Abstract
Online malware scanners are one of the best weapons in the arsenal of cybersecurity companies and researchers. A fundamental part of such systems is the sandbox that provides an instrumented and isolated environment (virtualized or emulated) for any user to upload and run unknown artifacts and identify potentially malicious behaviors. The provided API and the wealth of information in the reports produced by these services have also helped attackers test the efficacy of numerous techniques to make malware hard to detect.
The most common technique used by malware to evade an analysis system is to monitor the execution environment, detect the presence of debugging or instrumentation artifacts, and suppress its malicious behavior when they are found. This is usually achieved by looking for signals suggesting that the execution environment is not a native machine, such as specific memory patterns or the behavioral traits of certain CPU instructions.
In this paper, we show how an attacker can evade detection on such online services by incorporating a Proof-of-Work (PoW) algorithm into a malware sample. Specifically, we leverage the asymptotic behavior of the computational cost of PoW algorithms when they run on some classes of hardware platforms to detect that the malware sandbox analyzer is not a bare-metal environment. To prove the validity of this intuition, we design and implement the PoW-How framework, a tool that automatically implements sandbox detection strategies and embeds a test evasion program into an arbitrary malware sample. Our empirical evaluation shows that the proposed evasion technique is durable, hard to fingerprint, and reduces the detection rate of existing malware by a factor of 10. Moreover, we show that bare-metal environments cannot scale to the actual malware submission rates of consumer services.
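The following is an added illustration of the intuition the abstract sketches, not code from the PoW-How framework or the paper's artifact repository. It times a memory-hard proof-of-work (scrypt from the Python standard library; Argon2, yescrypt or Catena would serve the same role) and uses Chebyshev's inequality to decide whether the observed per-hash cost is consistent with a bare-metal baseline. The scrypt parameters, difficulty, baseline numbers and confidence level are placeholders chosen for the demo, not measurements from the paper.

```python
"""
Added illustration of the PoW timing side-channel idea (not the paper's code).
Memory-hard hashing from the standard library plus a Chebyshev decision rule;
all parameters and baseline values below are ASSUMED placeholders.
"""
import hashlib
import math
import os
import statistics
import time

# Assumed PoW parameters: small so the demo runs in seconds. A deployed check
# would raise SCRYPT_N to amplify the cost gap between bare metal and a
# virtualized or emulated CPU/memory subsystem.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 10, 8, 1   # about 1 MiB of working memory
DIFFICULTY_BITS = 8                            # leading zero bits required


def pow_hash(challenge, nonce):
    """One memory-hard hash evaluation: the unit of work whose cost is timed."""
    data = nonce.to_bytes(8, "big")
    if hasattr(hashlib, "scrypt"):            # needs OpenSSL 1.1+
        return hashlib.scrypt(data, salt=challenge, n=SCRYPT_N, r=SCRYPT_R,
                              p=SCRYPT_P, dklen=32)
    # Fallback so the demo still runs; PBKDF2 is NOT memory-hard, so the
    # timing gap it exhibits between environments is much smaller.
    return hashlib.pbkdf2_hmac("sha256", data, challenge, SCRYPT_N, dklen=32)


def solve_pow(challenge, difficulty_bits=DIFFICULTY_BITS):
    """Hashcash-style search for the smallest nonce whose hash has
    `difficulty_bits` leading zero bits. Returns (nonce, evaluations) so the
    caller can normalize timing by the work actually done."""
    target = 1 << (256 - difficulty_bits)
    nonce = 0
    while int.from_bytes(pow_hash(challenge, nonce), "big") >= target:
        nonce += 1
    return nonce, nonce + 1


def verify_pow(challenge, nonce, difficulty_bits=DIFFICULTY_BITS):
    """Single hash evaluation checking that a claimed solution is valid."""
    target = 1 << (256 - difficulty_bits)
    return int.from_bytes(pow_hash(challenge, nonce), "big") < target


def sample_cost_per_hash(rounds, difficulty_bits=DIFFICULTY_BITS):
    """Solve `rounds` PoWs on fresh random challenges and return the per-hash
    wall-clock cost of each round. Dividing by the evaluation count removes
    the luck of the nonce search from the measurement."""
    costs = []
    for _ in range(rounds):
        challenge = os.urandom(16)
        start = time.perf_counter()
        _, evaluations = solve_pow(challenge, difficulty_bits)
        costs.append((time.perf_counter() - start) / evaluations)
    return costs


def chebyshev_k(alpha):
    """Smallest k with 1/k**2 <= alpha. Chebyshev's inequality bounds
    P(|X - mu| >= k*sigma) <= 1/k**2 for ANY distribution with finite
    variance, so no normality assumption about timings is required."""
    return math.sqrt(1.0 / alpha)


def looks_non_bare_metal(costs, baseline_mean, baseline_std, alpha=0.05):
    """Flag the environment when the mean observed per-hash cost exceeds the
    bare-metal baseline by more than Chebyshev allows at level alpha. The mean
    of n i.i.d. samples has standard deviation baseline_std / sqrt(n). Only
    slower-than-baseline counts as suspicious: a faster CPU is still
    plausibly bare metal."""
    if not costs:
        raise ValueError("need at least one timing sample")
    observed = statistics.mean(costs)
    threshold = chebyshev_k(alpha) * baseline_std / math.sqrt(len(costs))
    return observed - baseline_mean >= threshold


if __name__ == "__main__":
    # Assumed baseline: per-hash cost measured ahead of time on bare metal
    # (seconds). These are placeholders, not values from the paper.
    BASELINE_MEAN, BASELINE_STD = 1.5e-3, 2.0e-4
    costs = sample_cost_per_hash(rounds=5)
    print("mean per-hash cost: %.2f ms" % (statistics.mean(costs) * 1e3))
    print("non-bare-metal?", looks_non_bare_metal(costs, BASELINE_MEAN, BASELINE_STD))
```

The baseline has to be collected on hardware the attacker controls and matched to the target CPU class, and the confidence level trades false "sandbox" verdicts on slow but genuine hosts against missed detections; that tuning, and the choice of a PoW whose cost grows sharply under virtualization or emulation, is what the paper evaluates.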
Notes
2. This cannot be applied to ForbiddenTear since it is written in .NET.
4. This reference has been anonymized so as not to violate the terms of service of sandbox vendors [1].
References
Evasive malware analysis report (2020). anonymized
Evasive malware analysis report - 1 (2020). anonymized
Evasive malware analysis report - 2 (2020). anonymized
Evasive malware analysis report - 3 (2020). anonymized
Evasive malware analysis sandbox (2020). anonymized
Back, A.: Hashcash: anti-spam tool (2020). http://www.hashcash.org/
Peslyak, A.: yescrypt - scalable KDF and password hashing scheme (2015). www.openwall.com/yescrypt
Alsmeyer, G.: Chebyshev’s inequality. In: Lovric, M. (eds.) International Encyclopedia of Statistical Science. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-04898-2_167
anonymized: Sandbox 1 (2020). anonymized
anonymized: Sandbox 2 (2020). http://www.anonymized
anonymized: Sandbox 3 (2020). http://www.anonymized
Nappa, A., et al.: PoC Behaviour (No Evasion) - anonymized (2020). http://www.anonymized
Nappa, A., Papadopoulos, P., Varvello, M., Gomez, D.A., Tapiador, J., Lanzi, A.: Artifact repository. https://github.com/anonnymousubmission/Esorics2021_Paper159 (2021)
Nappa, A., Papadopoulos, P., Varvello, M., Gomez, D.A., Tapiador, J., Lanzi, A.: Relec + PoW + static sanitization - anonymized (2021). http://www.anonymized
Balzarotti, D., Cova, M., Karlberger, C., Vigna, G.: Efficient detection of split personalities in malware. In: Proceedings of the 17th Annual Network and Distributed System Security Symposium (NDSS) (2010)
Bayer, U., Comparetti, P.M., Hlauschek, C., Krügel, C., Kirda, E.: Scalable, behavior-based malware clustering. In: NDSS. The Internet Society (2009). http://dblp.uni-trier.de/db/conf/ndss/ndss2009.html#BayerCHKK09
Biryukov, A., Dinu, D., Khovratovich, D.: Argon2: new generation of memory-hard functions for password hashing and other applications. In: IEEE European Symposium on Security and Privacy, EuroS&P 2016, Saarbrücken, Germany, 21–24 March 2016 (2016)
Biryukov, A., Dinu, D., Khovratovich, D., Josefsson, S.: Argon2 RFC draft (2019). www.tools.ietf.org/id/draft-irtf-cfrg-argon2-05.html
Blackthorne, J., Bulazel, A., Fasano, A., Biernat, P., Yener, B.: AVLeak: fingerprinting antivirus emulators through black-box testing. In: 10th USENIX Workshop on Offensive Technologies (WOOT 16), Austin, TX. USENIX Association, August 2016. https://www.usenix.org/conference/woot16/workshop-program/presentation/blackthorne
Brengel, M., Backes, M., Rossow, C.: Detecting hardware-assisted virtualization. In: Caballero, J., Zurutuza, U., Rodríguez, R.J. (eds.) DIMVA 2016. LNCS, vol. 9721, pp. 207–227. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-40667-1_11
Caballero, J., Grier, C., Kreibich, C., Paxson, V.: Measuring pay-per-install: the commoditization of malware distribution. In: Proceedings of the 20th USENIX Security Symposium (2011)
Canali, D., Lanzi, A., Balzarotti, D., Kruegel, C., Christodorescu, M., Kirda, E.: A quantitative study of accuracy in system call-based malware detection. In: Heimdahl, M.P.E., Su, Z. (eds.) International Symposium on Software Testing and Analysis, ISSTA 2012, Minneapolis, MN, USA, 15–20 July 2012, pp. 122–132. ACM (2012). https://doi.org/10.1145/2338965.2336768
Chen, X., Andersen, J., Mao, Z.M., Bailey, M., Nazario, J.: Towards an understanding of anti-virtualization and anti-debugging behavior in modern malware. In: 2008 IEEE International Conference on Dependable Systems and Networks with FTCS and DCC (DSN), pp. 177–186. IEEE (2008)
Forler, C., Lucks, S., Wenzel, J.: The catena password-scrambling framework (2015). www.uni-weimar.de/fileadmin/user/fak/medien/professuren/Mediensicherheit/Research/Publications/catena-v3.1.pdf
Chronicle Security: File statistics during last 7 days (2020). https://www.virustotal.com/en/statistics/
Coker, J.: Evasive malware threats on the rise despite decline in overall attacks (2020). https://www.infosecurity-magazine.com/news/evasive-malware-rise-decline/
Cybersecurity Ventures: Global cybercrime damages predicted to reach \$6 trillion annually by 2021 (2018). https://cybersecurityventures.com/cybercrime-damages-6-trillion-by-2021/
Digiconomist: Bitcoin energy consumption index. https://digiconomist.net/bitcoin-energy-consumption
Dinaburg, A., Royal, P., Sharif, M., Lee, W.: Ether: malware analysis via hardware virtualization extensions. In: Proceedings of the 15th ACM Conference on Computer and Communications Security, CCS 2008, New York, NY, USA, pp. 51–62. Association for Computing Machinery (2008). https://doi.org/10.1145/1455770.1455779
Dugan, J., Elliott, S., Mah, B.A., Poskanzer, J., Prabhu, K.: iPerf - the ultimate speed test tool for TCP, UDP and SCTP (2020). https://iperf.fr/
Dwork, C., Naor, M.: Pricing via processing or combatting junk mail. In: Brickell, E.F. (ed.) CRYPTO 1992. LNCS, vol. 740, pp. 139–147. Springer, Heidelberg (1993). https://doi.org/10.1007/3-540-48071-4_10
Feldman, R., Dagan, I.: Knowledge discovery in textual databases (KDT). In: Proceedings of the First International Conference on Knowledge Discovery and Data Mining, KDD 1995, pp. 112–117. AAAI Press (1995)
Franklin, J., Luk, M., McCune, J.M., Seshadri, A., Perrig, A., Van Doorn, L.: Remote detection of virtual machine monitors with fuzzy benchmarking. ACM SIGOPS Oper. Syst. Rev. 42(3), 83–92 (2008)
Graziano, M., Canali, D., Bilge, L., Lanzi, A., Balzarotti, D.: Needles in a haystack: mining information from public dynamic analysis sandboxes for malware intelligence. In: Proceedings of the 24th USENIX Security Symposium (USENIX Security), August 2015
Gu, G., Yegneswaran, V., Porras, P., Stoll, J., Lee, W.: Active botnet probing to identify obscure command and control channels. In: Proceedings of 2009 Annual Computer Security Applications Conference (ACSAC 2009), December 2009
Guarnieri, C.: Cuckoo sandbox (2010). https://cuckoosandbox.org/
Haq, I.U., Chica, S., Caballero, J., Jha, S.: Malware lineage in the wild. Comput. Secur. 78(C), 347–363, August 2018. https://doi.org/10.1016/j.cose.2018.07.012
Infosecurity Magazine: Cybercrime costs global economy \$2.9m per minute (2019). https://www.infosecurity-magazine.com/news/cybercrime-costs-global-economy/
Kirat, D., Vigna, G., Kruegel, C.: BareCloud: bare-metal analysis-based evasive malware detection. In: 23rd USENIX Security Symposium (USENIX Security 14), San Diego, CA, pp. 287–301. USENIX Association, August 2014. https://www.usenix.org/conference/usenixsecurity14/technical-sessions/presentation/kirat
Kocher, P., et al.: Spectre attacks: exploiting speculative execution. In: 40th IEEE Symposium on Security and Privacy (S&P 2019) (2019)
Kocher, P.C.: Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 104–113. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-68697-5_9
Kolbitsch, C., Holz, T., Kruegel, C., Kirda, E.: Inspector gadget: automated extraction of proprietary gadgets from malware binaries. In: 31st IEEE Symposium on Security and Privacy, S&P 2010, Berkeley/Oakland, California, USA, 16–19 May 2010, pp. 29–44. IEEE Computer Society (2010). https://doi.org/10.1109/SP.2010.10
Kotzias, P., Bilge, L., Caballero, J.: Measuring PUP prevalence and PUP distribution through pay-per-install services. In: Proceedings of the 25th USENIX Security Symposium (2016)
Lanzi, A., Balzarotti, D., Kruegel, C., Christodorescu, M., Kirda, E.: AccessMiner: using system-centric models for malware protection. In: Al-Shaer, E., Keromytis, A.D., Shmatikov, V. (eds.) Proceedings of the 17th ACM Conference on Computer and Communications Security, CCS 2010, Chicago, Illinois, USA, 4–8 October 2010, pp. 399–412. ACM (2010). https://doi.org/10.1145/1866307.1866353
Larimer, D.: Momentum-a memory-hard proof-of-work via finding birthday collisions. Technical report (2014)
Lastline Inc.: Not so fast my friend - using inverted timing attacks to bypass dynamic analysis (2014). www.lastline.com/labsblog/not-so-fast-my-friend-using-inverted-timing-attacks-to-bypass-dynamic-analysis/
Laurie, B., Clayton, R.: Proof-of-work proves not to work; version 0.2. In: Workshop on Economics and Information Security (WEIS) (2004)
Li, L.W., Duc, G., Pacalet, R.: Hardware-assisted memory tracing on new SoCs embedding FPGA fabrics. In: Proceedings of the 31st Annual Computer Security Applications Conference, ACSAC 2015, New York, NY, USA, pp. 461–470. Association for Computing Machinery (2015). https://doi.org/10.1145/2818000.2818030
Lindorfer, M., Kolbitsch, C., Milani Comparetti, P.: Detecting environment-sensitive malware. In: Sommer, R., Balzarotti, D., Maier, G. (eds.) RAID 2011. LNCS, vol. 6961, pp. 338–357. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-23644-0_18
Lipp, M., et al.: Meltdown: reading kernel memory from user space. In: 27th USENIX Security Symposium (USENIX Security 18) (2018)
LLVM: Clang: a C language family frontend for LLVM (2020). https://clang.llvm.org/
Martignoni, L., Christodorescu, M., Jha, S.: OmniUnpack: fast, generic, and safe unpacking of malware. In: ACSAC 2007 (2007)
Martignoni, L., Paleari, R., Fresi Roglia, G., Bruschi, D.: Testing CPU emulators. In: Proceedings of the 2009 International Conference on Software Testing and Analysis (ISSTA), Chicago, Illinois, USA, pp. 261–272. ACM (2009)
Martignoni, L., Paleari, R., Fresi Roglia, G., Bruschi, D.: Testing system virtual machines. In: Proceedings of the 2010 International Symposium on Testing and Analysis (ISSTA), Trento, Italy (2010)
Miramirkhani, N., Appini, M.P., Nikiforakis, N., Polychronakis, M.: Spotless sandboxes: evading malware analysis systems using wear-and-tear artifacts. In: 2017 IEEE Symposium on Security and Privacy (SP), pp. 1009–1024, May 2017. https://doi.org/10.1109/SP.2017.42
Moser, A., Krügel, C., Kirda, E.: Exploring multiple execution paths for malware analysis. In: 2007 IEEE Symposium on Security and Privacy (S&P 2007), Oakland, California, USA, 20–23 May 2007, pp. 231–245. IEEE Computer Society (2007). https://doi.org/10.1109/SP.2007.17
Nakamoto, S.: Bitcoin: a peer-to-peer electronic cash system. http://bitcoin.org/bitcoin.pdf
Nappa, A., Xu, Z., Rafique, M.Z., Caballero, J., Gu, G.: Cyberprobe: towards internet-scale active detection of malicious servers. In: Proceedings of the 21st Annual Network and Distributed System Security Symposium (NDSS 2014), February 2014
Oprişa, C., Ignat, N.: A measure of similarity for binary programs with a hierarchical structure. In: 2015 IEEE International Conference on Intelligent Computer Communication and Processing (ICCP), pp. 117–123 (2015). https://doi.org/10.1109/ICCP.2015.7312615
Oreans Technologies: Themida: advanced Windows software protection system (2020). https://www.oreans.com/themida.php
The Boost organization: Boost C++ libraries (2020). https://www.boost.org/
Ozarslan, S.: Online malware sandboxes (2016). www.medium.com/@su13ym4n/15-online-sandboxes-for-malware-analysis-f8885ecb8a35
Paleari, R., Martignoni, L., Roglia, G.F., Bruschi, D.: A fistful of red-pills: how to automatically generate procedures to detect CPU emulators. In: Proceedings of the 3rd USENIX Conference on Offensive Technologies, WOOT 2009, USA, p. 2. USENIX Association (2009)
Protocol Labs: Filecoin: a decentralized storage network (2020). https://filecoin.io/
Red Hat Inc.: Ansible IT automation (2020). https://github.com/ansible
Rutkowska, J.: Red pill ... or how to detect VMM using (almost) one CPU instruction (2004). https://securiteam.com/securityreviews/6z00h20bqs/
Sharif, M., Lanzi, A., Giffin, J., Lee, W.: Automatic reverse engineering of malware emulators. In: IEEE Symposium on Security and Privacy, vol. 0, pp. 94–109 (2009). http://doi.ieeecomputersociety.org/10.1109/SP.2009.27
Tanabe, R., Ueno, W., Ishii, K., Yoshioka, K., Matsumoto, T., Kasama, T., Inoue, D., Rossow, C.: Evasive malware via identifier implanting. In: Giuffrida, C., Bardin, S., Blanc, G. (eds.) DIMVA 2018. LNCS, vol. 10885, pp. 162–184. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-93411-2_8
Tromp, J.: Cuckoo cycle: a memory bound graph-theoretic proof-of-work. In: Brenner, M., Christin, N., Johnson, B., Rohloff, K. (eds.) FC 2015. LNCS, vol. 8976, pp. 49–62. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48051-9_4
Tuwiner, J.: Bitmain antminer s9 review (2017). https://www.buybitcoinworldwide.com/mining/hardware/antminer-s9/
Ugarte-Pedrero, X., Balzarotti, D., Santos, I., Bringas, P.G.: SoK: deep packer inspection: a longitudinal study of the complexity of run-time packers. In: 2015 IEEE Symposium on Security and Privacy, pp. 659–673, May 2015. https://doi.org/10.1109/SP.2015.46
VirusShare: Virusshare.com - because sharing is caring (2020). https://virusshare.com/l
Wang, T., Wei, T., Gu, G., Zou, W.: TaintScope: a checksum-aware directed fuzzing tool for automatic software vulnerability detection. In: Proceedings of the 31st IEEE Symposium on Security and Privacy (Oakland 2010), May 2010
Wikipedia: WannaCry ransomware attack (2017). https://en.wikipedia.org/wiki/WannaCry_ransomware_attack/
Wong, D.: NP complexity (2013). https://www.cryptologie.net/article/43/np-complexity/
Xu, Z., Nappa, A., Baykov, R., Yang, G., Caballero, J., Gu, G.: AutoProbe: towards automatic active malicious server probing using dynamic binary analysis. In: Proceedings of the 21st ACM Conference on Computer and Communication Security (2014)
Yokoyama, A., et al.: SandPrint: fingerprinting malware sandboxes to provide intelligence for sandbox evasion. In: Monrose, F., Dacier, M., Blanc, G., Garcia-Alfaro, J. (eds.) RAID 2016. LNCS, vol. 9854, pp. 165–187. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-45719-2_8
© 2021 Springer Nature Switzerland AG
Cite this paper
Nappa, A., Papadopoulos, P., Varvello, M., Gomez, D.A., Tapiador, J., Lanzi, A. (2021). PoW-How: An Enduring Timing Side-Channel to Evade Online Malware Sandboxes. In: Bertino, E., Shulman, H., Waidner, M. (eds) Computer Security – ESORICS 2021. ESORICS 2021. Lecture Notes in Computer Science, vol 12972. Springer, Cham. https://doi.org/10.1007/978-3-030-88418-5_5
Print ISBN: 978-3-030-88417-8
Online ISBN: 978-3-030-88418-5