A New Method For Gradual Detection of Environmental Conditions and Resources Required by Smart Malware

Document Type : Original Article

Authors

Abstract

Smart malware samples have two different types of behaviors, namely defensive and aggrasive which they exhibit according to environmental conditions. This article offers a new method for detection of              environmental conditions suitable for exhibition of aggrasive behaviors. Considering the list of system  functions, apparant in the IAT table of a malware, those APIs which are not invoked at runtime could be identified as grounds for suspecting the executable file as a malware. Analyzing the functionality and task of these APIs and the ones invoked at runtime, the conditions and resources required for the malware to     reveal its malicious behavior, could be determined. In fact, supplying all the required conditions and      resources requested through one or more API calls, at a run, the malware could be prepared for asking for the next possible resource in the next run. This process could be repeated as far as no more conditions or resources are looked for. In order to evaluate the suggested method, three known malware samples are   analysed in our sandboxing environment, Parsa.
 

Keywords


V. S. Subrahmanian, et al, “Types of Malware and Malware Distribution Strategies,” The Global Cyber-Vulnerability Report, Springer International Publishing, pp. 33-46, 2015.##
A. Moser, K. Christopher, and K. Engin, “Exploring multiple execution paths for malware analysis,” Security and Privacy, 2007. SP’07. IEEE Symposium on. IEEE, 2007.##
D. Brumley, et al, “Automatically identifying trigger-based behavior in malware,” Botnet Detection, pp. 65-88, 2008.##
B. Kang, J. YANG, J. So, and C. Y. Kim, “Detecting Trigger-based Behaviors in Botnet Malware,” In Proceedings of the 2015 Conference on research in adaptive and convergent systems, ACM, 2015.##
S. Bahtiyar, “Anatomy of targeted attacks with smart malware,” Security and Communication Networks 9.18, pp. 6215-6226, 2016.##
G. Hăjmăşan, M .Alexandra, and C. Octavian, “Dynamic behavior evaluation for malware detection,” Digital Forensic and Security (ISDFS), 2017 5th International Symposium on. IEEE, 2017.##
R. de Tangil and S.Guillermo, “Mining structural and behavioral patterns in smart malware,” Diss. Universidad Carlos III de Madrid, 2014.##
C. Matthew, T. Liston, and E. Skoudis, “Hiding virtualization from attackers and malware,” IEEE Security & Privacy, vol. 5, no. 3, 2007.##
M. Mehra and P. Dhawal, “Event triggered malware: A new challenge to sandboxing,” India Conference (INDICON), 2015 Annual IEEE. IEEE, 2015.##
S. N. Alsagoff, “Malware self protection mechanism,” Information Technology, 2008. ITSim 2008. International Symposium on. vol. 3, IEEE, 2008.##
K. Navroop, A. K. Bindal, and A. PhD, “A Complete Dynamic Malware Analysis,” International Journal of Computer Applications, vol. 135, no. 4, pp. 20-25, 2016.##
D. Keragala, “Detecting malware and sandbox evasion techniques,” SANS Institute InfoSec Reading Room, vol. 16, 2016.##
C. Ravi and R. Manoharan, “Malware detection using windows api sequence and machine learning,” International Journal of Computer Applications, vol. 43, no. 17, pp.          12-16, 2012.##
L. Desmond, P. Watters, and X. Wu, “Rbacs: Rootkit behavioral analysis and classification system,” Knowledge Discovery and Data Mining, WKDD'10. Third International Conference on, 2010.##
D. Vidyarthi, S. P. Choudhary, S. Rakshit, and C. Kumar, “Malware Detection by Static Checking and Dynamic Analysis of Executables,” International Journal of Information Security and Privacy, 2017.##
P. Xie, et al., “An automatic approach to detect                       anti-debugging in malware analysis,” International Conference on Trustworthy Computing and Services, Springer, Berlin, Heidelberg, 2012.##
B. Kang, J. Yang, J. So, and C. Y. Kim, “Detecting       Trigger-based Behaviors in Botnet Malware,” In Proceedings of the 2015 Conference on ‎research in adaptive and convergent systems, 2015.##
M. Lindorfer, C. Kolbitsch, and P. M. Comparetti, “Detecting environment-sensitive malware,” In International Workshop on Recent ‎Advances in Intrusion Detection, 2011.##
