The power of procrastination: Detection and mitigation of execution-stalling malicious code

Proceedings of the ACM Conference on Computer and Communications Security

Volumn , Issue , 2011, Pages 285-296

  Kolbitsch, Clemens ^a   Kirda, Engin ^b   Kruegel, Christopher ^c  

^a VIENNA UNIVERSITY OF TECHNOLOGY   (Austria)

^b NORTHEASTERN UNIVERSITY   (United States)

^c UNIVERSITY OF CALIFORNIA   (United States)

Author keywords

Emulation; Evasion; Malware analysis

Indexed keywords

ANTI-MALWARE; DEFENSE MECHANISM; EMULATION; EVASION; MALICIOUS ACTIVITIES; MALICIOUS BEHAVIOR; MALICIOUS CODES; MALWARE ANALYSIS; MALWARES; SECURITY PROBLEMS;

COMPUTER CRIME; SECURITY OF DATA;

DYNAMIC ANALYSIS;

EID: 80755168350     PISSN: 15437221     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/2046707.2046740     Document Type: Conference Paper

References (28)

1. Forum Posting - Detection of Sandboxes. http://www.opensc.ws/snippets/ 3558-detect-5-different-sandboxes.html, 2009.
2. http://anubis.iseclab.org, 2010.
3. http://www.cwsandbox.org, 2010.
4. http://www.norman.com/enterprise/all-products/malware-analyzer/ norman-sandbox-analyzer/en, 2010.
5. http://msdn.microsoft.com/en-us/library/ms724408%28VS.85%29.aspx, 2010.
6. BALZAROTTI, D., COVA, M., KARLBERGER, C., KRUEGEL, C., KIRDA, E., AND VIGNA, G. Efficient Detection of Split Personalities in Malware. In Network and Distributed System Security Symposium (NDSS) (2010).
7. BAYER, U., HABIBI, I., BALZAROTTI, D., KIRDA, E., AND KRUEGEL, C. A View on Current Malware Behaviors. In Workshop on Large-Scale Exploits and Emergent Threats (LEET) (2009).
8. BAYER, U., MILANI COMPARETTI, P., HLAUSCHEK, C., KRUEGEL, C., AND KIRDA, E. Scalable, Behavior-Based Malware Clustering. In Network and Distributed System Security Symposium (2009).
9. BRUMLEY, D., HARTWIG, C., LIANG, Z., NEWSOME, J., SONG, D., AND YIN, H. Towards automatically identifying trigger-based behavior in malware using symbolic execution and binary analysis. Tech. Rep. CMU-CS-07-105, Carnegie Mellon University, 2007.
10. CRANDALL, J., WASSERMANN, G., DE OLIVEIRA, D., SU, Z., WU, F., AND CHONG, F. Temporal Search: Detecting Hidden Malware Timebombs with Virtual Machines. In Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS) (2006).
11. DINABURG, A., ROYAL, P., SHARIF, M., AND LEE, W. Ether: Malware Analysis via Hardware Virtualization Extensions. In ACM Conference on Computer and Communications Security (2008).
12. FATTORI, A., PALEARI, R., MARTIGNONI, L., AND MONGA, M. Dynamic and Transparent Analysis of Commodity Production Systems. In International Conference on Automated Software Engineering (ASE) (2010).
13. FERRIE, P. Attacks on Virtual Machines. In Proceedings of the Association of Anti-Virus Asia Researchers Conference (2007).
14. FREDRIKSON, M., JHA, S., CHRISTODORESCU, M., SAILER, R., AND YAN, X. Synthesizing Near-Optimal Malware Specifications from Suspicious Behaviors. In IEEE Symposium on Security and Privacy (2010).
15. FREILING, F., HOLZ, T., AND WICHERSKI, G. Botnet Tracking: Exploring a Root-Cause Methodology to Prevent Distributed Denial-of-Service Attacks. In European Symposium On Research In Computer Security (ESORICS) (2005).
16. JOHN, J., MOSHCHUK, A., GRIBBLE, S., AND KRISHNAMURTHY, A. Studying Spamming Botnets Using Botlab. In Usenix Symposium on Networked Systems Design and Implementation (NSDI) (2009).
17. KANG, M., YIN, H., HANNA, S., MCCAMANT, S., AND SONG, D. Emulating Emulation-Resistant Malware. In Workshop on Virtual Machine Security (VMSec) (2010).
18. KOLBITSCH, C., HOLZ, T., KRUEGEL, C., AND KIRDA, E. Inspector Gadget: Automated Extraction of Proprietary Gadgets from Malware Binaries. In IEEE Symposium on Security and Privacy (2010).
19. KOLBITSCH, C., MILANI COMPARETTI, P., KRUEGEL, C., KIRDA, E., ZHOU, X., AND WANG, X. Effective and Efficient Malware Detection at the End Host. In Usenix Security Symposium (2009).
20. MARTIGNONI, L., PALEARI, R., ROGLIA, G. F., AND BRUSCHI, D. Testing CPU Emulators. In International Symposium on Software Testing and Analysis (ISSTA) (2009).
21. MOSER, A., KRUEGEL, C., AND KIRDA, E. Exploring Multiple Execution Paths for Malware Analysis. In IEEE Symposium on Security and Privacy (2007).
22. PALEARI, R., MARTIGNONI, L., ROGLIA, G. F., AND BRUSCHI, D. A Fistful of Red-Pills: How to Automatically Generate Procedures to Detect CPU Emulators. In usenix-woot (2009).
23. RAFFETSEDER, T., KRUEGEL, C., AND KIRDA, E. Detecting System Emulators. In Proceedings of the Information Security Conference (2007).
24. RUTKOWSKA, J. Red Pill⋯ or how to detect VMM using (almost) one CPU instruction. http://www.invisiblethings.org/papers/redpill.html, 2004.
25. SONG, D., BRUMLEY, D., YIN, H., CABALLERO, J., JAGER, I., KANG, M. G., LIANG, Z., NEWSOME, J., POOSANKAM, P., AND SAXENA, P. BitBlaze: A new approach to computer security via binary analysis. In Conference on Information Systems Security (Invited Paper) (2008).
26. SREEDHAR, V. C., GAO, G. R., AND FONG LEE, Y. Identifying loops using DJ graphs, 1995.
27. STONE-GROSS, B., COVA, M., CAVALLARO, L., GILBERT, B., SZYDLOWSKI, M., KEMMERER, R., KRUEGEL, C., AND VIGNA, G. Your Botnet is My Botnet: Analysis of a Botnet Takeover. In ACM Conference on Computer and Communications Security (CCS) (2009).
28. WILHELM, J., AND CHIUEH, T.-C. A Forced Sampled Execution Approach to Kernel Rootkit Identification. In Recent Advances in Intrusion Detection. 2007.