Detecting environment-sensitive malware

Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

Volumn 6961 LNCS, Issue , 2011, Pages 338-357

  Lindorfer, Martina ^a   Kolbitsch, Clemens ^a   Milani Comparetti, Paolo ^a  

^a VIENNA UNIVERSITY OF TECHNOLOGY   (Austria)

Author keywords

Behavior Comparison; Dynamic Analysis; Malware; Sandbox Detection

Indexed keywords

BEHAVIOR COMPARISON; ENVIRONMENT-SENSITIVE; MALICIOUS CODES; MALWARE; MALWARE ANALYSIS; MALWARES; MONITORING TECHNOLOGIES; NOVEL TECHNIQUES; ONE STEP;

CODES (SYMBOLS); COMPUTER CRIME; DYNAMIC ANALYSIS; INTRUSION DETECTION; SCREENING;

STATIC ANALYSIS;

EID: 84857329765     PISSN: 03029743     EISSN: 16113349     Source Type: Book Series    
DOI: 10.1007/978-3-642-23644-0_18     Document Type: Conference Paper

References (36)

1. Bailey, M., Oberheide, J., Andersen, J., Mao, Z.M., Jahanian, F., Nazario, J.: Automated Classification and Analysis of Internet Malware. In: Kruegel, C., Lippmann, R., Clark, A. (eds.) RAID 2007. LNCS, vol. 4637, pp. 178-197. Springer, Heidelberg (2007)
2. Balzarotti, D., Cova, M., Karlberger, C., Kruegel, C., Kirda, E., Vigna, G.: Efficient Detection of Split Personalities in Malware. In: Proceedings of the 17th Annual Network and Distributed System Security Symposium, NDSS (2010)
3. Bayer, U., Comparetti, P., Hlauschek, C., Kruegel, C., Kirda, E.: Scalable, Behavior-Based Malware Clustering. In: Proceedings of the 16th Annual Network and Distributed System Security Symposium, NDSS (2009)
4. Bayer, U., Habibi, I., Balzarotti, D., Kirda, E., Kruegel, C.: A View on Current Malware Behaviors. In: 2nd USENIXWorkshop on Large-Scale Exploits and Emergent Threats, LEET (2009)
5. Bayer, U., Kirda, E., Kruegel, C.: Improving the Efficiency of Dynamic Malware Analysis. In: Proceedings of the ACM Symposium on Applied Computing, SAC (2010)
6. Bayer, U., Kruegel, C., Kirda, E.: TTAnalyze: A Tool for Analyzing Malware. In: Proceedings of the 15th European Institute for Computer Antivirus Research (EICAR) Annual Conference (2006)
7. Bellard, F.: QEMU, a Fast and Portable Dynamic Translator. In: USENIX Annual Technical Conference (2005)
8. Chen, X., Andersen, J., Mao, Z.M., Bailey, M., Nazario, J.: Towards an Understanding of Anti-Virtualization and Anti-Debugging Behavior in Modern Malware. In: Proceedings of the 38th Annual IEEE International Conference on Dependable Systems and Networks, DSN (2008)
9. Dinaburg, A., Royal, P., Sharif, M., Lee,W.: Ether: Malware Analysis via Hardware Virtualization Extensions. In: Proceedings of the ACM Conference on Computer and Communications Security, CCS (2008)
10. Ferrie, P.: Attacks on Virtual Machine Emulators. Tech. rep., Symantec Research White Paper (2006)
11. Ferrie, P.: Attacks on More Virtual Machines (2007)
12. Garfinkel, T., Adams, K., Warfield, A., Franklin, J.: Compatibility is Not Transparency: VMM Detection Myths and Realities. In: Proceedings of the 11th Workshop on Hot Topics in Operating Systems, HotOS-XI (2007)
13. Hoglund, G., Butler, J.: Rootkits: Subverting the Windows kernel. Addison-Wesley Professional, Reading (2005)
14. Jaccard, P.: The Distribution of Flora in the Alpine Zone. The New Phytologist 11(2) (1912)
15. Johnson, N.M., Caballero, J., Chen, K.Z., McCamant, S., Poosankam, P., Reynaud, D., Song, D.: Differential Slicing: Identifying Causal Execution Differences for Security Applications. In: IEEE Symposium on Security and Privacy (2011)
