Advertisement

Advanced or Not? A Comparative Study of the Use of Anti-debugging and Anti-VM Techniques in Generic and Targeted Malware

  • Ping ChenEmail author
  • Christophe Huygens
  • Lieven Desmet
  • Wouter Joosen
Conference paper
Part of the IFIP Advances in Information and Communication Technology book series (IFIPAICT, volume 471)

Abstract

Malware is becoming more and more advanced. As part of the sophistication, malware typically deploys various anti-debugging and anti-VM techniques to prevent detection. While defenders use debuggers and virtualized environment to analyze malware, malware authors developed anti-debugging and anti-VM techniques to evade this defense approach. In this paper, we investigate the use of anti-debugging and anti-VM techniques in modern malware, and compare their presence in 16,246 generic and 1,037 targeted malware samples (APTs). As part of this study we found several counter-intuitive trends. In particular, our study concludes that targeted malware does not use more anti-debugging and anti-VM techniques than generic malware, although targeted malware tend to have a lower antivirus detection rate. Moreover, this paper even identifies a decrease over time of the number of anti-VM techniques used in APTs and the Winwebsec malware family.

Keywords

Virtual Machine Presence Measurement Advance Persistent Threat Static Detection Method Distribute Computing Framework 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

Notes

Acknowledgements

We would like to thank VirusTotal for providing us a private API, and the anonymous reviewers for their comments. This research is partially funded by the Research Fund KU Leuven, iMinds, IWT, and by the EU FP7 projects WebSand, NESSoS and STREWS. With the financial support from the Prevention of and Fight against Crime Programme of the European Union (B-CCENTRE).

References

  1. 1.
  2. 2.
    VirusTotal Private API. https://www.virustotal.com
  3. 3.
    Branco, R.R., Barbosa, G.N., Neto, P.D.: Scientific but not academical overview of malware Anti-debugging, Anti-disassembly and Anti-VM. In: Blackhat (2012)Google Scholar
  4. 4.
  5. 5.
  6. 6.
  7. 7.
    Chen, P., Desmet, L., Huygens, C.: A study on advanced persistent threats. In: De Decker, B., Zúquete, A. (eds.) CMS 2014. LNCS, vol. 8735, pp. 63–72. Springer, Heidelberg (2014)Google Scholar
  8. 8.
    Chen, X., et al. Towards an understanding of anti-virtualization and anti-debugging behavior in modern malware. In: IEEE International Conference on Dependable Systems and Networks, pp. 177–186 (2008)Google Scholar
  9. 9.
    Cylance. Operation Cleaver (2014)Google Scholar
  10. 10.
    Peter Ferrie. The Ultimate Anti-Debugging Reference (2011)Google Scholar
  11. 11.
    FireEye: FireEye Advanced Threat Report: 2013 (2014)Google Scholar
  12. 12.
    Giura, P., Wang, W.: Using large scale distributed computing to unveil advanced persistent threats. Science 1(3) (2013)Google Scholar
  13. 13.
    Hutchins, E.M., et al.: Intelligence-driven computer network defense informed by analysis of adversary campaigns and intrusion kill chains. In: Proceedings of the 6th International Conference on Information Warfare and Security (2013)Google Scholar
  14. 14.
    Kaspersky: The Icefog APT: A Tale of Cloak and Three Daggers (2013)Google Scholar
  15. 15.
    Kaspersky: Energetic Bear - Crouching Yeti (2014)Google Scholar
  16. 16.
    Le Blond, S., Uritesc, A., Gilbert, C., Chua, Z.L., Saxena, P., Kirda, E.: A look at targeted attacks through the lense of an NGO. In: Proceedings of the 23rd USENIX Conference on Security Symposium, pp. 543–558. USENIX Association (2014)Google Scholar
  17. 17.
    Mandiant: APT1: Exposing One of China’s Cyber Espionage Unit (2013)Google Scholar
  18. 18.
    Mohanty, D.: Anti-Virus Evasion Techniques Virus Evasion Techniques Virus Evasion Techniques and Countermeasures. http://repo.hackerzvoice.net/depot_madchat/vxdevl/papers/vxers/AV_Evasion.pdf
  19. 19.
    Arbor Networks: Illuminating the Etumbot APT Backdoor (2014)Google Scholar
  20. 20.
    Rin, N.: Virtual Machines Detection Enhanced (2013). http://artemonsecurity.com/vmde.pdf
  21. 21.
    Singh, A., Zheng, B.: Hot Knives Through Butter: Evading File-based Sandboxes (2014)Google Scholar
  22. 22.
  23. 23.
    Thonnard, O., Bilge, L., O’Gorman, G., Kiernan, S., Lee, M.: Industrial espionage and targeted attacks: understanding the characteristics of an escalating threat. In: Balzarotti, D., Stolfo, S.J., Cova, M. (eds.) RAID 2012. LNCS, vol. 7462, pp. 64–85. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  24. 24.
    Villeneuve, N., et al.: Operation Ke3chang: Targeted Attacks Against Ministries of Foreign Affairs (2013)Google Scholar
  25. 25.
    Wikipedia: Ransomware -Reveton. http://en.wikipedia.org/wiki/Ransomware#Reveton

Copyright information

© IFIP International Federation for Information Processing 2016

Authors and Affiliations

  • Ping Chen
    • 1
    Email author
  • Christophe Huygens
    • 1
  • Lieven Desmet
    • 1
  • Wouter Joosen
    • 1
  1. 1.iMinds-DistriNetKU LeuvenLeuvenBelgium

Personalised recommendations