Scarecrow: Deactivating Evasive Malware via Its Own Evasive Logic

Security analysts widely use dynamic malware analysis environments to exercise malware samples and derive virus signatures. Unfortunately, malware authors are becoming more aware of such analysis environments. Therefore, many have embedded evasive logic into malware to probe execution environments before exposing malicious behaviors. Consequently, such analysis environments become useless and evasive malware can damage victim systems with unforeseen malicious activities. However, adopting evasive techniques to bypass dynamic malware analysis is a double-edged sword. While evasive techniques can avoid early detection through sandbox analysis, it also significantly constrains the spectrum of execution environments where the malware activates. In this paper, we exploit this dilemma and seek to reverse the challenge by camouflaging end-user execution environments into analysis-like environments using a lightweight deception engine called SCARECROW. We thoroughly evaluate SCARECROW with real evasive malware samples and demonstrate that we can successfully deactivate 89.56% of evasive malware samples and the variants of ransomware (e.g., WannaCry and Locky) with little or no impact on the most commonly used benign software. Our evaluation also shows that SCARECROW is able to steer state-of-the-art analysis environment fingerprinting techniques so that end-user execution environments with SCARECROW and malware analysis environments with SCARECROW become indistinguishable.

[1]  Xuxian Jiang,et al.  Process Implanting: A New Active Introspection Framework for Virtualization , 2011, 2011 IEEE 30th International Symposium on Reliable Distributed Systems.

[2]  Levente Buttyán,et al.  nEther: in-guest detection of out-of-the-guest malware analyzers , 2011, EUROSEC '11.

[3]  Amit Vasudevan,et al.  Cobra: fine-grained malware analysis using stealth localized-executions , 2006, 2006 IEEE Symposium on Security and Privacy (S&P'06).

[4]  Angelos Stavrou,et al.  Using Hardware Features for Increased Debugging Transparency , 2015, 2015 IEEE Symposium on Security and Privacy.

[5]  Min Gyung Kang,et al.  Emulating emulation-resistant malware , 2009, VMSec '09.

[6]  Peter Ferrie Attacks on Virtual Machine Emulators , 2007 .

[7]  Bülent Yener,et al.  AVLeak: Fingerprinting Antivirus Emulators through Black-Box Testing , 2016, WOOT.

[8]  Giovanni Vigna,et al.  MalGene: Automatic Extraction of Malware Analysis Evasion Signature , 2015, CCS.

[9]  Tsutomu Matsumoto,et al.  SandPrint: Fingerprinting Malware Sandboxes to Provide Intelligence for Sandbox Evasion , 2016, RAID.

[10]  Xuxian Jiang,et al.  "Out-of-the-Box" Monitoring of VM-Based High-Interaction Honeypots , 2007, RAID.

[11]  Kangbin Yim,et al.  Malware Obfuscation Techniques: A Brief Survey , 2010, 2010 International Conference on Broadband, Wireless Computing, Communication and Applications.

[12]  Christopher Krügel,et al.  BareCloud: Bare-metal Analysis-based Evasive Malware Detection , 2014, USENIX Security Symposium.

[13]  Xu Chen,et al.  Towards an understanding of anti-virtualization and anti-debugging behavior in modern malware , 2008, 2008 IEEE International Conference on Dependable Systems and Networks With FTCS and DCC (DSN).

[14]  Gabriel Negreira Barbosa,et al.  Scientific but Not Academical Overview of Malware Anti-Debugging , Anti-Disassembly and Anti-VM Technologies , 2012 .

[15]  Michalis Polychronakis,et al.  Spotless Sandboxes: Evading Malware Analysis Systems Using Wear-and-Tear Artifacts , 2017, 2017 IEEE Symposium on Security and Privacy (SP).

[16]  Wenke Lee,et al.  Ether: malware analysis via hardware virtualization extensions , 2008, CCS.

[17]  Leyla Bilge,et al.  Needles in a Haystack: Mining Information from Public Dynamic Analysis Sandboxes for Malware Intelligence , 2015, USENIX Security Symposium.

[18]  Christopher Krügel,et al.  Efficient Detection of Split Personalities in Malware , 2010, NDSS.

[19]  Yoshihiro Oyama,et al.  Trends of anti-analysis operations of malwares observed in API call logs , 2017, Journal of Computer Virology and Hacking Techniques.

[20]  Guofei Gu,et al.  AUTOVAC: Automatically Extracting System Resource Constraints and Generating Vaccines for Malware Immunization , 2013, 2013 IEEE 33rd International Conference on Distributed Computing Systems.

[21]  Christopher Krügel,et al.  BareBox: efficient malware analysis on bare-metal , 2011, ACSAC '11.