16. Kamluk, V.: A black hat loses control (2009), http://www.securelist.com/ en/weblog?weblogid=208187881
17. Kang, M.G., Poosankam, P., Yin, H.: Renovo: A Hidden Code Extractor for Packed Executables. In: ACM Workshop on Recurring Malcode, WORM (2007)
18. Kang, M.G., Yin, H., Hanna, S., McCamant, S., Song, D.: Emulating Emulation- Resistant Malware. In: Proceedings of the 2nd Workshop on Virtual Machine Security, VMSec (2009)
19. Kleissner, P.: Antivirus Tracker (2009), http://avtracker.info/
20. Lau, B., Svajcer, V.: Measuring virtual machine detection in malware using DSD tracer. Journal in Computer Virology 6(3) (2010)
21. Martignoni, L., Christodorescu, M., Jha, S.: OmniUnpack: Fast, Generic, and Safe Unpacking of Malware. In: Proceedings of the Annual Computer Security Applications Conference, ACSAC (2007)
22. Martignoni, L., Paleari, R., Bruschi, D.: A Framework for Behavior-Based Malware Analysis in the Cloud. In: Prakash, A., Sen Gupta, I. (eds.) ICISS 2009. LNCS, vol. 5905, pp. 178-192. Springer, Heidelberg (2009)
23. Moser, A., Kruegel, C., Kirda, E.: Exploring Multiple Execution Paths for Malware Analysis. In: IEEE Symposium on Security and Privacy (2007)
24. Paleari, R., Martignoni, L., Passerini, E., Davidson, D., Fredrikson, M., Giffin, J., Jha, S.: Automatic Generation of Remediation Procedures for Malware Infections. In: Proceedings of the 19th USENIX Conference on Security (2010)
25. Paleari, R., Martignoni, L., Roglia, G.F., Bruschi, D.: A fistful of red-pills: How to automatically generate procedures to detect CPU emulators. In: Proceedings of the 3rd USENIX Workshop on Offensive Technologies, WOOT (2009)
26. Pek, G., Bencsath, B., Buttyan, L.: nEther: In-guest Detection of Out-of-the-guest Malware Analyzers. In: ACM European Workshop on System Security, EUROSEC (2011)
27. Perdisci, R., Lee,W., Feamster, N.: Behavioral Clustering of HTTP-Based Malware and Signature Generation Using Malicious Network Traces. In: USENIX Conference on Networked Systems Design and Implementation, NSDI (2010)
28. Raffetseder, T., Kruegel, C., Kirda, E.: Detecting System Emulators. In: Garay, J.A., Lenstra, A.K., Mambo, M., Peralta, R. (eds.) ISC 2007. LNCS, vol. 4779, pp. 1-18. Springer, Heidelberg (2007)
29. Rutkowska, J.: Red Pill. or how to detect VMM using (almost) one CPU instruction (2004), http://invisiblethings.org/papers/redpill.html
30. Stone-Gross, B., Moser, A., Kruegel, C., Almaroth, K., Kirda, E.: FIRE: FInding Rogue nEtworks. In: Proceedings of the Annual Computer Security Applications Conference, ACSAC (2009)
31. Tan, C.K.: Defeating Kernel Native API Hookers by Direct Service Dispatch Table Restoration. Tech. rep., SIG2 G-TEC Lab (2004)
32. The Honeynet Project: Know Your Enemy: Fast-Flux Service Networks (2007), http://www.honeynet.org/papers/ff
33. Trinius, P., Willems, C., Holz, T., Rieck, K.: A Malware Instruction Set for Behavior-Based Analysis. Tech. Rep. 07-2009, University of Mannheim (2009)
34. Vasudevan, A., Yerraballi, R.: Cobra: Fine-grained Malware Analysis using Stealth Localized-executions. In: IEEE Symposium on Security and Privacy (2006)
35. Willems, C., Holz, T., Freiling, F.: Toward Automated Dynamic Malware Analysis Using CWSandbox. IEEE Security and Privacy 5(2) (2007)
36. Yoshioka, K., Hosobuchi, Y., Orii, T., Matsumoto, T.: Your Sandbox is Blinded: Impact of Decoy Injection to Public Malware Analysis Systems. Journal of Information Processing 19 (2011)