detection and mitigation of execution-stalling malicious code. In: Proc. of CCS 2011 (2011)Google Scholar
  35. 35.
    Kolbitsch, C., Livshits, B., Zorn, B., Seifert, C.: Rozzle: De-cloaking internet malware. In: Proc. of S&P 2012 (2012)Google Scholar
  36. 36.
    Lindorfer, M., Kolbitsch, C., Milani Comparetti, P.: Detecting Environment-Sensitive Malware. In: Sommer, R., Balzarotti, D., Maier, G. (eds.) RAID 2011. LNCS, vol. 6961, pp. 338–357. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  37. 37.
    Moser, A., Kruegel, C., Kirda, E.: Exploring Multiple Execution Paths for Malware Analysis. In: Proc. of S&P 2007 (2007)Google Scholar
  38. 38.
    Moser, A., Kruegel, C., Kirda, E.: Limits of static analysis for malware detection. In: Proc. of ACSAC 2007 (2007)Google Scholar
  39. 39.
    Nadji, Y., Antonakakis, M., Perdisci, R., Lee, W.: Understanding the Prevalence and Use of Alternative Plans in Malware with Network Games. In: Proc. of ACSAC 2011 (2011)Google Scholar
  40. 40.
    Nappa, A., Xu, Z., Rafique, M.Z., Caballero, J., Gu, G.: Cyberprobe: Towards internet-scale active detection of alicious servers. In: Proc. of NDSS 2014 (2014)Google Scholar
  41. 41.
    Neugschwandtner, M., Comparetti, P.M., Platzer, C.: Detecting Malware’s Failover C&C Strategies with SQUEEZE. In: Proc. of ACSAC 2011 (2011)Google Scholar
  42. 42.
    Peng, F., Deng, Z., Zhang, X., Xu, D., Lin, Z., Su, Z.: X-force: Force-executing binary programs for security applications. In: Proceedings of the 2014 USENIX Security Symposium, San Diego, CA (August 2014)Google Scholar
  43. 43.
    Porras, P., Saidi, H., Yegneswaran, V.: An Analysis of Conficker’s Logic and Rendezvous Points (2009),
  44. 44.
    Shin, S., Xu, Z., Gu, G.: Effort: Efficient and effective bot malware detection. In: Proc. of INFOCOM 2012 Mini-Conference (2012)Google Scholar
  45. 45.
    Sikorski, M.: Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software (2012) (No Starch Press)Google Scholar
  46. 46.
    Wilhelm, J., Chiueh, T.-c.: A forced sampled execution approach to kernel rootkit identification. In: Kruegel, C., Lippmann, R., Clark, A. (eds.) RAID 2007. LNCS, vol. 4637, pp. 219–235. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  47. 47.
    Xu, Z., Chen, L., Gu, G., Kruegel, C.: PeerPress: Utilizing enemies’ p2p strength against them. In: Proc.of CCS 2012 (2012)Google Scholar
  48. 48.
    Xu, Z., Zhang, J., Gu, G., Lin, Z.: AUTOVAC: Towards automatically extracting system resource constraints and generating vaccines for malware immunization. In: Proc. of ICDCS 2013 (2013)Google Scholar

Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  • Zhaoyan Xu
    • 1
  • Jialong Zhang
    • 1
  • Guofei Gu
    • 1
  • Zhiqiang Lin
    • 2
  1. 1.Texas A&M UniversityCollege StationUSA
  2. 2.The University of Texas at DallasRichardsonUSA

Personalised recommendations