D. Brumley, C. Hartwig, Z. Liang, J. Newsome, D. Song, and H. Yin, “Automatically Identifying Trigger-based Behavior in Malware,” In ‎Botnet Detection, Springer, pp. 65-88, 2008.##
Suarez-Tangil, M. Conti, J. E. Tapiador, and P. Peris-Lopez, “Detecting targeted smartphone malware with behavior-triggering stochastic ‎models,” In In European Symposium on Research in Computer Security, 2014.##
A. Moser, C. Kruegel, and E. Kirda, “Exploring multiple execution paths for malware analysis,” in Proceedings- IEEE Symposium on ‎Security and Privacy, 2007.##
D. Fleck, A. Tokhtabayev, A. Alarif, A. Stavrou, and T. Nykodym, “PyTrigger: A system to trigger & extract user-activated malware ‎behavior,” in International Conference on Availability, Reliability and Security, 2013.##
S. Ranu and A. K. Singh, “GraphSig: a scalable approach to mining significant subgraphs in large graph databases,” In IEEE 25th ‎International Conference on Data Engineering, 2009.##
R. Majumdar and S. Koushik, “Hybrid concolic testing,” Software Engineering, 2007. ICSE 2007. 29th International Conference on. IEEE, 2007.##
X. Xu, et al., “Software backdoor analysis based on sensitive flow tracking and concolic execution,” Wuhan University Journal of Natural Sciences vol. 21, no. 5, pp. 421-427, 2016.##
H. Yin and S. Dawn, “Hooking Behavior Analysis,” Automatic Malware Analysis, Springer, New York, pp.       43-58, 2013.##
K. Youngjoon, E. Kim, and H. Kang Kim, “A novel approach to detect malware based on API call sequence analysis,” International Journal of Distributed Sensor Networks, vol. 11, no. 6, 2015.##
J. Berdajs and Z. Bosnić, “Extending applications using an advanced approach to dll injection and api hooking,” Software: Practice and Experience, vol. 40, no. 7, pp.         567-584, 2010.##
J. M. Ceron, C. B. Margi, and L. Zambenedetti, “MARS: An SDN-based malware analysis solution,” In IEEE Symposium on Computers ‎and Communication (ISCC), 2016.##
D. Oktavianto and M. Iqbal, “Cuckoo Malware Analysis,” Packt Publishing Ltd, 2013.##
C. Annachhatre, T. H. Austin, and M. Stamp, “Hidden Markov models for malware classification,” Journal of Computer Virology and Hacking Techniques 11.2,  pp.        59-73, 2015.##
N. Nissim, et al., “Novel active learning methods for enhanced PC malware detection in windows OS,” Expert Systems with Applications 41.13, pp. 5843-5857, 2014.##
I. Rafiqul, et al., “Classification of malware based on integrated static and dynamic features,” Journal of Network and Computer Applications, vol. 36, no. 2, pp. 646-656, 2013.##
I. Santos, et al., “Opem: A static-dynamic approach for machine-learning-based malware detection,” International Joint Conference CISIS’12-ICEUTE 12-SOCO 12 Special Sessions, Springer, Berlin, Heidelberg, 2013.##
S. Silnov and T. O. Vladimirovich, “Analysis of Modern Attacks on Antiviruses,” Journal of Theoretical & Applied Information Technology, vol. 76, no. 1, 2015.##
M. Lindorfer, K.Clemens, and P. Milani Comparetti, “Detecting environment-sensitive malware,” Recent Advances in Intrusion Detection. Springer Berlin/Heidelberg, 2011.##
S.T. King and P. M. Chen, “implementing malware with virtual machines,” Security and Privacy, IEEE, 2006.##
D. Keragala, “Detecting Malware and Sandbox Evasion Techniques,” SANS Institute InfoSec Reading Room, 2016.##
A. Lakhani, “Malware Sandbox and Breach Detection Evasion Techniques,” Doctor Chaos, 18 February 2016. [Online]. Available: http://www.drchaos.com/malware-sandbox-and-breach-detection-evasion-techniques/. [Accessed 2016].##
A. B. Cesar and D. Andrade, “Malware Automatic Analysis,”  Computational Intelligence and 11th Brazilian Congress on Computational Intelligence, 2013.##
U. Bayer, K. Christopher, and K. Engin, “TTAnalyze: A tool for analyzing malware,” na, 2006.##
T. Smith and M. Waterman, “Identification of common molecular subsequences,” Journal of molecular biology, pp. 195-197, 1987.##
B. Yadegari and S. Debray, “Symbolic Execution of Obfuscated Code,” In Proceedings of the 22nd ACM SIGSAC Conference on ‎Computer and Communications Security, 2015.##
X. Chen, et al., “Towards an understanding of                        anti-virtualization and anti-debugging behavior in modern malware." Dependable Systems and Networks With FTCS and DCC, 2008. DSN 2008. IEEE International Conference on. IEEE, 2008.##