Understanding Evasive Behavior in Malicious Software
Member | Category |
---|---|
Leonardo Querzoni | Reference tutor (professor or researcher belonging to the same department as the proposer) |
With thousands of malware samples surfacing every day, dynamic monitoring systems play a key role in the automatic characterization and detection of malicious behaviors that undermine the security of computing systems. Modern malware strains, however, perform reconnaissance of their execution environment, looking for artifacts that betray the presence of a monitoring system, and suppress their normally harmful behavior to elude detection and analysis.
In the arms race between malware writers and defenders, researchers and security firms have invested in stealth analysis environments based on virtualization, emulation, or bare-metal execution. Unfortunately, building an analysis system that is indistinguishable from a victim machine is in practice impossible, because the analysis agents inevitably introduce discrepancies. While vendors try to patch imperfections, malware writers regularly find unanticipated ways to expose monitoring systems. The malware analyst is then left with a single option: manually dissecting the evasive sample to understand the adversarial technique it employs, a lengthy and complex process.
We propose an innovative methodology for identifying unforeseen evasion strategies and aiding in disarming them. We build on a simple intuition: while a sample may adopt different strategies for different monitoring systems, it still features identifiable patterns that characterize the points where environmental checks lead to evasion decisions. We plan to use data-flow analysis to fully understand how already-known checks are carried out; the information gained will then guide tainting and fuzzing techniques for discovering the previously unknown fingerprinting checks in that sample.
Our tools will improve the productivity of analysts when dismantling unforeseen evasions, and contribute to patching monitoring systems by providing a methodology that points out the underpinnings of the adversarial techniques designed to detect them.
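The pattern the proposal builds on, environmental checks that each feed the same decision to withhold the payload, together with the idea of locating the sources that gate that decision, as an added toy illustration in Python. This is not the project's tool or code: the sample, the probe values and the harness are constructed for the example, and the harness substitutes values from a recorded bare-metal profile rather than performing the taint-guided fuzzing the proposal envisions.

```python
"""Toy evasive sample plus a perturbation harness that finds the environment
sources gating its evasion decision. Added illustration, not the project's code;
every probe value below is constructed."""
from dataclasses import dataclass, field

# Public hypervisor fingerprints the toy sample checks for: MAC OUIs assigned
# to VirtualBox, VMware and QEMU/KVM, and DMI product-name markers.
VM_MAC_OUIS = {"08:00:27", "00:0c:29", "00:50:56", "52:54:00"}
VM_PRODUCT_MARKERS = ("virtualbox", "vmware", "qemu", "kvm", "bochs")
CPUID_CYCLE_THRESHOLD = 500  # assumed cut-off: a trapped CPUID under a hypervisor costs far more


@dataclass
class Environment:
    """The environment as the sample sees it. Records every source read, so the
    harness learns what the sample consulted without knowing its logic."""
    probes: dict
    reads: set = field(default_factory=set)

    def read(self, name):
        self.reads.add(name)
        return self.probes[name]


def evasive_sample(env):
    """Hypothetical sample: reads one value it does not decide on (hostname,
    used only for a beacon), then runs three fingerprinting checks that all
    lead to the same evasion decision. Returns "benign" (evasion) or "payload"."""
    beacon_id = env.read("hostname")  # flows into C2 traffic, not into the decision
    mac = env.read("mac").lower()
    if mac[:8] in VM_MAC_OUIS:
        return "benign"
    product = env.read("dmi_product").lower()
    if any(marker in product for marker in VM_PRODUCT_MARKERS):
        return "benign"
    if env.read("cpuid_cycles") > CPUID_CYCLE_THRESHOLD:
        return "benign"
    return "payload"  # e.g. drop the implant and beacon using beacon_id


def disarm(sample, monitored, bare_metal, max_rounds=16):
    """Find the minimal set of sources the sandbox must patch with bare-metal
    values for the sample to expose its payload. The sample is a black box:
    only its reads and its final behaviour are observed.
    Stage 1 iterates because checks short-circuit: a later check is reached,
    and its source read, only once the earlier checks are satisfied.
    Stage 2 drops patched sources the decision does not actually depend on."""
    patch = {}
    for _ in range(max_rounds):
        env = Environment({**monitored, **patch})
        if sample(env) == "payload":
            break
        new_sources = env.reads - set(patch)
        if not new_sources:
            raise RuntimeError("evasion depends on something not read from the environment")
        for name in new_sources:
            patch[name] = bare_metal[name]
    else:
        raise RuntimeError("evasion not disarmed within max_rounds")
    for name in list(patch):
        trial = {k: v for k, v in patch.items() if k != name}
        if sample(Environment({**monitored, **trial})) == "payload":
            del patch[name]  # restoring the sandbox value changes nothing
    return patch


# Constructed probe values: what the sample sees inside a VirtualBox sandbox
# versus on a recorded victim machine.
MONITORED = {"hostname": "sandbox-07", "mac": "08:00:27:4e:66:a1",
             "dmi_product": "VirtualBox", "cpuid_cycles": 1800}
BARE_METAL = {"hostname": "DESKTOP-4K2Q1", "mac": "3c:52:82:0b:77:19",
              "dmi_product": "OptiPlex 7090", "cpuid_cycles": 120}

if __name__ == "__main__":
    print("in sandbox:", evasive_sample(Environment(dict(MONITORED))))
    print("sources to patch:", disarm(evasive_sample, MONITORED, BARE_METAL))
```

Two things the toy makes visible that matter in practice: patching a single artifact (the MAC) is not enough, because the sample only reaches its next check once the previous one passes, so the harness has to re-run and re-observe after every patch; and a source being read is not the same as it gating the decision, which is why the minimization step is needed. Real samples obtain these values through system calls, CPUID and timing rather than a dictionary, and "the payload ran" is a behavioural oracle rather than a return value, which is the gap that the proposal's data-flow and taint analysis is meant to close.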