Alan Mills
Investigating anti-evasion malware triggers using automated sandbox reconfiguration techniques
Mills, Alan; Legg, Phil
Abstract
Malware analysis is fundamental for defending against prevalent cyber security threats and requires a means to deploy and study behavioural software traits as more sophisticated malware is developed. Traditionally, virtual machines are used to provide an environment that is isolated from production systems so as to not cause any adverse impact on existing infrastructure. Malware developers are fully aware of this and so will often develop evasion techniques to avoid detection within sandbox environments. In this paper, we conduct an investigation of anti-evasion malware triggers for uncovering malware that may attempt to conceal itself when deployed in a traditional sandbox environment. To facilitate our investigation, we developed a tool called MORRIGU that couples together both automated and human-driven analysis for systematic testing of anti-evasion methods using dynamic sandbox reconfiguration techniques. This is further supported by visualisation methods for performing comparative analysis of system activity when malware is deployed under different sandbox configurations. Our study reveals a variety of anti-evasion traits that are shared amongst different malware families, such as sandbox “wear-and-tear”, and Reverse Turing Tests (RTT), as well as more sophisticated malware samples that require multiple anti-evasion checks to be deployed. We also perform a comparative study using Cuckoo sandbox to demonstrate the limitations of adopting only automated analysis tools, to justify the exploratory analysis provided by MORRIGU. By adopting a clearer systematic process for uncovering anti-evasion malware triggers, as supported by tools like MORRIGU, this study helps to further the research of evasive malware analysis so that we can better defend against such future attacks.
Citation
Mills, A., & Legg, P. (2021). Investigating anti-evasion malware triggers using automated sandbox reconfiguration techniques. Journal of Cybersecurity and Privacy, 1(1), 19-39. https://doi.org/10.3390/jcp1010003
| Journal Article Type | Article |
|---|---|
| Acceptance Date | Nov 18, 2020 |
| Online Publication Date | Nov 20, 2020 |
| Publication Date | Mar 1, 2021 |
| Deposit Date | Dec 1, 2020 |
| Publicly Available Date | Mar 29, 2024 |
| Journal | Journal of Cybersecurity and Privacy |
| Electronic ISSN | 2624-800X |
| Publisher | MDPI |
| Peer Reviewed | Peer Reviewed |
| Volume | 1 |
| Issue | 1 |
| Pages | 19-39 |
| DOI | https://doi.org/10.3390/jcp1010003 |
| Public URL | https://uwe-repository.worktribe.com/output/6909598 |
Files
- Investigating anti-evasion malware triggers using automated sandbox reconfiguration techniques (PDF, 1.7 Mb). Licence: http://creativecommons.org/licenses/by/4.0/ (publisher licence URL: http://creativecommons.org/licenses/by/4.0/)
- Investigating anti-evasion malware triggers using automated sandbox reconfiguration techniques (PDF, 1.6 Mb). Licence: http://creativecommons.org/licenses/by/4.0/ (publisher licence URL: http://creativecommons.org/licenses/by/4.0/)