论文信息 - Detecting environment-sensitive malware based on taint analysis

Detecting environment-sensitive malware based on taint analysis

Dynamic analysis technique extracts malicious behavior by monitoring the execution of malware. But due to the differences between analysis environment and real environment, Malware can easily hide its malicious behavior in suspicious environment. This paper proposed a method in detecting environment-sensitive malware based on taint analysis, which monitored the use of environment-sensitive features, and detected malicious behavior by executing along hidden path. Our approach firstly extracted sensitive system calls and special instructions to mark tainted features, then achieved environment-sensitive controlled jump based on taint propagation analysis while code was running, and at last forced execution along different paths according to the extraction of path jump constraint conditions. We designed and implemented a prototype that can be automatically applied on malware analysis. The evaluation of the prototype by comparing with static and dynamic tools showed it can recognize the environment-sensitive features comprehensively, and can effectively increase the ability in malware detection with high efficiency.

Dawei Shi | Zhibin Ye | Xiucun Tang

[1] Martina Lindorfer,et al. Detecting Environment-Sensitive Malware , 2011, RAID.

[2] Jonathon T. Giffin,et al. Impeding Malware Analysis Using Conditional Code Obfuscation , 2008, NDSS.

[3] Navroop Kaur,et al. A Complete Dynamic Malware Analysis , 2016 .

[4] Zhendong Su,et al. Temporal search: detecting hidden malware timebombs with virtual machines , 2006, ASPLOS XII.

[5] Xiaohong Su,et al. A Framework for Understanding Dynamic Anti-Analysis Defenses , 2014, PPREW-4.

[6] Wenke Lee,et al. Ether: malware analysis via hardware virtualization extensions , 2008, CCS.

[7] Zhenkai Liang,et al. BitBlaze: A New Approach to Computer Security via Binary Analysis , 2008, ICISS.

[8] Stephen McCamant,et al. Differential Slicing: Identifying Causal Execution Differences for Security Applications , 2011, 2011 IEEE Symposium on Security and Privacy.

[9] Chunfu Jia,et al. Directed Hidden-Code Extractor for Environment-Sensitive Malwares , 2012 .

[10] Lorenzo Martignoni,et al. A Fistful of Red-Pills: How to Automatically Generate Procedures to Detect CPU Emulators , 2009, WOOT.