Abstract
In order to thwart dynamic analysis and bypass protection mechanisms, malware has been using several file formats and evasive techniques. While publicly available dynamic malware analysis systems are one of the main sources of information for researchers, security analysts and incident response professionals, they are unable to cope with all types of threats. Therefore, it is difficult to gather information from public systems about CPL, .NET/Mono, 64-bit or reboot-dependent malware, or about malware targeting systems newer than Windows XP, which results in a lack of understanding of how current malware behaves during infections of modern operating systems. In this paper, we discuss the challenges and issues faced during the development of this type of analysis system, mainly due to the security features available in NT 6.x kernel versions of the Windows OS. We also introduce a dynamic analysis system that addresses the aforementioned types of malware and present results obtained from their analyses.
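The abstract names the sample classes that public sandboxes tend to mishandle: CPL applets, .NET/Mono assemblies and 64-bit images. As an added triage example (not code from the paper or its analysis system), the following Python reads the PE header fields that distinguish those classes statically: the optional-header magic and COFF machine field for bitness, a non-empty CLR runtime header (data directory 14, which Mono consumes in the same way as the Microsoft CLR) for managed code, and an export named CPlApplet for Control Panel applets. Reboot dependence is behavioural and cannot be read from headers, so it is out of scope here. The build_sample helper assembles constructed, header-only images purely so the classifier can be exercised offline; they are not loadable and are not real malware.

```python
import struct

# Constants from the PE specification (winnt.h).
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_FILE_DLL = 0x2000
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
DIR_EXPORT, DIR_CLR = 0, 14  # IMAGE_DIRECTORY_ENTRY_EXPORT / _COM_DESCRIPTOR


def _rva_to_offset(rva, sections):
    """Map an RVA to a file offset via the section table."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError("RVA 0x%x is not backed by any section" % rva)


def classify_pe(data):
    """Return bitness, DLL flag, .NET flag, CPL flag and export names of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:          # NumberOfRvaAndSizes / DataDirectory sit at different offsets
        ndirs_off, dirs_off = opt + 92, opt + 96
    elif magic == PE32PLUS_MAGIC:    # in PE32 and PE32+ optional headers
        ndirs_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    ndirs = struct.unpack_from("<I", data, ndirs_off)[0]

    def directory(index):
        if index >= ndirs:
            return 0, 0
        return struct.unpack_from("<II", data, dirs_off + 8 * index)

    sections = []
    for i in range(nsections):   # section headers follow the optional header, 40 bytes each
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
        sections.append((va, vsize, raw_ptr, raw_size))

    # CPL applets are DLLs exporting CPlApplet: walk the export name table to find it.
    exports = []
    exp_rva, exp_size = directory(DIR_EXPORT)
    if exp_rva and exp_size:
        exp = _rva_to_offset(exp_rva, sections)
        nnames = struct.unpack_from("<I", data, exp + 24)[0]                          # NumberOfNames
        names = _rva_to_offset(struct.unpack_from("<I", data, exp + 32)[0], sections)  # AddressOfNames
        for i in range(min(nnames, 65536)):   # cap guards against a corrupt count
            off = _rva_to_offset(struct.unpack_from("<I", data, names + 4 * i)[0], sections)
            exports.append(data[off:data.index(b"\0", off)].decode("ascii", "replace"))

    clr_rva, clr_size = directory(DIR_CLR)   # a non-empty CLR header marks a managed (.NET/Mono) image
    arch = {IMAGE_FILE_MACHINE_I386: "x86", IMAGE_FILE_MACHINE_AMD64: "x64"}.get(machine, hex(machine))
    return {"arch": arch, "is_dll": bool(chars & IMAGE_FILE_DLL), "dotnet": bool(clr_rva and clr_size),
            "cpl": "CPlApplet" in exports, "exports": exports}


def build_sample(pe32plus=False, dotnet=False, cpl=False):
    """Assemble a constructed header-only PE for testing (not loadable, not real malware)."""
    magic = PE32PLUS_MAGIC if pe32plus else PE32_MAGIC
    machine = IMAGE_FILE_MACHINE_AMD64 if pe32plus else IMAGE_FILE_MACHINE_I386
    opt_size = 240 if pe32plus else 224
    sec_va, sec_raw = 0x1000, 0x400   # one section, present only to hold a CPL export table
    body, dirs = b"", [(0, 0)] * 16
    if cpl:
        names_rva = sec_va + 40        # name-pointer table directly after the 40-byte directory
        body = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, 0, 1, 1, 1, 0, names_rva, 0)
        body += struct.pack("<I", names_rva + 4) + b"CPlApplet\0"
        dirs[DIR_EXPORT] = (sec_va, len(body))
    if dotnet:
        dirs[DIR_CLR] = (0x2000, 72)   # any non-zero RVA/size marks the image as managed
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    chars = 0x0002 | (IMAGE_FILE_DLL if cpl else 0)   # EXECUTABLE_IMAGE, plus DLL for applets
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", machine, 1 if cpl else 0, 0, 0, 0, opt_size, chars)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    base = 108 if pe32plus else 92
    struct.pack_into("<I", opt, base, len(dirs))
    for i, (rva, size) in enumerate(dirs):
        struct.pack_into("<II", opt, base + 4 + 8 * i, rva, size)
    sec = b""
    if cpl:
        sec = struct.pack("<8sIIII", b".edata", len(body), sec_va, len(body), sec_raw) + b"\0" * 16
    image = dos + coff + opt + sec
    return bytes(image) + b"\0" * (sec_raw - len(image)) + body


if __name__ == "__main__":
    for kw in ({}, {"pe32plus": True, "dotnet": True}, {"cpl": True}):
        print(kw, classify_pe(build_sample(**kw)))
```

Run it on a real sample with classify_pe(open(path, "rb").read()). The export walk is the part most worth hardening before use on hostile input: a packed or deliberately malformed sample can point AddressOfNames outside any section, which here surfaces as a ValueError rather than silently reporting "not CPL".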
Notes
As detailed in Sect. 4.4.
We identified .NET samples as 0.6, 1.1, and 7.6% of all samples in our dataset collected in 2013, 2014, and the first quarter of 2015, respectively.
Solutions like Sandboxie (http://www.sandboxie.com) are not designed for this purpose and can be detected due to their userland modules.
We measure suspended processes to avoid penalties from external factors.
Acknowledgements
This work was supported by the Brazilian National Council for Scientific and Technological Development (CNPq, Universal 14/2014, process 444487/2014-0) and the Coordination for the Improvement of Higher Education Personnel (CAPES, Project FORTE, Forensics Sciences Program 24/2014, process 23038.007604/2014-69).
Cite this article
Botacin, M.F., de Geus, P.L. & Grégio, A.R.A. The other guys: automated analysis of marginalized malware. J Comput Virol Hack Tech 14, 87–98 (2018). https://doi.org/10.1007/s11416-017-0292-8