Segmented sandboxing - A novel approach to Malware polymorphism detection

Malware polymorphic and metamorphic obfuscation techniques combined with so-called "sandboxing evasion techniques" continue to erode the effectiveness of both static detection (signature matching), and dynamic detection (sandboxing). Specifically, signature based techniques are overwhelmed by the sheer number of samples generated from a single seminal binary through the use of polymorphic variations (encryption, ISP obfuscation together with ISP emulators, semantically neutral transformations, and so forth). Anti-virus security vendors often report more than 100,000 new Malware signatures a day. In most cases, the preponderance of these variations can be attributed to just a handful of seminal Malware families. In 2011, FireEye reported that over 50% of observed successful Malware infections were attributable to just 13 Malware families (seminals).1 Similarly, sandboxing2, also known as dynamic Malware detection, has suffered from its own set of limitations. Mainly, (1) Malware writers embed in their code the ability to discover virtualized environments by checking for live internet access, or certain system properties inherent to virtualized environments, (2) Wait and seek (aka dormant Malware), a technique where knowing the execution time limitations of sandboxes, the Malware just waits, and (3) evasion techniques based on diverse communication. While the benefits of either dynamic or static approaches for Malware detection look quite tempting from each of their counterpart's perspectives, their weakness are daunting in their own right as well. In this manuscript we attempted to combine the best part of both approaches, while minimizing the disadvantages of either of them. We call this mixed approach "static Malware detection with segmented sandboxing". It was first developed by modeling the problem from a classical automata theory that leads from a formal problem formulation to a practical solution implementation. Preliminary results have shown that this approach is extremely effective in at least two significant ways. First, it sequentially minimizes both false negatives (misses) and false positives (FPs) enabling response resources to be focused on a more complete set of attacks with far less distraction from false alarms. Second, it overcomes many of the known limitations of sandboxing technology.

[1]  Daniel Bilar,et al.  Opcodes as predictor for malware , 2007, Int. J. Electron. Secur. Digit. Forensics.

[2]  Halvar Flake,et al.  Graph-based binary analysis , 2002 .

[3]  Guillaume Bonfante,et al.  Morphological detection of malware , 2008, 2008 3rd International Conference on Malicious and Unwanted Software (MALWARE).

[4]  Barton P. Miller,et al.  Who Wrote This Code? Identifying the Authors of Program Binaries , 2011, ESORICS.

[5]  Christopher Krügel,et al.  Polymorphic Worm Detection Using Structural Information of Executables , 2005, RAID.

[6]  Somesh Jha,et al.  Semantics-aware malware detection , 2005, 2005 IEEE Symposium on Security and Privacy (S&P'05).

[7]  B. Karp,et al.  Autograph: Toward Automated, Distributed Worm Signature Detection , 2004, USENIX Security Symposium.

[8]  Andrew Walenstein,et al.  Header information in malware families and impact on automated classifiers , 2010, 2010 5th International Conference on Malicious and Unwanted Software.

[9]  Georg Wicherski,et al.  peHash: A Novel Approach to Fast Malware Clustering , 2009, LEET.

[10]  Tzi-cker Chiueh,et al.  Automatic Generation of String Signatures for Malware Detection , 2009, RAID.

[11]  Steve R. White,et al.  An Undetectable Computer Virus , 2000 .

[12]  Fred Cohen,et al.  Computer viruses—theory and experiments , 1990 .

[13]  Andrew Walenstein,et al.  Normalizing Metamorphic Malware Using Term Rewriting , 2006, 2006 Sixth IEEE International Workshop on Source Code Analysis and Manipulation.

[14]  Fernando C. Colón Osorio,et al.  Overcoming the limitations in computer worm models , 2010, 2010 5th International Conference on Malicious and Unwanted Software.

[15]  Peter Szor,et al.  HUNTING FOR METAMORPHIC , 2001 .

[16]  Mattia Monga,et al.  Detecting Self-mutating Malware Using Control-Flow Graph Matching , 2006, DIMVA.

[17]  Mark Stamp,et al.  Hunting for metamorphic engines , 2006, Journal in Computer Virology.

[18]  Hongyuan Qiu,et al.  Static malware detection with Segmented Sandboxing , 2013, 2013 8th International Conference on Malicious and Unwanted Software: "The Americas" (MALWARE).

[19]  Arun Lakhotia,et al.  Using engine signature to detect metamorphic malware , 2006, WORM '06.